SSDT and Shadow SSDT table
rdmsr ( 0x00000174 ) = 0x00000000 ~ 0x00000008
rdmsr ( 0x00000175 ) = 0x00000000 ~ 0xf7a1a000
rdmsr ( 0x00000176 ) = 0x00000000 ~ 0x8053dad0
- kd> dg 0
-                                   P Si Gr Pr Lo
- Sel    Base     Limit     Type    l ze an es ng Flags
- ---- -------- -------- ---------- - -- -- -- -- --------
- 0000 00000000 00000000 <Reserved> 0 Nb By Np Nl 00000000
- kd> dg 0x08
-                                   P Si Gr Pr Lo
- Sel    Base     Limit     Type    l ze an es ng Flags
- ---- -------- -------- ---------- - -- -- -- -- --------
- 0008 00000000 ffffffff Code RE Ac 0 Bg Pg P  Nl 00000c9b
- kd> dg 0x13
-                                   P Si Gr Pr Lo
- Sel    Base     Limit     Type    l ze an es ng Flags
- ---- -------- -------- ---------- - -- -- -- -- --------
- 0013 00000000 ffffffff Data RW Ac 0 Bg Pg P  Nl 00000c93
- kd> dg 0x18
-                                   P Si Gr Pr Lo
- Sel    Base     Limit     Type    l ze an es ng Flags
- ---- -------- -------- ---------- - -- -- -- -- --------
- 0018 00000000 ffffffff Code RE Ac 3 Bg Pg P  Nl 00000cfb
- kd> dg 0x23
-                                   P Si Gr Pr Lo
- Sel    Base     Limit     Type    l ze an es ng Flags
- ---- -------- -------- ---------- - -- -- -- -- --------
- 0023 00000000 ffffffff Data RW Ac 3 Bg Pg P  Nl 00000cf3
- kd> !drivers
- The !drivers command is no longer supported.
- Please use the 'lm t n' command.
- Consult the debugger documentation for the supported 'lm' command options.
- The WinDbg "Modules" window can also be used to display timestamps.
- The "Modules" window supports sorting on name or timestamp values
- kd> lm t n
- nt!KiFastCallEntry:
- 8053dad0 b923000000 mov ecx,23h
- 8053dad5 6a30 push 30h
- 8053dad7 0fa1 pop fs
- 8053dad9 8ed9 mov ds,cx
- 8053dadb 8ec1 mov es,cx
- 8053dadd 8b0d40f0dfff mov ecx,dword ptr ds:[0FFDFF040h]
- 8053dae3 8b6104 mov esp,dword ptr [ecx+4]
- 8053dae6 6a23 push 23h
- 8053dae8 52 push edx
- 8053dae9 9c pushfd
- 8053daea 6a02 push 2
- 8053daec 83c208 add edx,8
- 8053daef 9d popfd
- 8053daf0 804c240102 or byte ptr [esp+1],2
- 8053daf5 6a1b push 1Bh
- 8053daf7 ff350403dfff push dword ptr ds:[0FFDF0304h]
- 8053dafd 6a00 push 0
- 8053daff 55 push ebp
- 8053db00 53 push ebx
- 8053db01 56 push esi
- 8053db02 57 push edi
- 8053db03 8b1d1cf0dfff mov ebx,dword ptr ds:[0FFDFF01Ch]
- 8053db09 6a3b push 3Bh
- 8053db0b 8bb324010000 mov esi,dword ptr [ebx+124h]
- 8053db11 ff33 push dword ptr [ebx]
- 8053db13 c703ffffffff mov dword ptr [ebx],0FFFFFFFFh
- 8053db19 8b6e18 mov ebp,dword ptr [esi+18h]
- 8053db1c 6a01 push 1
- 8053db1e 83ec48 sub esp,48h
- 8053db21 81ed9c020000 sub ebp,29Ch
- 8053db27 c6864001000001 mov byte ptr [esi+140h],1
- 8053db2e 3bec cmp ebp,esp
- 8053db30 759a jne nt!KiFastCallEntry2+0x47 (8053dacc)
- kd> u nt!KiSystemService L20
- nt!KiSystemService:
- 8053da11 6a00 push 0
- 8053da13 55 push ebp
- 8053da14 53 push ebx
- 8053da15 56 push esi
- 8053da16 57 push edi
- 8053da17 0fa0 push fs
- 8053da19 bb30000000 mov ebx,30h
- 8053da1e 668ee3 mov fs,bx
- 8053da21 ff3500f0dfff push dword ptr ds:[0FFDFF000h]
- 8053da27 c70500f0dfffffffffff mov dword ptr ds:[0FFDFF000h],0FFFFFFFFh
- 8053da31 8b3524f1dfff mov esi,dword ptr ds:[0FFDFF124h]
- 8053da37 ffb640010000 push dword ptr [esi+140h]
- 8053da3d 83ec48 sub esp,48h
- 8053da40 8b5c246c mov ebx,dword ptr [esp+6Ch]
- 8053da44 83e301 and ebx,1
- 8053da47 889e40010000 mov byte ptr [esi+140h],bl
- 8053da4d 8bec mov ebp,esp
- 8053da4f 8b9e34010000 mov ebx,dword ptr [esi+134h]
- 8053da55 895d3c mov dword ptr [ebp+3Ch],ebx
- 8053da58 89ae34010000 mov dword ptr [esi+134h],ebp
- 8053da5e fc cld
- 8053da5f 8b5d60 mov ebx,dword ptr [ebp+60h]
- 8053da62 8b7d68 mov edi,dword ptr [ebp+68h]
- 8053da65 89550c mov dword ptr [ebp+0Ch],edx
- 8053da68 c74508000ddbba mov dword ptr [ebp+8],0BADB0D00h
- 8053da6f 895d00 mov dword ptr [ebp],ebx
- 8053da72 897d04 mov dword ptr [ebp+4],edi
- 8053da75 f6462cff test byte ptr [esi+2Ch],0FFh
- 8053da79 0f858dfeffff jne nt!Dr_kss_a (8053d90c)
- 8053da7f fb sti
- 8053da80 e9d8000000 jmp nt!KiFastCallEntry+0x8d (8053db5d)
- nt!KiFastCallEntry2:
- kd> !idt 2e
- Dumping IDT:
- 2e: 8053da11 nt!KiSystemService
- daniel@daniel-mint ~/windbg $ awk '{printf("[% 8x]: \t\t[%s --> %s] \t\t%s\n", NR, $1, $2, $3)}' kiservicetable
- [ 1]: [80502354 --> 80599a66] nt!NtAcceptConnectPort
- [ 2]: [80502358 --> 805e6cce] nt!NtAccessCheck
- [ 3]: [8050235c --> 805ea514] nt!NtAccessCheckAndAuditAlarm
- [ 4]: [80502360 --> 805e6d00] nt!NtAccessCheckByType
- [ 5]: [80502364 --> 805ea54e] nt!NtAccessCheckByTypeAndAuditAlarm
- [ 6]: [80502368 --> 805e6d36] nt!NtAccessCheckByTypeResultList
- [ 7]: [8050236c --> 805ea592] nt!NtAccessCheckByTypeResultListAndAuditAlarm
- [ 8]: [80502370 --> 805ea5d6] nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
- [ 9]: [80502374 --> 8060bc40] nt!NtAddAtom
- [ a]: [80502378 --> 8060c984] nt!NtAddBootEntry
- [ b]: [8050237c --> 805e2066] nt!NtAdjustGroupsToken
- [ c]: [80502380 --> 805e1cbe] nt!NtAdjustPrivilegesToken
- [ d]: [80502384 --> 805caccc] nt!NtAlertResumeThread
- [ e]: [80502388 --> 805cac7c] nt!NtAlertThread
- [ f]: [8050238c --> 8060c266] nt!NtAllocateLocallyUniqueId
- [ 10]: [80502390 --> 805ab654] nt!NtAllocateUserPhysicalPages
- [ 11]: [80502394 --> 8060b87e] nt!NtAllocateUuids
- [ 12]: [80502398 --> 8059dedc] nt!NtAllocateVirtualMemory
- [ 13]: [8050239c --> 805a5aa6] nt!NtAreMappedFilesTheSame
- [ 14]: [805023a0 --> 805cc7aa] nt!NtAssignProcessToJobObject
- [ 15]: [805023a4 --> 80500020] nt!NtCallbackReturn
- [ 16]: [805023a8 --> 805be3e2] nt!NtModifyBootEntry
- [ 17]: [805023ac --> 8056c0c6] nt!NtCancelIoFile
- [ 18]: [805023b0 --> 80535596] nt!NtCancelTimer
- [ 19]: [805023b4 --> 80604f36] nt!NtClearEvent
- [ 1a]: [805023b8 --> 805b1ce0] nt!NtClose
- [ 1b]: [805023bc --> 805eaa4e] nt!NtCloseObjectAuditAlarm
- [ 1c]: [805023c0 --> 80619dfe] nt!NtCompactKeys
- [ 1d]: [805023c4 --> 805eef40] nt!NtCompareTokens
- [ 1e]: [805023c8 --> 8059a154] nt!NtCompleteConnectPort
- [ 1f]: [805023cc --> 8061a052] nt!NtCompressKey
- [ 20]: [805023d0 --> 80599a06] nt!NtConnectPort
- [ 21]: [805023d4 --> 80541390] nt!NtContinue
- [ 22]: [805023d8 --> 806381da] nt!NtCreateDebugObject
- [ 23]: [805023dc --> 805b3bdc] nt!NtCreateDirectoryObject
- [ 24]: [805023e0 --> 80604f86] nt!NtCreateEvent
- [ 25]: [805023e4 --> 8060d1fa] nt!NtCreateEventPair
- [ 26]: [805023e8 --> 8056e62e] nt!NtCreateFile
- [ 27]: [805023ec --> 8056e00c] nt!NtCreateIoCompletion
- [ 28]: [805023f0 --> 805cb76e] nt!NtCreateJobObject
- [ 29]: [805023f4 --> 805cb4a6] nt!NtCreateJobSet
- [ 2a]: [805023f8 --> 8061a22e] nt!NtCreateKey
- [ 2b]: [805023fc --> 8056e73c] nt!NtCreateMailslotFile
- [ 2c]: [80502400 --> 8060d5f2] nt!NtCreateMutant
- [ 2d]: [80502404 --> 8056e668] nt!NtCreateNamedPipeFile
- [ 2e]: [80502408 --> 805a0ec6] nt!NtCreatePagingFile
- [ 2f]: [8050240c --> 8059a522] nt!NtCreatePort
- [ 30]: [80502410 --> 805c7332] nt!NtCreateProcess
- [ 31]: [80502414 --> 805c727c] nt!NtCreateProcessEx
- [ 32]: [80502418 --> 8060da12] nt!NtCreateProfile
- [ 33]: [8050241c --> 805a080a] nt!NtCreateSection
- [ 34]: [80502420 --> 8060af9c] nt!NtCreateSemaphore
- [ 35]: [80502424 --> 805ba9e4] nt!NtCreateSymbolicLinkObject
- [ 36]: [80502428 --> 805c711a] nt!NtCreateThread
- [ 37]: [8050242c --> 8060cec2] nt!NtCreateTimer
- [ 38]: [80502430 --> 805ef2e8] nt!NtCreateToken
- [ 39]: [80502434 --> 8059a546] nt!NtCreateWaitablePort
- [ 3a]: [80502438 --> 806392b6] nt!NtDebugActiveProcess
- [ 3b]: [8050243c --> 80639406] nt!NtDebugContinue
- [ 3c]: [80502440 --> 8060c8d4] nt!NtDelayExecution
- [ 3d]: [80502444 --> 8060c0f6] nt!NtDeleteAtom
- [ 3e]: [80502448 --> 805be3e2] nt!NtModifyBootEntry
- [ 3f]: [8050244c --> 8056c20c] nt!NtDeleteFile
- [ 40]: [80502450 --> 8061a6be] nt!NtDeleteKey
- [ 41]: [80502454 --> 805eab5a] nt!NtDeleteObjectAuditAlarm
- [ 42]: [80502458 --> 8061a88e] nt!NtDeleteValueKey
- [ 43]: [8050245c --> 8056e7f4] nt!NtDeviceIoControlFile
- [ 44]: [80502460 --> 80608f10] nt!NtDisplayString
- [ 45]: [80502464 --> 805b37bc] nt!NtDuplicateObject
- [ 46]: [80502468 --> 805e2f04] nt!NtDuplicateToken
- [ 47]: [8050246c --> 8060c984] nt!NtAddBootEntry
- [ 48]: [80502470 --> 8061aa6e] nt!NtEnumerateKey
- [ 49]: [80502474 --> 8060c976] nt!NtEnumerateSystemEnvironmentValuesEx
- [ 4a]: [80502478 --> 8061acd8] nt!NtEnumerateValueKey
- [ 4b]: [8050247c --> 805a91cc] nt!NtExtendSection
- [ 4c]: [80502480 --> 805e30b0] nt!NtFilterToken
- [ 4d]: [80502484 --> 8060beaa] nt!NtFindAtom
- [ 4e]: [80502488 --> 8056c2d8] nt!NtFlushBuffersFile
- [ 4f]: [8050248c --> 805abede] nt!NtFlushInstructionCache
- [ 50]: [80502490 --> 8061af42] nt!NtFlushKey
- [ 51]: [80502494 --> 805a1bd6] nt!NtFlushVirtualMemory
- [ 52]: [80502498 --> 805abe80] nt!NtFlushWriteBuffer
- [ 53]: [8050249c --> 805ab9f0] nt!NtFreeUserPhysicalPages
- [ 54]: [805024a0 --> 805a84a6] nt!NtFreeVirtualMemory
- [ 55]: [805024a4 --> 8056e828] nt!NtFsControlFile
- [ 56]: [805024a8 --> 805c7644] nt!NtGetContextThread
- [ 57]: [805024ac --> 805be404] nt!NtGetDevicePowerState
- [ 58]: [805024b0 --> 8058e83c] nt!NtGetPlugPlayEvent
- [ 59]: [805024b4 --> 8051df7e] nt!NtGetWriteWatch
- [ 5a]: [805024b8 --> 805eec34] nt!NtImpersonateAnonymousToken
- [ 5b]: [805024bc --> 8059a5b0] nt!NtImpersonateClientOfPort
- [ 5c]: [805024c0 --> 805cd942] nt!NtImpersonateThread
- [ 5d]: [805024c4 --> 80618206] nt!NtInitializeRegistry
- [ 5e]: [805024c8 --> 805be1dc] nt!NtInitiatePowerAction
- [ 5f]: [805024cc --> 805cb36a] nt!NtIsProcessInJob
- [ 60]: [805024d0 --> 805be3f0] nt!NtIsSystemResumeAutomatic
- [ 61]: [805024d4 --> 8059a7bc] nt!NtListenPort
- [ 62]: [805024d8 --> 80579848] nt!NtLoadDriver
- [ 63]: [805024dc --> 8061bf5e] nt!NtLoadKey
- [ 64]: [805024e0 --> 8061bba8] nt!NtLoadKey2
- [ 65]: [805024e4 --> 8056e85c] nt!NtLockFile
- [ 66]: [805024e8 --> 80609472] nt!NtLockProductActivationKeys
- [ 67]: [805024ec --> 8061a0fe] nt!NtLockRegistryKey
- [ 68]: [805024f0 --> 805abfe6] nt!NtLockVirtualMemory
- [ 69]: [805024f4 --> 805b505c] nt!NtMakePermanentObject
- [ 6a]: [805024f8 --> 805b1d84] nt!NtMakeTemporaryObject
- [ 6b]: [805024fc --> 805aa948] nt!NtMapUserPhysicalPages
- [ 6c]: [80502500 --> 805aaf20] nt!NtMapUserPhysicalPagesScatter
- [ 6d]: [80502504 --> 805a7526] nt!NtMapViewOfSection
- [ 6e]: [80502508 --> 805be3e2] nt!NtModifyBootEntry
- [ 6f]: [8050250c --> 8056f48c] nt!NtNotifyChangeDirectoryFile
- [ 70]: [80502510 --> 8061bf28] nt!NtNotifyChangeKey
- [ 71]: [80502514 --> 8061b044] nt!NtNotifyChangeMultipleKeys
- [ 72]: [80502518 --> 805b3cae] nt!NtOpenDirectoryObject
- [ 73]: [8050251c --> 80605086] nt!NtOpenEvent
- [ 74]: [80502520 --> 8060d2d2] nt!NtOpenEventPair
- [ 75]: [80502524 --> 8056f74c] nt!NtOpenFile
- [ 76]: [80502528 --> 8056e0e4] nt!NtOpenIoCompletion
- [ 77]: [8050252c --> 805cb8f4] nt!NtOpenJobObject
- [ 78]: [80502530 --> 8061b5c4] nt!NtOpenKey
- [ 79]: [80502534 --> 8060d6ca] nt!NtOpenMutant
- [ 7a]: [80502538 --> 805ea61c] nt!NtOpenObjectAuditAlarm
- [ 7b]: [8050253c --> 805c11c2] nt!NtOpenProcess
- [ 7c]: [80502540 --> 805e38fc] nt!NtOpenProcessToken
- [ 7d]: [80502544 --> 805e3502] nt!NtOpenProcessTokenEx
- [ 7e]: [80502548 --> 8059f840] nt!NtOpenSection
- [ 7f]: [8050254c --> 8060b096] nt!NtOpenSemaphore
- [ 80]: [80502550 --> 805babca] nt!NtOpenSymbolicLinkObject
- [ 81]: [80502554 --> 805c144e] nt!NtOpenThread
- [ 82]: [80502558 --> 805e391a] nt!NtOpenThreadToken
- [ 83]: [8050255c --> 805e3672] nt!NtOpenThreadTokenEx
- [ 84]: [80502560 --> 8060cfe4] nt!NtOpenTimer
- [ 85]: [80502564 --> 8063b4a8] nt!NtPlugPlayControl
- [ 86]: [80502568 --> 805bf272] nt!NtPowerInformation
- [ 87]: [8050256c --> 805edce6] nt!NtPrivilegeCheck
- [ 88]: [80502570 --> 805e992e] nt!NtPrivilegeObjectAuditAlarm
- [ 89]: [80502574 --> 805e9b1a] nt!NtPrivilegedServiceAuditAlarm
- [ 8a]: [80502578 --> 805adaae] nt!NtProtectVirtualMemory
- [ 8b]: [8050257c --> 8060513e] nt!NtPulseEvent
- [ 8c]: [80502580 --> 8056c4be] nt!NtQueryAttributesFile
- [ 8d]: [80502584 --> 8060c984] nt!NtAddBootEntry
- [ 8e]: [80502588 --> 8060c984] nt!NtAddBootEntry
- [ 8f]: [8050258c --> 8053c5be] nt!NtQueryDebugFilterState
- [ 90]: [80502590 --> 80606caa] nt!NtQueryDefaultLocale
- [ 91]: [80502594 --> 8060790a] nt!NtQueryDefaultUILanguage
- [ 92]: [80502598 --> 8056f426] nt!NtQueryDirectoryFile
- [ 93]: [8050259c --> 805b3d4e] nt!NtQueryDirectoryObject
- [ 94]: [805025a0 --> 8056f77c] nt!NtQueryEaFile
- [ 95]: [805025a4 --> 80605206] nt!NtQueryEvent
- [ 96]: [805025a8 --> 8056c5f6] nt!NtQueryFullAttributesFile
- [ 97]: [805025ac --> 8060c11e] nt!NtQueryInformationAtom
- [ 98]: [805025b0 --> 8056fff8] nt!NtQueryInformationFile
- [ 99]: [805025b4 --> 805cbdc6] nt!NtQueryInformationJobObject
- [ 9a]: [805025b8 --> 8059a81a] nt!NtQueryInformationPort
- [ 9b]: [805025bc --> 805c2b28] nt!NtQueryInformationProcess
- [ 9c]: [805025c0 --> 805c16f4] nt!NtQueryInformationThread
- [ 9d]: [805025c4 --> 805e39fa] nt!NtQueryInformationToken
- [ 9e]: [805025c8 --> 806070a8] nt!NtQueryInstallUILanguage
- [ 9f]: [805025cc --> 8060de94] nt!NtQueryIntervalProfile
- [ a0]: [805025d0 --> 8056e18c] nt!NtQueryIoCompletion
- [ a1]: [805025d4 --> 8061b8e8] nt!NtQueryKey
- [ a2]: [805025d8 --> 806193fc] nt!NtQueryMultipleValueKey
- [ a3]: [805025dc --> 8060d772] nt!NtQueryMutant
- [ a4]: [805025e0 --> 805ba0a4] nt!NtQueryObject
- [ a5]: [805025e4 --> 80619a62] nt!NtQueryOpenSubKeys
- [ a6]: [805025e8 --> 8060df22] nt!NtQueryPerformanceCounter
- [ a7]: [805025ec --> 80570e42] nt!NtQueryQuotaInformationFile
- [ a8]: [805025f0 --> 805adc70] nt!NtQuerySection
- [ a9]: [805025f4 --> 805b5a28] nt!NtQuerySecurityObject
- [ aa]: [805025f8 --> 8060b14e] nt!NtQuerySemaphore
- [ ab]: [805025fc --> 805bac6a] nt!NtQuerySymbolicLinkObject
- [ ac]: [80502600 --> 8060c9a0] nt!NtQuerySystemEnvironmentValue
- [ ad]: [80502604 --> 8060c968] nt!NtSetSystemEnvironmentValueEx
- [ ae]: [80502608 --> 8060798a] nt!NtQuerySystemInformation
- [ af]: [8050260c --> 80609826] nt!NtQuerySystemTime
- [ b0]: [80502610 --> 8060d09c] nt!NtQueryTimer
- [ b1]: [80502614 --> 806090de] nt!NtQueryTimerResolution
- [ b2]: [80502618 --> 806182e8] nt!NtQueryValueKey
- [ b3]: [8050261c --> 805ae2f6] nt!NtQueryVirtualMemory
- [ b4]: [80502620 --> 80571332] nt!NtQueryVolumeInformationFile
- [ b5]: [80502624 --> 805c7390] nt!NtQueueApcThread
- [ b6]: [80502628 --> 805413d8] nt!NtRaiseException
- [ b7]: [8050262c --> 8060adc0] nt!NtRaiseHardError
- [ b8]: [80502630 --> 80571afa] nt!NtReadFile
- [ b9]: [80502634 --> 80572088] nt!NtReadFileScatter
- [ ba]: [80502638 --> 8059b2a2] nt!NtReadRequestData
- [ bb]: [8050263c --> 805a97b8] nt!NtReadVirtualMemory
- [ bc]: [80502640 --> 805c88c6] nt!NtRegisterThreadTerminatePort
- [ bd]: [80502644 --> 8060d8aa] nt!NtReleaseMutant
- [ be]: [80502648 --> 8060b27e] nt!NtReleaseSemaphore
- [ bf]: [8050264c --> 8056e484] nt!NtRemoveIoCompletion
- [ c0]: [80502650 --> 80639386] nt!NtRemoveProcessDebug
- [ c1]: [80502654 --> 80619c54] nt!NtRenameKey
- [ c2]: [80502658 --> 8061be0e] nt!NtReplaceKey
- [ c3]: [8050265c --> 8059a922] nt!NtReplyPort
- [ c4]: [80502660 --> 8059b8ea] nt!NtReplyWaitReceivePort
- [ c5]: [80502664 --> 8059b2f2] nt!NtReplyWaitReceivePortEx
- [ c6]: [80502668 --> 8059ac0c] nt!NtReplyWaitReplyPort
- [ c7]: [8050266c --> 805be374] nt!NtRequestDeviceWakeup
- [ c8]: [80502670 --> 80597e80] nt!NtRequestPort
- [ c9]: [80502674 --> 805981ac] nt!NtRequestWaitReplyPort
- [ ca]: [80502678 --> 805be182] nt!NtRequestWakeupLatency
- [ cb]: [8050267c --> 80605318] nt!NtResetEvent
- [ cc]: [80502680 --> 8051e45e] nt!NtResetWriteWatch
- [ cd]: [80502684 --> 80618636] nt!NtRestoreKey
- [ ce]: [80502688 --> 805cac26] nt!NtResumeProcess
- [ cf]: [8050268c --> 805cab08] nt!NtResumeThread
- [ d0]: [80502690 --> 806186d8] nt!NtSaveKey
- [ d1]: [80502694 --> 80618768] nt!NtSaveKeyEx
- [ d2]: [80502698 --> 80618834] nt!NtSaveMergedKeys
- [ d3]: [8050269c --> 8059919a] nt!NtSecureConnectPort
- [ d4]: [805026a0 --> 8060c984] nt!NtAddBootEntry
- [ d5]: [805026a4 --> 8060c984] nt!NtAddBootEntry
- [ d6]: [805026a8 --> 805c7854] nt!NtSetContextThread
- [ d7]: [805026ac --> 8063c03e] nt!NtSetDebugFilterState
- [ d8]: [805026b0 --> 8060ac6a] nt!NtSetDefaultHardErrorPort
- [ d9]: [805026b4 --> 80606dfa] nt!NtSetDefaultLocale
- [ da]: [805026b8 --> 8060766c] nt!NtSetDefaultUILanguage
- [ db]: [805026bc --> 8056fc98] nt!NtSetEaFile
- [ dc]: [805026c0 --> 806053d8] nt!NtSetEvent
- [ dd]: [805026c4 --> 806054a2] nt!NtSetEventBoostPriority
- [ de]: [805026c8 --> 8060d58e] nt!NtSetHighEventPair
- [ df]: [805026cc --> 8060d4be] nt!NtSetHighWaitLowEventPair
- [ e0]: [805026d0 --> 80638d50] nt!NtSetInformationDebugObject
- [ e1]: [805026d4 --> 805705fc] nt!NtSetInformationFile
- [ e2]: [805026d8 --> 805ccad6] nt!NtSetInformationJobObject
- [ e3]: [805026dc --> 80618fc8] nt!NtSetInformationKey
- [ e4]: [805026e0 --> 805b94e8] nt!NtSetInformationObject
- [ e5]: [805026e4 --> 805c3c80] nt!NtSetInformationProcess
- [ e6]: [805026e8 --> 805c1c40] nt!NtSetInformationThread
- [ e7]: [805026ec --> 805f0062] nt!NtSetInformationToken
- [ e8]: [805026f0 --> 8060d9f6] nt!NtSetIntervalProfile
- [ e9]: [805026f4 --> 8056e422] nt!NtSetIoCompletion
- [ ea]: [805026f8 --> 805c9a52] nt!NtSetLdtEntries
- [ eb]: [805026fc --> 8060d52a] nt!NtSetLowEventPair
- [ ec]: [80502700 --> 8060d452] nt!NtSetLowWaitHighEventPair
- [ ed]: [80502704 --> 80570e20] nt!NtSetQuotaInformationFile
- [ ee]: [80502708 --> 805b595c] nt!NtSetSecurityObject
- [ ef]: [8050270c --> 8060cc24] nt!NtSetSystemEnvironmentValue
- [ f0]: [80502710 --> 8060c968] nt!NtSetSystemEnvironmentValueEx
- [ f1]: [80502714 --> 80605cd8] nt!NtSetSystemInformation
- [ f2]: [80502718 --> 806485f6] nt!NtSetSystemPowerState
- [ f3]: [8050271c --> 8060a3e6] nt!NtSetSystemTime
- [ f4]: [80502720 --> 805be096] nt!NtSetThreadExecutionState
- [ f5]: [80502724 --> 805356d2] nt!NtSetTimer
- [ f6]: [80502728 --> 806098b8] nt!NtSetTimerResolution
- [ f7]: [8050272c --> 8060b734] nt!NtSetUuidSeed
- [ f8]: [80502730 --> 806188ee] nt!NtSetValueKey
- [ f9]: [80502734 --> 80571756] nt!NtSetVolumeInformationFile
- [ fa]: [80502738 --> 80608ed4] nt!NtShutdownSystem
- [ fb]: [8050273c --> 80523210] nt!NtSignalAndWaitForSingleObject
- [ fc]: [80502740 --> 8060dc40] nt!NtStartProfile
- [ fd]: [80502744 --> 8060ddea] nt!NtStopProfile
- [ fe]: [80502748 --> 805cabd0] nt!NtSuspendProcess
- [ ff]: [8050274c --> 805caa42] nt!NtSuspendThread
- [ 100]: [80502750 --> 8060e00e] nt!NtSystemDebugControl
- [ 101]: [80502754 --> 805cd640] nt!NtTerminateJobObject
- [ 102]: [80502758 --> 805c8b10] nt!NtTerminateProcess
- [ 103]: [8050275c --> 805c8d0a] nt!NtTerminateThread
- [ 104]: [80502760 --> 805cad90] nt!NtTestAlert
- [ 105]: [80502764 --> 80531db0] nt!NtTraceEvent
- [ 106]: [80502768 --> 8060c992] nt!NtTranslateFilePath
- [ 107]: [8050276c --> 805799dc] nt!NtUnloadDriver
- [ 108]: [80502770 --> 80618bb6] nt!NtUnloadKey
- [ 109]: [80502774 --> 80618da4] nt!NtUnloadKeyEx
- [ 10a]: [80502778 --> 8056ec08] nt!NtUnlockFile
- [ 10b]: [8050277c --> 805ac574] nt!NtUnlockVirtualMemory
- [ 10c]: [80502780 --> 805a833c] nt!NtUnmapViewOfSection
- [ 10d]: [80502784 --> 805f141a] nt!NtVdmControl
- [ 10e]: [80502788 --> 80638ab8] nt!NtWaitForDebugEvent
- [ 10f]: [8050278c --> 805b6094] nt!NtWaitForMultipleObjects
- [ 110]: [80502790 --> 805b5faa] nt!NtWaitForSingleObject
- [ 111]: [80502794 --> 8060d3ee] nt!NtWaitHighEventPair
- [ 112]: [80502798 --> 8060d38a] nt!NtWaitLowEventPair
- [ 113]: [8050279c --> 80572598] nt!NtWriteFile
- [ 114]: [805027a0 --> 80572ba8] nt!NtWriteFileGather
- [ 115]: [805027a4 --> 8059b2ca] nt!NtWriteRequestData
- [ 116]: [805027a8 --> 805a98c2] nt!NtWriteVirtualMemory
- [ 117]: [805027ac --> 805029f4] nt!NtYieldExecution
- [ 118]: [805027b0 --> 8060e466] nt!NtCreateKeyedEvent
- [ 119]: [805027b4 --> 8060e550] nt!NtOpenKeyedEvent
- [ 11a]: [805027b8 --> 8060e602] nt!NtReleaseKeyedEvent
- [ 11b]: [805027bc --> 8060e88e] nt!NtWaitForKeyedEvent
- [ 11c]: [805027c0 --> 805c16c4] nt!NtQueryPortInformationProcess
As can be seen, the first four entries of KeServiceDescriptorTable describe KiServiceTable: [start_addr, start_index, end_addr, end_index]
- //
- // System Service Table Descriptor
- //
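- typedef struct _KSERVICE_TABLE_DESCRIPTOR
- {
- PULONG_PTR Base; // array of service routine addresses (KiServiceTable)
- PULONG Count; // optional per-service call counters
- ULONG Limit; // number of services in the table
- #if defined(_IA64_)
- LONG TableBaseGpOffset;
- #endif
- PUCHAR Number; // argument byte counts per service (KiArgumentTable)
- } KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;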
- //
- // Exported System Service Descriptor Tables
- //
- //
- // Maximum System Descriptor Table Entries
- //
- #define SSDT_MAX_ENTRIES 2
- kd> dds nt!KeServiceDescriptorTable L8
- 80553580 80502354 nt!KiServiceTable
- 80553584 00000000
- 80553588 0000011c
- 8055358c 805027c8 nt!KiArgumentTable
- 80553590 00000000
- 80553594 00000000
- 80553598 00000000
- 8055359c 00000000
- kd> dds nt!KeServiceDescriptorTableShadow L8
- 80553540 80502354 nt!KiServiceTable
- 80553544 00000000
- 80553548 0000011c
- 8055354c 805027c8 nt!KiArgumentTable
- 80553550 bf999400 win32k!W32pServiceTable
- 80553554 00000000
- 80553558 0000029b
- 8055355c bf99a110 win32k!W32pArgumentTable
The actual lists of System Service Routines are in KiServiceTable and W32pServiceTable.
- [ 1]: [bf999400 --> bf9357a3] win32k!NtGdiAbortDoc
- [ 2]: [bf999404 --> bf947361] win32k!NtGdiAbortPath
- [ 3]: [bf999408 --> bf896625] win32k!NtGdiAddFontResourceW
- [ 4]: [bf99940c --> bf93ef25] win32k!NtGdiAddRemoteFontToDC
- [ 5]: [bf999410 --> bf948978] win32k!NtGdiAddFontMemResourceEx
- [ 6]: [bf999414 --> bf935a37] win32k!NtGdiRemoveMergeFont
- [ 7]: [bf999418 --> bf935adc] win32k!NtGdiAddRemoteMMInstanceToDC
- [ 8]: [bf99941c --> bf83b65f] win32k!NtGdiAlphaBlend
- [ 9]: [bf999420 --> bf94829f] win32k!NtGdiAngleArc
- [ a]: [bf999424 --> bf934242] win32k!NtGdiAnyLinkedFonts
- [ b]: [bf999428 --> bf948897] win32k!NtGdiFontIsLinked
- [ c]: [bf99942c --> bf90eea2] win32k!NtGdiArcInternal
- [ d]: [bf999430 --> bf900833] win32k!NtGdiBeginPath
- [ e]: [bf999434 --> bf80a178] win32k!NtGdiBitBlt
- [ f]: [bf999438 --> bf948769] win32k!NtGdiCancelDC
- [ 10]: [bf99943c --> bf949f65] win32k!NtGdiCheckBitmapBits
- [ 11]: [bf999440 --> bf8ff130] win32k!NtGdiCloseFigure
- [ 12]: [bf999444 --> bf89d4eb] win32k!NtGdiClearBitmapAttributes
- [ 13]: [bf999448 --> bf948847] win32k!NtGdiClearBrushAttributes
- [ 14]: [bf99944c --> bf94a098] win32k!NtGdiColorCorrectPalette
- [ 15]: [bf999450 --> bf8210bb] win32k!NtGdiCombineRgn
- [ 16]: [bf999454 --> bf8dcd15] win32k!NtGdiCombineTransform
- [ 17]: [bf999458 --> bf88374b] win32k!NtGdiComputeXformCoefficients
- [ 18]: [bf99945c --> bf87d210] win32k!NtGdiConsoleTextOut
- [ 19]: [bf999460 --> bf9100dd] win32k!NtGdiConvertMetafileRect
- [ 1a]: [bf999464 --> bf80e427] win32k!NtGdiCreateBitmap
- [ 1b]: [bf999468 --> bf8dc9bd] win32k!NtGdiCreateClientObj
- [ 1c]: [bf99946c --> bf949d5d] win32k!NtGdiCreateColorSpace
- [ 1d]: [bf999470 --> bf94ac5c] win32k!NtGdiCreateColorTransform
- [ 1e]: [bf999474 --> bf80fc96] win32k!NtGdiCreateCompatibleBitmap
- [ 1f]: [bf999478 --> bf80d0f2] win32k!NtGdiCreateCompatibleDC
- [ 20]: [bf99947c --> bf8d1699] win32k!NtGdiCreateDIBBrush
- [ 21]: [bf999480 --> bf838921] win32k!NtGdiCreateDIBitmapInternal
- [ 22]: [bf999484 --> bf82dac0] win32k!NtGdiCreateDIBSection
- [ 23]: [bf999488 --> bf9386bb] win32k!NtGdiCreateEllipticRgn
- [ 24]: [bf99948c --> bf84b5aa] win32k!NtGdiCreateHalftonePalette
- [ 25]: [bf999490 --> bf94bce8] win32k!NtGdiCreateHatchBrushInternal
- [ 26]: [bf999494 --> bf8e6517] win32k!NtGdiCreateMetafileDC
- [ 27]: [bf999498 --> bf88235e] win32k!NtGdiCreatePaletteInternal
- [ 28]: [bf99949c --> bf8687e1] win32k!NtGdiCreatePatternBrushInternal
- [ 29]: [bf9994a0 --> bf84f1ec] win32k!NtGdiCreatePen
- [ 2a]: [bf9994a4 --> bf8408ce] win32k!NtGdiCreateRectRgn
- [ 2b]: [bf9994a8 --> bf88cb87] win32k!NtGdiCreateRoundRectRgn
- [ 2c]: [bf9994ac --> bf90ffe2] win32k!NtGdiCreateServerMetaFile
- [ 2d]: [bf9994b0 --> bf81a08f] win32k!NtGdiCreateSolidBrush
- [ 2e]: [bf9994b4 --> bf9338ae] win32k!NtGdiD3dContextCreate
- [ 2f]: [bf9994b8 --> bf9338c1] win32k!NtGdiD3dContextDestroy
- [ 30]: [bf9994bc --> bf9338d4] win32k!NtGdiD3dContextDestroyAll
- [ 31]: [bf9994c0 --> bf9338e7] win32k!NtGdiD3dValidateTextureStageState
- [ 32]: [bf9994c4 --> bf9338fa] win32k!NtGdiD3dDrawPrimitives2
- [ 33]: [bf9994c8 --> bf93390d] win32k!NtGdiDdGetDriverState
- [ 34]: [bf9994cc --> bf933783] win32k!NtGdiDdAddAttachedSurface
- [ 35]: [bf9994d0 --> bf9339cd] win32k!NtGdiDdAlphaBlt
- [ 36]: [bf9994d4 --> bf907cf2] win32k!NtGdiDdAttachSurface
- [ 37]: [bf9994d8 --> bf933978] win32k!NtGdiDdBeginMoCompFrame
- [ 38]: [bf9994dc --> bf907d05] win32k!NtGdiDdBlt
- [ 39]: [bf9994e0 --> bf907adf] win32k!NtGdiDdCanCreateSurface
- [ 3a]: [bf9994e4 --> bf933885] win32k!NtGdiDdCanCreateD3DBuffer
- [ 3b]: [bf9994e8 --> bf933796] win32k!NtGdiDdColorControl
- [ 3c]: [bf9994ec --> bf8edd93] win32k!NtGdiDdCreateDirectDrawObject
- [ 3d]: [bf9994f0 --> bf8edda6] win32k!NtGdiDdCreateSurface
- [ 3e]: [bf9994f4 --> bf93386f] win32k!NtGdiDdCreateD3DBuffer
- [ 3f]: [bf9994f8 --> bf907b1e] win32k!NtGdiDdCreateMoComp
- [ 40]: [bf9994fc --> bf90815d] win32k!NtGdiDdCreateSurfaceObject
- [ 41]: [bf999500 --> bf8edfef] win32k!NtGdiDdDeleteDirectDrawObject
- [ 42]: [bf999504 --> bf907cc6] win32k!NtGdiDdDeleteSurfaceObject
- [ 43]: [bf999508 --> bf907af2] win32k!NtGdiDdDestroyMoComp
- [ 44]: [bf99950c --> bf8edfd9] win32k!NtGdiDdDestroySurface
- [ 45]: [bf999510 --> bf933898] win32k!NtGdiDdDestroyD3DBuffer
- [ 46]: [bf999514 --> bf93398b] win32k!NtGdiDdEndMoCompFrame
- [ 47]: [bf999518 --> bf908203] win32k!NtGdiDdFlip
- [ 48]: [bf99951c --> bf90890e] win32k!NtGdiDdFlipToGDISurface
- [ 49]: [bf999520 --> bf907cdc] win32k!NtGdiDdGetAvailDriverMemory
- [ 4a]: [bf999524 --> bf9337a9] win32k!NtGdiDdGetBltStatus
- [ 4b]: [bf999528 --> bf907a4a] win32k!NtGdiDdGetDC
- [ 4c]: [bf99952c --> bf907a89] win32k!NtGdiDdGetDriverInfo
- [ 4d]: [bf999530 --> bf933817] win32k!NtGdiDdGetDxHandle
- [ 4e]: [bf999534 --> bf9337bf] win32k!NtGdiDdGetFlipStatus
- [ 4f]: [bf999538 --> bf933962] win32k!NtGdiDdGetInternalMoCompInfo
- [ 50]: [bf99953c --> bf93394c] win32k!NtGdiDdGetMoCompBuffInfo
- [ 51]: [bf999540 --> bf907b08] win32k!NtGdiDdGetMoCompGuids
- [ 52]: [bf999544 --> bf933936] win32k!NtGdiDdGetMoCompFormats
- [ 53]: [bf999548 --> bf908a14] win32k!NtGdiDdGetScanLine
- [ 54]: [bf99954c --> bf8e42af] win32k!NtGdiDdLock
- [ 55]: [bf999550 --> bf933843] win32k!NtGdiDdLockD3D
- [ 56]: [bf999554 --> bf8edd32] win32k!NtGdiDdQueryDirectDrawObject
- [ 57]: [bf999558 --> bf9339b7] win32k!NtGdiDdQueryMoCompStatus
- [ 58]: [bf99955c --> bf8edd6d] win32k!NtGdiDdReenableDirectDrawObject
- [ 59]: [bf999560 --> bf907bbe] win32k!NtGdiDdReleaseDC
- [ 5a]: [bf999564 --> bf9339a1] win32k!NtGdiDdRenderMoComp
- [ 5b]: [bf999568 --> bf8e40f5] win32k!NtGdiDdResetVisrgn
- [ 5c]: [bf99956c --> bf908219] win32k!NtGdiDdSetColorKey
- [ 5d]: [bf999570 --> bf9337d5] win32k!NtGdiDdSetExclusiveMode
- [ 5e]: [bf999574 --> bf93382d] win32k!NtGdiDdSetGammaRamp
- [ 5f]: [bf999578 --> bf933920] win32k!NtGdiDdCreateSurfaceEx
- [ 60]: [bf99957c --> bf9337eb] win32k!NtGdiDdSetOverlayPosition
- [ 61]: [bf999580 --> bf907d92] win32k!NtGdiDdUnattachSurface
- [ 62]: [bf999584 --> bf8e40a5] win32k!NtGdiDdUnlock
- [ 63]: [bf999588 --> bf933859] win32k!NtGdiDdUnlockD3D
- [ 64]: [bf99958c --> bf9081ed] win32k!NtGdiDdUpdateOverlay
- [ 65]: [bf999590 --> bf933801] win32k!NtGdiDdWaitForVerticalBlank
- [ 66]: [bf999594 --> bf9339e0] win32k!NtGdiDvpCanCreateVideoPort
- [ 67]: [bf999598 --> bf9339f6] win32k!NtGdiDvpColorControl
- [ 68]: [bf99959c --> bf933a0c] win32k!NtGdiDvpCreateVideoPort
- [ 69]: [bf9995a0 --> bf933a22] win32k!NtGdiDvpDestroyVideoPort
- [ 6a]: [bf9995a4 --> bf933a38] win32k!NtGdiDvpFlipVideoPort
- [ 6b]: [bf9995a8 --> bf933a4e] win32k!NtGdiDvpGetVideoPortBandwidth
- [ 6c]: [bf9995ac --> bf933a64] win32k!NtGdiDvpGetVideoPortField
- [ 6d]: [bf9995b0 --> bf933a7a] win32k!NtGdiDvpGetVideoPortFlipStatus
- [ 6e]: [bf9995b4 --> bf933a90] win32k!NtGdiDvpGetVideoPortInputFormats
- [ 6f]: [bf9995b8 --> bf933aa6] win32k!NtGdiDvpGetVideoPortLine
- [ 70]: [bf9995bc --> bf933abc] win32k!NtGdiDvpGetVideoPortOutputFormats
- [ 71]: [bf9995c0 --> bf933ad2] win32k!NtGdiDvpGetVideoPortConnectInfo
- [ 72]: [bf9995c4 --> bf933ae8] win32k!NtGdiDvpGetVideoSignalStatus
- [ 73]: [bf9995c8 --> bf933afe] win32k!NtGdiDvpUpdateVideoPort
- [ 74]: [bf9995cc --> bf933b14] win32k!NtGdiDvpWaitForVideoPortSync
- [ 75]: [bf9995d0 --> bf933b2a] win32k!NtGdiDvpAcquireNotification
- [ 76]: [bf9995d4 --> bf933b40] win32k!NtGdiDvpReleaseNotification
- [ 77]: [bf9995d8 --> bf933770] win32k!NtGdiDxgGenericThunk
- [ 78]: [bf9995dc --> bf8dcadf] win32k!NtGdiDeleteClientObj
- [ 79]: [bf9995e0 --> bf949d50] win32k!NtGdiDeleteColorSpace
- [ 7a]: [bf9995e4 --> bf94af18] win32k!NtGdiDeleteColorTransform
- [ 7b]: [bf9995e8 --> bf80fb23] win32k!NtGdiDeleteObjectApp
- [ 7c]: [bf9995ec --> bf94944e] win32k!NtGdiDescribePixelFormat
- [ 7d]: [bf9995f0 --> bf8faebb] win32k!NtGdiGetPerBandInfo
- [ 7e]: [bf9995f4 --> bf8fc502] win32k!NtGdiDoBanding
- [ 7f]: [bf9995f8 --> bf843898] win32k!NtGdiDoPalette
- [ 80]: [bf9995fc --> bf9482e9] win32k!NtGdiDrawEscape
- [ 81]: [bf999600 --> bf8d41b0] win32k!NtGdiEllipse
- [ 82]: [bf999604 --> bf89bbe3] win32k!NtGdiEnableEudc
- [ 83]: [bf999608 --> bf8fbe4b] win32k!NtGdiEndDoc
- [ 84]: [bf99960c --> bf9052ee] win32k!NtGdiEndPage
- [ 85]: [bf999610 --> bf9008d3] win32k!NtGdiEndPath
- [ 86]: [bf999614 --> bf88768a] win32k!NtGdiEnumFontChunk
- [ 87]: [bf999618 --> bf887609] win32k!NtGdiEnumFontClose
- [ 88]: [bf99961c --> bf886c98] win32k!NtGdiEnumFontOpen
- [ 89]: [bf999620 --> bf8d19a1] win32k!NtGdiEnumObjects
- [ 8a]: [bf999624 --> bf9387b6] win32k!NtGdiEqualRgn
- [ 8b]: [bf999628 --> bf94f4f3] win32k!NtGdiEudcLoadUnloadLink
- [ 8c]: [bf99962c --> bf82d2c1] win32k!NtGdiExcludeClipRect
- [ 8d]: [bf999630 --> bf8c9d87] win32k!NtGdiExtCreatePen
- [ 8e]: [bf999634 --> bf840c15] win32k!NtGdiExtCreateRegion
- [ 8f]: [bf999638 --> bf8bfb6c] win32k!NtGdiExtEscape
- [ 90]: [bf99963c --> bf950311] win32k!NtGdiExtFloodFill
- [ 91]: [bf999640 --> bf82c1c7] win32k!NtGdiExtGetObjectW
- [ 92]: [bf999644 --> bf80f2e7] win32k!NtGdiExtSelectClipRgn
- [ 93]: [bf999648 --> bf82928c] win32k!NtGdiExtTextOutW
- [ 94]: [bf99964c --> bf947486] win32k!NtGdiFillPath
- [ 95]: [bf999650 --> bf875583] win32k!NtGdiFillRgn
- [ 96]: [bf999654 --> bf9473eb] win32k!NtGdiFlattenPath
- [ 97]: [bf999658 --> bf80c24f] win32k!NtGdiFlushUserBatch
- [ 98]: [bf99965c --> bf807a02] win32k!NtGdiFlush
- [ 99]: [bf999660 --> bf94932e] win32k!NtGdiForceUFIMapping
- [ 9a]: [bf999664 --> bf88cdf9] win32k!NtGdiFrameRgn
- [ 9b]: [bf999668 --> bf93b48f] win32k!NtGdiFullscreenControl
- [ 9c]: [bf99966c --> bf8c9058] win32k!NtGdiGetAndSetDCDword
- [ 9d]: [bf999670 --> bf816afe] win32k!NtGdiGetAppClipBox
- [ 9e]: [bf999674 --> bf875a76] win32k!NtGdiGetBitmapBits
- [ 9f]: [bf999678 --> bf949250] win32k!NtGdiGetBitmapDimension
- [ a0]: [bf99967c --> bf8bd5dd] win32k!NtGdiGetBoundsRect
- [ a1]: [bf999680 --> bf8f91ba] win32k!NtGdiGetCharABCWidthsW
- [ a2]: [bf999684 --> bf9479f4] win32k!NtGdiGetCharacterPlacementW
- [ a3]: [bf999688 --> bf80f8b3] win32k!NtGdiGetCharSet
- [ a4]: [bf99968c --> bf8eb49e] win32k!NtGdiGetCharWidthW
- [ a5]: [bf999690 --> bf882e1c] win32k!NtGdiGetCharWidthInfo
- [ a6]: [bf999694 --> bf94860b] win32k!NtGdiGetColorAdjustment
- [ a7]: [bf999698 --> bf950bc6] win32k!NtGdiGetColorSpaceforBitmap
- [ a8]: [bf99969c --> bf82c494] win32k!NtGdiGetDCDword
- [ a9]: [bf9996a0 --> bf836294] win32k!NtGdiGetDCforBitmap
- [ aa]: [bf9996a4 --> bf82c321] win32k!NtGdiGetDCObject
- [ ab]: [bf9996a8 --> bf8c5409] win32k!NtGdiGetDCPoint
- [ ac]: [bf9996ac --> bf948807] win32k!NtGdiGetDeviceCaps
- [ ad]: [bf9996b0 --> bf94a2ef] win32k!NtGdiGetDeviceGammaRamp
- [ ae]: [bf9996b4 --> bf8fa227] win32k!NtGdiGetDeviceCapsAll
- [ af]: [bf9996b8 --> bf84567d] win32k!NtGdiGetDIBitsInternal
- [ b0]: [bf9996bc --> bf951b29] win32k!NtGdiGetETM
- [ b1]: [bf9996c0 --> bf94cf95] win32k!NtGdiGetEudcTimeStampEx
- [ b2]: [bf9996c4 --> bf8ecc8c] win32k!NtGdiGetFontData
- [ b3]: [bf9996c8 --> bf948aa6] win32k!NtGdiGetFontResourceInfoInternalW
- [ b4]: [bf9996cc --> bf949731] win32k!NtGdiGetGlyphIndicesW
- [ b5]: [bf9996d0 --> bf9495d4] win32k!NtGdiGetGlyphIndicesWInternal
- [ b6]: [bf9996d4 --> bf9483fc] win32k!NtGdiGetGlyphOutline
- [ b7]: [bf9996d8 --> bf948501] win32k!NtGdiGetKerningPairs
- [ b8]: [bf9996dc --> bf9357bb] win32k!NtGdiGetLinkedUFIs
- [ b9]: [bf9996e0 --> bf8e657f] win32k!NtGdiGetMiterLimit
- [ ba]: [bf9996e4 --> bf93e3b6] win32k!NtGdiGetMonitorID
- [ bb]: [bf9996e8 --> bf82d417] win32k!NtGdiGetNearestColor
- [ bc]: [bf9996ec --> bf94bd6e] win32k!NtGdiGetNearestPaletteIndex
- [ bd]: [bf9996f0 --> bf948592] win32k!NtGdiGetObjectBitmapHandle
- [ be]: [bf9996f4 --> bf8eab87] win32k!NtGdiGetOutlineTextMetricsInternalW
- [ bf]: [bf9996f8 --> bf947853] win32k!NtGdiGetPath
- [ c0]: [bf9996fc --> bf84666d] win32k!NtGdiGetPixel
- [ c1]: [bf999700 --> bf80f2f7] win32k!NtGdiGetRandomRgn
- [ c2]: [bf999704 --> bf8ed7ca] win32k!NtGdiGetRasterizerCaps
- [ c3]: [bf999708 --> bf9497dc] win32k!NtGdiGetRealizationInfo
- [ c4]: [bf99970c --> bf87f1b4] win32k!NtGdiGetRegionData
- [ c5]: [bf999710 --> bf8c5353] win32k!NtGdiGetRgnBox
- [ c6]: [bf999714 --> bf91023c] win32k!NtGdiGetServerMetaFileBits
- [ c7]: [bf999718 --> bf890c97] win32k!NtGdiGetSpoolMessage
- [ c8]: [bf99971c --> bf951ca6] win32k!NtGdiGetStats
- [ c9]: [bf999720 --> bf81fa30] win32k!NtGdiGetStockObject
- [ ca]: [bf999724 --> bf94eb87] win32k!NtGdiGetStringBitmapW
- [ cb]: [bf999728 --> bf8f4c41] win32k!NtGdiGetSystemPaletteUse
- [ cc]: [bf99972c --> bf837d45] win32k!NtGdiGetTextCharsetInfo
- [ cd]: [bf999730 --> bf84ab72] win32k!NtGdiGetTextExtent
- [ ce]: [bf999734 --> bf8d1207] win32k!NtGdiGetTextExtentExW
- [ cf]: [bf999738 --> bf839de4] win32k!NtGdiGetTextFaceW
- [ d0]: [bf99973c --> bf837ba3] win32k!NtGdiGetTextMetricsW
- [ d1]: [bf999740 --> bf8bc64f] win32k!NtGdiGetTransform
- [ d2]: [bf999744 --> bf948ced] win32k!NtGdiGetUFI
- [ d3]: [bf999748 --> bf948db6] win32k!NtGdiGetEmbUFI
- [ d4]: [bf99974c --> bf948e96] win32k!NtGdiGetUFIPathname
- [ d5]: [bf999750 --> bf948c6e] win32k!NtGdiGetEmbedFonts
- [ d6]: [bf999754 --> bf948c78] win32k!NtGdiChangeGhostFont
- [ d7]: [bf999758 --> bf934aed] win32k!NtGdiAddEmbFontToDC
- [ d8]: [bf99975c --> bf949755] win32k!NtGdiGetFontUnicodeRanges
- [ d9]: [bf999760 --> bf838ff4] win32k!NtGdiGetWidthTable
- [ da]: [bf999764 --> bf88e033] win32k!NtGdiGradientFill
- [ db]: [bf999768 --> bf837891] win32k!NtGdiHfontCreate
- [ dc]: [bf99976c --> bf94a8d3] win32k!NtGdiIcmBrushInfo
- [ dd]: [bf999770 --> bf87c3bc] win32k!NtGdiInit
- [ de]: [bf999774 --> bf89dc09] win32k!NtGdiInitSpool
- [ df]: [bf999778 --> bf816627] win32k!NtGdiIntersectClipRect
- [ e0]: [bf99977c --> bf8f8704] win32k!NtGdiInvertRgn
- [ e1]: [bf999780 --> bf8c6c65] win32k!NtGdiLineTo
- [ e2]: [bf999784 --> bf9494c8] win32k!NtGdiMakeFontDir
- [ e3]: [bf999788 --> bf950bff] win32k!NtGdiMakeInfoDC
- [ e4]: [bf99978c --> bf8386f2] win32k!NtGdiMaskBlt
- [ e5]: [bf999790 --> bf8bc42c] win32k!NtGdiModifyWorldTransform
- [ e6]: [bf999794 --> bf8e6752] win32k!NtGdiMonoBitmap
- [ e7]: [bf999798 --> bf948799] win32k!NtGdiMoveTo
- [ e8]: [bf99979c --> bf8fc39d] win32k!NtGdiOffsetClipRgn
- [ e9]: [bf9997a0 --> bf8367a8] win32k!NtGdiOffsetRgn
- [ ea]: [bf9997a4 --> bf838c10] win32k!NtGdiOpenDCW
- [ eb]: [bf9997a8 --> bf8c49c1] win32k!NtGdiPatBlt
- [ ec]: [bf9997ac --> bf82f42b] win32k!NtGdiPolyPatBlt
- [ ed]: [bf9997b0 --> bf947560] win32k!NtGdiPathToRegion
- [ ee]: [bf9997b4 --> bf94312d] win32k!NtGdiPlgBlt
- [ ef]: [bf9997b8 --> bf947e87] win32k!NtGdiPolyDraw
- [ f0]: [bf9997bc --> bf84ea6e] win32k!NtGdiPolyPolyDraw
- [ f1]: [bf9997c0 --> bf947f84] win32k!NtGdiPolyTextOutW
- [ f2]: [bf9997c4 --> bf948887] win32k!NtGdiPtInRegion
- [ f3]: [bf9997c8 --> bf938958] win32k!NtGdiPtVisible
- [ f4]: [bf9997cc --> bf9488a7] win32k!NtGdiQueryFonts
- [ f5]: [bf9997d0 --> bf87c8cd] win32k!NtGdiQueryFontAssocInfo
- [ f6]: [bf9997d4 --> bf8e3601] win32k!NtGdiRectangle
- [ f7]: [bf9997d8 --> bf8ee042] win32k!NtGdiRectInRegion
- [ f8]: [bf9997dc --> bf8351f2] win32k!NtGdiRectVisible
- [ f9]: [bf9997e0 --> bf8d0ae2] win32k!NtGdiRemoveFontResourceW
- [ fa]: [bf9997e4 --> bf948a8a] win32k!NtGdiRemoveFontMemResourceEx
- [ fb]: [bf9997e8 --> bf8e3060] win32k!NtGdiResetDC
- [ fc]: [bf9997ec --> bf94bfe2] win32k!NtGdiResizePalette
- [ fd]: [bf9997f0 --> bf82e80f] win32k!NtGdiRestoreDC
- [ fe]: [bf9997f4 --> bf90e07e] win32k!NtGdiRoundRect
- [ ff]: [bf9997f8 --> bf82e81f] win32k!NtGdiSaveDC
- [ 100]: [bf9997fc --> bf94131f] win32k!NtGdiScaleViewportExtEx
- [ 101]: [bf999800 --> bf9491dc] win32k!NtGdiScaleWindowExtEx
- [ 102]: [bf999804 --> bf808d86] win32k!GreSelectBitmap
- [ 103]: [bf999808 --> bf948779] win32k!NtGdiSelectBrush
- [ 104]: [bf99980c --> bf9009ce] win32k!NtGdiSelectClipPath
- [ 105]: [bf999810 --> bf8210cb] win32k!NtGdiSelectFont
- [ 106]: [bf999814 --> bf948789] win32k!NtGdiSelectPen
- [ 107]: [bf999818 --> bf89d5f2] win32k!NtGdiSetBitmapAttributes
- [ 108]: [bf99981c --> bf8c4309] win32k!NtGdiSetBitmapBits
- [ 109]: [bf999820 --> bf9492ba] win32k!NtGdiSetBitmapDimension
- [ 10a]: [bf999824 --> bf8bd9e4] win32k!NtGdiSetBoundsRect
- [ 10b]: [bf999828 --> bf948827] win32k!NtGdiSetBrushAttributes
- [ 10c]: [bf99982c --> bf8c43a7] win32k!NtGdiSetBrushOrg
- [ 10d]: [bf999830 --> bf94866c] win32k!NtGdiSetColorAdjustment
- [ 10e]: [bf999834 --> bf949e12] win32k!NtGdiSetColorSpace
- [ 10f]: [bf999838 --> bf94a62b] win32k!NtGdiSetDeviceGammaRamp
- [ 110]: [bf99983c --> bf82bbeb] win32k!NtGdiSetDIBitsToDeviceInternal
- [ 111]: [bf999840 --> bf8b82ba] win32k!NtGdiSetFontEnumeration
- [ 112]: [bf999844 --> bf8dce95] win32k!NtGdiSetFontXform
- [ 113]: [bf999848 --> bf8c65a8] win32k!NtGdiSetIcmMode
- [ 114]: [bf99984c --> bf8fabb9] win32k!NtGdiSetLinkedUFIs
- [ 115]: [bf999850 --> bf94c26c] win32k!NtGdiSetMagicColors
- [ 116]: [bf999854 --> bf8dcc14] win32k!NtGdiSetMetaRgn
- [ 117]: [bf999858 --> bf8dcc36] win32k!NtGdiSetMiterLimit
- [ 118]: [bf99985c --> bf9491cc] win32k!NtGdiGetDeviceWidth
- [ 119]: [bf999860 --> bf9491bc] win32k!NtGdiMirrorWindowOrg
- [ 11a]: [bf999864 --> bf82d1c9] win32k!NtGdiSetLayout
- [ 11b]: [bf999868 --> bf8468af] win32k!NtGdiSetPixel
- [ 11c]: [bf99986c --> bf952970] win32k!NtGdiSetPixelFormat
- [ 11d]: [bf999870 --> bf948877] win32k!NtGdiSetRectRgn
- [ 11e]: [bf999874 --> bf948817] win32k!NtGdiSetSystemPaletteUse
- [ 11f]: [bf999878 --> bf951f36] win32k!NtGdiSetTextJustification
- [ 120]: [bf99987c --> bf8992a6] win32k!NtGdiSetupPublicCFONT
- [ 121]: [bf999880 --> bf8dca38] win32k!NtGdiSetVirtualResolution
- [ 122]: [bf999884 --> bf8dcf06] win32k!NtGdiSetSizeDevice
- [ 123]: [bf999888 --> bf9041c6] win32k!NtGdiStartDoc
- [ 124]: [bf99988c --> bf90513f] win32k!NtGdiStartPage
- [ 125]: [bf999890 --> bf881872] win32k!NtGdiStretchBlt
- [ 126]: [bf999894 --> bf848dfd] win32k!NtGdiStretchDIBitsInternal
- [ 127]: [bf999898 --> bf8ff549] win32k!NtGdiStrokeAndFillPath
- [ 128]: [bf99989c --> bf947767] win32k!NtGdiStrokePath
- [ 129]: [bf9998a0 --> bf952b18] win32k!NtGdiSwapBuffers
- [ 12a]: [bf9998a4 --> bf8c4b54] win32k!NtGdiTransformPoints
- [ 12b]: [bf9998a8 --> bf8bbdaf] win32k!NtGdiTransparentBlt
- [ 12c]: [bf9998ac --> bf94939f] win32k!NtGdiUnloadPrinterDriver
- [ 12d]: [bf9998b0 --> bf952dd6] win32k!NtGdiUnmapMemFont
- [ 12e]: [bf9998b4 --> bf948867] win32k!NtGdiUnrealizeObject
- [ 12f]: [bf9998b8 --> bf94c27c] win32k!NtGdiUpdateColors
- [ 130]: [bf9998bc --> bf947648] win32k!NtGdiWidenPath
- [ 131]: [bf9998c0 --> bf8855d0] win32k!NtUserActivateKeyboardLayout
- [ 132]: [bf9998c4 --> bf88b0ee] win32k!NtUserAlterWindowStyle
- [ 133]: [bf9998c8 --> bf9143f8] win32k!NtUserAssociateInputContext
- [ 134]: [bf9998cc --> bf8f519c] win32k!NtUserAttachThreadInput
- [ 135]: [bf9998d0 --> bf815a6d] win32k!NtUserBeginPaint
- [ 136]: [bf9998d4 --> bf8f4c67] win32k!NtUserBitBltSysBmp
- [ 137]: [bf9998d8 --> bf912d94] win32k!NtUserBlockInput
- [ 138]: [bf9998dc --> bf91452f] win32k!NtUserBuildHimcList
- [ 139]: [bf9998e0 --> bf8360b3] win32k!NtUserBuildHwndList
- [ 13a]: [bf9998e4 --> bf86b9f4] win32k!NtUserBuildNameList
- [ 13b]: [bf9998e8 --> bf912b57] win32k!NtUserBuildPropList
- [ 13c]: [bf9998ec --> bf8c208c] win32k!NtUserCallHwnd
- [ 13d]: [bf9998f0 --> bf8366ef] win32k!NtUserCallHwndLock
- [ 13e]: [bf9998f4 --> bf89ac2c] win32k!NtUserCallHwndOpt
- [ 13f]: [bf9998f8 --> bf8368e2] win32k!NtUserCallHwndParam
- [ 140]: [bf9998fc --> bf828813] win32k!NtUserCallHwndParamLock
- [ 141]: [bf999900 --> bf8f4b76] win32k!NtUserCallMsgFilter
- [ 142]: [bf999904 --> bf8f655f] win32k!NtUserCallNextHookEx
- [ 143]: [bf999908 --> bf8010df] win32k!NtUserCallNoParam
- [ 144]: [bf99990c --> bf801097] win32k!NtUserCallOneParam
- [ 145]: [bf999910 --> bf8368a2] win32k!NtUserCallTwoParam
- [ 146]: [bf999914 --> bf8f974d] win32k!NtUserChangeClipboardChain
- [ 147]: [bf999918 --> bf8b689c] win32k!NtUserChangeDisplaySettings
- [ 148]: [bf99991c --> bf86c501] win32k!NtUserCheckImeHotKey
- [ 149]: [bf999920 --> bf8cca4b] win32k!NtUserCheckMenuItem
- [ 14a]: [bf999924 --> bf8940b7] win32k!NtUserChildWindowFromPointEx
- [ 14b]: [bf999928 --> bf8fa9d9] win32k!NtUserClipCursor
- [ 14c]: [bf99992c --> bf8f8609] win32k!NtUserCloseClipboard
- [ 14d]: [bf999930 --> bf86b6cf] win32k!NtUserCloseDesktop
- [ 14e]: [bf999934 --> bf86b791] win32k!NtUserCloseWindowStation
- [ 14f]: [bf999938 --> bf87bdf0] win32k!NtUserConsoleControl
- [ 150]: [bf99993c --> bf8ea9b4] win32k!NtUserConvertMemHandle
- [ 151]: [bf999940 --> bf90d6b7] win32k!NtUserCopyAcceleratorTable
- [ 152]: [bf999944 --> bf8f4c1b] win32k!NtUserCountClipboardFormats
- [ 153]: [bf999948 --> bf84b4cf] win32k!NtUserCreateAcceleratorTable
- [ 154]: [bf99994c --> bf8733b4] win32k!NtUserCreateCaret
- [ 155]: [bf999950 --> bf89d1d8] win32k!NtUserCreateDesktop
- [ 156]: [bf999954 --> bf91435e] win32k!NtUserCreateInputContext
- [ 157]: [bf999958 --> bf8f9aa8] win32k!NtUserCreateLocalMemHandle
- [ 158]: [bf99995c --> bf834af6] win32k!NtUserCreateWindowEx
- [ 159]: [bf999960 --> bf89d949] win32k!NtUserCreateWindowStation
- [ 15a]: [bf999964 --> bf911be1] win32k!NtUserDdeGetQualityOfService
- [ 15b]: [bf999968 --> bf89b8dd] win32k!NtUserDdeInitialize
- [ 15c]: [bf99996c --> bf911b11] win32k!NtUserDdeSetQualityOfService
- [ 15d]: [bf999970 --> bf86c82e] win32k!NtUserDeferWindowPos
- [ 15e]: [bf999974 --> bf86cbf4] win32k!NtUserDefSetText
- [ 15f]: [bf999978 --> bf8737e0] win32k!NtUserDeleteMenu
- [ 160]: [bf99997c --> bf8fa978] win32k!NtUserDestroyAcceleratorTable
- [ 161]: [bf999980 --> bf835e37] win32k!NtUserDestroyCursor
- [ 162]: [bf999984 --> bf9143ae] win32k!NtUserDestroyInputContext
- [ 163]: [bf999988 --> bf845a1f] win32k!NtUserDestroyMenu
- [ 164]: [bf99998c --> bf866c76] win32k!NtUserDestroyWindow
- [ 165]: [bf999990 --> bf914b66] win32k!NtUserDisableThreadIme
- [ 166]: [bf999994 --> bf80ed89] win32k!NtUserDispatchMessage
- [ 167]: [bf999998 --> bf912c52] win32k!NtUserDragDetect
- [ 168]: [bf99999c --> bf9110d5] win32k!NtUserDragObject
- [ 169]: [bf9999a0 --> bf911db1] win32k!NtUserDrawAnimatedRects
- [ 16a]: [bf9999a4 --> bf911e74] win32k!NtUserDrawCaption
- [ 16b]: [bf9999a8 --> bf90b537] win32k!NtUserDrawCaptionTemp
- [ 16c]: [bf9999ac --> bf83c221] win32k!NtUserDrawIconEx
- [ 16d]: [bf9999b0 --> bf912e1f] win32k!NtUserDrawMenuBarTemp
- [ 16e]: [bf9999b4 --> bf8ea639] win32k!NtUserEmptyClipboard
- [ 16f]: [bf9999b8 --> bf8c550e] win32k!NtUserEnableMenuItem
- [ 170]: [bf9999bc --> bf911a8c] win32k!NtUserEnableScrollBar
- [ 171]: [bf9999c0 --> bf82cdb7] win32k!NtUserEndDeferWindowPosEx
- [ 172]: [bf9999c4 --> bf911f1d] win32k!NtUserEndMenu
- [ 173]: [bf9999c8 --> bf815724] win32k!NtUserEndPaint
- [ 174]: [bf9999cc --> bf880b0c] win32k!NtUserEnumDisplayDevices
- [ 175]: [bf9999d0 --> bf835801] win32k!NtUserEnumDisplayMonitors
- [ 176]: [bf9999d4 --> bf8c0e17] win32k!NtUserEnumDisplaySettings
- [ 177]: [bf9999d8 --> bf911362] win32k!NtUserEvent
- [ 178]: [bf9999dc --> bf8f890a] win32k!NtUserExcludeUpdateRgn
- [ 179]: [bf9999e0 --> bf8f4aad] win32k!NtUserFillWindow
- [ 17a]: [bf9999e4 --> bf81b77e] win32k!NtUserFindExistingCursorIcon
- [ 17b]: [bf9999e8 --> bf869562] win32k!NtUserFindWindowEx
- [ 17c]: [bf9999ec --> bf914f55] win32k!NtUserFlashWindowEx
- [ 17d]: [bf9999f0 --> bf8e885b] win32k!NtUserGetAltTabInfo
- [ 17e]: [bf9999f4 --> bf82c9c9] win32k!NtUserGetAncestor
- [ 17f]: [bf9999f8 --> bf914903] win32k!NtUserGetAppImeLevel
- [ 180]: [bf9999fc --> bf87146d] win32k!NtUserGetAsyncKeyState
- [ 181]: [bf999a00 --> bf834cd2] win32k!NtUserGetAtomName
- [ 182]: [bf999a04 --> bf842297] win32k!NtUserGetCaretBlinkTime
- [ 183]: [bf999a08 --> bf8c50b2] win32k!NtUserGetCaretPos
- [ 184]: [bf999a0c --> bf843559] win32k!NtUserGetClassInfo
- [ 185]: [bf999a10 --> bf82c6fa] win32k!NtUserGetClassName
- [ 186]: [bf999a14 --> bf8f98e3] win32k!NtUserGetClipboardData
- [ 187]: [bf999a18 --> bf8ee107] win32k!NtUserGetClipboardFormatName
- [ 188]: [bf999a1c --> bf8ea72f] win32k!NtUserGetClipboardOwner
- [ 189]: [bf999a20 --> bf8c4e6b] win32k!NtUserGetClipboardSequenceNumber
- [ 18a]: [bf999a24 --> bf911f63] win32k!NtUserGetClipboardViewer
- [ 18b]: [bf999a28 --> bf9119f4] win32k!NtUserGetClipCursor
- [ 18c]: [bf999a2c --> bf91162a] win32k!NtUserGetComboBoxInfo
- [ 18d]: [bf999a30 --> bf882d33] win32k!NtUserGetControlBrush
- [ 18e]: [bf999a34 --> bf9075cb] win32k!NtUserGetControlColor
- [ 18f]: [bf999a38 --> bf821662] win32k!NtUserGetCPD
- [ 190]: [bf999a3c --> bf882fd2] win32k!NtUserGetCursorFrameInfo
- [ 191]: [bf999a40 --> bf911747] win32k!NtUserGetCursorInfo
- [ 192]: [bf999a44 --> bf804547] win32k!NtUserGetDC
- [ 193]: [bf999a48 --> bf83a237] win32k!NtUserGetDCEx
- [ 194]: [bf999a4c --> bf83b202] win32k!NtUserGetDoubleClickTime
- [ 195]: [bf999a50 --> bf820d48] win32k!NtUserGetForegroundWindow
- [ 196]: [bf999a54 --> bf91119e] win32k!NtUserGetGuiResources
- [ 197]: [bf999a58 --> bf869f06] win32k!NtUserGetGUIThreadInfo
- [ 198]: [bf999a5c --> bf842cc5] win32k!NtUserGetIconInfo
- [ 199]: [bf999a60 --> bf842e15] win32k!NtUserGetIconSize
- [ 19a]: [bf999a64 --> bf9147c1] win32k!NtUserGetImeHotKey
- [ 19b]: [bf999a68 --> bf914631] win32k!NtUserGetImeInfoEx
- [ 19c]: [bf999a6c --> bf9113f3] win32k!NtUserGetInternalWindowPos
- [ 19d]: [bf999a70 --> bf835528] win32k!NtUserGetKeyboardLayoutList
- [ 19e]: [bf999a74 --> bf8f5ff8] win32k!NtUserGetKeyboardLayoutName
- [ 19f]: [bf999a78 --> bf87606e] win32k!NtUserGetKeyboardState
- [ 1a0]: [bf999a7c --> bf90b884] win32k!NtUserGetKeyNameText
- [ 1a1]: [bf999a80 --> bf820ff3] win32k!NtUserGetKeyState
- [ 1a2]: [bf999a84 --> bf9116f3] win32k!NtUserGetListBoxInfo
- [ 1a3]: [bf999a88 --> bf911844] win32k!NtUserGetMenuBarInfo
- [ 1a4]: [bf999a8c --> bf911c9a] win32k!NtUserGetMenuIndex
- [ 1a5]: [bf999a90 --> bf9127ce] win32k!NtUserGetMenuItemRect
- [ 1a6]: [bf999a94 --> bf819fc9] win32k!NtUserGetMessage
- [ 1a7]: [bf999a98 --> bf9124a9] win32k!NtUserGetMouseMovePointsEx
- [ 1a8]: [bf999a9c --> bf81a241] win32k!NtUserGetObjectInformation
- [ 1a9]: [bf999aa0 --> bf8f4bef] win32k!NtUserGetOpenClipboardWindow
- [ 1aa]: [bf999aa4 --> bf911f8f] win32k!NtUserGetPriorityClipboardFormat
- [ 1ab]: [bf999aa8 --> bf81a0ac] win32k!NtUserGetProcessWindowStation
- [ 1ac]: [bf999aac --> bf9157d5] win32k!NtUserGetRawInputBuffer
- [ 1ad]: [bf999ab0 --> bf9150d5] win32k!NtUserGetRawInputData
- [ 1ae]: [bf999ab4 --> bf9152af] win32k!NtUserGetRawInputDeviceInfo
- [ 1af]: [bf999ab8 --> bf9155a4] win32k!NtUserGetRawInputDeviceList
- [ 1b0]: [bf999abc --> bf91579a] win32k!NtUserGetRegisteredRawInputDevices
- [ 1b1]: [bf999ac0 --> bf84624e] win32k!NtUserGetScrollBarInfo
- [ 1b2]: [bf999ac4 --> bf840ace] win32k!NtUserGetSystemMenu
- [ 1b3]: [bf999ac8 --> bf81a4f7] win32k!NtUserGetThreadDesktop
- [ 1b4]: [bf999acc --> bf823b41] win32k!NtUserGetThreadState
- [ 1b5]: [bf999ad0 --> bf83a4c1] win32k!NtUserGetTitleBarInfo
- [ 1b6]: [bf999ad4 --> bf83b02f] win32k!NtUserGetUpdateRect
- [ 1b7]: [bf999ad8 --> bf8c51fa] win32k!NtUserGetUpdateRgn
- [ 1b8]: [bf999adc --> bf803811] win32k!NtUserGetWindowDC
- [ 1b9]: [bf999ae0 --> bf8f9b76] win32k!NtUserGetWindowPlacement
- [ 1ba]: [bf999ae4 --> bf90da63] win32k!NtUserGetWOWClass
- [ 1bb]: [bf999ae8 --> bf910fdf] win32k!NtUserHardErrorControl
- [ 1bc]: [bf999aec --> bf82ce91] win32k!NtUserHideCaret
- [ 1bd]: [bf999af0 --> bf912018] win32k!NtUserHiliteMenuItem
- [ 1be]: [bf999af4 --> bf912dba] win32k!NtUserImpersonateDdeClientWindow
- [ 1bf]: [bf999af8 --> bf8b1d7e] win32k!NtUserInitialize
- [ 1c0]: [bf999afc --> bf8ac31e] win32k!NtUserInitializeClientPfnArrays
- [ 1c1]: [bf999b00 --> bf9114d2] win32k!NtUserInitTask
- [ 1c2]: [bf999b04 --> bf83a5bd] win32k!NtUserInternalGetWindowText
- [ 1c3]: [bf999b08 --> bf814dbb] win32k!NtUserInvalidateRect
- [ 1c4]: [bf999b0c --> bf8459c5] win32k!NtUserInvalidateRgn
- [ 1c5]: [bf999b10 --> bf8c4e31] win32k!NtUserIsClipboardFormatAvailable
- [ 1c6]: [bf999b14 --> bf80ea37] win32k!NtUserKillTimer
- [ 1c7]: [bf999b18 --> bf891798] win32k!NtUserLoadKeyboardLayoutEx
- [ 1c8]: [bf999b1c --> bf89d43a] win32k!NtUserLockWindowStation
- [ 1c9]: [bf999b20 --> bf8cc992] win32k!NtUserLockWindowUpdate
- [ 1ca]: [bf999b24 --> bf9110b8] win32k!NtUserLockWorkStation
- [ 1cb]: [bf999b28 --> bf8c7e35] win32k!NtUserMapVirtualKeyEx
- [ 1cc]: [bf999b2c --> bf9128a5] win32k!NtUserMenuItemFromPoint
- [ 1cd]: [bf999b30 --> bf80efcd] win32k!NtUserMessageCall
- [ 1ce]: [bf999b34 --> bf90f645] win32k!NtUserMinMaximize
- [ 1cf]: [bf999b38 --> bf912168] win32k!NtUserMNDragLeave
- [ 1d0]: [bf999b3c --> bf9120b8] win32k!NtUserMNDragOver
- [ 1d1]: [bf999b40 --> bf8e3267] win32k!NtUserModifyUserStartupInfoFlags
- [ 1d2]: [bf999b44 --> bf838ae5] win32k!NtUserMoveWindow
- [ 1d3]: [bf999b48 --> bf914b01] win32k!NtUserNotifyIMEStatus
- [ 1d4]: [bf999b4c --> bf87c3f2] win32k!NtUserNotifyProcessCreate
- [ 1d5]: [bf999b50 --> bf8c54b9] win32k!NtUserNotifyWinEvent
- [ 1d6]: [bf999b54 --> bf8f8586] win32k!NtUserOpenClipboard
- [ 1d7]: [bf999b58 --> bf86b969] win32k!NtUserOpenDesktop
- [ 1d8]: [bf999b5c --> bf899b89] win32k!NtUserOpenInputDesktop
- [ 1d9]: [bf999b60 --> bf8f9dbe] win32k!NtUserOpenWindowStation
- [ 1da]: [bf999b64 --> bf885886] win32k!NtUserPaintDesktop
- [ 1db]: [bf999b68 --> bf803700] win32k!NtUserPeekMessage
- [ 1dc]: [bf999b6c --> bf808b4d] win32k!NtUserPostMessage
- [ 1dd]: [bf999b70 --> bf86bf40] win32k!NtUserPostThreadMessage
- [ 1de]: [bf999b74 --> bf8b83bd] win32k!NtUserPrintWindow
- [ 1df]: [bf999b78 --> bf87a14a] win32k!NtUserProcessConnect
- [ 1e0]: [bf999b7c --> bf912937] win32k!NtUserQueryInformationThread
- [ 1e1]: [bf999b80 --> bf9144ab] win32k!NtUserQueryInputContext
- [ 1e2]: [bf999b84 --> bf912ce5] win32k!NtUserQuerySendMessage
- [ 1e3]: [bf999b88 --> bf914c0a] win32k!NtUserQueryUserCounters
- [ 1e4]: [bf999b8c --> bf803b9c] win32k!NtUserQueryWindow
- [ 1e5]: [bf999b90 --> bf911806] win32k!NtUserRealChildWindowFromPoint
- [ 1e6]: [bf999b94 --> bf899641] win32k!NtUserRealInternalGetMessage
- [ 1e7]: [bf999b98 --> bf91270e] win32k!NtUserRealWaitMessageEx
- [ 1e8]: [bf999b9c --> bf823d16] win32k!NtUserRedrawWindow
- [ 1e9]: [bf999ba0 --> bf81f433] win32k!NtUserRegisterClassExWOW
- [ 1ea]: [bf999ba4 --> bf89dd35] win32k!NtUserRegisterUserApiHook
- [ 1eb]: [bf999ba8 --> bf8b7901] win32k!NtUserRegisterHotKey
- [ 1ec]: [bf999bac --> bf9156ee] win32k!NtUserRegisterRawInputDevices
- [ 1ed]: [bf999bb0 --> bf9115f6] win32k!NtUserRegisterTasklist
- [ 1ee]: [bf999bb4 --> bf807b93] win32k!NtUserRegisterWindowMessage
- [ 1ef]: [bf999bb8 --> bf8b82e5] win32k!NtUserRemoveMenu
- [ 1f0]: [bf999bbc --> bf832c6e] win32k!NtUserRemoveProp
- [ 1f1]: [bf999bc0 --> bf892189] win32k!NtUserResolveDesktop
- [ 1f2]: [bf999bc4 --> bf9159e5] win32k!NtUserResolveDesktopForWOW
- [ 1f3]: [bf999bc8 --> bf8460f5] win32k!NtUserSBGetParms
- [ 1f4]: [bf999bcc --> bf879a5a] win32k!NtUserScrollDC
- [ 1f5]: [bf999bd0 --> bf8e593a] win32k!NtUserScrollWindowEx
- [ 1f6]: [bf999bd4 --> bf83856c] win32k!NtUserSelectPalette
- [ 1f7]: [bf999bd8 --> bf8c33ab] win32k!NtUserSendInput
- [ 1f8]: [bf999bdc --> bf8bacca] win32k!NtUserSetActiveWindow
- [ 1f9]: [bf999be0 --> bf914898] win32k!NtUserSetAppImeLevel
- [ 1fa]: [bf999be4 --> bf8724da] win32k!NtUserSetCapture
- [ 1fb]: [bf999be8 --> bf845c62] win32k!NtUserSetClassLong
- [ 1fc]: [bf999bec --> bf912185] win32k!NtUserSetClassWord
- [ 1fd]: [bf999bf0 --> bf8ea8d8] win32k!NtUserSetClipboardData
- [ 1fe]: [bf999bf4 --> bf8f9663] win32k!NtUserSetClipboardViewer
- [ 1ff]: [bf999bf8 --> bf88636b] win32k!NtUserSetConsoleReserveKeys
- [ 200]: [bf999bfc --> bf82126e] win32k!NtUserSetCursor
- [ 201]: [bf999c00 --> bf912787] win32k!NtUserSetCursorContents
- [ 202]: [bf999c04 --> bf842fa4] win32k!NtUserSetCursorIconData
- [ 203]: [bf999c08 --> bf911d1d] win32k!NtUserSetDbgTag
- [ 204]: [bf999c0c --> bf83a9b3] win32k!NtUserSetFocus
- [ 205]: [bf999c10 --> bf8916c2] win32k!NtUserSetImeHotKey
- [ 206]: [bf999c14 --> bf914716] win32k!NtUserSetImeInfoEx
- [ 207]: [bf999c18 --> bf91496d] win32k!NtUserSetImeOwnerWindow
- [ 208]: [bf999c1c --> bf87c056] win32k!NtUserSetInformationProcess
- [ 209]: [bf999c20 --> bf886135] win32k!NtUserSetInformationThread
- [ 20a]: [bf999c24 --> bf911913] win32k!NtUserSetInternalWindowPos
- [ 20b]: [bf999c28 --> bf8f89ea] win32k!NtUserSetKeyboardState
- [ 20c]: [bf999c2c --> bf8a5d53] win32k!NtUserSetLogonNotifyWindow
- [ 20d]: [bf999c30 --> bf90b74a] win32k!NtUserSetMenu
- [ 20e]: [bf999c34 --> bf911d40] win32k!NtUserSetMenuContextHelpId
- [ 20f]: [bf999c38 --> bf8b827a] win32k!NtUserSetMenuDefaultItem
- [ 210]: [bf999c3c --> bf911d7d] win32k!NtUserSetMenuFlagRtoL
- [ 211]: [bf999c40 --> bf91102a] win32k!NtUserSetObjectInformation
- [ 212]: [bf999c44 --> bf882afc] win32k!NtUserSetParent
- [ 213]: [bf999c48 --> bf86bd5b] win32k!NtUserSetProcessWindowStation
- [ 214]: [bf999c4c --> bf82847c] win32k!NtUserSetProp
- [ 215]: [bf999c50 --> bf911cfa] win32k!NtUserSetRipFlags
- [ 216]: [bf999c54 --> bf80e774] win32k!NtUserSetScrollInfo
- [ 217]: [bf999c58 --> bf89a417] win32k!NtUserSetShellWindowEx
- [ 218]: [bf999c5c --> bf9121c0] win32k!NtUserSetSysColors
- [ 219]: [bf999c60 --> bf91274e] win32k!NtUserSetSystemCursor
- [ 21a]: [bf999c64 --> bf8f61bb] win32k!NtUserSetSystemMenu
- [ 21b]: [bf999c68 --> bf912cac] win32k!NtUserSetSystemTimer
- [ 21c]: [bf999c6c --> bf86bdb3] win32k!NtUserSetThreadDesktop
- [ 21d]: [bf999c70 --> bf914a80] win32k!NtUserSetThreadLayoutHandles
- [ 21e]: [bf999c74 --> bf882cf7] win32k!NtUserSetThreadState
- [ 21f]: [bf999c78 --> bf803aab] win32k!NtUserSetTimer
- [ 220]: [bf999c7c --> bf882ba7] win32k!NtUserSetWindowFNID
- [ 221]: [bf999c80 --> bf832d7e] win32k!NtUserSetWindowLong
- [ 222]: [bf999c84 --> bf88d87b] win32k!NtUserSetWindowPlacement
- [ 223]: [bf999c88 --> bf828223] win32k!NtUserSetWindowPos
- [ 224]: [bf999c8c --> bf840823] win32k!NtUserSetWindowRgn
- [ 225]: [bf999c90 --> bf88e300] win32k!NtUserSetWindowsHookAW
- [ 226]: [bf999c94 --> bf8ba057] win32k!NtUserSetWindowsHookEx
- [ 227]: [bf999c98 --> bf89d2d7] win32k!NtUserSetWindowStationUser
- [ 228]: [bf999c9c --> bf8f8f9b] win32k!NtUserSetWindowWord
- [ 229]: [bf999ca0 --> bf8edb64] win32k!NtUserSetWinEventHook
- [ 22a]: [bf999ca4 --> bf82cef3] win32k!NtUserShowCaret
- [ 22b]: [bf999ca8 --> bf8c5730] win32k!NtUserShowScrollBar
- [ 22c]: [bf999cac --> bf83513b] win32k!NtUserShowWindow
- [ 22d]: [bf999cb0 --> bf89207c] win32k!NtUserShowWindowAsync
- [ 22e]: [bf999cb4 --> bf8e32d5] win32k!NtUserSoundSentry
- [ 22f]: [bf999cb8 --> bf89a6ac] win32k!NtUserSwitchDesktop
- [ 230]: [bf999cbc --> bf81e8e3] win32k!NtUserSystemParametersInfo
- [ 231]: [bf999cc0 --> bf90dbee] win32k!NtUserTestForInteractiveUser
- [ 232]: [bf999cc4 --> bf8f611c] win32k!NtUserThunkedMenuInfo
- [ 233]: [bf999cc8 --> bf83fc0d] win32k!NtUserThunkedMenuItemInfo
- [ 234]: [bf999ccc --> bf912559] win32k!NtUserToUnicodeEx
- [ 235]: [bf999cd0 --> bf86c580] win32k!NtUserTrackMouseEvent
- [ 236]: [bf999cd4 --> bf912376] win32k!NtUserTrackPopupMenuEx
- [ 237]: [bf999cd8 --> bf83a728] win32k!NtUserCalcMenuBar
- [ 238]: [bf999cdc --> bf8eef29] win32k!NtUserPaintMenuBar
- [ 239]: [bf999ce0 --> bf8f81f3] win32k!NtUserTranslateAccelerator
- [ 23a]: [bf999ce4 --> bf870be0] win32k!NtUserTranslateMessage
- [ 23b]: [bf999ce8 --> bf8ba646] win32k!NtUserUnhookWindowsHookEx
- [ 23c]: [bf999cec --> bf8edc3f] win32k!NtUserUnhookWinEvent
- [ 23d]: [bf999cf0 --> bf912c24] win32k!NtUserUnloadKeyboardLayout
- [ 23e]: [bf999cf4 --> bf8911ed] win32k!NtUserUnlockWindowStation
- [ 23f]: [bf999cf8 --> bf81fd00] win32k!NtUserUnregisterClass
- [ 240]: [bf999cfc --> bf89d748] win32k!NtUserUnregisterUserApiHook
- [ 241]: [bf999d00 --> bf91246c] win32k!NtUserUnregisterHotKey
- [ 242]: [bf999d04 --> bf91445b] win32k!NtUserUpdateInputContext
- [ 243]: [bf999d08 --> bf9112cd] win32k!NtUserUpdateInstance
- [ 244]: [bf999d0c --> bf874e3f] win32k!NtUserUpdateLayeredWindow
- [ 245]: [bf999d10 --> bf915017] win32k!NtUserGetLayeredWindowAttributes
- [ 246]: [bf999d14 --> bf845afb] win32k!NtUserSetLayeredWindowAttributes
- [ 247]: [bf999d18 --> bf8a2f52] win32k!NtUserUpdatePerUserSystemParameters
- [ 248]: [bf999d1c --> bf91297e] win32k!NtUserUserHandleGrantAccess
- [ 249]: [bf999d20 --> bf8018ac] win32k!NtUserValidateHandleSecure
- [ 24a]: [bf999d24 --> bf8f8bd9] win32k!NtUserValidateRect
- [ 24b]: [bf999d28 --> bf807eba] win32k!NtUserValidateTimerCallback
- [ 24c]: [bf999d2c --> bf8c3d69] win32k!NtUserVkKeyScanEx
- [ 24d]: [bf999d30 --> bf90d432] win32k!NtUserWaitForInputIdle
- [ 24e]: [bf999d34 --> bf90c444] win32k!NtUserWaitForMsgAndEvent
- [ 24f]: [bf999d38 --> bf8037a7] win32k!NtUserWaitMessage
- [ 250]: [bf999d3c --> bf911020] win32k!NtUserWin32PoolAllocationStats
- [ 251]: [bf999d40 --> bf821530] win32k!NtUserWindowFromPoint
- [ 252]: [bf999d44 --> bf90db86] win32k!NtUserYieldTask
- [ 253]: [bf999d48 --> bf899f9e] win32k!NtUserRemoteConnect
- [ 254]: [bf999d4c --> bf910ea7] win32k!NtUserRemoteRedrawRectangle
- [ 255]: [bf999d50 --> bf910ef4] win32k!NtUserRemoteRedrawScreen
- [ 256]: [bf999d54 --> bf910f48] win32k!NtUserRemoteStopScreenUpdates
- [ 257]: [bf999d58 --> bf910f95] win32k!NtUserCtxDisplayIOCtl
- [ 258]: [bf999d5c --> bf8fbcf2] win32k!NtGdiEngAssociateSurface
- [ 259]: [bf999d60 --> bf8fc6a2] win32k!NtGdiEngCreateBitmap
- [ 25a]: [bf999d64 --> bf8fbcbf] win32k!NtGdiEngCreateDeviceSurface
- [ 25b]: [bf999d68 --> bf952de1] win32k!NtGdiEngCreateDeviceBitmap
- [ 25c]: [bf999d6c --> bf8defe9] win32k!NtGdiEngCreatePalette
- [ 25d]: [bf999d70 --> bf90635f] win32k!NtGdiEngComputeGlyphSet
- [ 25e]: [bf999d74 --> bf952f37] win32k!NtGdiEngCopyBits
- [ 25f]: [bf999d78 --> bf8dfb75] win32k!NtGdiEngDeletePalette
- [ 260]: [bf999d7c --> bf8fbc45] win32k!NtGdiEngDeleteSurface
- [ 261]: [bf999d80 --> bf953d9a] win32k!NtGdiEngEraseSurface
- [ 262]: [bf999d84 --> bf8ffefb] win32k!NtGdiEngUnlockSurface
- [ 263]: [bf999d88 --> bf8fc0f7] win32k!NtGdiEngLockSurface
- [ 264]: [bf999d8c --> bf904ee3] win32k!NtGdiEngBitBlt
- [ 265]: [bf999d90 --> bf9002d4] win32k!NtGdiEngStretchBlt
- [ 266]: [bf999d94 --> bf95332f] win32k!NtGdiEngPlgBlt
- [ 267]: [bf999d98 --> bf8fc798] win32k!NtGdiEngMarkBandingSurface
- [ 268]: [bf999d9c --> bf8fd592] win32k!NtGdiEngStrokePath
- [ 269]: [bf999da0 --> bf953526] win32k!NtGdiEngFillPath
- [ 26a]: [bf999da4 --> bf8fe227] win32k!NtGdiEngStrokeAndFillPath
- [ 26b]: [bf999da8 --> bf953691] win32k!NtGdiEngPaint
- [ 26c]: [bf999dac --> bf9537ad] win32k!NtGdiEngLineTo
- [ 26d]: [bf999db0 --> bf9538d6] win32k!NtGdiEngAlphaBlend
- [ 26e]: [bf999db4 --> bf953a55] win32k!NtGdiEngGradientFill
- [ 26f]: [bf999db8 --> bf953c2e] win32k!NtGdiEngTransparentBlt
- [ 270]: [bf999dbc --> bf8fed98] win32k!NtGdiEngTextOut
- [ 271]: [bf999dc0 --> bf9530d3] win32k!NtGdiEngStretchBltROP
- [ 272]: [bf999dc4 --> bf95454c] win32k!NtGdiXLATEOBJ_cGetPalette
- [ 273]: [bf999dc8 --> bf954608] win32k!NtGdiXLATEOBJ_iXlate
- [ 274]: [bf999dcc --> bf9544fe] win32k!NtGdiXLATEOBJ_hGetColorTransform
- [ 275]: [bf999dd0 --> bf8fda8f] win32k!NtGdiCLIPOBJ_bEnum
- [ 276]: [bf999dd4 --> bf8fdb3c] win32k!NtGdiCLIPOBJ_cEnumStart
- [ 277]: [bf999dd8 --> bf953e64] win32k!NtGdiCLIPOBJ_ppoGetPath
- [ 278]: [bf999ddc --> bf953ea2] win32k!NtGdiEngDeletePath
- [ 279]: [bf999de0 --> bf953edc] win32k!NtGdiEngCreateClip
- [ 27a]: [bf999de4 --> bf953f0e] win32k!NtGdiEngDeleteClip
- [ 27b]: [bf999de8 --> bf8fd0fa] win32k!NtGdiBRUSHOBJ_ulGetBrushColor
- [ 27c]: [bf999dec --> bf953f48] win32k!NtGdiBRUSHOBJ_pvAllocRbrush
- [ 27d]: [bf999df0 --> bf953f99] win32k!NtGdiBRUSHOBJ_pvGetRbrush
- [ 27e]: [bf999df4 --> bf9063e5] win32k!NtGdiBRUSHOBJ_hGetColorTransform
- [ 27f]: [bf999df8 --> bf905d2e] win32k!NtGdiXFORMOBJ_bApplyXform
- [ 280]: [bf999dfc --> bf8fafef] win32k!NtGdiXFORMOBJ_iGetXform
- [ 281]: [bf999e00 --> bf905eef] win32k!NtGdiFONTOBJ_vGetInfo
- [ 282]: [bf999e04 --> bf8faf55] win32k!NtGdiFONTOBJ_pxoGetXform
- [ 283]: [bf999e08 --> bf905993] win32k!NtGdiFONTOBJ_cGetGlyphs
- [ 284]: [bf999e0c --> bf8fb160] win32k!NtGdiFONTOBJ_pifi
- [ 285]: [bf999e10 --> bf9546c3] win32k!NtGdiFONTOBJ_pfdg
- [ 286]: [bf999e14 --> bf9547ca] win32k!NtGdiFONTOBJ_pQueryGlyphAttrs
- [ 287]: [bf999e18 --> bf95442e] win32k!NtGdiFONTOBJ_pvTrueTypeFontFile
- [ 288]: [bf999e1c --> bf953fe7] win32k!NtGdiFONTOBJ_cGetAllGlyphHandles
- [ 289]: [bf999e20 --> bf9548a2] win32k!NtGdiSTROBJ_bEnum
- [ 28a]: [bf999e24 --> bf90611d] win32k!NtGdiSTROBJ_bEnumPositionsOnly
- [ 28b]: [bf999e28 --> bf8fb273] win32k!NtGdiSTROBJ_bGetAdvanceWidths
- [ 28c]: [bf999e2c --> bf90613b] win32k!NtGdiSTROBJ_vEnumStart
- [ 28d]: [bf999e30 --> bf9540b2] win32k!NtGdiSTROBJ_dwGetCodePage
- [ 28e]: [bf999e34 --> bf9541a3] win32k!NtGdiPATHOBJ_vGetBounds
- [ 28f]: [bf999e38 --> bf9548c0] win32k!NtGdiPATHOBJ_bEnum
- [ 290]: [bf999e3c --> bf954234] win32k!NtGdiPATHOBJ_vEnumStart
- [ 291]: [bf999e40 --> bf954278] win32k!NtGdiPATHOBJ_vEnumStartClipLines
- [ 292]: [bf999e44 --> bf954325] win32k!NtGdiPATHOBJ_bEnumClipLines
- [ 293]: [bf999e48 --> bf952daf] win32k!NtGdiGetDhpdev
- [ 294]: [bf999e4c --> bf95465a] win32k!NtGdiEngCheckAbort
- [ 295]: [bf999e50 --> bf9057d8] win32k!NtGdiHT_Get8BPPFormatPalette
- [ 296]: [bf999e54 --> bf952e23] win32k!NtGdiHT_Get8BPPMaskPalette
- [ 297]: [bf999e58 --> bf9414e4] win32k!NtGdiUpdateTransform
- [ 298]: [bf999e5c --> bf8dd701] win32k!NtGdiSetPUMPDOBJ
- [ 299]: [bf999e60 --> bf954100] win32k!NtGdiBRUSHOBJ_DeleteRbrush
- [ 29a]: [bf999e64 --> bf952dd6] win32k!NtGdiUnmapMemFont
- [ 29b]: [bf999e68 --> bf8177ad] win32k!NtGdiDrawStream