Academic ramblings about software security.
Archive for the ‘code analysis’ Category
Here, you can use “virtual machine” as in “Java Virtual Machine”, not as in virtualization. We will play with the virtual machine described in the paper Tracing the Meta-Level: PyPy’s Tracing JIT Compiler by C.F. Bolz, A. Cuni, M. Fijalkowski and A. Rigo (it’s a great read by the way).
PyPy is a fascinating project, too complex to describe here. Among other things, PyPy can take any interpreter written in a subset of Python, translate it to C, and automatically generate a JIT compiler for this language. Does it sound too good to be true? Let’s try this.
- grab PyPy source code
- create the interpreter in pypy/translator/goal/target-toy.py with the following code:
</pre>
<pre style="text-align: justify;">import os, sys
import autopath
import py
# these are the opcodes for the interpreted language
JUMP_IF_A = 1
MOV_A_R = 2
MOV_R_A = 3
ADD_R_TO_A = 4
DECR_A = 5
RETURN_A = 6
<em>from pypy.rlib.jit import JitDriver tlrjitdriver = JitDriver(greens = ['pc', 'bytecode'], reds = ['a', 'regs'])</em>
# the main interpreter loop
def interpret(bytecode, a):
regs = [0] * 256
pc = 0
while True:
<em> tlrjitdriver.jit_merge_point(bytecode=bytecode, pc=pc, a=a, regs=regs) </em> opcode = bytecode[pc]
pc += 1
if opcode == JUMP_IF_A:
target = bytecode[pc]
pc += 1
if a:
<em> if target<pc: tlrjitdriver.can_enter_jit(bytecode=bytecode, pc=target, a=a, regs=regs) </em> pc = target
elif opcode == MOV_A_R:
n = bytecode[pc]
pc += 1
regs[n] = a
elif opcode == MOV_R_A:
n = bytecode[pc]
pc += 1
a = regs[n]
elif opcode == ADD_R_TO_A:
n = bytecode[pc]
pc += 1
a += regs[n]
elif opcode == DECR_A:
a -= 1
elif opcode == RETURN_A:
return a
# __________ Entry point __________
def entry_point(argv):
# the program we want to interpret
# it computes the square of its argument
bytecode = [
MOV_A_R, 0, # i = a
MOV_A_R, 1, # copy of ’a’
# 4:
MOV_R_A, 0, # i--
DECR_A,
MOV_A_R, 0,
MOV_R_A, 2, # res += a
ADD_R_TO_A, 1,
MOV_A_R, 2,
MOV_R_A, 0, # if i!=0: goto 4
JUMP_IF_A, 4,
MOV_R_A, 2,
RETURN_A
]
result = interpret(bytecode, int(argv[1]))
print result
return 0
def jitpolicy(driver):
from pypy.jit.metainterp.policy import JitPolicy
return JitPolicy()
# _____ Define and setup target ___
def target(*args):
return entry_point, None
# main function, if this script is called from the command line
if __name__ == '__main__':
entry_point(sys.argv)</pre>
<div><span style="color: #000000;">
- the lines in italic are the annotations for the JIT compiler. We need to give PyPy some insight on the interpreted language by declaring what is the instruction pointer (the green variables), the beginning of the dispatch loop and the backward branches (see the paper for full details).
- check that you can execute this script correctly by running
python target-toy.py 12, the output should be 144
- PyPy can translate this script in C. For this, first install the dependencies and then run the following command:
python translate.py target-toy.py
- this should give you an executable target-toy-c, rename it target-toy-native and check that
./target-toy-native 12 yields 144
- now we can ask PyPy to translate target-toy.py in C and generate a JIT compiler for it. For this, we just run
python translate.py --opt=jit target-toy.py
- note: the 64-bit backend of PyPy is not implemented yet, so if you are on a 64-bit system, you will have to struggle a bit. You will have to use a 32-bit Python interpreter (see my former post), create an alias for gcc -m32 (let’s call it gcc32) and then pass the option –cc=gcc32 to translate.py.
- this should give you another target-toy-c executable, rename it to target-toy-jit and check that
./target-toy-jit 12 yields 144
Ok, everything is working, so let’s now see how all this performs by computing large squares:
~/pypy-trunk/pypy/translator/goal$ time python target-toy.py 1000000
1000000000000
real 0m18.637s
~/pypy-trunk/pypy/translator/goal$ time ./target-toy-native 1000000
-727379968
real 0m0.024s
~/pypy-trunk/pypy/translator/goal$ time ./target-toy-jit 1000000
-727379968
[...]
real 0m0.005s
The first run is the square program interpreted by our program, itself interpreted by the Python interpreter. Double interpretation is slow.
The second run is the square program interpreted by a native version of our interpret function. Interpretation by native code is ok.
The third run is the square program interpreted and JIT’ed on the fly. It’s super awesome :)
Final note: I must thank everybody from #pypy on freenode, for their help and resilience to stupid questions. Thanks guys!
(disclaimer: the author of Savarin, Matthieu Kaczmarek, is a colleague working in the office next door and a friend of mine)
Savarin is a free online binary classification service (you can think of it as automatic diff’ing against large databases of programs). It is in beta, not fully polished yet, but you can still squeeze some interesting results out of it. Here is your daily shot of binary analysis, freshly brewed.
You will need:
- 2 different malware samples in the same malware family. We are going to use Sasser.A (already in Savarin’s database) and an unpacked Sasser.G (md5 b973853d0863070aca89ce00d4ee0fb9 [offensivecomputing.net])
- IDA with IDAPython for the actual diff’ing (I have IDA 5.5, I don’t know if this works with the free version)
Let’s go:
- open Savarin
- in “Classification against custom database”, choose SasserA
- upload the Sasser.G sample
- in the results page, click More to see the similarity with other binaries in the Sasser family
- you can see that the sample is 41.95% similar to a sample with md5 edc66a4031f5a41f9ddf08595a1d4c92
At this point, you have a classification of a sample against a (small) database of programs. You can therefore see the distance between this sample and other samples. If you ask me, it’s a lot better to see that unknownsample.exe is 80% similar to badguy.exe and 90% similar to badguy2.0.exe than just “infected” or “not infected”.
For the actual diff’ing, follow these steps:
- open the Sasser.G sample in IDA
- download the IDAPython analysis report on Savarin’s analysis page (this report contains all the data needed to visualize the binary differences in IDA)
- execute the IDAPython analysis report
- right now, the situation is pretty anticlimactic since you should see no change apart from a few lines in the console. Wait until next step for the interesting stuff. Yes, you had nothing to do in this step, so what?
- type SavColor(‘md5.edc66a4031f5a41f9ddf08595a1d4c92′, 0x0088ff) in the IDAPython console (it is the md5 value of the Sasser.A sample)
- type SavComment(‘md5.edc66a4031f5a41f9ddf08595a1d4c92′) in the IDAPython console
- this is it, now you can browse the Sasser.G sample, and the common parts with Sasser.A will be colored. Additionally, for two matching instructions you will see the corresponding address in the Sasser.A sample.
The Fine Screenshots:
Thanks to Silvio Cesare and Felix Gröbert, I now have 44 species in my packer zoo. I tested TraceSurfer on these 44 packers, here are the full results and the visualizations.
(quick recap: TraceSurfer uses Pin to trace every instruction in target binaries, extracting a trace file. Then the trace is analysed (or surfed) to detect layers of self-modifying code (or code waves) and code protection patterns)
Highlights:
- only 35 binaries execute correctly on my machine
- Pin v. 31933 works on 30 of these binaries (success rate of 85.71%)
- some packers don’t seem to pack anything since they have only 1 code wave (!Epack Lite 1.4, Pepack, VmProtect). Either the binaries are indeed packed and I fail to detect the self-modifying code, or they’re not self-modifying at all. It’s probably the latter, since the trace sizes are very close to the original (unpacked) binary.
- very few packers seem to use code scrambling (supposedly an advanced anti-dumping technique): Acprotect, Petite and the Yoda family
- integrity checking seems to be more popular, it is used in Acprotect, Themida, Enigma, Pelock, NSPack…
- given the trace size, it seems that anti-emulation loops can be found in Morphine (164M instructions) and !Epack 1.0 (87M instructions)
- nice similarities between Yoda Crypter 1.3 and Yoda Protector 1.4
- the Monster Award is attributed to… Themida 1.8.5.2 (80M instructions, 31 code waves, 142890 decrypted bytes + integrity checking)
I have been working with my PhD supervisor on a dynamic typing system to detect and visualize the temporal evolution of self-modifying programs (it’s not as complicated as it sounds). The typing system works as follows:
- each memory address has a read, write and execution level (r, w, x)
- initially, every memory address begin with type (0, 0, 0)
- when an address with type (r, w, x) is executed, its type becomes (r, w, w+1)
- when an instruction with type (r1, w1, x1) reads a memory address with type (r2, w2, x2), the target address type becomes (x1, w2, x2)
- when an instruction with type (r1, w1, x1) writes to a memory address with type (r2, w2, x2), the target address type becomes (r2, x1, x2)
With that we can get a trace from a program (with DBI, an emulator, a debugger, whatever) and see what is executed (execution level >= 1). By construction, if we have code with an execution level of 2, it means that it has been written by the program itself before being executed, therefore it is self-modifying code.
Again by construction, if we see code with an execution level k+1, it means that it has been written by code at level k. Hence we can precisely distinguish between different layers of code (in our jargon, different code waves)
Now we can detect some interesting properties based on the type of memory addresses:
- if an address has been read, written and then executed (RWX), we label it decrypted
- if an address has only been written and executed (WX), we label it blind write
- if an address has been executed and then read (XR), we assume there has been an integrity check
- if an address has been executed and then written (XW), we assume the code has been scrambled (supposedly as an anti-memory-dump technique)
Therefore we have a way to trace different layers of code, and some relations between the layers (decryption, blind writes, integrity checking and code scrambling). This gives us the following visualization for some packers:
Note 1: thanks to Silvio Cesare for providing the packed samples
Note 2: we are going to present all this stuff at Malware (Montréal) with Jean-Yves Marion and Wadie Guizani, and at Deepsec (Vienna)
Recently I’ve been wondering, how is malware analysis different from traditional program analysis? The fundamental reason is that programs can generally self-modify themselves. There is a direct consequence: with malware we have to admit that we don’t have static access to the program listing (thus preventing standard program analyses). And since turning self-modifying code (SMC) into normal code is undecidable, we end up only with technical (i.e. partial) solutions. This is why virtually every paper on malware analysis will only be a report on how a given technology/implementation is better/faster/stronger than the others.
This has a corollary too: since we have only partial solutions, malware authors actively implement techniques to defeat our implementations. This opens a sub-research field: the production of techniques to defeat the analysis-defeating techniques. Yes, there is some irony in this, for instance this about packing -> emulation-based unpacking -> anti-emulation techniques -> other-wonderful-unpacking-techniques…
Now, you might wonder, how did we get into this quagmire? As Schneier (http://www.schneier.com/blog/archives/2007/05/do_we_really_ne.html) pointed it out before me, this is an accident – a historic by-product of the way the IT industry evolved. The x86 architecture allowed self-modifying code, and operating systems did nothing to prevent or regulate that. And bam, a research niche was born.
Recently I’ve been wondering, how is malware analysis different from traditional program analysis? The fundamental reason is that programs can generally self-modify themselves. There is a direct consequence: with malware we have to admit that we don’t have static access to the program listing (thus preventing standard program analyses). And since turning self-modifying code into normal code is undecidable, we end up only with technical, partial solutions. This is why virtually every paper on malware analysis will only be a report on how a given technology/implementation is better/faster/stronger than the others.
This has a corollary too: since we have only partial solutions, in some cases they don’t work. And malware authors actively exploit that fact, by implementing techniques to defeat our implementations. This opened a sub-research field: the production of techniques to defeat the analysis-defeating techniques. Yes, there is some irony in this, for instance think about packing -> emulation-based unpacking -> anti-emulation techniques -> other-wonderful-unpacking-techniques…
Now, you might wonder, how did we get into this quagmire? As Schneier pointed it out before me, this is an accident – a historic by-product of the way the IT industry evolved. The x86 architecture allowed self-modifying code, and operating systems did nothing to prevent or regulate that. And bam, a research niche was born.
Metasm is an LGPL’ed assembly manipulation framework written in Ruby. It is capable of following flow dependences along multiple paths, a feature called backtracking in metasm jargon and close to the notion of program slicing [wikipedia.org].
Definition: a node j is flow-dependent on a node i if (1) a variable x is referenced at j, (2) x is defined at i and (3) there exists a path from i to j without intervening definitions of x. Source [research.ibm.com]
We are going to use the following ruby script to test the backtracker with different source programs, it takes as input a program (sourcecode), a node (labeled ‘sliceme’) and a variable (eax) and returns the flow-dependences of eax and in some cases, the actual values that eax will take.
require 'metasm'
include Metasm
def sliceit(asmsource, label, reg)
# encode the shellcode
sc = Shellcode.assemble(Ia32.new, asmsource)
dasm = sc.disassemble(0)
# get the address of the label
offset = sc.encoded.export[label]
reg = reg.to_sym
# backtrace
log = []
dasm.backtrace(reg, offset, :log => log)
# return the trace
log
end
sourcecode = <<EOS
; asm program here
EOS
slice = sliceit(sourcecode, 'sliceme', 'eax')
# slice est un tableau qui contient le log du backtrace
slice.each { |ev, *args|
if ev == :di # decodedinstruction
after = args[0]
before = args[1]
instr = args[2]
puts "#{instr} [#{before} -> #{after}]"
end#
}
Let’s take some simple code samples. If there is a single execution path, metasm can compute the value contained in the variable, for instance:
mov eax, 42h
inc eax
sliceme: jmp eax
-> metasm returns:
5 inc eax [eax -> eax+1]
0 mov eax, 42h [eax+1 -> 43h]
We can see that useless definitions of the variable are not taken into account:
mov eax, 0h
mov eax, 42h
inc eax
sliceme: jmp eax
-> metasm returns:
0ah inc eax [eax -> eax+1]
5 mov eax, 42h [eax+1 -> 43h]
Definitions of other variables are also ignored (if eax does not depend on them):
mov eax, 42h
mov ebx, 0
sliceme: jmp eax
-> metasm returns:
0 mov eax, 42h [eax -> 42h]
But they are included if eax depends on them:
mov ebx, 1h
mov eax, 42h
add eax, ebx
sliceme: jmp eax
-> metasm returns:
0ah add eax, ebx [eax -> eax+ebx]
5 mov eax, 42h [eax+ebx -> ebx+42h]
0 mov ebx, 1 [ebx+42h -> 43h]
If there are multiple acyclic paths, metasm will be able to compute the value of the sliced variable along each path, for instance:
mov eax, 42h
cmp ebx, 0
jnz pouet
dec eax
jmp sliceme
pouet: inc eax
sliceme: jmp eax
-> metasm returns:
0dh inc eax [eax -> eax+1]
0 mov eax, 42h [eax+1 -> 43h]
0ah dec eax [eax -> eax-1]
0 mov eax, 42h [eax-1 -> 41h]
Metasm states that at the end, eax will be either 41h or 43h but it doesn’t know which one. It doesn’t state it explicitly, but the value of eax is control-dependent on ebx.
Finally in the worst case scenario, if there are cyclic paths (such as loops), metasm will go through each path once but will be unable to compute the value after the cycle. Note that in the general case, this is undecidable.
mov eax, 0
entry: cmp ebx, 0
jnz sliceme
dec ebx
inc eax
jmp entry
sliceme: jmp eax
-> metasm returns:
0bh inc eax [eax -> eax+1]
0 mov eax, entrypoint_0 [eax -> 0]
This is mostly a note to myself, but I guess people interested in automating reverse engineering will be interested at some point in IR suitable for low-level abstractions. I consider top-down IR used by optimizing compilers and bottom-up IR used by decompilers and other reversing tools.
Intermediate Representations for Reverse Engineering
REIL. Used in BinNavi, the Reverse Engineering Intermediate Language defines a very simple RISC architecture (17 instructions), with the nice property that each instruction has at most one side-effect. Thomas Dullien and Sebastian Porst recently presented at CanSecWest an abstract interpretation framework for REIL (paper, slides). It is clearly possible to easily write analyses and transformation passes for REIL without getting into the complexity of the whole x86 architecture, given x86 -> REIL and REIL -> x86 translators.
Here are some sample REIL instructions :
1006E4B00: str edi, , edi
1006E4D00: sub esp, 4, esp
1006E4D01: and esp, 4294967295, esp
1006E4D02: stm ebp, , esp
Language Reference
Hex Rays Microcode. Presented at Black Hat USA 2008 by Ilfak Guilfanov (paper, slides), it is an IR used during decompilation. From the paper: “The microcode language is very detailed and precisely represents how each instruction modifies the memory, registers, and processor condition codes. Typically one CPU instruction is converted into 5-15 microinstructions”. According to the REIL paper, REIL and the microcode language are significantly different, for instance the microinstructions can have a variable number of operands and perform multiple side effects.
Sample microcode:
mov esi.4, eoff.4
mov ds.2, seg.2
add eoff.4, #4.4, eoff.4
ldx seg.2, eoff.4, et1.4
mov et1.4, eax.4
I couldn’t find the language reference.
ELIR. Part of the ERESI project, the goal of ELIR is to simplify static analysis by providing a platform independent abstraction. An overview was presented at Ekoparty08 (slides) and some ideas appeared in Phrack 64, but 30s of Googling didn’t get me to the language reference or a code sample, so that’s all I will say about ELIR for the moment.
Pin Inspection API. PIN, Intel’s Dynamic Binary Instrumentation framework provides a very handy instruction inspection API. This is not an IR but provides the same type of information about complex instructions without having to make giant switch statements. For instance, this is the way to log memory writes with PIN given an instruction:
VOID RecordMemWrite(VOID * addr, UINT32 size) {
fprintf(trace,",%dW%p", size, addr);
}
// this function is called each time an instruction is encountered
VOID Instruction(INS ins, VOID *v) {
// isn't that a nice API ?
if (WRITES && INS_IsMemoryWrite(ins)) {
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)RecordMemWrite,
IARG_MEMORYWRITE_EA,
IARG_MEMORYWRITE_SIZE,
IARG_END);
}
}
API Documentation
Valgrind IR. On my todo list.
FermaT Transformation System. I’ll have to write something about it someday. Oh lucky you, a wikipedia entry and a bunch of papers!
Optimizing Compilers Intermediate Representations
LLVM Bitcode. This language uses low-level RISC-like instructions in SSA form with type information. It is clean and well defined, and is a very suitable target for platform-independent analysis and optimization. It is designed to convey high-level information in lower level operations, so converting machine code to LLVM bitcode probably requires some intensive work.
Here is the hello world example :
; Declare the string constant as a global constant...
@.LC0 = internal constant [13 x i8] c"hello worldA0"
; External declaration of the puts function
declare i32 @puts(i8 *)
; Definition of main function
define i32 @main() {
; Convert [13 x i8]* to i8 *...
%cast210 = getelementptr [13 x i8]* @.LC0, i64 0, i64 0 ; i8 *
; Call puts function to write out the string to stdout...
call i32 @puts(i8 * %cast210)
ret i32 0
}
Language reference
Register Transfer Language. One of the IR used in GCC, it is an architecture-neutral assembly language that represents instructions in a LISP-like form (d’oh), like this:
(insn 2 49 3 test.c:3 (set (mem/c/i:SI (plus:DI (reg/f:DI 6 bp)
(const_int -20 [0xffffffffffffffec])) [0 argc+0 S4 A32])
(reg:SI 5 di [ argc ])) 47 {*movsi_1} (nil))
It feels a bit old-fashioned and less clean than LLVM bitcode, but this is just a gut feeling. Use gcc -fdump-rtl-all to see what it looks like.
Side note: the idea of dumping RTL to a file, performing transformations on it and giving this back to GCC is quite common, but RMS qualifies it as “not feasible”, even though the creator of RTL says it is not only feasible but quite useful actually.
Not much. Except the purpose, of course, but fundamentally they are both dynamic code generators. That means that if you run an automatic unpacker on a just-in-time compiler along with a source program, the output of the automatic unpacker should be the entrypoint of the native code in memory. Let’s check that: we use PIN to log memory writes and instruction pointers and then a python script to find the intersection.
For the JIT we’ll use LLVM and a simple fibonacci program (intendedly naive):
#include <stdio.h>
#include <stdlib.h>
int fibonacci(int curr) {
if(curr < 2) return curr;
else return(fibonacci(curr-1) + fibonacci(curr-2));
}
int main(int argc, char** argv) {
printf("fibonacci(%d) = %d\n", 20, fibonacci(20));
}
Let’s compile this program:
$ llvm-gcc -O3 -emit-llvm fib.c -c -o fib.bc
And run it, with JIT (by default) and without (forced interpretation):
$ time lli fib.bc
fibonacci(20) = 6765
real 0m0.059s
user 0m0.044s
sys 0m0.004s
$ time lli -force-interpreter fib.bc
fibonacci(20) = 6765
real 0m0.192s
user 0m0.180s
sys 0m0.000s
The time difference between interpretation and JIT compilation becomes a lot more spectacular around fibonacci(40) but we don’t want to get huge traces. Now let’s write the pintool that logs the memory writes and the instruction pointers (it is fairly simple as it is based on two examples in PIN’s manual):
// This function is called before every instruction is executed
// and prints the IP
VOID printip(VOID *ip) { fprintf(itrace, "%p\n", ip); }
// Print a memory write record
VOID RecordMemWrite(VOID * ip, VOID * addr) {
fprintf(pinatrace,"%p: W %p\n", ip, addr);
}
// Pin calls this function every time a new instruction is encountered
VOID Instruction(INS ins, VOID *v) {
// instruments stores using a predicated call, i.e.
// the call happens iff the store will be actually executed
if (INS_IsMemoryWrite(ins)) {
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)RecordMemWrite,
IARG_INST_PTR,
IARG_MEMORYWRITE_EA,
IARG_END);
} else {
// Insert a call to printip before every instruction, and pass it the IP
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)printip, IARG_INST_PTR, IARG_END);
}
}
Now let’s trace LLVM with this pintool:
$ time pin -t mixtrace.so -- lli fib.bc
fibonacci(20) = 6765
real 1m4.304s
user 0m41.931s
sys 0m3.816s
We’ll use the following python script to find the intersection between the memory writes and the instruction pointers:
def main():
pinatrace = args[0]
itrace = args[1]
# the parsing functions are omitted, but they return sets
# (unordered collections of unique elements)
writes = parse(pinatrace)
eips = iparse(itrace)
inter = writes & eips
for hit in inter:
print "dynamic code at 0x%X" % hit
if len(inter) == 0:
print "no hits found, the binary does not contain dynamic code"
if __name__ == "__main__":
main()
And finally, the result:
$ tracesurfer.py pinatrace.out itrace.out
parsing pinatrace.out
done, parsed 116965 memory writes.
parsing itrace.out
done, parsed 193618 instruction pointers
dynamic code at 0x7F07B3555202
...
dynamic code at 0x7F07B35551F9
And for the sake of completude, let’s see what we obtain without the JIT:
$ time pin -t mixtrace.so -- lli -force-interpreter fib.bc
fibonacci(20) = 6765
real 4m10.077s
user 1m42.538s
sys 0m18.533s
# in case you wonder, the traces are *big*
$ ls -l *.out
-rw-r--r-- 1 reynaudd reynaudd 3174401813 2009-02-16 18:07 itrace.out
-rw-r--r-- 1 reynaudd reynaudd 4055787304 2009-02-16 18:07 pinatrace.out
$ tracesurfer.py pinatrace.out itrace.out
parsing pinatrace.out
done, parsed 27582 memory writes.
parsing itrace.out
done, parsed 73332 instruction pointers
no hits found, the binary does not contain dynamic code
In case anybody needs system call ordinals for an x64 system, I have retrieved them on my test machine since I couldn’t find them anywhere (not even metasploit’s system call table).
Ero Carrera posted a compact IDAPython script that did the trick, so I adapted the code a little. In ntdll.dll, there are two patterns that we need to look for:
mov eax, XXXX ; XXXX is the system call ordinal we need
xor ecx, ecx
lea edx, [esp+arg_0]
call large dword ptr fs:0C0h
and
mov eax, XXXX ; again, we need XXXX
mov ecx, 1Ah
lea edx, [esp+arg_0]
call large dword ptr fs:0C0h
This translates to the following byte sequences: ‘B8 ? ? 00 00 33 C9 8D 54 24 04 64 FF 15 C0 00 00 00′ and ‘B8 ? ? 00 00 B9 ? 00 00 00 8D 54 24 04 64 FF 15 C0 00 00 00′. Here is the adapted IDAPython script:
syscall_ordinal_code = 'B8 ? ? 00 00 33 C9 8D 54 24 04 64 FF 15 C0 00 00 00'
syscall_ordinal_code2 = 'B8 ? ? 00 00 B9 ? 00 00 00 8D 54 24 04 64 FF 15 C0 00 00 00'
out = open('c:\\temp\\idapython.txt', 'w')
for seg in Segments():
for func in Functions(seg, SegEnd(seg)):
address = FindBinary(func, SEARCH_DOWN, syscall_ordinal_code)
address2 = FindBinary(func, SEARCH_DOWN, syscall_ordinal_code2)
if address == func or address2 == func:
out.write('%08x: Syscall ordinal %04x for %s (%s)\n' % (func, Dword(func+1), Name(func), Comment(func)))
out.close()
UPDATE: user32.dll and kernel32.dll also contain references to system call ordinals, using the following pattern:
mov eax, XXXXh
lea edx, [esp+arg_0]
mov ecx, 4
call large dword ptr fs:0C0h
so we must also look for byte sequence ‘B8 ? ? 00 00 8D 54 24 04 B9 ? 00 00 00 64 FF 15 C0′ in user32.dll.
And finally, the output of the script (on Windows XP SP2 x64):
7d61c7fb: Syscall ordinal 0000 for _ZwMapUserPhysicalPagesScatter@12 (NtMapUserPhysicalPagesScatter)
7d61c813: Syscall ordinal 0001 for _ZwWaitForSingleObject@12 (NtWaitForSingleObject)
7d61c82b: Syscall ordinal 0002 for _ZwCallbackReturn@12 (NtCallbackReturn)
7d61c843: Syscall ordinal 0003 for _NtReadFile@36 (NtReadFile)
7d61c85b: Syscall ordinal 0004 for _ZwDeviceIoControlFile@40 (NtDeviceIoControlFile)
7d61c873: Syscall ordinal 0005 for _NtWriteFile@36 (NtWriteFile)
7d61c88b: Syscall ordinal 0006 for _ZwRemoveIoCompletion@20 (NtRemoveIoCompletion)
7d61c8a3: Syscall ordinal 0007 for _NtReleaseSemaphore@12 (NtReleaseSemaphore)
7d61c8bb: Syscall ordinal 0008 for _NtReplyWaitReceivePort@16 (NtReplyWaitReceivePort)
7d61c8d3: Syscall ordinal 0009 for _ZwReplyPort@8 (NtReplyPort)
7d61c8eb: Syscall ordinal 000a for _ZwSetInformationThread@16 (NtSetInformationThread)
7d61c903: Syscall ordinal 000b for _NtSetEvent@8 (NtSetEvent)
7d61c91b: Syscall ordinal 000c for _NtClose@4 (NtClose)
7d61c933: Syscall ordinal 000d for _NtQueryObject@20 (NtQueryObject)
7d61c94b: Syscall ordinal 000e for _ZwQueryInformationFile@20 (NtQueryInformationFile)
7d61c963: Syscall ordinal 000f for _ZwOpenKey@12 (NtOpenKey)
7d61c97b: Syscall ordinal 0010 for _NtEnumerateValueKey@24 (NtEnumerateValueKey)
7d61c993: Syscall ordinal 0011 for _NtFindAtom@12 (NtFindAtom)
7d61c9ab: Syscall ordinal 0012 for _NtQueryDefaultLocale@8 (NtQueryDefaultLocale)
7d61c9c3: Syscall ordinal 0013 for _ZwQueryKey@20 (NtQueryKey)
7d61c9db: Syscall ordinal 0014 for _ZwQueryValueKey@24 (NtQueryValueKey)
7d61c9f3: Syscall ordinal 0015 for _NtAllocateVirtualMemory@24 (NtAllocateVirtualMemory)
7d61ca0b: Syscall ordinal 0016 for _ZwQueryInformationProcess@20 (NtQueryInformationProcess)
7d61ca23: Syscall ordinal 0017 for _NtWaitForMultipleObjects32@20 (NtWaitForMultipleObjects32)
7d61ca3b: Syscall ordinal 0018 for _NtWriteFileGather@36 (NtWriteFileGather)
7d61ca53: Syscall ordinal 0019 for _ZwSetInformationProcess@16 (NtSetInformationProcess)
7d61ca6b: Syscall ordinal 001a for _ZwCreateKey@28 (NtCreateKey)
7d61ca83: Syscall ordinal 001b for _NtFreeVirtualMemory@16 (NtFreeVirtualMemory)
7d61ca9b: Syscall ordinal 001c for _ZwImpersonateClientOfPort@8 (NtImpersonateClientOfPort)
7d61cab3: Syscall ordinal 001d for _ZwReleaseMutant@8 (NtReleaseMutant)
7d61cacb: Syscall ordinal 001e for _ZwQueryInformationToken@20 (NtQueryInformationToken)
7d61cae3: Syscall ordinal 001f for _NtRequestWaitReplyPort@12 (NtRequestWaitReplyPort)
7d61cafb: Syscall ordinal 0020 for _NtQueryVirtualMemory@24 (NtQueryVirtualMemory)
7d61cb13: Syscall ordinal 0021 for _NtOpenThreadToken@16 (NtOpenThreadToken)
7d61cb2b: Syscall ordinal 0022 for _NtQueryInformationThread@20 (NtQueryInformationThread)
7d61cb43: Syscall ordinal 0023 for _ZwOpenProcess@16 (NtOpenProcess)
7d61cb5b: Syscall ordinal 0024 for _ZwSetInformationFile@20 (NtSetInformationFile)
7d61cb73: Syscall ordinal 0025 for _ZwMapViewOfSection@40 (NtMapViewOfSection)
7d61cb8b: Syscall ordinal 0026 for _ZwAccessCheckAndAuditAlarm@44 (NtAccessCheckAndAuditAlarm)
7d61cba3: Syscall ordinal 0027 for _NtUnmapViewOfSection@8 (NtUnmapViewOfSection)
7d61cbbb: Syscall ordinal 0028 for _NtReplyWaitReceivePortEx@20 (NtReplyWaitReceivePortEx)
7d61cbd3: Syscall ordinal 0029 for _ZwTerminateProcess@8 (NtTerminateProcess)
7d61cbeb: Syscall ordinal 002a for _NtSetEventBoostPriority@4 (NtSetEventBoostPriority)
7d61cc03: Syscall ordinal 002b for _NtReadFileScatter@36 (NtReadFileScatter)
7d61cc1b: Syscall ordinal 002c for _NtOpenThreadTokenEx@20 (NtOpenThreadTokenEx)
7d61cc33: Syscall ordinal 002d for _ZwOpenProcessTokenEx@16 (NtOpenProcessTokenEx)
7d61cc4b: Syscall ordinal 002e for _NtQueryPerformanceCounter@8 (NtQueryPerformanceCounter)
7d61cc63: Syscall ordinal 002f for _ZwEnumerateKey@24 (NtEnumerateKey)
7d61cc7b: Syscall ordinal 0030 for _NtOpenFile@24 (NtOpenFile)
7d61cc93: Syscall ordinal 0031 for _ZwDelayExecution@8 (NtDelayExecution)
7d61ccab: Syscall ordinal 0032 for _ZwQueryDirectoryFile@44 (NtQueryDirectoryFile)
7d61ccc3: Syscall ordinal 0033 for _NtQuerySystemInformation@16 (NtQuerySystemInformation)
7d61ccdb: Syscall ordinal 0034 for _NtOpenSection@12 (NtOpenSection)
7d61ccf3: Syscall ordinal 0035 for _ZwQueryTimer@20 (NtQueryTimer)
7d61cd0b: Syscall ordinal 0036 for _NtFsControlFile@40 (NtFsControlFile)
7d61cd23: Syscall ordinal 0037 for _NtWriteVirtualMemory@20 (NtWriteVirtualMemory)
7d61cd3b: Syscall ordinal 0038 for _ZwCloseObjectAuditAlarm@12 (NtCloseObjectAuditAlarm)
7d61cd53: Syscall ordinal 0039 for _ZwDuplicateObject@28 (NtDuplicateObject)
7d61cd6b: Syscall ordinal 003a for _ZwQueryAttributesFile@8 (NtQueryAttributesFile)
7d61cd83: Syscall ordinal 003b for _NtClearEvent@4 (NtClearEvent)
7d61cd9b: Syscall ordinal 003c for _NtReadVirtualMemory@20 (NtReadVirtualMemory)
7d61cdb3: Syscall ordinal 003d for _NtOpenEvent@12 (NtOpenEvent)
7d61cdcb: Syscall ordinal 003e for _ZwAdjustPrivilegesToken@24 (NtAdjustPrivilegesToken)
7d61cde3: Syscall ordinal 003f for _NtDuplicateToken@24 (NtDuplicateToken)
7d61cdfb: Syscall ordinal 0040 for _ZwContinue@8 (NtContinue)
7d61ce13: Syscall ordinal 0041 for _ZwQueryDefaultUILanguage@4 (NtQueryDefaultUILanguage)
7d61ce2b: Syscall ordinal 0042 for _NtQueueApcThread@20 (NtQueueApcThread)
7d61ce43: Syscall ordinal 0043 for _ZwYieldExecution@0 (NtYieldExecution)
7d61ce5c: Syscall ordinal 0044 for _NtAddAtom@12 (NtAddAtom)
7d61ce74: Syscall ordinal 0045 for _NtCreateEvent@20 (NtCreateEvent)
7d61ce8c: Syscall ordinal 0046 for _NtQueryVolumeInformationFile@20 (NtQueryVolumeInformationFile)
7d61cea4: Syscall ordinal 0047 for _NtCreateSection@28 (NtCreateSection)
7d61cebc: Syscall ordinal 0048 for _ZwFlushBuffersFile@8 (NtFlushBuffersFile)
7d61ced4: Syscall ordinal 0049 for _NtApphelpCacheControl@8 (NtApphelpCacheControl)
7d61ceec: Syscall ordinal 004a for _ZwCreateProcessEx@36 (NtCreateProcessEx)
7d61cf04: Syscall ordinal 004b for _NtCreateThread@32 (NtCreateThread)
7d61cf1c: Syscall ordinal 004c for _ZwIsProcessInJob@8 (NtIsProcessInJob)
7d61cf34: Syscall ordinal 004d for _ZwProtectVirtualMemory@20 (NtProtectVirtualMemory)
7d61cf4c: Syscall ordinal 004e for _ZwQuerySection@20 (NtQuerySection)
7d61cf64: Syscall ordinal 004f for _ZwResumeThread@8 (NtResumeThread)
7d61cf7c: Syscall ordinal 0050 for _ZwTerminateThread@8 (NtTerminateThread)
7d61cf94: Syscall ordinal 0051 for _ZwReadRequestData@24 (NtReadRequestData)
7d61cfac: Syscall ordinal 0052 for _NtCreateFile@44 (NtCreateFile)
7d61cfc4: Syscall ordinal 0053 for _NtQueryEvent@20 (NtQueryEvent)
7d61cfdc: Syscall ordinal 0054 for _NtWriteRequestData@24 (NtWriteRequestData)
7d61cff4: Syscall ordinal 0055 for _ZwOpenDirectoryObject@12 (NtOpenDirectoryObject)
7d61d00c: Syscall ordinal 0056 for _NtAccessCheckByTypeAndAuditAlarm@64 (NtAccessCheckByTypeAndAuditAlarm)
7d61d024: Syscall ordinal 0057 for _NtQuerySystemTime@4 (NtQuerySystemTime)
7d61d03c: Syscall ordinal 0058 for _NtWaitForMultipleObjects@20 (NtWaitForMultipleObjects)
7d61d054: Syscall ordinal 0059 for _ZwSetInformationObject@16 (NtSetInformationObject)
7d61d06c: Syscall ordinal 005a for _ZwCancelIoFile@8 (NtCancelIoFile)
7d61d084: Syscall ordinal 005b for _NtTraceEvent@16 (NtTraceEvent)
7d61d09c: Syscall ordinal 005c for _ZwPowerInformation@20 (NtPowerInformation)
7d61d0b4: Syscall ordinal 005d for _ZwSetValueKey@24 (NtSetValueKey)
7d61d0cc: Syscall ordinal 005e for _ZwCancelTimer@8 (NtCancelTimer)
7d61d0e4: Syscall ordinal 005f for _ZwSetTimer@28 (NtSetTimer)
7d61d0fc: Syscall ordinal 0060 for _NtAcceptConnectPort@24 (NtAcceptConnectPort)
7d61d114: Syscall ordinal 0061 for _NtAccessCheck@32 (NtAccessCheck)
7d61d12c: Syscall ordinal 0062 for _NtAccessCheckByType@44 (NtAccessCheckByType)
7d61d144: Syscall ordinal 0063 for _NtAccessCheckByTypeResultList@44 (NtAccessCheckByTypeResultList)
7d61d15c: Syscall ordinal 0064 for _NtAccessCheckByTypeResultListAndAuditAlarm@64 (NtAccessCheckByTypeResultListAndAuditAlarm)
7d61d174: Syscall ordinal 0065 for _ZwAccessCheckByTypeResultListAndAuditAlarmByHandle@68 (NtAccessCheckByTypeResultListAndAuditAlarmByHandle)
7d61d18c: Syscall ordinal 0066 for _ZwAddBootEntry@8 (NtAddBootEntry)
7d61d1a4: Syscall ordinal 0067 for _NtAddDriverEntry@8 (NtAddDriverEntry)
7d61d1bc: Syscall ordinal 0068 for _ZwAdjustGroupsToken@24 (NtAdjustGroupsToken)
7d61d1d4: Syscall ordinal 0069 for _NtAlertResumeThread@8 (NtAlertResumeThread)
7d61d1ec: Syscall ordinal 006a for _NtAlertThread@4 (NtAlertThread)
7d61d204: Syscall ordinal 006b for _ZwAllocateLocallyUniqueId@4 (NtAllocateLocallyUniqueId)
7d61d21c: Syscall ordinal 006c for _NtAllocateUserPhysicalPages@12 (NtAllocateUserPhysicalPages)
7d61d234: Syscall ordinal 006d for _NtAllocateUuids@16 (NtAllocateUuids)
7d61d24c: Syscall ordinal 006e for _ZwAreMappedFilesTheSame@8 (NtAreMappedFilesTheSame)
7d61d264: Syscall ordinal 006f for _ZwAssignProcessToJobObject@8 (NtAssignProcessToJobObject)
7d61d27c: Syscall ordinal 0070 for _NtCancelDeviceWakeupRequest@4 (NtCancelDeviceWakeupRequest)
7d61d294: Syscall ordinal 0071 for _NtCompactKeys@8 (NtCompactKeys)
7d61d2ac: Syscall ordinal 0072 for _ZwCompareTokens@12 (NtCompareTokens)
7d61d2c4: Syscall ordinal 0073 for _NtCompleteConnectPort@4 (NtCompleteConnectPort)
7d61d2dc: Syscall ordinal 0074 for _ZwCompressKey@4 (NtCompressKey)
7d61d2f4: Syscall ordinal 0075 for _NtConnectPort@32 (NtConnectPort)
7d61d30c: Syscall ordinal 0076 for _ZwCreateDebugObject@16 (NtCreateDebugObject)
7d61d324: Syscall ordinal 0077 for _ZwCreateDirectoryObject@12 (NtCreateDirectoryObject)
7d61d33c: Syscall ordinal 0078 for _NtCreateEventPair@12 (NtCreateEventPair)
7d61d354: Syscall ordinal 0079 for _NtCreateIoCompletion@16 (NtCreateIoCompletion)
7d61d36c: Syscall ordinal 007a for _ZwCreateJobObject@12 (NtCreateJobObject)
7d61d384: Syscall ordinal 007b for _NtCreateJobSet@12 (NtCreateJobSet)
7d61d39c: Syscall ordinal 007c for _ZwCreateKeyedEvent@16 (NtCreateKeyedEvent)
7d61d3b4: Syscall ordinal 007d for _ZwCreateMailslotFile@32 (NtCreateMailslotFile)
7d61d3cc: Syscall ordinal 007e for _ZwCreateMutant@16 (NtCreateMutant)
7d61d3e4: Syscall ordinal 007f for _ZwCreateNamedPipeFile@56 (NtCreateNamedPipeFile)
7d61d3fc: Syscall ordinal 0080 for _NtCreatePagingFile@16 (NtCreatePagingFile)
7d61d414: Syscall ordinal 0081 for _ZwCreatePort@20 (NtCreatePort)
7d61d42c: Syscall ordinal 0082 for _ZwCreateProcess@32 (NtCreateProcess)
7d61d444: Syscall ordinal 0083 for _ZwCreateProfile@36 (NtCreateProfile)
7d61d45c: Syscall ordinal 0084 for _NtCreateSemaphore@20 (NtCreateSemaphore)
7d61d474: Syscall ordinal 0085 for _ZwCreateSymbolicLinkObject@16 (NtCreateSymbolicLinkObject)
7d61d48c: Syscall ordinal 0086 for _ZwCreateTimer@16 (NtCreateTimer)
7d61d4a4: Syscall ordinal 0087 for _NtCreateToken@52 (NtCreateToken)
7d61d4bc: Syscall ordinal 0088 for _ZwCreateWaitablePort@20 (NtCreateWaitablePort)
7d61d4d4: Syscall ordinal 0089 for _NtDebugActiveProcess@8 (NtDebugActiveProcess)
7d61d4ec: Syscall ordinal 008a for _ZwDebugContinue@12 (NtDebugContinue)
7d61d504: Syscall ordinal 008b for _ZwDeleteAtom@4 (NtDeleteAtom)
7d61d51c: Syscall ordinal 008c for _NtDeleteBootEntry@4 (NtDeleteBootEntry)
7d61d534: Syscall ordinal 008d for _ZwDeleteDriverEntry@4 (NtDeleteDriverEntry)
7d61d54c: Syscall ordinal 008e for _NtDeleteFile@4 (NtDeleteFile)
7d61d564: Syscall ordinal 008f for _ZwDeleteKey@4 (NtDeleteKey)
7d61d57c: Syscall ordinal 0090 for _NtDeleteObjectAuditAlarm@12 (NtDeleteObjectAuditAlarm)
7d61d594: Syscall ordinal 0091 for _NtDeleteValueKey@8 (NtDeleteValueKey)
7d61d5ac: Syscall ordinal 0092 for _NtDisplayString@4 (NtDisplayString)
7d61d5c4: Syscall ordinal 0093 for _ZwEnumerateBootEntries@8 (NtEnumerateBootEntries)
7d61d5dc: Syscall ordinal 0094 for _NtEnumerateDriverEntries@8 (NtEnumerateDriverEntries)
7d61d5f4: Syscall ordinal 0095 for _ZwEnumerateSystemEnvironmentValuesEx@12 (NtEnumerateSystemEnvironmentValuesEx)
7d61d60c: Syscall ordinal 0096 for _ZwExtendSection@8 (NtExtendSection)
7d61d624: Syscall ordinal 0097 for _NtFilterToken@24 (NtFilterToken)
7d61d63c: Syscall ordinal 0098 for _ZwFlushInstructionCache@12 (NtFlushInstructionCache)
7d61d654: Syscall ordinal 0099 for _NtFlushKey@4 (NtFlushKey)
7d61d66c: Syscall ordinal 009a for _ZwFlushVirtualMemory@16 (NtFlushVirtualMemory)
7d61d684: Syscall ordinal 009b for _NtFlushWriteBuffer@0 (NtFlushWriteBuffer)
7d61d69c: Syscall ordinal 009c for _NtFreeUserPhysicalPages@12 (NtFreeUserPhysicalPages)
7d61d6b4: Syscall ordinal 009d for _NtGetContextThread@8 (NtGetContextThread)
7d61d6cc: Syscall ordinal 009e for _NtGetCurrentProcessorNumber@0 (NtGetCurrentProcessorNumber
RtlGetCurrentProcessorNumber)
7d61d6e4: Syscall ordinal 009f for _NtGetDevicePowerState@8 (NtGetDevicePowerState)
7d61d6fc: Syscall ordinal 00a0 for _ZwGetPlugPlayEvent@16 (NtGetPlugPlayEvent)
7d61d714: Syscall ordinal 00a1 for _NtGetWriteWatch@28 (NtGetWriteWatch)
7d61d72c: Syscall ordinal 00a2 for _NtImpersonateAnonymousToken@4 (NtImpersonateAnonymousToken)
7d61d744: Syscall ordinal 00a3 for _ZwImpersonateThread@12 (NtImpersonateThread)
7d61d75c: Syscall ordinal 00a4 for _ZwInitializeRegistry@4 (NtInitializeRegistry)
7d61d774: Syscall ordinal 00a5 for _NtInitiatePowerAction@16 (NtInitiatePowerAction)
7d61d78c: Syscall ordinal 00a6 for _NtIsSystemResumeAutomatic@0 (NtIsSystemResumeAutomatic)
7d61d7a4: Syscall ordinal 00a7 for _ZwListenPort@8 (NtListenPort)
7d61d7bc: Syscall ordinal 00a8 for _NtLoadDriver@4 (NtLoadDriver)
7d61d7d4: Syscall ordinal 00a9 for _NtLoadKey@8 (NtLoadKey)
7d61d7ec: Syscall ordinal 00aa for _NtLoadKey2@12 (NtLoadKey2)
7d61d804: Syscall ordinal 00ab for _NtLoadKeyEx@16 (NtLoadKeyEx)
7d61d81c: Syscall ordinal 00ac for _NtLockFile@40 (NtLockFile)
7d61d834: Syscall ordinal 00ad for _ZwLockProductActivationKeys@8 (NtLockProductActivationKeys)
7d61d84c: Syscall ordinal 00ae for _NtLockRegistryKey@4 (NtLockRegistryKey)
7d61d864: Syscall ordinal 00af for _ZwLockVirtualMemory@16 (NtLockVirtualMemory)
7d61d87c: Syscall ordinal 00b0 for _ZwMakePermanentObject@4 (NtMakePermanentObject)
7d61d894: Syscall ordinal 00b1 for _NtMakeTemporaryObject@4 (NtMakeTemporaryObject)
7d61d8ac: Syscall ordinal 00b2 for _NtMapUserPhysicalPages@12 (NtMapUserPhysicalPages)
7d61d8c4: Syscall ordinal 00b3 for _NtModifyBootEntry@4 (NtModifyBootEntry)
7d61d8dc: Syscall ordinal 00b4 for _ZwModifyDriverEntry@4 (NtModifyDriverEntry)
7d61d8f4: Syscall ordinal 00b5 for _NtNotifyChangeDirectoryFile@36 (NtNotifyChangeDirectoryFile)
7d61d90c: Syscall ordinal 00b6 for _NtNotifyChangeKey@40 (NtNotifyChangeKey)
7d61d924: Syscall ordinal 00b7 for _NtNotifyChangeMultipleKeys@48 (NtNotifyChangeMultipleKeys)
7d61d93c: Syscall ordinal 00b8 for _NtOpenEventPair@12 (NtOpenEventPair)
7d61d954: Syscall ordinal 00b9 for _ZwOpenIoCompletion@12 (NtOpenIoCompletion)
7d61d96c: Syscall ordinal 00ba for _ZwOpenJobObject@12 (NtOpenJobObject)
7d61d984: Syscall ordinal 00bb for _NtOpenKeyedEvent@12 (NtOpenKeyedEvent)
7d61d99c: Syscall ordinal 00bc for _NtOpenMutant@12 (NtOpenMutant)
7d61d9b4: Syscall ordinal 00bd for _ZwOpenObjectAuditAlarm@48 (NtOpenObjectAuditAlarm)
7d61d9cc: Syscall ordinal 00be for _ZwOpenProcessToken@12 (NtOpenProcessToken)
7d61d9e4: Syscall ordinal 00bf for _NtOpenSemaphore@12 (NtOpenSemaphore)
7d61d9fc: Syscall ordinal 00c0 for _NtOpenSymbolicLinkObject@12 (NtOpenSymbolicLinkObject)
7d61da14: Syscall ordinal 00c1 for _ZwOpenThread@16 (NtOpenThread)
7d61da2c: Syscall ordinal 00c2 for _ZwOpenTimer@12 (NtOpenTimer)
7d61da44: Syscall ordinal 00c3 for _NtPlugPlayControl@12 (NtPlugPlayControl)
7d61da5c: Syscall ordinal 00c4 for _ZwPrivilegeCheck@12 (NtPrivilegeCheck)
7d61da74: Syscall ordinal 00c5 for _ZwPrivilegeObjectAuditAlarm@24 (NtPrivilegeObjectAuditAlarm)
7d61da8c: Syscall ordinal 00c6 for _NtPrivilegedServiceAuditAlarm@20 (NtPrivilegedServiceAuditAlarm)
7d61daa4: Syscall ordinal 00c7 for _ZwPulseEvent@8 (NtPulseEvent)
7d61dabc: Syscall ordinal 00c8 for _ZwQueryBootEntryOrder@8 (NtQueryBootEntryOrder)
7d61dad4: Syscall ordinal 00c9 for _ZwQueryBootOptions@8 (NtQueryBootOptions)
7d61daec: Syscall ordinal 00ca for _NtQueryDebugFilterState@8 (NtQueryDebugFilterState)
7d61db04: Syscall ordinal 00cb for _ZwQueryDirectoryObject@28 (NtQueryDirectoryObject)
7d61db1c: Syscall ordinal 00cc for _NtQueryDriverEntryOrder@8 (NtQueryDriverEntryOrder)
7d61db34: Syscall ordinal 00cd for _ZwQueryEaFile@36 (NtQueryEaFile)
7d61db4c: Syscall ordinal 00ce for _ZwQueryFullAttributesFile@8 (NtQueryFullAttributesFile)
7d61db64: Syscall ordinal 00cf for _NtQueryInformationAtom@20 (NtQueryInformationAtom)
7d61db7c: Syscall ordinal 00d0 for _ZwQueryInformationJobObject@20 (NtQueryInformationJobObject)
7d61db94: Syscall ordinal 00d1 for _ZwQueryInformationPort@20 (NtQueryInformationPort)
7d61dbac: Syscall ordinal 00d2 for _NtQueryInstallUILanguage@4 (NtQueryInstallUILanguage)
7d61dbc4: Syscall ordinal 00d3 for _NtQueryIntervalProfile@8 (NtQueryIntervalProfile)
7d61dbdc: Syscall ordinal 00d4 for _NtQueryIoCompletion@20 (NtQueryIoCompletion)
7d61dbf4: Syscall ordinal 00d5 for _NtQueryMultipleValueKey@24 (NtQueryMultipleValueKey)
7d61dc0c: Syscall ordinal 00d6 for _NtQueryMutant@20 (NtQueryMutant)
7d61dc24: Syscall ordinal 00d7 for _NtQueryOpenSubKeys@8 (NtQueryOpenSubKeys)
7d61dc3c: Syscall ordinal 00d8 for _NtQueryOpenSubKeysEx@16 (NtQueryOpenSubKeysEx)
7d61dc54: Syscall ordinal 00d9 for _ZwQueryPortInformationProcess@0 (NtQueryPortInformationProcess)
7d61dc6c: Syscall ordinal 00da for _ZwQueryQuotaInformationFile@36 (NtQueryQuotaInformationFile)
7d61dc84: Syscall ordinal 00db for _NtQuerySecurityObject@20 (NtQuerySecurityObject)
7d61dc9c: Syscall ordinal 00dc for _ZwQuerySemaphore@20 (NtQuerySemaphore)
7d61dcb4: Syscall ordinal 00dd for _ZwQuerySymbolicLinkObject@12 (NtQuerySymbolicLinkObject)
7d61dccc: Syscall ordinal 00de for _ZwQuerySystemEnvironmentValue@16 (NtQuerySystemEnvironmentValue)
7d61dce4: Syscall ordinal 00df for _ZwQuerySystemEnvironmentValueEx@20 (NtQuerySystemEnvironmentValueEx)
7d61dcfc: Syscall ordinal 00e0 for _NtQueryTimerResolution@12 (NtQueryTimerResolution)
7d61dd14: Syscall ordinal 00e1 for _ZwRaiseException@12 (NtRaiseException)
7d61dd2c: Syscall ordinal 00e2 for _ZwRaiseHardError@24 (NtRaiseHardError)
7d61dd44: Syscall ordinal 00e3 for _ZwRegisterThreadTerminatePort@4 (NtRegisterThreadTerminatePort)
7d61dd5c: Syscall ordinal 00e4 for _NtReleaseKeyedEvent@16 (NtReleaseKeyedEvent)
7d61dd74: Syscall ordinal 00e5 for _ZwRemoveProcessDebug@8 (NtRemoveProcessDebug)
7d61dd8c: Syscall ordinal 00e6 for _ZwRenameKey@8 (NtRenameKey)
7d61dda4: Syscall ordinal 00e7 for _ZwReplaceKey@12 (NtReplaceKey)
7d61ddbc: Syscall ordinal 00e8 for _NtReplyWaitReplyPort@8 (NtReplyWaitReplyPort)
7d61ddd4: Syscall ordinal 00e9 for _ZwRequestDeviceWakeup@4 (NtRequestDeviceWakeup)
7d61ddec: Syscall ordinal 00ea for _ZwRequestPort@8 (NtRequestPort)
7d61de04: Syscall ordinal 00eb for _ZwRequestWakeupLatency@4 (NtRequestWakeupLatency)
7d61de1c: Syscall ordinal 00ec for _NtResetEvent@8 (NtResetEvent)
7d61de34: Syscall ordinal 00ed for _ZwResetWriteWatch@12 (NtResetWriteWatch)
7d61de4c: Syscall ordinal 00ee for _NtRestoreKey@12 (NtRestoreKey)
7d61de64: Syscall ordinal 00ef for _ZwResumeProcess@4 (NtResumeProcess)
7d61de7c: Syscall ordinal 00f0 for _NtSaveKey@8 (NtSaveKey)
7d61de94: Syscall ordinal 00f1 for _NtSaveKeyEx@12 (NtSaveKeyEx)
7d61deac: Syscall ordinal 00f2 for _NtSaveMergedKeys@12 (NtSaveMergedKeys)
7d61dec4: Syscall ordinal 00f3 for _NtSecureConnectPort@36 (NtSecureConnectPort)
7d61dedc: Syscall ordinal 00f4 for _ZwSetBootEntryOrder@8 (NtSetBootEntryOrder)
7d61def4: Syscall ordinal 00f5 for _ZwSetBootOptions@8 (NtSetBootOptions)
7d61df0c: Syscall ordinal 00f6 for _ZwSetContextThread@8 (NtSetContextThread)
7d61df24: Syscall ordinal 00f7 for _NtSetDebugFilterState@12 (NtSetDebugFilterState)
7d61df3c: Syscall ordinal 00f8 for _NtSetDefaultHardErrorPort@4 (NtSetDefaultHardErrorPort)
7d61df54: Syscall ordinal 00f9 for _NtSetDefaultLocale@8 (NtSetDefaultLocale)
7d61df6c: Syscall ordinal 00fa for _ZwSetDefaultUILanguage@4 (NtSetDefaultUILanguage)
7d61df84: Syscall ordinal 00fb for _NtSetDriverEntryOrder@8 (NtSetDriverEntryOrder)
7d61df9c: Syscall ordinal 00fc for _ZwSetEaFile@16 (NtSetEaFile)
7d61dfb4: Syscall ordinal 00fd for _NtSetHighEventPair@4 (NtSetHighEventPair)
7d61dfcc: Syscall ordinal 00fe for _NtSetHighWaitLowEventPair@4 (NtSetHighWaitLowEventPair)
7d61dfe4: Syscall ordinal 00ff for _ZwSetInformationDebugObject@20 (NtSetInformationDebugObject)
7d61dffc: Syscall ordinal 0100 for _ZwSetInformationJobObject@16 (NtSetInformationJobObject)
7d61e014: Syscall ordinal 0101 for _ZwSetInformationKey@16 (NtSetInformationKey)
7d61e02c: Syscall ordinal 0102 for _ZwSetInformationToken@16 (NtSetInformationToken)
7d61e044: Syscall ordinal 0103 for _NtSetIntervalProfile@8 (NtSetIntervalProfile)
7d61e05c: Syscall ordinal 0104 for _NtSetIoCompletion@20 (NtSetIoCompletion)
7d61e074: Syscall ordinal 0105 for _ZwSetLdtEntries@24 (NtSetLdtEntries)
7d61e08c: Syscall ordinal 0106 for _ZwSetLowEventPair@4 (NtSetLowEventPair)
7d61e0a4: Syscall ordinal 0107 for _ZwSetLowWaitHighEventPair@4 (NtSetLowWaitHighEventPair)
7d61e0bc: Syscall ordinal 0108 for _ZwSetQuotaInformationFile@16 (NtSetQuotaInformationFile)
7d61e0d4: Syscall ordinal 0109 for _NtSetSecurityObject@12 (NtSetSecurityObject)
7d61e0ec: Syscall ordinal 010a for _ZwSetSystemEnvironmentValue@8 (NtSetSystemEnvironmentValue)
7d61e104: Syscall ordinal 010b for _ZwSetSystemEnvironmentValueEx@20 (NtSetSystemEnvironmentValueEx)
7d61e11c: Syscall ordinal 010c for _ZwSetSystemInformation@12 (NtSetSystemInformation)
7d61e134: Syscall ordinal 010d for _ZwSetSystemPowerState@12 (NtSetSystemPowerState)
7d61e14c: Syscall ordinal 010e for _ZwSetSystemTime@8 (NtSetSystemTime)
7d61e164: Syscall ordinal 010f for _ZwSetThreadExecutionState@8 (NtSetThreadExecutionState)
7d61e17c: Syscall ordinal 0110 for _NtSetTimerResolution@12 (NtSetTimerResolution)
7d61e194: Syscall ordinal 0111 for _ZwSetUuidSeed@4 (NtSetUuidSeed)
7d61e1ac: Syscall ordinal 0112 for _NtSetVolumeInformationFile@20 (NtSetVolumeInformationFile)
7d61e1c4: Syscall ordinal 0113 for _ZwShutdownSystem@4 (NtShutdownSystem)
7d61e1dc: Syscall ordinal 0114 for _ZwSignalAndWaitForSingleObject@16 (NtSignalAndWaitForSingleObject)
7d61e1f4: Syscall ordinal 0115 for _NtStartProfile@4 (NtStartProfile)
7d61e20c: Syscall ordinal 0116 for _ZwStopProfile@4 (NtStopProfile)
7d61e224: Syscall ordinal 0117 for _ZwSuspendProcess@4 (NtSuspendProcess)
7d61e23c: Syscall ordinal 0118 for _ZwSuspendThread@8 (NtSuspendThread)
7d61e254: Syscall ordinal 0119 for _NtSystemDebugControl@24 (NtSystemDebugControl)
7d61e26c: Syscall ordinal 011a for _ZwTerminateJobObject@8 (NtTerminateJobObject)
7d61e284: Syscall ordinal 011b for _NtTestAlert@0 (NtTestAlert)
7d61e29c: Syscall ordinal 011c for _NtTranslateFilePath@16 (NtTranslateFilePath)
7d61e2b4: Syscall ordinal 011d for _ZwUnloadDriver@4 (NtUnloadDriver)
7d61e2cc: Syscall ordinal 011e for _NtUnloadKey@4 (NtUnloadKey)
7d61e2e4: Syscall ordinal 011f for _ZwUnloadKey2@8 (NtUnloadKey2)
7d61e2fc: Syscall ordinal 0120 for _ZwUnloadKeyEx@8 (NtUnloadKeyEx)
7d61e314: Syscall ordinal 0121 for _ZwUnlockFile@20 (NtUnlockFile)
7d61e32c: Syscall ordinal 0122 for _NtUnlockVirtualMemory@16 (NtUnlockVirtualMemory)
7d61e344: Syscall ordinal 0123 for _NtVdmControl@8 (NtVdmControl)
7d61e35c: Syscall ordinal 0124 for _NtWaitForDebugEvent@16 (NtWaitForDebugEvent)
7d61e374: Syscall ordinal 0125 for _NtWaitForKeyedEvent@16 (NtWaitForKeyedEvent)
7d61e38c: Syscall ordinal 0126 for _ZwWaitHighEventPair@4 (NtWaitHighEventPair)
7d61e3a4: Syscall ordinal 0127 for _NtWaitLowEventPair@4 (NtWaitLowEventPair)
7d61e3bc: Syscall ordinal 0128 for _ZwWow64CsrClientConnectToServer@20 (NtWow64CsrClientConnectToServer)
7d61e3d4: Syscall ordinal 0129 for _NtWow64CsrNewThread@0 (NtWow64CsrNewThread)
7d61e3e8: Syscall ordinal 012a for _NtWow64CsrIdentifyAlertableThread@0 (NtWow64CsrIdentifyAlertableThread)
7d61e3fc: Syscall ordinal 012b for _NtWow64CsrClientCallServer@16 (NtWow64CsrClientCallServer)
7d61e414: Syscall ordinal 012c for _NtWow64CsrAllocateCaptureBuffer@8 (NtWow64CsrAllocateCaptureBuffer)
7d61e42c: Syscall ordinal 012d for _ZwWow64CsrFreeCaptureBuffer@4 (NtWow64CsrFreeCaptureBuffer)
7d61e444: Syscall ordinal 012e for _ZwWow64CsrAllocateMessagePointer@12 (NtWow64CsrAllocateMessagePointer)
7d61e45c: Syscall ordinal 012f for _ZwWow64CsrCaptureMessageBuffer@16 (NtWow64CsrCaptureMessageBuffer)
7d61e474: Syscall ordinal 0130 for _ZwWow64CsrCaptureMessageString@20 (NtWow64CsrCaptureMessageString)
7d61e48c: Syscall ordinal 0131 for _ZwWow64CsrSetPriorityClass@8 (NtWow64CsrSetPriorityClass)
7d61e4a4: Syscall ordinal 0132 for _NtWow64CsrGetProcessId@0 (NtWow64CsrGetProcessId)
7d61e4b8: Syscall ordinal 0133 for _NtWow64DebuggerCall@20 (NtWow64DebuggerCall)
7d61e4d0: Syscall ordinal 0134 for _ZwWow64GetNativeSystemInformation@16 (NtWow64GetNativeSystemInformation
RtlGetNativeSystemInformation)
7d61e4e8: Syscall ordinal 0135 for _NtWow64QueryInformationProcess64@20 (NtWow64QueryInformationProcess64)
7d61e500: Syscall ordinal 0136 for _NtWow64ReadVirtualMemory64@28 (NtWow64ReadVirtualMemory64)
7d61e518: Syscall ordinal 0137 for _ZwWow64QueryVirtualMemory64@32 (NtWow64QueryVirtualMemory64)
Here is the output for user32.dll:
7d947018: Syscall ordinal 1005 for _NtUserCallNoParam@4 (None)
7d9470ba: Syscall ordinal 106b for _NtUserGetObjectInformation@20 (None)
7d9470f4: Syscall ordinal 1021 for _NtUserGetProcessWindowStation@0 (None)
7d9471dd: Syscall ordinal 100e for _NtUserPostMessage@16 (None)
7d947261: Syscall ordinal 105d for _NtUserMoveWindow@24 (None)
7d94784b: Syscall ordinal 1006 for _NtUserGetMessage@16 (None)
7d947a14: Syscall ordinal 125b for _NtUserInitializeClientPfnArrays@16 (None)
7d948043: Syscall ordinal 1002 for _NtUserCallOneParam@8 (None)
7d948270: Syscall ordinal 1041 for _NtUserSystemParametersInfo@16 (None)
7d948473: Syscall ordinal 1007 for _NtUserMessageCall@28 (None)
7d948535: Syscall ordinal 104b for _NtUserSetProp@12 (None)
7d9485c5: Syscall ordinal 109f for _NtUserCallHwndParam@12 (None)
7d948631: Syscall ordinal 100f for _NtUserQueryWindow@8 (None)
7d948670: Syscall ordinal 1017 for _NtUserSetTimer@16 (None)
7d94868d: Syscall ordinal 101a for _NtUserKillTimer@8 (None)
7d9486aa: Syscall ordinal 103b for _NtUserGetForegroundWindow@0 (None)
7d9488ff: Syscall ordinal 1291 for _NtUserUpdateLayeredWindow@40 (None)
7d9489e6: Syscall ordinal 106e for _NtUserFindWindowEx@20 (None)
7d948a1e: Syscall ordinal 1070 for _NtUserUnhookWindowsHookEx@4 (None)
7d948a3b: Syscall ordinal 10d1 for _NtUserValidateRect@8 (None)
7d948a58: Syscall ordinal 1078 for _NtUserSetParent@8 (None)
7d948a99: Syscall ordinal 10d9 for _NtUserGetWindowPlacement@8 (None)
7d948ab6: Syscall ordinal 105e for _NtUserPostThreadMessage@16 (None)
7d948cdd: Syscall ordinal 1036 for _NtUserRegisterWindowMessage@4 (None)
7d9490f6: Syscall ordinal 1019 for _NtUserSetCursor@4 (None)
7d94913e: Syscall ordinal 1045 for _NtUserRemoveProp@8 (None)
7d949175: Syscall ordinal 1023 for _NtUserSetWindowPos@28 (None)
7d9491f4: Syscall ordinal 1001 for _NtUserPeekMessage@20 (None)
7d949355: Syscall ordinal 100c for _NtUserWaitMessage@0 (None)
7d949370: Syscall ordinal 1035 for _NtUserDispatchMessage@4 (None)
7d94950b: Syscall ordinal 1004 for _NtUserInvalidateRect@12 (None)
7d9496c8: Syscall ordinal 1000 for _NtUserGetThreadState@4 (None)
7d9496f2: Syscall ordinal 1018 for _NtUserEndPaint@8 (None)
7d94970f: Syscall ordinal 1016 for _NtUserBeginPaint@8 (None)
7d94972c: Syscall ordinal 1012 for _NtUserRedrawWindow@16 (None)
7d9499f8: Syscall ordinal 107c for _NtUserGetClassName@12 (None)
7d949a42: Syscall ordinal 10b6 for _NtUserGetAncestor@8 (None)
7d949bbe: Syscall ordinal 1003 for _NtUserGetKeyState@4 (None)
7d949bdb: Syscall ordinal 1026 for _NtUserCallHwndParamLock@12 (None)
7d949da1: Syscall ordinal 1013 for _NtUserWindowFromPoint@8 (None)
7d94a011: Syscall ordinal 10cc for _NtUserInvalidateRgn@12 (None)
7d94a09d: Syscall ordinal 100a for _NtUserGetDC@4 (None)
7d94a183: Syscall ordinal 1057 for _NtUserShowWindow@8 (None)
7d94a312: Syscall ordinal 1063 for _NtUserGetWindowDC@4 (None)
7d94a5c1: Syscall ordinal 105b for _NtUserSetWindowLong@16 (None)
7d94a6df: Syscall ordinal 1048 for _NtUserSetCapture@4 (None)
7d94a722: Syscall ordinal 1058 for _NtUserGetKeyboardLayoutList@8 (None)
7d94ad62: Syscall ordinal 100d for _NtUserTranslateMessage@8 (None)
7d94adfb: Syscall ordinal 1020 for _NtUserCallHwndLock@8 (None)
7d94ae1d: Syscall ordinal 101e for _NtUserHideCaret@4 (None)
7d94ae3a: Syscall ordinal 1024 for _NtUserShowCaret@4 (None)
7d94af58: Syscall ordinal 1029 for _NtUserCallTwoParam@12 (None)
7d94af75: Syscall ordinal 1031 for _NtUserCreateCaret@16 (None)
7d94b0b8: Syscall ordinal 102e for _NtUserIsClipboardFormatAvailable@4 (None)
7d94b0d5: Syscall ordinal 1055 for _NtUserGetClipboardSequenceNumber@0 (None)
7d94b132: Syscall ordinal 102f for _NtUserSetScrollInfo@16 (None)
7d94b29f: Syscall ordinal 1025 for _NtUserEndDeferWindowPosEx@8 (None)
7d94b2bc: Syscall ordinal 1052 for _NtUserDeferWindowPos@32 (None)
7d94c0cf: Syscall ordinal 1050 for _NtUserSetFocus@4 (None)
7d94c268: Syscall ordinal 1090 for _NtUserGetTitleBarInfo@8 (None)
7d94c2ac: Syscall ordinal 1062 for _NtUserInternalGetWindowText@12 (None)
7d94c2c9: Syscall ordinal 1098 for _NtUserCalcMenuBar@20 (None)
7d94c2e6: Syscall ordinal 1093 for _NtUserGetDCEx@12 (None)
7d94c412: Syscall ordinal 105f for _NtUserDrawIconEx@44 (None)
7d94c6b5: Syscall ordinal 101b for _NtUserBuildHwndList@28 (None)
7d94c821: Syscall ordinal 109e for _NtUserDestroyWindow@4 (None)
7d94c856: Syscall ordinal 109d for _NtUserDestroyCursor@8 (None)
7d94c873: Syscall ordinal 104e for _NtUserGetIconInfo@24 (None)
7d94c8bf: Syscall ordinal 10ce for _NtUserSetWindowRgn@12 (None)
7d94cb0e: Syscall ordinal 10ad for _NtUserGetAtomName@8 (None)
7d94cc1b: Syscall ordinal 10bd for _NtUserGetClassInfoEx@20 (None)
7d94cd6a: Syscall ordinal 1099 for _NtUserThunkedMenuItemInfo@24 (None)
7d94cd87: Syscall ordinal 10c0 for _NtUserDeleteMenu@12 (None)
7d94d117: Syscall ordinal 10c2 for _NtUserScrollWindowEx@32 (None)
7d94d195: Syscall ordinal 127b for _NtUserSetLayeredWindowAttributes@16 (None)
7d94d1b2: Syscall ordinal 10c4 for _NtUserSetClassLong@16 (None)
7d94d3fd: Syscall ordinal 1104 for _NtUserGetGUIThreadInfo@8 (None)
7d94da17: Syscall ordinal 1010 for _NtUserTranslateAccelerator@12 (None)
7d94da4c: Syscall ordinal 1015 for _NtUserValidateTimerCallback@4 (None)
7d94deb1: Syscall ordinal 103d for _NtUserFindExistingCursorIcon@12 (None)
7d94df61: Syscall ordinal 103c for _NtUserShowScrollBar@12 (None)
7d94dfb5: Syscall ordinal 10e1 for _NtUserDestroyMenu@4 (None)
7d94e0d2: Syscall ordinal 10ba for _NtUserGetDoubleClickTime@0 (None)
7d94e284: Syscall ordinal 10bf for _NtUserUnregisterClass@12 (None)
7d94e5d6: Syscall ordinal 104d for _NtUserSBGetParms@16 (None)
7d94e66a: Syscall ordinal 1094 for _NtUserGetScrollBarInfo@12 (None)
7d94ed83: Syscall ordinal 10a8 for _NtUserSetCursorIconData@16 (None)
7d94f54e: Syscall ordinal 10f5 for _NtUserCreateAcceleratorTable@8 (None)
7d94f87b: Syscall ordinal 1077 for _NtUserCreateWindowEx@60 (None)
7d94f898: Syscall ordinal 10b4 for _NtUserRegisterClassExWOW@28 (None)
7d95008e: Syscall ordinal 1060 for _NtUserGetSystemMenu@8 (None)
7d9505a3: Syscall ordinal 1049 for _NtUserEnumDisplayMonitors@16 (None)
7d950e13: Syscall ordinal 105a for _NtUserMapVirtualKeyEx@16 (None)
7d950f8c: Syscall ordinal 110a for _NtUserUnhookWinEvent@4 (None)
7d951366: Syscall ordinal 10df for _NtUserTrackMouseEvent@4 (None)
7d9513f4: Syscall ordinal 1112 for _NtUserCallHwnd@8 (None)
7d9514e8: Syscall ordinal 10ec for _NtUserSetWindowWord@12 (None)
7d951835: Syscall ordinal 1089 for _NtUserGetIconSize@16 (None)
7d952548: Syscall ordinal 10f8 for _NtUserGetCaretBlinkTime@0 (None)
7d95256b: Syscall ordinal 123f for _NtUserGetCaretPos@4 (None)
7d9529aa: Syscall ordinal 1043 for _NtUserGetAsyncKeyState@4 (None)
7d952ab8: Syscall ordinal 10d2 for _NtUserCloseClipboard@0 (None)
7d952afd: Syscall ordinal 10d3 for _NtUserOpenClipboard@8 (None)
7d952c07: Syscall ordinal 104f for _NtUserExcludeUpdateRgn@8 (None)
7d952c24: Syscall ordinal 1079 for _NtUserGetKeyboardState@4 (None)
7d952c41: Syscall ordinal 10f3 for _NtUserSetKeyboardState@4 (None)
7d952d4b: Syscall ordinal 1044 for _NtUserGetCPD@12 (None)
7d952dce: Syscall ordinal 1027 for _NtUserVkKeyScanEx@12 (None)
7d952e3c: Syscall ordinal 102c for _NtUserNotifyWinEvent@16 (None)
7d9531f0: Syscall ordinal 1121 for _NtUserSetClipboardViewer@4 (None)
7d95320d: Syscall ordinal 111f for _NtUserChangeClipboardChain@8 (None)
7d953a99: Syscall ordinal 10f2 for _NtUserPaintMenuBar@24 (None)
7d954d8d: Syscall ordinal 108d for _NtUserSetWindowsHookEx@24 (None)
7d954f9a: Syscall ordinal 10b9 for _NtUserCloseWindowStation@4 (None)
7d955278: Syscall ordinal 1080 for _NtUserDefSetText@8 (None)
7d955c20: Syscall ordinal 1096 for _NtUserSetWindowFNID@8 (None)
7d955d70: Syscall ordinal 10dd for _NtUserSetThreadState@8 (None)
7d9566a3: Syscall ordinal 10e4 for _NtUserSetActiveWindow@4 (None)
7d956abc: Syscall ordinal 10f6 for _NtUserGetCursorFrameInfo@16 (None)
7d956b38: Syscall ordinal 101d for _NtUserCallNextHookEx@16 (None)
7d956bce: Syscall ordinal 10e6 for _NtUserSetWindowPlacement@8 (None)
7d956f86: Syscall ordinal 108a for _NtUserFillWindow@16 (None)
7d956fba: Syscall ordinal 1014 for _NtUserCallMsgFilter@8 (None)
7d957d5c: Syscall ordinal 110c for _NtUserLockWindowUpdate@4 (None)
7d958b57: Syscall ordinal 10fb for _NtUserEnumDisplayDevices@16 (None)
7d958cc0: Syscall ordinal 1109 for _NtUserSetWinEventHook@32 (None)
7d959cf6: Syscall ordinal 10aa for _NtUserCloseDesktop@4 (None)
7d959e46: Syscall ordinal 10b2 for _NtUserBuildNameList@16 (None)
7d959eb0: Syscall ordinal 10ab for _NtUserOpenDesktop@12 (None)
7d95a0f5: Syscall ordinal 10a1 for _NtUserOpenWindowStation@8 (None)
7d95a825: Syscall ordinal 107b for _NtUserGetControlBrush@12 (None)
7d9610e1: Syscall ordinal 10d7 for _NtUserAlterWindowStyle@12 (None)
7d9652e2: Syscall ordinal 1106 for _NtUserSetWindowsHookAW@12 (None)
7d96534d: Syscall ordinal 1108 for _NtUserCheckMenuItem@12 (None)
7d967424: Syscall ordinal 110d for _NtUserSetSystemMenu@8 (None)
7d9677a4: Syscall ordinal 110e for _NtUserThunkedMenuInfo@8 (None)
7d967fb4: Syscall ordinal 10cf for _NtUserBitBltSysBmp@32 (None)
7d969411: Syscall ordinal 1114 for _NtUserModifyUserStartupInfoFlags@8 (None)
7d9699bd: Syscall ordinal 1084 for _NtUserGetThreadDesktop@8 (None)
7d969c69: Syscall ordinal 10ed for _NtUserGetClipboardFormatName@12 (None)
7d969cf8: Syscall ordinal 10fc for _NtUserEmptyClipboard@0 (None)
7d969d13: Syscall ordinal 10cd for _NtUserGetClipboardOwner@0 (None)
7d969ef4: Syscall ordinal 10fd for _NtUserGetClipboardData@8 (None)
7d969f66: Syscall ordinal 10ef for _NtUserCreateLocalMemHandle@16 (None)
7d969f93: Syscall ordinal 10d5 for _NtUserSetClipboardData@12 (None)
7d96a120: Syscall ordinal 1102 for _NtUserConvertMemHandle@8 (None)
7d96a6bf: Syscall ordinal 10dc for _NtUserGetOpenClipboardWindow@0 (None)
7d96a6da: Syscall ordinal 1115 for _NtUserCountClipboardFormats@0 (None)
7d96a753: Syscall ordinal 122c for _NtUserClipCursor@4 (None)
7d96a8f2: Syscall ordinal 10c5 for _NtUserGetMenuBarInfo@16 (None)
7d96a963: Syscall ordinal 10fe for _NtUserRemoveMenu@12 (None)
7d96aa0e: Syscall ordinal 111a for _NtUserEnumDisplaySettings@16 (None)
7d96abbb: Syscall ordinal 102b for _NtUserCopyAcceleratorTable@12 (None)
7d96bca8: Syscall ordinal 107a for _NtUserToUnicodeEx@28 (None)
7d96c41c: Syscall ordinal 122b for _NtUserChildWindowFromPointEx@16 (None)
7d96c566: Syscall ordinal 1107 for _NtUserSetMenuDefaultItem@12 (None)
7d96d34e: Syscall ordinal 1113 for _NtUserDdeInitialize@20 (None)
7d96d976: Syscall ordinal 1231 for _NtUserDdeGetQualityOfService@12 (None)
7d96f7d7: Syscall ordinal 127d for _NtUserSetMenu@12 (None)
7d96f996: Syscall ordinal 10ac for _NtUserSetProcessWindowStation@4 (None)
7d96fa81: Syscall ordinal 1092 for _NtUserSetThreadDesktop@4 (None)
7d96fd73: Syscall ordinal 10e7 for _NtUserGetControlColor@16 (None)
7d9819d7: Syscall ordinal 1296 for _NtUserWaitForMsgAndEvent@4 (None)
7d981d9c: Syscall ordinal 1126 for _NtUserActivateKeyboardLayout@8 (None)
7d981db9: Syscall ordinal 1123 for _NtUserSetConsoleReserveKeys@8 (None)
7d981f00: Syscall ordinal 1262 for _NtUserMinMaximize@12 (None)
7d986b17: Syscall ordinal 1286 for _NtUserSetWindowStationUser@16 (None)
7d986b34: Syscall ordinal 1229 for _NtUserCallHwndOpt@8 (None)
7d986b51: Syscall ordinal 122f for _NtUserCreateWindowStation@28 (None)
7d9a0785: Syscall ordinal 1083 for _NtUserSendInput@12 (None)
7d9a07a2: Syscall ordinal 10bb for _NtUserEnableScrollBar@12 (None)
7d9a07bf: Syscall ordinal 10e5 for _NtUserSetInformationThread@16 (None)
7d9a07dc: Syscall ordinal 10ee for _NtUserRealInternalGetMessage@24 (None)
7d9a07f9: Syscall ordinal 10f0 for _NtUserAttachThreadInput@12 (None)
7d9a0816: Syscall ordinal 10f7 for _NtUserGetAltTabInfo@24 (None)
7d9a0833: Syscall ordinal 10fa for _NtUserProcessConnect@12 (None)
7d9a0850: Syscall ordinal 111b for _NtUserPaintDesktop@4 (None)
7d9a086d: Syscall ordinal 1122 for _NtUserShowWindowAsync@8 (None)
7d9a088a: Syscall ordinal 1226 for _NtUserBlockInput@4 (None)
7d9a08a7: Syscall ordinal 1228 for _NtUserBuildPropList@16 (None)
7d9a08c4: Syscall ordinal 122a for _NtUserChangeDisplaySettings@16 (None)
7d9a08e1: Syscall ordinal 122d for _NtUserCreateDesktop@20 (None)
7d9a08fe: Syscall ordinal 1232 for _NtUserDdeSetQualityOfService@12 (None)
7d9a091b: Syscall ordinal 1235 for _NtUserDragDetect@12 (None)
7d9a0938: Syscall ordinal 1236 for _NtUserDragObject@20 (None)
7d9a0955: Syscall ordinal 1237 for _NtUserDrawAnimatedRects@16 (None)
7d9a0972: Syscall ordinal 1238 for _NtUserDrawCaption@16 (None)
7d9a098f: Syscall ordinal 1239 for _NtUserDrawCaptionTemp@28 (None)
7d9a09ac: Syscall ordinal 123a for _NtUserDrawMenuBarTemp@20 (None)
7d9a09c9: Syscall ordinal 123b for _NtUserEndMenu@0 (None)
7d9a09e4: Syscall ordinal 123c for _NtUserEvent@4 (None)
7d9a0a01: Syscall ordinal 123d for _NtUserFlashWindowEx@4 (None)
7d9a0a1e: Syscall ordinal 1240 for _NtUserGetClipCursor@4 (None)
7d9a0a3b: Syscall ordinal 1241 for _NtUserGetClipboardViewer@0 (None)
7d9a0a56: Syscall ordinal 1242 for _NtUserGetComboBoxInfo@8 (None)
7d9a0a73: Syscall ordinal 1243 for _NtUserGetCursorInfo@4 (None)
7d9a0a90: Syscall ordinal 1244 for _NtUserGetGuiResources@8 (None)
7d9a0aad: Syscall ordinal 1245 for _NtUserGetImeHotKey@16 (None)
7d9a0aca: Syscall ordinal 1247 for _NtUserGetInternalWindowPos@12 (None)
7d9a0ae7: Syscall ordinal 1248 for _NtUserGetKeyNameText@12 (None)
7d9a0b04: Syscall ordinal 1249 for _NtUserGetKeyboardLayoutName@4 (None)
7d9a0b21: Syscall ordinal 124a for _NtUserGetLayeredWindowAttributes@16 (None)
7d9a0b3e: Syscall ordinal 124b for _NtUserGetListBoxInfo@4 (None)
7d9a0b5b: Syscall ordinal 124c for _NtUserGetMenuIndex@8 (None)
7d9a0b78: Syscall ordinal 124d for _NtUserGetMenuItemRect@16 (None)
7d9a0b95: Syscall ordinal 124e for _NtUserGetMouseMovePointsEx@20 (None)
7d9a0bb2: Syscall ordinal 124f for _NtUserGetPriorityClipboardFormat@8 (None)
7d9a0bcf: Syscall ordinal 1250 for _NtUserGetRawInputBuffer@12 (None)
7d9a0bec: Syscall ordinal 1251 for _NtUserGetRawInputData@20 (None)
7d9a0c09: Syscall ordinal 1252 for _NtUserGetRawInputDeviceInfo@16 (None)
7d9a0c26: Syscall ordinal 1253 for _NtUserGetRawInputDeviceList@12 (None)
7d9a0c43: Syscall ordinal 1254 for _NtUserGetRegisteredRawInputDevices@12 (None)
7d9a0c60: Syscall ordinal 1255 for _NtUserGetWOWClass@8 (None)
7d9a0c7d: Syscall ordinal 1257 for _NtUserHiliteMenuItem@16 (None)
7d9a0c9a: Syscall ordinal 1258 for _NtUserImpersonateDdeClientWindow@8 (None)
7d9a0cb7: Syscall ordinal 1259 for _NtUserInitTask@48 (None)
7d9a0cd4: Syscall ordinal 125c for _NtUserLoadKeyboardLayoutEx@28 (None)
7d9a0cf1: Syscall ordinal 125d for _NtUserLockWindowStation@4 (None)
7d9a0d0e: Syscall ordinal 125e for _NtUserLockWorkStation@0 (None)
7d9a0d29: Syscall ordinal 125f for _NtUserMNDragLeave@0 (None)
7d9a0d44: Syscall ordinal 1260 for _NtUserMNDragOver@8 (None)
7d9a0d61: Syscall ordinal 1261 for _NtUserMenuItemFromPoint@16 (None)
7d9a0d7e: Syscall ordinal 1263 for _NtUserNotifyIMEStatus@12 (None)
7d9a0d9b: Syscall ordinal 1264 for _NtUserOpenInputDesktop@12 (None)
7d9a0db8: Syscall ordinal 1265 for _NtUserPrintWindow@12 (None)
7d9a0dd5: Syscall ordinal 1268 for _NtUserQuerySendMessage@4 (None)
7d9a0df2: Syscall ordinal 1269 for _NtUserRealChildWindowFromPoint@12 (None)
7d9a0e0f: Syscall ordinal 126a for _NtUserRealWaitMessageEx@8 (None)
7d9a0e2c: Syscall ordinal 126b for _NtUserRegisterHotKey@16 (None)
7d9a0e49: Syscall ordinal 126c for _NtUserRegisterRawInputDevices@12 (None)
7d9a0e66: Syscall ordinal 126d for _NtUserRegisterTasklist@4 (None)
7d9a0e83: Syscall ordinal 126e for _NtUserRegisterUserApiHook@16 (None)
7d9a0ea0: Syscall ordinal 1273 for _NtUserResolveDesktopForWOW@4 (None)
7d9a0ebd: Syscall ordinal 1275 for _NtUserSetClassWord@12 (None)
7d9a0eda: Syscall ordinal 1276 for _NtUserSetCursorContents@8 (None)
7d9a0ef7: Syscall ordinal 1277 for _NtUserSetImeHotKey@20 (None)
7d9a0f14: Syscall ordinal 1279 for _NtUserSetImeOwnerWindow@8 (None)
7d9a0f31: Syscall ordinal 127a for _NtUserSetInternalWindowPos@16 (None)
7d9a0f4e: Syscall ordinal 127c for _NtUserSetLogonNotifyWindow@4 (None)
7d9a0f6b: Syscall ordinal 127e for _NtUserSetMenuContextHelpId@8 (None)
7d9a0f88: Syscall ordinal 127f for _NtUserSetMenuFlagRtoL@4 (None)
7d9a0fa5: Syscall ordinal 1280 for _NtUserSetObjectInformation@16 (SetUserObjectInformationA)
7d9a0fc2: Syscall ordinal 1281 for _NtUserSetShellWindowEx@8 (None)
7d9a0fdf: Syscall ordinal 1282 for _NtUserSetSysColors@16 (None)
7d9a0ffc: Syscall ordinal 1283 for _NtUserSetSystemCursor@8 (None)
7d9a1019: Syscall ordinal 1284 for _NtUserSetSystemTimer@16 (None)
7d9a1036: Syscall ordinal 1288 for _NtUserSwitchDesktop@4 (None)
7d9a1053: Syscall ordinal 1289 for _NtUserTestForInteractiveUser@4 (None)
7d9a1070: Syscall ordinal 128a for _NtUserTrackPopupMenuEx@24 (None)
7d9a108d: Syscall ordinal 128b for _NtUserUnloadKeyboardLayout@4 (None)
7d9a10aa: Syscall ordinal 128c for _NtUserUnlockWindowStation@4 (None)
7d9a10c7: Syscall ordinal 128d for _NtUserUnregisterHotKey@8 (None)
7d9a10e4: Syscall ordinal 128e for _NtUserUnregisterUserApiHook@0 (None)
7d9a10ff: Syscall ordinal 128f for _NtUserUpdateInputContext@12 (None)
7d9a111c: Syscall ordinal 1290 for _NtUserUpdateInstance@12 (None)
7d9a1139: Syscall ordinal 1292 for _NtUserUpdatePerUserSystemParameters@8 (None)
7d9a1156: Syscall ordinal 1293 for _NtUserUserHandleGrantAccess@12 (None)
7d9a1173: Syscall ordinal 1294 for _NtUserValidateHandleSecure@4 (None)
7d9a1190: Syscall ordinal 1295 for _NtUserWaitForInputIdle@12 (None)
7d9a11ad: Syscall ordinal 1297 for _NtUserWin32PoolAllocationStats@24 (None)
7d9a11ca: Syscall ordinal 1298 for _NtUserYieldTask@0 (None)
And here is the output for kernel32.dll:
7d4df1bc: Syscall ordinal 3000 for _NtWow64CsrBasepSoundSentryNotification@4 (None)
7d4df1d4: Syscall ordinal 3001 for _NtWow64CsrBasepRefreshIniFileMapping@4 (None)
7d4df1ec: Syscall ordinal 3002 for _NtWow64CsrBasepDefineDosDevice@12 (None)
7d4df204: Syscall ordinal 3003 for _NtWow64CsrBasepGetTempFile@0 (None)
7d4df218: Syscall ordinal 3004 for _NtWow64CsrBasepCreateProcess@4 (None)
7d4df230: Syscall ordinal 3005 for _NtWow64CsrBasepExitProcess@4 (None)
7d4df248: Syscall ordinal 3006 for _NtWow64CsrBasepSetProcessShutdownParam@8 (None)
7d4df260: Syscall ordinal 3007 for _NtWow64CsrBasepGetProcessShutdownParam@8 (None)
7d4df278: Syscall ordinal 3008 for _NtWow64CsrBasepSetTermsrvAppInstallMode@4 (None)
7d4df290: Syscall ordinal 3009 for _NtWow64CsrBasepSetClientTimeZoneInformation@4 (None)
7d4df2a8: Syscall ordinal 300a for _NtWow64CsrBasepCreateThread@12 (None)
7d4df2c0: Syscall ordinal 300b for _NtWow64CsrBaseClientConnectToServer@12 (None)
7d4df2d8: Syscall ordinal 300c for _NtWow64CsrBasepNlsSetUserInfo@12 (None)
7d4df2f0: Syscall ordinal 300d for _NtWow64CsrBasepNlsSetMultipleUserInfo@28 (None)
7d4df308: Syscall ordinal 300e for _NtWow64CsrBasepNlsCreateSection@12 (None)
7d4df320: Syscall ordinal 300f for _NtWow64CsrBasepCreateActCtx@4 (None)
7d4df338: Syscall ordinal 3010 for _NtWow64CsrBasepNlsUpdateCacheCount@0 (None)
7d4df34c: Syscall ordinal 3011 for _NtWow64CsrBaseCheckRunApp@40 (None)
7d4df364: Syscall ordinal 3012 for _NtWow64CsrBasepNlsGetUserInfo@8 (None)
7d4df37c: Syscall ordinal 3013 for _NtWow64CsrBaseQueryModuleData@20 (None)
7d4e9514: Syscall ordinal 203b for _ConnectConsoleInternal@12 (None)
7d4ea51e: Syscall ordinal 2000 for _OpenConsoleWInternal@16 (None)
7d4eade7: Syscall ordinal 203f for _GetConsoleLangId@4 (None)
7d4eb3ee: Syscall ordinal 204b for _GetConsoleTitleInternal@12 (None)
7d4eb7a2: Syscall ordinal 202a for _GetConsoleCP@0 (None)
7d4ed26f: Syscall ordinal 2007 for _VerifyConsoleIoHandle@4 (None)
7d4ed28c: Syscall ordinal 2012 for _GetConsoleMode@8 (None)
7d4ed2a9: Syscall ordinal 2002 for _WriteConsoleInternal@20 (None)
7d4ed325: Syscall ordinal 2004 for _DuplicateConsoleHandle@16 (None)
7d4ed34c: Syscall ordinal 2003 for _CloseConsoleHandle@4 (None)
7d4ed374: Syscall ordinal 201e for _SetConsoleMode@8 (None)
7d4ed51b: Syscall ordinal 202c for _GetConsoleOutputCP@0 (None)
7d503305: Syscall ordinal 2017 for _GetConsoleScreenBufferInfo@8 (None)
7d54f034: Syscall ordinal 2001 for _ReadConsoleInternal@32 (None)
7d54f051: Syscall ordinal 2005 for _GetConsoleHandleInformation@8 (None)
7d54f06e: Syscall ordinal 2006 for _SetConsoleHandleInformation@12 (None)
7d54f08b: Syscall ordinal 2008 for _SetLastConsoleEventActiveInternal@0 (None)
7d54f0a6: Syscall ordinal 2009 for _GetConsoleInput@24 (None)
7d54f0c3: Syscall ordinal 200a for _WriteConsoleInputInternal@24 (None)
7d54f0e0: Syscall ordinal 200b for _ReadConsoleOutputInternal@24 (None)
7d54f0fd: Syscall ordinal 200c for _WriteConsoleOutputInternal@24 (None)
7d54f11a: Syscall ordinal 200d for _ReadConsoleOutputString@28 (None)
7d54f137: Syscall ordinal 200e for _WriteConsoleOutputString@28 (None)
7d54f154: Syscall ordinal 200f for _FillConsoleOutput@24 (None)
7d54f171: Syscall ordinal 2010 for _CreateConsoleScreenBuffer@20 (None)
7d54f18e: Syscall ordinal 2011 for _InvalidateConsoleDIBits@8 (None)
7d54f1ab: Syscall ordinal 2013 for _GetConsoleProcessList@8 (None)
7d54f1c8: Syscall ordinal 2014 for _GetNumberOfConsoleFonts@0 (None)
7d54f1e3: Syscall ordinal 2015 for _GetNumberOfConsoleInputEvents@8 (None)
7d54f200: Syscall ordinal 2016 for _GetLargestConsoleWindowSize@4 (None)
7d54f21d: Syscall ordinal 2018 for _GetConsoleCursorInfo@8 (None)
7d54f23a: Syscall ordinal 2019 for _GetConsoleSelectionInfo@4 (None)
7d54f257: Syscall ordinal 201a for _GetNumberOfConsoleMouseButtons@4 (None)
7d54f274: Syscall ordinal 201b for _GetConsoleFontInfo@16 (None)
7d54f291: Syscall ordinal 201c for _GetConsoleFontSize@8 (None)
7d54f2ae: Syscall ordinal 201d for _GetCurrentConsoleFont@12 (None)
7d54f2cb: Syscall ordinal 201f for _GenerateConsoleCtrlEvent@8 (None)
7d54f2e8: Syscall ordinal 2020 for _SetConsoleActiveScreenBuffer@4 (None)
7d54f305: Syscall ordinal 2021 for _FlushConsoleInputBuffer@4 (None)
7d54f322: Syscall ordinal 2022 for _SetConsoleScreenBufferSize@8 (None)
7d54f33f: Syscall ordinal 2023 for _SetConsoleCursorPosition@8 (None)
7d54f35c: Syscall ordinal 2024 for _SetConsoleCursorInfo@8 (None)
7d54f379: Syscall ordinal 2025 for _SetConsoleWindowInfo@12 (None)
7d54f396: Syscall ordinal 2026 for _ScrollConsoleScreenBufferInternal@24 (None)
7d54f3b3: Syscall ordinal 2027 for _SetConsoleTextAttribute@8 (None)
7d54f3d0: Syscall ordinal 2028 for _SetConsoleFont@8 (None)
7d54f3ed: Syscall ordinal 2029 for _SetConsoleIcon@4 (None)
7d54f40a: Syscall ordinal 202b for _SetConsoleCP@4 (None)
7d54f427: Syscall ordinal 202d for _SetConsoleOutputCPInternal@4 (None)
7d54f444: Syscall ordinal 202e for _GetConsoleKeyboardLayoutNameWorker@8 (None)
7d54f461: Syscall ordinal 202f for _GetConsoleWindow@0 (None)
7d54f47c: Syscall ordinal 2030 for _SetConsoleCursor@8 (None)
7d54f499: Syscall ordinal 2031 for _ShowConsoleCursor@8 (None)
7d54f4b6: Syscall ordinal 2032 for _ConsoleMenuControl@12 (None)
7d54f4d3: Syscall ordinal 2033 for _SetConsolePaletteInternal@12 (None)
7d54f4f0: Syscall ordinal 2034 for _RegisterConsoleVDM@44 (None)
7d54f50d: Syscall ordinal 2035 for _SetConsoleDisplayMode@12 (None)
7d54f52a: Syscall ordinal 2036 for _GetConsoleHardwareState@12 (None)
7d54f547: Syscall ordinal 2037 for _SetConsoleHardwareState@12 (None)
7d54f564: Syscall ordinal 2038 for _GetConsoleDisplayMode@4 (None)
7d54f581: Syscall ordinal 2039 for _SetConsoleKeyShortcuts@16 (None)
7d54f59e: Syscall ordinal 203a for _SetConsoleMenuClose@4 (None)
7d54f5bb: Syscall ordinal 203c for _AllocConsoleInternal@44 (None)
7d54f5d8: Syscall ordinal 203d for _FreeConsoleInternal@0 (None)
7d54f5f3: Syscall ordinal 203e for _AttachConsoleInternal@16 (None)
7d54f610: Syscall ordinal 2040 for _AddConsoleAliasInternal@24 (None)
7d54f62d: Syscall ordinal 2041 for _GetConsoleAliasInternal@24 (None)
7d54f64a: Syscall ordinal 2042 for _GetConsoleAliasesLengthInternal@8 (None)
7d54f667: Syscall ordinal 2043 for _GetConsoleAliasExesLengthInternal@4 (None)
7d54f684: Syscall ordinal 2044 for _GetConsoleAliasesInternal@16 (None)
7d54f6a1: Syscall ordinal 2045 for _GetConsoleAliasExesInternal@12 (None)
7d54f6be: Syscall ordinal 2046 for _ExpungeConsoleCommandHistoryInternal@8 (None)
7d54f6db: Syscall ordinal 2047 for _SetConsoleNumberOfCommandsInternal@12 (None)
7d54f6f8: Syscall ordinal 2048 for _GetConsoleCommandHistoryLengthInternal@8 (None)
7d54f715: Syscall ordinal 2049 for _GetConsoleCommandHistoryInternal@16 (None)
7d54f732: Syscall ordinal 204a for _SetConsoleCommandHistoryMode@4 (None)
7d54f74f: Syscall ordinal 204c for _SetConsoleTitleInternal@12 (None)
7d54f76c: Syscall ordinal 204d for _GetConsoleCharType@12 (None)
7d54f789: Syscall ordinal 204e for _SetConsoleLocalEUDC@16 (None)
7d54f7a6: Syscall ordinal 204f for _SetConsoleCursorMode@12 (None)
7d54f7c3: Syscall ordinal 2050 for _GetConsoleCursorMode@12 (None)
7d54f7e0: Syscall ordinal 2051 for _RegisterConsoleOS2@4 (None)
7d54f7fd: Syscall ordinal 2052 for _SetConsoleOS2OemFormat@4 (None)
7d54f81a: Syscall ordinal 2053 for _GetConsoleNlsMode@8 (None)
7d54f837: Syscall ordinal 2054 for _SetConsoleNlsMode@8 (None)
7d54f854: Syscall ordinal 2055 for _RegisterConsoleIMEInternal@20 (None)
7d54f871: Syscall ordinal 2056 for _UnregisterConsoleIMEInternal@4 (None)
Or how to escape PIN in 5 instructions, using the self-modification technique seen in the previous post. Ready ? Go:
#include <stdio.h>
main() {
asm("call foo\n\t"
"foo: pop %rax\n\t"
"movl $0x4004e7, 10(%eax)\n\t" // put @nottraced() in the next mov
"movl $0x4004fb, %eax\n\t" // @traced(), will be overwritten
// by @nottraced() if not instrumented
"call *%rax\n\t");
}
// we don't want PIN to analyse this
nottraced() {
printf("trace me if you can!\n");
}
// we want PIN to analyse this, a dummy function
traced() {
printf("you're not supposed to get here\n");
}
As usual: compile, make the .text section and the program header writable, and run.
reynaudd@lhs-2:~/test/packed$ ./escape2
trace me if you can!
reynaudd@lhs-2:~/test/packed$ pin -t ../pin-2.5-24110-gcc.4.0.0-ia32_intel64-linux/source/tools/ManualExamples/obj-intel64/inscount0.so -- ./escape2
you're not supposed to get here
‘Nuff said.
UPDATE: as the authors of PIN pointed out, this situation in handled correctly by PIN with the option -smc_strict. That’s because for performance reasons (and standards compliance), PIN makes the assumption that there is at least a taken branch between a modification of the code and its execution (i.e. no basic block modifies itself). My example violates this assumption.
