A Survey of Call Graph and Points-to Algorithms in Java

Disclaimer: I am not an expert on the subject, this post is a collection of my reading notes from a bunch of papers. There may be factual errors and the content is subject to change. Just because I can.

In object-oriented languages, constructing a call graph is complicated by the presence of virtual method calls. This is a problem known as the dynamic dispatch problem, and is common in many programming languages and paradigms. The problem can be formulated as follows for Java: if m is a virtual method (i.e. not private or static), then the method that o.m() resolves to depends on the run-time type of o (as opposed to its declaration type). Determining the run-time type of o requires points-to information (what object may o point to?), which in turn requires a call graph to be computed (because what values o may point to depend on what methods get called). This mutual recursion is a fundamental problem, that is not quite trivial to tackle.

A number of static analyses have been proposed to do the job, but since the problem is undecidable no algorithm can return both a precise and correct answer. As a result, we have to decide if we want fast or precise analyses, since they can not be both. Some of the characteristics that affect the precision and cost of the algorithms are:

  • flow sensitivity: does the order of statements matter?
  • context sensitivity: how to distinguish between two calls of the same procedure in different contexts?
  • aggregate structure modeling: how are arrays, lists, and hash tables abstracted?
  • heap modeling: how to differentiate the potentially unbounded number of objects that may be created at a given allocation site?

Below are some notes about flow sensitivity and context sensitivity, followed by a discussion of some of the classic algorithms for call graph construction.

Flow sensitivity

  • Flow-insensitive analyses are only concerned with what statements are present in the program, not with the order or the reachability of statements. They return properties of variables valid in the whole program.
  • Flow-sensitive analyses compute what values may flow to variables by considering valid paths in the program. They return properties of variables valid at certain program points. Therefore, they are more precise but more expensive to compute.

Example (courtesy of smcc): a parity analysis for the following code snippet yields different results depending on the flow sensitivity of the analysis. A flow-insensitive analysis would return that x could be anything, while a flow-sensitive analysis would return that x is even at line 3 and odd at line 4.

void someMethod(int y) {
   int x;
   x = 2 * y;
   x = x + 1;
}

A common way to obtain a form of flow sensitivity is to transform the program in SSA form (thereby encoding control dependencies in variable names) and then to apply flow-insensitive analyses. Algorithms for efficient translation to SSA form are given in Appel, Modern Compiler Implementation in Java. For an implementation that transforms Java bytecode to SSA form, see Soot. In SSA form, the above example would become:

void someMethod(int y) {
    int x_1 = 2 * y;
    int x_2 = x_1 + 1;
}

A flow-insensitive analysis would then be sufficient to return that x_1 is even and x_2 is odd.
Although instances of the standard dataflow frameworks (Kildall, A Unified Approach to Global Program Optimization, POPL 1973) lend themselves particularly well to flow-sensitive analyses, Nielson et al. in Principles of Program Analysis give an example of a flow-insensitive instance, by simply considering empty kill sets in the dataflow equations (i.e., it loses information about which variables are overwritten).

Context sensitivity

Context sensitivity matters for inter-procedural analyses, where a single method may be invoked in different contexts. So, “what is a context?”, you may ask. Well, it is a parameter of the analysis, so the answer is “it depends”. The most common abstractions seem to be:

  • call sites, so that the same method invoked from different line numbers would be distinct. However, if a method is invoked multiple times from the same program point (in a loop for example), then all these invocations would look exactly the same to the analysis, because they are all abstracted to come from the same place.
  • receiver objects, so that the same method applied to two different (abstract) objects would be distinct. Objects are commonly abstracted by their allocation site (i.e., the place where they are new’ed). The same restriction as above applies, multiple allocations in a loop will be merged. The technique is described in Parameterized Object Sensitivity for Points-to Analysis for Java (ISSTA 2002, 129 citations) by Milanova, Rounev and Ryder.

Call site sensitivity example (from Lhoták’s PhD thesis): A context-insensitive points-to analysis would analyse id() once, and return that both c and d may point to b and a. A context-sensitive analysis using call sites as the context abstraction, on the other hand, would analyze id() in 2 different contexts and would properly return that c points to a and d points to b.

Object id(Object o) {
    return o;
}

void f() {
    Object a = new Object();
    Object b = new Object();
    Object c = id(a);
    Object d = id(b);
}

Object sensitivity example (from Chord’s PLDI tutorial): in the following example, we want to examine whether floors.elems and events.elems may point to the same elements. An object-insensitive points-to analysis would return that they could point to the same objects, because it does not distinguish between different instances of List. An object-sensitive analysis would abstract events and floors using two different allocation sites, and would maintain separate points-to information for evens.elems and floors.elems. Therefore, it would be able to determine that these two arrays have disjoint points-to sets.

class List {
	Object[] elems;

	List() {
		elems = new Object[42];
	}
}

class Bldg {
	List events, floors;

	Bldg() {
		this.events = new List();
		this.floors = new List();
		for (int i=0; i < events.elems.length; i++)
			events.elems[i] = new Object();
		for (int i=0; i < floors.elems.length; i++)
			floors.elems[i] = new Object();
	}
}

In each case (object sensitivity and call site sensitivity), we could get further precision by examining not only the last call site/receiver object, but the list of call sites/receiver objects that lead to the current context (i.e., the call stack is the context). In general, these lists may be infinite, so a common abstraction is to bound them by a parameter k. Hence, we refer to k-object-sensitivity or k-call-site-sensitivity. However, if m in the number of abstract context abstractions (allocation sites or call sites), there are m^k potential abstract contexts to consider. It quickly becomes impractical for values of k greater than 2 or 3.

The added precision of context-sensitivity depends on the client analysis. For instance, context-sensitivity does not add much to the precision of call graph construction and virtual method resolution. In Java, 1-object-sensitivity seems to provide the best tradeoff between performance and precision for most client analyses.

Algorithms

Example:

abstract class Animal {
	public abstract void saySomething();
}

class Cat extends Animal {
	public void saySomething() {
		System.out.println("purr");
	}
}

class Dog extends Animal {
	public void saySomething() {
		System.out.println("woof");
	}
}

class Fish extends Animal {
	public void saySomething() {
		System.out.println("...");
	}
}

class Car {  // not an Animal
	public void saySomething() {
		System.out.println("honk!");
	}
}

public class Main {
	static Animal neverCalled() {
		return new Fish();
	}

	static Animal selectAnimal() {
		return new Cat();
	}

	public static void main(String[] args) {
		Animal animal = selectAnimal();
		animal.saySomething();
	}
}

There are 4 methods called saySomething in this application, and the problem is to find which one(s) may be called at run-time (the correct answer is Cat.saySomething()). A dumb and incorrect analysis would just report that any method called saySomething could be invoked, including the one in the Car class. Many algorithms have been proposed to solve this problem, here are a few examples (they are all flow-insensitive, and n stands for the program size):

  • CHA (Class Hierarchy Analysis)
    • by Dean, Grove and Chambers in Optimization of object-oriented programs using static class hierarchy analysis (ECOOP 1995, 490 citations)
    • complexity: O(n)?
    • it does the only trivial thing to do: it first builds the class hierarchy (i.e., it figures that Cat, Fish and Dog are subclasses of Animal) and determines that saySomething() could be applied to any subclass of Animal, thereby eliminating Car.
  • RTA (Rapid Type Analysis)
    • by Bacon and Sweeney in Fast Static Analysis of C++ Virtual Function Calls (OOPSLA 1996, 387 citations)
    • complexity: O(n)?
    • simply put, it prunes from the CHA call graph methods that can never be reached because their enclosing class is never instantiated. In our example, it would determine that saySomething() could be applied to a Fish or a Cat but not a Dog, since no instance of Dog is ever created. It is strictly more powerful than CHA and still very fast and simple.
  • VTA (Variable Type Analysis)
    • by Sundaresan et al. in Practical Virtual Method Call Resolution for Java (OOPSLA 2000, 206 citations)
    • complexity: O(n)?
    • it can be thought of as a refined version of RTA. When RTA collects all objects that can be created in the whole program and uses that information to prune the call graph, VTA does this for each variable instead, providing more precise information. In our example, VTA would correctly determine that saySomething() can not be applied to a Fish, because there is no corresponding edge in the type propagation graph.
  • k-CFA (Control Flow Analysis of order k):
    • by Shivers in Control-flow analysis of higher-order languages (1991 PhD thesis, 476 citations)
    • complexity: O(n3/log(n)) for 0CFA
    • initially formulated for the functional language Scheme, it has apparently evolved to mean different things in the functional and OO communities (I am still looking for a simple formulation for OO languages though). In Resolving and Exploiting the k-CFA Paradox (PLDI 2010), it is described as a “k-call-site-sensitive, field-sensitive points-to analysis algorithm with a context-sensitive heap and with on-the-fly call-graph construction”. It seems that any analysis that uses k-call-strings as contexts could be called a k-CFA analysis.
    • in the PLDI paper, Might et al. also note that “[in the OO setting] 1- and 2-CFA analysis is considered heavy but certainly possible”.
    • in our example, 0CFA would return that saySomething() at line 40 has to be applied to a Cat, because only a Cat can flow to the animal variable.
  • ZCWL
    • by Zhu and Calman in Symbolic pointer analysis revisited (PLDI 2004, 69 citations) and Whaley and Lam in Cloning-based context-sensitive pointer alias analysis using binary decision diagrams (PLDI 2004, 327 citations)
    • complexity: massive
    • essentially a k-CFA analysis where k is the depth of the call graph (plus some fancy-schmancy operations on strongly connected components of the call graph). Requires a context-insensitive call-graph to boot, which it then makes context-sensitive.

Based on this simple example, we see that CHA and RTA return an imprecise call graph, while VTA, 0CFA and ZCWL return a precise call graph. VTA is by far the simplest and most efficient in our case, because we only want a rather coarse-grained call graph, not variable-level points-to information that k-CFA and ZCWL provide.

Further reading

  • for a detailed discussion of the different sensitivities/abstractions: Lhoták, Program analysis using binary decision diagrams (PhD thesis, 2006)
  • for a theoretical comparison of the relative precision of different algorithms: Grove et al., Call Graph Construction in Object-Oriented Languages (ACM SIGPLAN 1997, 209 citations)
  • for an empirical comparison of the relative precision and performance of different algorithms: Lhoták and Hendren, Context-sensitive points-to analysis: is it worth it? (CC 2006, 75 citations)

Generic Iterative Dataflow Analysis in Python

Here is an example of a remarkably simple yet powerful dataflow analysis technique. The algorithm is very generic and can be used to implement a number of forward and backward analyses such as constant propagation, reaching definitions, value-set analysis, or in my case type inference.

The algorithm, adapted from the maximal fixedpoint algorithm in the dragon book, takes a control flow graph as input and outputs IN and OUT (maps from basic block to abstract state at their entry and exit (an abstract state maps variables to abstract values)). It is parametric, you must supply it with a few functions that will determine the output of your analysis:

  • analysis.meet, takes two abstract states and returns an abstract state (see lattices). To guarantee that the algorithm terminates, this function should be monotone (and your lattice of abstract values of finite height).
  • analysis.step_forward (resp. analysis.step_backward), a function that takes an instruction and an abstract state at its entry (resp. exit) and “executes” it, transforming the abstract state. They are used to automatically compute the transfer function for each basic block in the cfg.
It looks like this:
def forward_transfer_function(analysis, bb, IN_bb):
    OUT_bb = IN_bb.copy()
    for insn in bb:
        analysis.step_forward(insn, OUT_bb)
    return OUT_bb

def backward_transfer_function(analysis, bb, OUT_bb):
    IN_bb = OUT_bb.copy()
    for insn in reversed(bb):
        analysis.step_backward(insn, IN_bb)
    return IN_bb

def update(env, bb, newval, todo_set, todo_candidates):
    if newval != env[bb]:
        print '{0} has changed, adding {1}'.format(bb, todo_candidates)
        env[bb] = newval
        todo_set |= todo_candidates

def maximal_fixed_point(analysis, cfg, init={}):
    # state at the entry and exit of each basic block
    IN, OUT = {}, {}
    for bb in cfg.nodes:
        IN[bb] = {}
        OUT[bb] = {}
    IN[cfg.entry_point] = init

    # first make a pass over each basic block
    todo_forward = cfg.nodes
    todo_backward = cfg.nodes

    while todo_backward or todo_forward:
        while todo_forward:
            bb = todo_forward.pop()

            ####
            # compute the environment at the entry of this BB
            new_IN = reduce(analysis.meet, map(OUT.get, cfg.pred[bb]), IN[bb])
            update(IN, bb, new_IN, todo_backward, cfg.pred[bb])

            ####
            # propagate information for this basic block
            new_OUT = forward_transfer_function(analysis, bb, IN[bb])
            update(OUT, bb, new_OUT, todo_forward, cfg.succ[bb])

        while todo_backward:
            bb = todo_backward.pop()

            ####
            # compute the environment at the exit of this BB
            new_OUT = reduce(analysis.meet, map(IN.get, succ[bb]), OUT[bb])
            update(OUT, bb, new_OUT, todo_forward, cfg.succ[bb])

            ####
            # propagate information for this basic block (backwards)
            new_IN = backward_transfer_function(analysis, bb, OUT[bb])
            update(IN, bb, new_IN, todo_backward, cfg.pred[bb])

    ####
    # IN and OUT have converged
    return IN, OUT
Ideally, to propagate dataflow information in one pass, you would like to have visited every predecessors of a basic block B for a forward pass before analyzing B. Unfortunately, due to irreducible flow graphs you are not guaranteed to be able to do this. Instead, this algorithm
  1. starts with an empty state at some arbitrary basic block
  2. makes a forward pass and a backward pass over each basic block, adding the successors/predecessors to a worklist when changes are detected
  3. continues until the worklist is empty.
The meet function is here to “combine” information from multiple paths, for instance if B2 is reachable from B0 and B1, then IN(B2) = meet(OUT(B1), OUT(B2)). If you wanted to collect value set information and you had:
  • OUT(B0) = [a->{1}]
  • OUT(B1) = [a-> {-1}]
  • then meet could output IN(B2) = [a -> {1, -1}]
Depending on how meet is defined, it can look for information true for all paths coming to a basic block, or for information from at least one path.
Now, some sample code to implement a simple constant propagation analysis. It is forward only for simplicity, but the algorithm works for bidirectional analyses such as type inference.

def meet_val(lhs, rhs):
    result = None

    if lhs == 'NAC' or rhs == 'NAC':
        result = 'NAC'

    elif lhs == 'UNDEF' or rhs == 'UNDEF':
        result = 'UNDEF'

    else:
        result = 'CONST'

    return result

def meet_env(lhs, rhs):
    lhs_keys = set(lhs.keys())
    rhs_keys = set(rhs.keys())
    result = {}

    for var in lhs_keys - rhs_keys:
        result[var] = lhs[var]

    for var in rhs_keys - lhs_keys:
        result[var] = rhs[var]

    for var in lhs_keys & rhs_keys:
        result[var] = meet_val(lhs[var], rhs[var])

    return result

def abstract_value(env, expr):
    if expr.isdigit():
        return 'CONST'

    try:
        return env[expr]
    except KeyError:
        return 'UNDEF'

def step_forward(insn, env_in):
    if type(insn) == str:
        return 

    var, op, expr = insn

    # insn is var = c
    if len(expr) == 1:
        env_in[var] = abstract_value(env_in, expr)

    else:
        e1, op, e2 = expr
        val1 = abstract_value(env_in, e1)
        val2 = abstract_value(env_in, e2)
        env_in[var] = meet_val(val1, val2)

def step_backward(insn, env_in):
    pass

The function step_forward defines the abstract semantics for the statements or instructions of the language you want to analyze and for the analysis you want to implement. For instance here we only collect if a variable at some program point is constant, undefined, or not a constant (NAC). To do the actual propagation, we could also collect the allocation site of the constant.

the example program

Let’s consider a super simple language, where variables are numbers that can only be affected to or added together. The function meet_val computes the meet for two abstract values, according to this table:

        UNDEF  CONST  NAC
       -----------------
UNDEF | UNDEF  UNDEF  NAC
CONST | UNDEF  CONST  NAC
NAC   | NAC    NAC    NAC

Let’s consider a simple program in this “language” where we don’t specify the constructs for the control flow. The algorithm just assumes that every edge in the CFG is reachable. This is obviously not the case in practice, but that only means that we are going to miss some patterns (the analysis is sound but imprecise in order to terminate).

Now, we want to find if a and ret are constants. Here is the code necessary to setup and run the example (you need networkx to run it):

import networkx as nx    

class SomeObject:
    pass

def instructionify(somestr):
    toks = somestr.split()
    if '+' in somestr:
        return (toks[0], toks[1], (toks[2], toks[3], toks[4]))
    return tuple(somestr.split())

# setup the program's cfg
prog = nx.DiGraph()
s0 = ('entry'),
s1 = instructionify('b = x'),
s2 = instructionify('c = 2'),
s3 = instructionify('a = 40 + c'),
s4 = instructionify('ret = a + x'),
prog.add_edge(s0, s1)
prog.add_edge(s1, s2)
prog.add_edge(s2, s1)
prog.add_edge(s1, s3)
prog.add_edge(s3, s3)
prog.add_edge(s3, s4)

# initialize pred and succ
pred, succ = {}, {}
for bb in prog:
    pred[bb] = set(prog.predecessors(bb))
    succ[bb] = set(prog.successors(bb))

cfg             = SomeObject()
cfg.nodes       = set(prog.nodes())
cfg.pred        = pred
cfg.succ        = succ
cfg.entry_point = s0

analysis               = SomeObject()
analysis.meet          = meet_env
analysis.step_forward  = step_forward
analysis.step_backward = step_backward

# run the whole thing
IN, OUT = maximal_fixed_point(analysis, cfg)
print 'a   at program point s3 is', OUT[s3]['a']
print 'ret at program point s4 is', OUT[s4]['ret']

And the output is:

a   at program point s3 is CONST
ret at program point s4 is UNDEF

As a final note: it is possible to speed things up a bit by choosing a better ordering for basic blocks than just going randomly at first (because we initially fail to propagate lots of information). This might end up in another blog post. Cheers!

Command your shiny Android in Python

I am the happy owner of an Android phone. I love it. But what I love even more, is rolling some sweet Python on my precious.

In case you have a vanilla phone like I do, you will need to follow these steps:

  • download and install the Android SDK for your platform
  • add the SDK tools to your system path, for instance on Windows run this in a shell:
> set PATH=%PATH%;path_to_android_sdk\tools
  • activate USB debugging on your phone (Parameters > Applications > Development > USB Debugging)
  • setup your system to detect your device as explained here (on Windows, it means installing the usb driver from the SDK)
  • check that your phone is detected correctly by running adb get-state (if everything is ok, the result should be ‘device’)
  • check out the Android Scripting Environment svn repository on your computer (see this page)

Your system is almost configured, let’s install the necessary applications on the phone:

  • install the Android Scripting Environment on your phone
  • (optionally) install the Text-to-Speech library (by Charles Chen) on your phone if you want to use it in your scripts, via the Android Market
  • run ASE on your phone, type menu and start a Python shell, you will notice a line like ‘export AP_PORT = “49508”‘.
  • setup port forwarding on your system with the value you just noted:
> set AP_PORT=49508
> adb forward tcp:%AP_PORT% tcp:%AP_PORT%
  • go to the ASE directory on your computer containing the android.py module
> cd path_to_ASE\python\ase
  • run your favorite Python 2.6 interpreter and enjoy the magic:
> python
Python 2.6 (r26:66721, Oct  2 2008, 11:35:03) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import android
>>> droid = android.Android()
# now your phone is ready to acknowledge your awesomeness
>>> droid.speak('hello, my master')
{u'result': None, u'id': 2, u'error': None}
# or alternatively, if you don't have the TTS library installed:
>>> droid.makeToast('hello, my master')
{u'result': None, u'id': 1, u'error': None}

Now you have all the information you need to start exploring the API and roll  more interesting examples.

droid.makeToast

Python Idioms: + versus join

I was told to use ”.join([]) instead of the ‘+’ operator in Python. However a (bad) benchmark showed ‘+’ to be a lot faster. I think it is reasonable to say that in some cases ‘+’ is faster, here is my test:

def test0(b, c, d, e, f):
    for i in xrange(10**7):
        a = b + c + d + e + f
    print(a)

def test1():
    l = ['hello ', 'world ', 'with ', '+ ', 'operator']
    for i in xrange(10**7):
        a = ''
	for j in l:
            a += j
    print(a)

def test2():
    l = ['hello', 'world', 'with', 'join', 'function']
    for i in xrange(10**7):
	a = ' '.join(l)
    print(a)

test0('hello ', 'world ', 'with ', '+ ', 'operator')
test1()
test2()

And the result of the test:

$ python -m cProfile -s cumulative test.py
hello world with + operator
hello world with + operator
hello world with join function

   10000007 function calls in 14.968 CPU seconds
   Ordered by: cumulative time

   ncalls  tottime  percall  cumtime  percall filename:lineno(function)
        ...
        1    6.838    6.838    6.838    6.838 test.py:7(test1)
        1    2.683    2.683    5.113    5.113 test.py:15(test2)
        1    3.016    3.016    3.016    3.016 test.py:2(test0)

So clearly the worst way of using ‘+’ is when iterating over a list of strings and accumulating the concatenations in a variable (function test1). But there is nothing wrong with performing multiple ‘+’ operations in a single line and then storing the result in a variable (function test0).

A quick look at the bytecode of the function confirms this intuition, we can see a bunch of LOADs and ADDs and only one STORE:

>>> import dis
>>> dis.dis(test0)
...
             19 LOAD_FAST                0 (b)
             22 LOAD_FAST                1 (c)
             25 BINARY_ADD          
             26 LOAD_FAST                2 (d)
             29 BINARY_ADD          
             30 LOAD_FAST                3 (e)
             33 BINARY_ADD          
             34 LOAD_FAST                4 (f)
             37 BINARY_ADD          
             38 STORE_FAST               6 (a)

The test was performed with Python 2.5.4 on a Debian sid. Would be nice to see if the results hold for new versions of the Python interpreter.

UPDATED: Don’t use set.add() in python when running cProfile

UPDATE: As pointed out in the comments, my original conclusion was wrong and is due to the effect of the profiler on the performance. When using the time command instead with Python 3.2 on OS X Lion (averaged over 3 runs), the version with set.add takes 1.37s versus 4.85s for the version with set union (results are 2.17s and 7.12s respectively with Python 2.7.1). Sorry for the “d’oh” moment. Take-home lesson: use a profiler to count events, not to time them.

Use the union operator instead, it’s 2 to 3x faster on my machine.

$ cat sets.py
def mister():
    s = set([1,2,3])
    for i in range(10**7):
        s.add(1)

def hankey():
    s = set([1,2,3])
    for i in range(10**7):
        s |= set([1])
mister()
hankey()

$ python -m cProfile sets.py
10000008 function calls in 28.257 CPU seconds

Ordered by: standard name

ncalls tottime percall cumtime percall filename:lineno(function)
 1 11.507 11.507 22.978 22.978 sets.py:1(mister) 1 5.138 5.138 5.278 5.278 sets.py:6(hankey)

(tested on Python 2.5, 2.6 and 3.1 on Windows and Linux)

Digging up System Calls Ordinals – on XP SP2 x64

In case anybody needs system call ordinals for an x64 system, I have retrieved them on my test machine since I couldn’t find them anywhere (not even metasploit’s system call table).

Ero Carrera posted a compact IDAPython script that did the trick, so I adapted the code a little. In ntdll.dll, there are two patterns that we need to look for:

mov     eax, XXXX          ; XXXX is the system call ordinal we need
xor     ecx, ecx
lea     edx, [esp+arg_0]
call    large dword ptr fs:0C0h

and

mov     eax, XXXX          ; again, we need XXXX
mov     ecx, 1Ah
lea     edx, [esp+arg_0]
call    large dword ptr fs:0C0h

This translates to the following byte sequences: ‘B8 ? ? 00 00 33 C9 8D 54 24 04 64 FF 15 C0 00 00 00’ and ‘B8 ? ? 00 00 B9 ? 00 00 00 8D 54 24 04 64 FF 15 C0 00 00 00’. Here is the adapted IDAPython script:

syscall_ordinal_code = 'B8 ? ? 00 00 33 C9 8D 54 24 04 64 FF 15 C0 00 00 00'
syscall_ordinal_code2 = 'B8 ? ? 00 00 B9 ? 00 00 00 8D 54 24 04 64 FF 15 C0 00 00 00'
out = open('c:\\temp\\idapython.txt', 'w')

for seg in Segments():
  for func in Functions(seg, SegEnd(seg)):
    address = FindBinary(func, SEARCH_DOWN, syscall_ordinal_code)
    address2 = FindBinary(func, SEARCH_DOWN, syscall_ordinal_code2)
    if address == func or address2 == func:
      out.write('%08x: Syscall ordinal %04x for %s (%s)\n' % (func, Dword(func+1), Name(func), Comment(func)))

out.close()

UPDATE: user32.dll and kernel32.dll also contain references to system call ordinals, using the following pattern:

mov     eax, XXXXh
lea     edx, [esp+arg_0]
mov     ecx, 4
call    large dword ptr fs:0C0h

so we must also look for byte sequence ‘B8 ? ? 00 00 8D 54 24 04 B9 ? 00 00 00 64 FF 15 C0’ in user32.dll.

And finally, the output of the script (on Windows XP SP2 x64):

7d61c7fb: Syscall ordinal 0000 for _ZwMapUserPhysicalPagesScatter@12 (NtMapUserPhysicalPagesScatter)
7d61c813: Syscall ordinal 0001 for _ZwWaitForSingleObject@12 (NtWaitForSingleObject)
7d61c82b: Syscall ordinal 0002 for _ZwCallbackReturn@12 (NtCallbackReturn)
7d61c843: Syscall ordinal 0003 for _NtReadFile@36 (NtReadFile)
7d61c85b: Syscall ordinal 0004 for _ZwDeviceIoControlFile@40 (NtDeviceIoControlFile)
7d61c873: Syscall ordinal 0005 for _NtWriteFile@36 (NtWriteFile)
7d61c88b: Syscall ordinal 0006 for _ZwRemoveIoCompletion@20 (NtRemoveIoCompletion)
7d61c8a3: Syscall ordinal 0007 for _NtReleaseSemaphore@12 (NtReleaseSemaphore)
7d61c8bb: Syscall ordinal 0008 for _NtReplyWaitReceivePort@16 (NtReplyWaitReceivePort)
7d61c8d3: Syscall ordinal 0009 for _ZwReplyPort@8 (NtReplyPort)
7d61c8eb: Syscall ordinal 000a for _ZwSetInformationThread@16 (NtSetInformationThread)
7d61c903: Syscall ordinal 000b for _NtSetEvent@8 (NtSetEvent)
7d61c91b: Syscall ordinal 000c for _NtClose@4 (NtClose)
7d61c933: Syscall ordinal 000d for _NtQueryObject@20 (NtQueryObject)
7d61c94b: Syscall ordinal 000e for _ZwQueryInformationFile@20 (NtQueryInformationFile)
7d61c963: Syscall ordinal 000f for _ZwOpenKey@12 (NtOpenKey)
7d61c97b: Syscall ordinal 0010 for _NtEnumerateValueKey@24 (NtEnumerateValueKey)
7d61c993: Syscall ordinal 0011 for _NtFindAtom@12 (NtFindAtom)
7d61c9ab: Syscall ordinal 0012 for _NtQueryDefaultLocale@8 (NtQueryDefaultLocale)
7d61c9c3: Syscall ordinal 0013 for _ZwQueryKey@20 (NtQueryKey)
7d61c9db: Syscall ordinal 0014 for _ZwQueryValueKey@24 (NtQueryValueKey)
7d61c9f3: Syscall ordinal 0015 for _NtAllocateVirtualMemory@24 (NtAllocateVirtualMemory)
7d61ca0b: Syscall ordinal 0016 for _ZwQueryInformationProcess@20 (NtQueryInformationProcess)
7d61ca23: Syscall ordinal 0017 for _NtWaitForMultipleObjects32@20 (NtWaitForMultipleObjects32)
7d61ca3b: Syscall ordinal 0018 for _NtWriteFileGather@36 (NtWriteFileGather)
7d61ca53: Syscall ordinal 0019 for _ZwSetInformationProcess@16 (NtSetInformationProcess)
7d61ca6b: Syscall ordinal 001a for _ZwCreateKey@28 (NtCreateKey)
7d61ca83: Syscall ordinal 001b for _NtFreeVirtualMemory@16 (NtFreeVirtualMemory)
7d61ca9b: Syscall ordinal 001c for _ZwImpersonateClientOfPort@8 (NtImpersonateClientOfPort)
7d61cab3: Syscall ordinal 001d for _ZwReleaseMutant@8 (NtReleaseMutant)
7d61cacb: Syscall ordinal 001e for _ZwQueryInformationToken@20 (NtQueryInformationToken)
7d61cae3: Syscall ordinal 001f for _NtRequestWaitReplyPort@12 (NtRequestWaitReplyPort)
7d61cafb: Syscall ordinal 0020 for _NtQueryVirtualMemory@24 (NtQueryVirtualMemory)
7d61cb13: Syscall ordinal 0021 for _NtOpenThreadToken@16 (NtOpenThreadToken)
7d61cb2b: Syscall ordinal 0022 for _NtQueryInformationThread@20 (NtQueryInformationThread)
7d61cb43: Syscall ordinal 0023 for _ZwOpenProcess@16 (NtOpenProcess)
7d61cb5b: Syscall ordinal 0024 for _ZwSetInformationFile@20 (NtSetInformationFile)
7d61cb73: Syscall ordinal 0025 for _ZwMapViewOfSection@40 (NtMapViewOfSection)
7d61cb8b: Syscall ordinal 0026 for _ZwAccessCheckAndAuditAlarm@44 (NtAccessCheckAndAuditAlarm)
7d61cba3: Syscall ordinal 0027 for _NtUnmapViewOfSection@8 (NtUnmapViewOfSection)
7d61cbbb: Syscall ordinal 0028 for _NtReplyWaitReceivePortEx@20 (NtReplyWaitReceivePortEx)
7d61cbd3: Syscall ordinal 0029 for _ZwTerminateProcess@8 (NtTerminateProcess)
7d61cbeb: Syscall ordinal 002a for _NtSetEventBoostPriority@4 (NtSetEventBoostPriority)
7d61cc03: Syscall ordinal 002b for _NtReadFileScatter@36 (NtReadFileScatter)
7d61cc1b: Syscall ordinal 002c for _NtOpenThreadTokenEx@20 (NtOpenThreadTokenEx)
7d61cc33: Syscall ordinal 002d for _ZwOpenProcessTokenEx@16 (NtOpenProcessTokenEx)
7d61cc4b: Syscall ordinal 002e for _NtQueryPerformanceCounter@8 (NtQueryPerformanceCounter)
7d61cc63: Syscall ordinal 002f for _ZwEnumerateKey@24 (NtEnumerateKey)
7d61cc7b: Syscall ordinal 0030 for _NtOpenFile@24 (NtOpenFile)
7d61cc93: Syscall ordinal 0031 for _ZwDelayExecution@8 (NtDelayExecution)
7d61ccab: Syscall ordinal 0032 for _ZwQueryDirectoryFile@44 (NtQueryDirectoryFile)
7d61ccc3: Syscall ordinal 0033 for _NtQuerySystemInformation@16 (NtQuerySystemInformation)
7d61ccdb: Syscall ordinal 0034 for _NtOpenSection@12 (NtOpenSection)
7d61ccf3: Syscall ordinal 0035 for _ZwQueryTimer@20 (NtQueryTimer)
7d61cd0b: Syscall ordinal 0036 for _NtFsControlFile@40 (NtFsControlFile)
7d61cd23: Syscall ordinal 0037 for _NtWriteVirtualMemory@20 (NtWriteVirtualMemory)
7d61cd3b: Syscall ordinal 0038 for _ZwCloseObjectAuditAlarm@12 (NtCloseObjectAuditAlarm)
7d61cd53: Syscall ordinal 0039 for _ZwDuplicateObject@28 (NtDuplicateObject)
7d61cd6b: Syscall ordinal 003a for _ZwQueryAttributesFile@8 (NtQueryAttributesFile)
7d61cd83: Syscall ordinal 003b for _NtClearEvent@4 (NtClearEvent)
7d61cd9b: Syscall ordinal 003c for _NtReadVirtualMemory@20 (NtReadVirtualMemory)
7d61cdb3: Syscall ordinal 003d for _NtOpenEvent@12 (NtOpenEvent)
7d61cdcb: Syscall ordinal 003e for _ZwAdjustPrivilegesToken@24 (NtAdjustPrivilegesToken)
7d61cde3: Syscall ordinal 003f for _NtDuplicateToken@24 (NtDuplicateToken)
7d61cdfb: Syscall ordinal 0040 for _ZwContinue@8 (NtContinue)
7d61ce13: Syscall ordinal 0041 for _ZwQueryDefaultUILanguage@4 (NtQueryDefaultUILanguage)
7d61ce2b: Syscall ordinal 0042 for _NtQueueApcThread@20 (NtQueueApcThread)
7d61ce43: Syscall ordinal 0043 for _ZwYieldExecution@0 (NtYieldExecution)
7d61ce5c: Syscall ordinal 0044 for _NtAddAtom@12 (NtAddAtom)
7d61ce74: Syscall ordinal 0045 for _NtCreateEvent@20 (NtCreateEvent)
7d61ce8c: Syscall ordinal 0046 for _NtQueryVolumeInformationFile@20 (NtQueryVolumeInformationFile)
7d61cea4: Syscall ordinal 0047 for _NtCreateSection@28 (NtCreateSection)
7d61cebc: Syscall ordinal 0048 for _ZwFlushBuffersFile@8 (NtFlushBuffersFile)
7d61ced4: Syscall ordinal 0049 for _NtApphelpCacheControl@8 (NtApphelpCacheControl)
7d61ceec: Syscall ordinal 004a for _ZwCreateProcessEx@36 (NtCreateProcessEx)
7d61cf04: Syscall ordinal 004b for _NtCreateThread@32 (NtCreateThread)
7d61cf1c: Syscall ordinal 004c for _ZwIsProcessInJob@8 (NtIsProcessInJob)
7d61cf34: Syscall ordinal 004d for _ZwProtectVirtualMemory@20 (NtProtectVirtualMemory)
7d61cf4c: Syscall ordinal 004e for _ZwQuerySection@20 (NtQuerySection)
7d61cf64: Syscall ordinal 004f for _ZwResumeThread@8 (NtResumeThread)
7d61cf7c: Syscall ordinal 0050 for _ZwTerminateThread@8 (NtTerminateThread)
7d61cf94: Syscall ordinal 0051 for _ZwReadRequestData@24 (NtReadRequestData)
7d61cfac: Syscall ordinal 0052 for _NtCreateFile@44 (NtCreateFile)
7d61cfc4: Syscall ordinal 0053 for _NtQueryEvent@20 (NtQueryEvent)
7d61cfdc: Syscall ordinal 0054 for _NtWriteRequestData@24 (NtWriteRequestData)
7d61cff4: Syscall ordinal 0055 for _ZwOpenDirectoryObject@12 (NtOpenDirectoryObject)
7d61d00c: Syscall ordinal 0056 for _NtAccessCheckByTypeAndAuditAlarm@64 (NtAccessCheckByTypeAndAuditAlarm)
7d61d024: Syscall ordinal 0057 for _NtQuerySystemTime@4 (NtQuerySystemTime)
7d61d03c: Syscall ordinal 0058 for _NtWaitForMultipleObjects@20 (NtWaitForMultipleObjects)
7d61d054: Syscall ordinal 0059 for _ZwSetInformationObject@16 (NtSetInformationObject)
7d61d06c: Syscall ordinal 005a for _ZwCancelIoFile@8 (NtCancelIoFile)
7d61d084: Syscall ordinal 005b for _NtTraceEvent@16 (NtTraceEvent)
7d61d09c: Syscall ordinal 005c for _ZwPowerInformation@20 (NtPowerInformation)
7d61d0b4: Syscall ordinal 005d for _ZwSetValueKey@24 (NtSetValueKey)
7d61d0cc: Syscall ordinal 005e for _ZwCancelTimer@8 (NtCancelTimer)
7d61d0e4: Syscall ordinal 005f for _ZwSetTimer@28 (NtSetTimer)
7d61d0fc: Syscall ordinal 0060 for _NtAcceptConnectPort@24 (NtAcceptConnectPort)
7d61d114: Syscall ordinal 0061 for _NtAccessCheck@32 (NtAccessCheck)
7d61d12c: Syscall ordinal 0062 for _NtAccessCheckByType@44 (NtAccessCheckByType)
7d61d144: Syscall ordinal 0063 for _NtAccessCheckByTypeResultList@44 (NtAccessCheckByTypeResultList)
7d61d15c: Syscall ordinal 0064 for _NtAccessCheckByTypeResultListAndAuditAlarm@64 (NtAccessCheckByTypeResultListAndAuditAlarm)
7d61d174: Syscall ordinal 0065 for _ZwAccessCheckByTypeResultListAndAuditAlarmByHandle@68 (NtAccessCheckByTypeResultListAndAuditAlarmByHandle)
7d61d18c: Syscall ordinal 0066 for _ZwAddBootEntry@8 (NtAddBootEntry)
7d61d1a4: Syscall ordinal 0067 for _NtAddDriverEntry@8 (NtAddDriverEntry)
7d61d1bc: Syscall ordinal 0068 for _ZwAdjustGroupsToken@24 (NtAdjustGroupsToken)
7d61d1d4: Syscall ordinal 0069 for _NtAlertResumeThread@8 (NtAlertResumeThread)
7d61d1ec: Syscall ordinal 006a for _NtAlertThread@4 (NtAlertThread)
7d61d204: Syscall ordinal 006b for _ZwAllocateLocallyUniqueId@4 (NtAllocateLocallyUniqueId)
7d61d21c: Syscall ordinal 006c for _NtAllocateUserPhysicalPages@12 (NtAllocateUserPhysicalPages)
7d61d234: Syscall ordinal 006d for _NtAllocateUuids@16 (NtAllocateUuids)
7d61d24c: Syscall ordinal 006e for _ZwAreMappedFilesTheSame@8 (NtAreMappedFilesTheSame)
7d61d264: Syscall ordinal 006f for _ZwAssignProcessToJobObject@8 (NtAssignProcessToJobObject)
7d61d27c: Syscall ordinal 0070 for _NtCancelDeviceWakeupRequest@4 (NtCancelDeviceWakeupRequest)
7d61d294: Syscall ordinal 0071 for _NtCompactKeys@8 (NtCompactKeys)
7d61d2ac: Syscall ordinal 0072 for _ZwCompareTokens@12 (NtCompareTokens)
7d61d2c4: Syscall ordinal 0073 for _NtCompleteConnectPort@4 (NtCompleteConnectPort)
7d61d2dc: Syscall ordinal 0074 for _ZwCompressKey@4 (NtCompressKey)
7d61d2f4: Syscall ordinal 0075 for _NtConnectPort@32 (NtConnectPort)
7d61d30c: Syscall ordinal 0076 for _ZwCreateDebugObject@16 (NtCreateDebugObject)
7d61d324: Syscall ordinal 0077 for _ZwCreateDirectoryObject@12 (NtCreateDirectoryObject)
7d61d33c: Syscall ordinal 0078 for _NtCreateEventPair@12 (NtCreateEventPair)
7d61d354: Syscall ordinal 0079 for _NtCreateIoCompletion@16 (NtCreateIoCompletion)
7d61d36c: Syscall ordinal 007a for _ZwCreateJobObject@12 (NtCreateJobObject)
7d61d384: Syscall ordinal 007b for _NtCreateJobSet@12 (NtCreateJobSet)
7d61d39c: Syscall ordinal 007c for _ZwCreateKeyedEvent@16 (NtCreateKeyedEvent)
7d61d3b4: Syscall ordinal 007d for _ZwCreateMailslotFile@32 (NtCreateMailslotFile)
7d61d3cc: Syscall ordinal 007e for _ZwCreateMutant@16 (NtCreateMutant)
7d61d3e4: Syscall ordinal 007f for _ZwCreateNamedPipeFile@56 (NtCreateNamedPipeFile)
7d61d3fc: Syscall ordinal 0080 for _NtCreatePagingFile@16 (NtCreatePagingFile)
7d61d414: Syscall ordinal 0081 for _ZwCreatePort@20 (NtCreatePort)
7d61d42c: Syscall ordinal 0082 for _ZwCreateProcess@32 (NtCreateProcess)
7d61d444: Syscall ordinal 0083 for _ZwCreateProfile@36 (NtCreateProfile)
7d61d45c: Syscall ordinal 0084 for _NtCreateSemaphore@20 (NtCreateSemaphore)
7d61d474: Syscall ordinal 0085 for _ZwCreateSymbolicLinkObject@16 (NtCreateSymbolicLinkObject)
7d61d48c: Syscall ordinal 0086 for _ZwCreateTimer@16 (NtCreateTimer)
7d61d4a4: Syscall ordinal 0087 for _NtCreateToken@52 (NtCreateToken)
7d61d4bc: Syscall ordinal 0088 for _ZwCreateWaitablePort@20 (NtCreateWaitablePort)
7d61d4d4: Syscall ordinal 0089 for _NtDebugActiveProcess@8 (NtDebugActiveProcess)
7d61d4ec: Syscall ordinal 008a for _ZwDebugContinue@12 (NtDebugContinue)
7d61d504: Syscall ordinal 008b for _ZwDeleteAtom@4 (NtDeleteAtom)
7d61d51c: Syscall ordinal 008c for _NtDeleteBootEntry@4 (NtDeleteBootEntry)
7d61d534: Syscall ordinal 008d for _ZwDeleteDriverEntry@4 (NtDeleteDriverEntry)
7d61d54c: Syscall ordinal 008e for _NtDeleteFile@4 (NtDeleteFile)
7d61d564: Syscall ordinal 008f for _ZwDeleteKey@4 (NtDeleteKey)
7d61d57c: Syscall ordinal 0090 for _NtDeleteObjectAuditAlarm@12 (NtDeleteObjectAuditAlarm)
7d61d594: Syscall ordinal 0091 for _NtDeleteValueKey@8 (NtDeleteValueKey)
7d61d5ac: Syscall ordinal 0092 for _NtDisplayString@4 (NtDisplayString)
7d61d5c4: Syscall ordinal 0093 for _ZwEnumerateBootEntries@8 (NtEnumerateBootEntries)
7d61d5dc: Syscall ordinal 0094 for _NtEnumerateDriverEntries@8 (NtEnumerateDriverEntries)
7d61d5f4: Syscall ordinal 0095 for _ZwEnumerateSystemEnvironmentValuesEx@12 (NtEnumerateSystemEnvironmentValuesEx)
7d61d60c: Syscall ordinal 0096 for _ZwExtendSection@8 (NtExtendSection)
7d61d624: Syscall ordinal 0097 for _NtFilterToken@24 (NtFilterToken)
7d61d63c: Syscall ordinal 0098 for _ZwFlushInstructionCache@12 (NtFlushInstructionCache)
7d61d654: Syscall ordinal 0099 for _NtFlushKey@4 (NtFlushKey)
7d61d66c: Syscall ordinal 009a for _ZwFlushVirtualMemory@16 (NtFlushVirtualMemory)
7d61d684: Syscall ordinal 009b for _NtFlushWriteBuffer@0 (NtFlushWriteBuffer)
7d61d69c: Syscall ordinal 009c for _NtFreeUserPhysicalPages@12 (NtFreeUserPhysicalPages)
7d61d6b4: Syscall ordinal 009d for _NtGetContextThread@8 (NtGetContextThread)
7d61d6cc: Syscall ordinal 009e for _NtGetCurrentProcessorNumber@0 (NtGetCurrentProcessorNumber
RtlGetCurrentProcessorNumber)
7d61d6e4: Syscall ordinal 009f for _NtGetDevicePowerState@8 (NtGetDevicePowerState)
7d61d6fc: Syscall ordinal 00a0 for _ZwGetPlugPlayEvent@16 (NtGetPlugPlayEvent)
7d61d714: Syscall ordinal 00a1 for _NtGetWriteWatch@28 (NtGetWriteWatch)
7d61d72c: Syscall ordinal 00a2 for _NtImpersonateAnonymousToken@4 (NtImpersonateAnonymousToken)
7d61d744: Syscall ordinal 00a3 for _ZwImpersonateThread@12 (NtImpersonateThread)
7d61d75c: Syscall ordinal 00a4 for _ZwInitializeRegistry@4 (NtInitializeRegistry)
7d61d774: Syscall ordinal 00a5 for _NtInitiatePowerAction@16 (NtInitiatePowerAction)
7d61d78c: Syscall ordinal 00a6 for _NtIsSystemResumeAutomatic@0 (NtIsSystemResumeAutomatic)
7d61d7a4: Syscall ordinal 00a7 for _ZwListenPort@8 (NtListenPort)
7d61d7bc: Syscall ordinal 00a8 for _NtLoadDriver@4 (NtLoadDriver)
7d61d7d4: Syscall ordinal 00a9 for _NtLoadKey@8 (NtLoadKey)
7d61d7ec: Syscall ordinal 00aa for _NtLoadKey2@12 (NtLoadKey2)
7d61d804: Syscall ordinal 00ab for _NtLoadKeyEx@16 (NtLoadKeyEx)
7d61d81c: Syscall ordinal 00ac for _NtLockFile@40 (NtLockFile)
7d61d834: Syscall ordinal 00ad for _ZwLockProductActivationKeys@8 (NtLockProductActivationKeys)
7d61d84c: Syscall ordinal 00ae for _NtLockRegistryKey@4 (NtLockRegistryKey)
7d61d864: Syscall ordinal 00af for _ZwLockVirtualMemory@16 (NtLockVirtualMemory)
7d61d87c: Syscall ordinal 00b0 for _ZwMakePermanentObject@4 (NtMakePermanentObject)
7d61d894: Syscall ordinal 00b1 for _NtMakeTemporaryObject@4 (NtMakeTemporaryObject)
7d61d8ac: Syscall ordinal 00b2 for _NtMapUserPhysicalPages@12 (NtMapUserPhysicalPages)
7d61d8c4: Syscall ordinal 00b3 for _NtModifyBootEntry@4 (NtModifyBootEntry)
7d61d8dc: Syscall ordinal 00b4 for _ZwModifyDriverEntry@4 (NtModifyDriverEntry)
7d61d8f4: Syscall ordinal 00b5 for _NtNotifyChangeDirectoryFile@36 (NtNotifyChangeDirectoryFile)
7d61d90c: Syscall ordinal 00b6 for _NtNotifyChangeKey@40 (NtNotifyChangeKey)
7d61d924: Syscall ordinal 00b7 for _NtNotifyChangeMultipleKeys@48 (NtNotifyChangeMultipleKeys)
7d61d93c: Syscall ordinal 00b8 for _NtOpenEventPair@12 (NtOpenEventPair)
7d61d954: Syscall ordinal 00b9 for _ZwOpenIoCompletion@12 (NtOpenIoCompletion)
7d61d96c: Syscall ordinal 00ba for _ZwOpenJobObject@12 (NtOpenJobObject)
7d61d984: Syscall ordinal 00bb for _NtOpenKeyedEvent@12 (NtOpenKeyedEvent)
7d61d99c: Syscall ordinal 00bc for _NtOpenMutant@12 (NtOpenMutant)
7d61d9b4: Syscall ordinal 00bd for _ZwOpenObjectAuditAlarm@48 (NtOpenObjectAuditAlarm)
7d61d9cc: Syscall ordinal 00be for _ZwOpenProcessToken@12 (NtOpenProcessToken)
7d61d9e4: Syscall ordinal 00bf for _NtOpenSemaphore@12 (NtOpenSemaphore)
7d61d9fc: Syscall ordinal 00c0 for _NtOpenSymbolicLinkObject@12 (NtOpenSymbolicLinkObject)
7d61da14: Syscall ordinal 00c1 for _ZwOpenThread@16 (NtOpenThread)
7d61da2c: Syscall ordinal 00c2 for _ZwOpenTimer@12 (NtOpenTimer)
7d61da44: Syscall ordinal 00c3 for _NtPlugPlayControl@12 (NtPlugPlayControl)
7d61da5c: Syscall ordinal 00c4 for _ZwPrivilegeCheck@12 (NtPrivilegeCheck)
7d61da74: Syscall ordinal 00c5 for _ZwPrivilegeObjectAuditAlarm@24 (NtPrivilegeObjectAuditAlarm)
7d61da8c: Syscall ordinal 00c6 for _NtPrivilegedServiceAuditAlarm@20 (NtPrivilegedServiceAuditAlarm)
7d61daa4: Syscall ordinal 00c7 for _ZwPulseEvent@8 (NtPulseEvent)
7d61dabc: Syscall ordinal 00c8 for _ZwQueryBootEntryOrder@8 (NtQueryBootEntryOrder)
7d61dad4: Syscall ordinal 00c9 for _ZwQueryBootOptions@8 (NtQueryBootOptions)
7d61daec: Syscall ordinal 00ca for _NtQueryDebugFilterState@8 (NtQueryDebugFilterState)
7d61db04: Syscall ordinal 00cb for _ZwQueryDirectoryObject@28 (NtQueryDirectoryObject)
7d61db1c: Syscall ordinal 00cc for _NtQueryDriverEntryOrder@8 (NtQueryDriverEntryOrder)
7d61db34: Syscall ordinal 00cd for _ZwQueryEaFile@36 (NtQueryEaFile)
7d61db4c: Syscall ordinal 00ce for _ZwQueryFullAttributesFile@8 (NtQueryFullAttributesFile)
7d61db64: Syscall ordinal 00cf for _NtQueryInformationAtom@20 (NtQueryInformationAtom)
7d61db7c: Syscall ordinal 00d0 for _ZwQueryInformationJobObject@20 (NtQueryInformationJobObject)
7d61db94: Syscall ordinal 00d1 for _ZwQueryInformationPort@20 (NtQueryInformationPort)
7d61dbac: Syscall ordinal 00d2 for _NtQueryInstallUILanguage@4 (NtQueryInstallUILanguage)
7d61dbc4: Syscall ordinal 00d3 for _NtQueryIntervalProfile@8 (NtQueryIntervalProfile)
7d61dbdc: Syscall ordinal 00d4 for _NtQueryIoCompletion@20 (NtQueryIoCompletion)
7d61dbf4: Syscall ordinal 00d5 for _NtQueryMultipleValueKey@24 (NtQueryMultipleValueKey)
7d61dc0c: Syscall ordinal 00d6 for _NtQueryMutant@20 (NtQueryMutant)
7d61dc24: Syscall ordinal 00d7 for _NtQueryOpenSubKeys@8 (NtQueryOpenSubKeys)
7d61dc3c: Syscall ordinal 00d8 for _NtQueryOpenSubKeysEx@16 (NtQueryOpenSubKeysEx)
7d61dc54: Syscall ordinal 00d9 for _ZwQueryPortInformationProcess@0 (NtQueryPortInformationProcess)
7d61dc6c: Syscall ordinal 00da for _ZwQueryQuotaInformationFile@36 (NtQueryQuotaInformationFile)
7d61dc84: Syscall ordinal 00db for _NtQuerySecurityObject@20 (NtQuerySecurityObject)
7d61dc9c: Syscall ordinal 00dc for _ZwQuerySemaphore@20 (NtQuerySemaphore)
7d61dcb4: Syscall ordinal 00dd for _ZwQuerySymbolicLinkObject@12 (NtQuerySymbolicLinkObject)
7d61dccc: Syscall ordinal 00de for _ZwQuerySystemEnvironmentValue@16 (NtQuerySystemEnvironmentValue)
7d61dce4: Syscall ordinal 00df for _ZwQuerySystemEnvironmentValueEx@20 (NtQuerySystemEnvironmentValueEx)
7d61dcfc: Syscall ordinal 00e0 for _NtQueryTimerResolution@12 (NtQueryTimerResolution)
7d61dd14: Syscall ordinal 00e1 for _ZwRaiseException@12 (NtRaiseException)
7d61dd2c: Syscall ordinal 00e2 for _ZwRaiseHardError@24 (NtRaiseHardError)
7d61dd44: Syscall ordinal 00e3 for _ZwRegisterThreadTerminatePort@4 (NtRegisterThreadTerminatePort)
7d61dd5c: Syscall ordinal 00e4 for _NtReleaseKeyedEvent@16 (NtReleaseKeyedEvent)
7d61dd74: Syscall ordinal 00e5 for _ZwRemoveProcessDebug@8 (NtRemoveProcessDebug)
7d61dd8c: Syscall ordinal 00e6 for _ZwRenameKey@8 (NtRenameKey)
7d61dda4: Syscall ordinal 00e7 for _ZwReplaceKey@12 (NtReplaceKey)
7d61ddbc: Syscall ordinal 00e8 for _NtReplyWaitReplyPort@8 (NtReplyWaitReplyPort)
7d61ddd4: Syscall ordinal 00e9 for _ZwRequestDeviceWakeup@4 (NtRequestDeviceWakeup)
7d61ddec: Syscall ordinal 00ea for _ZwRequestPort@8 (NtRequestPort)
7d61de04: Syscall ordinal 00eb for _ZwRequestWakeupLatency@4 (NtRequestWakeupLatency)
7d61de1c: Syscall ordinal 00ec for _NtResetEvent@8 (NtResetEvent)
7d61de34: Syscall ordinal 00ed for _ZwResetWriteWatch@12 (NtResetWriteWatch)
7d61de4c: Syscall ordinal 00ee for _NtRestoreKey@12 (NtRestoreKey)
7d61de64: Syscall ordinal 00ef for _ZwResumeProcess@4 (NtResumeProcess)
7d61de7c: Syscall ordinal 00f0 for _NtSaveKey@8 (NtSaveKey)
7d61de94: Syscall ordinal 00f1 for _NtSaveKeyEx@12 (NtSaveKeyEx)
7d61deac: Syscall ordinal 00f2 for _NtSaveMergedKeys@12 (NtSaveMergedKeys)
7d61dec4: Syscall ordinal 00f3 for _NtSecureConnectPort@36 (NtSecureConnectPort)
7d61dedc: Syscall ordinal 00f4 for _ZwSetBootEntryOrder@8 (NtSetBootEntryOrder)
7d61def4: Syscall ordinal 00f5 for _ZwSetBootOptions@8 (NtSetBootOptions)
7d61df0c: Syscall ordinal 00f6 for _ZwSetContextThread@8 (NtSetContextThread)
7d61df24: Syscall ordinal 00f7 for _NtSetDebugFilterState@12 (NtSetDebugFilterState)
7d61df3c: Syscall ordinal 00f8 for _NtSetDefaultHardErrorPort@4 (NtSetDefaultHardErrorPort)
7d61df54: Syscall ordinal 00f9 for _NtSetDefaultLocale@8 (NtSetDefaultLocale)
7d61df6c: Syscall ordinal 00fa for _ZwSetDefaultUILanguage@4 (NtSetDefaultUILanguage)
7d61df84: Syscall ordinal 00fb for _NtSetDriverEntryOrder@8 (NtSetDriverEntryOrder)
7d61df9c: Syscall ordinal 00fc for _ZwSetEaFile@16 (NtSetEaFile)
7d61dfb4: Syscall ordinal 00fd for _NtSetHighEventPair@4 (NtSetHighEventPair)
7d61dfcc: Syscall ordinal 00fe for _NtSetHighWaitLowEventPair@4 (NtSetHighWaitLowEventPair)
7d61dfe4: Syscall ordinal 00ff for _ZwSetInformationDebugObject@20 (NtSetInformationDebugObject)
7d61dffc: Syscall ordinal 0100 for _ZwSetInformationJobObject@16 (NtSetInformationJobObject)
7d61e014: Syscall ordinal 0101 for _ZwSetInformationKey@16 (NtSetInformationKey)
7d61e02c: Syscall ordinal 0102 for _ZwSetInformationToken@16 (NtSetInformationToken)
7d61e044: Syscall ordinal 0103 for _NtSetIntervalProfile@8 (NtSetIntervalProfile)
7d61e05c: Syscall ordinal 0104 for _NtSetIoCompletion@20 (NtSetIoCompletion)
7d61e074: Syscall ordinal 0105 for _ZwSetLdtEntries@24 (NtSetLdtEntries)
7d61e08c: Syscall ordinal 0106 for _ZwSetLowEventPair@4 (NtSetLowEventPair)
7d61e0a4: Syscall ordinal 0107 for _ZwSetLowWaitHighEventPair@4 (NtSetLowWaitHighEventPair)
7d61e0bc: Syscall ordinal 0108 for _ZwSetQuotaInformationFile@16 (NtSetQuotaInformationFile)
7d61e0d4: Syscall ordinal 0109 for _NtSetSecurityObject@12 (NtSetSecurityObject)
7d61e0ec: Syscall ordinal 010a for _ZwSetSystemEnvironmentValue@8 (NtSetSystemEnvironmentValue)
7d61e104: Syscall ordinal 010b for _ZwSetSystemEnvironmentValueEx@20 (NtSetSystemEnvironmentValueEx)
7d61e11c: Syscall ordinal 010c for _ZwSetSystemInformation@12 (NtSetSystemInformation)
7d61e134: Syscall ordinal 010d for _ZwSetSystemPowerState@12 (NtSetSystemPowerState)
7d61e14c: Syscall ordinal 010e for _ZwSetSystemTime@8 (NtSetSystemTime)
7d61e164: Syscall ordinal 010f for _ZwSetThreadExecutionState@8 (NtSetThreadExecutionState)
7d61e17c: Syscall ordinal 0110 for _NtSetTimerResolution@12 (NtSetTimerResolution)
7d61e194: Syscall ordinal 0111 for _ZwSetUuidSeed@4 (NtSetUuidSeed)
7d61e1ac: Syscall ordinal 0112 for _NtSetVolumeInformationFile@20 (NtSetVolumeInformationFile)
7d61e1c4: Syscall ordinal 0113 for _ZwShutdownSystem@4 (NtShutdownSystem)
7d61e1dc: Syscall ordinal 0114 for _ZwSignalAndWaitForSingleObject@16 (NtSignalAndWaitForSingleObject)
7d61e1f4: Syscall ordinal 0115 for _NtStartProfile@4 (NtStartProfile)
7d61e20c: Syscall ordinal 0116 for _ZwStopProfile@4 (NtStopProfile)
7d61e224: Syscall ordinal 0117 for _ZwSuspendProcess@4 (NtSuspendProcess)
7d61e23c: Syscall ordinal 0118 for _ZwSuspendThread@8 (NtSuspendThread)
7d61e254: Syscall ordinal 0119 for _NtSystemDebugControl@24 (NtSystemDebugControl)
7d61e26c: Syscall ordinal 011a for _ZwTerminateJobObject@8 (NtTerminateJobObject)
7d61e284: Syscall ordinal 011b for _NtTestAlert@0 (NtTestAlert)
7d61e29c: Syscall ordinal 011c for _NtTranslateFilePath@16 (NtTranslateFilePath)
7d61e2b4: Syscall ordinal 011d for _ZwUnloadDriver@4 (NtUnloadDriver)
7d61e2cc: Syscall ordinal 011e for _NtUnloadKey@4 (NtUnloadKey)
7d61e2e4: Syscall ordinal 011f for _ZwUnloadKey2@8 (NtUnloadKey2)
7d61e2fc: Syscall ordinal 0120 for _ZwUnloadKeyEx@8 (NtUnloadKeyEx)
7d61e314: Syscall ordinal 0121 for _ZwUnlockFile@20 (NtUnlockFile)
7d61e32c: Syscall ordinal 0122 for _NtUnlockVirtualMemory@16 (NtUnlockVirtualMemory)
7d61e344: Syscall ordinal 0123 for _NtVdmControl@8 (NtVdmControl)
7d61e35c: Syscall ordinal 0124 for _NtWaitForDebugEvent@16 (NtWaitForDebugEvent)
7d61e374: Syscall ordinal 0125 for _NtWaitForKeyedEvent@16 (NtWaitForKeyedEvent)
7d61e38c: Syscall ordinal 0126 for _ZwWaitHighEventPair@4 (NtWaitHighEventPair)
7d61e3a4: Syscall ordinal 0127 for _NtWaitLowEventPair@4 (NtWaitLowEventPair)
7d61e3bc: Syscall ordinal 0128 for _ZwWow64CsrClientConnectToServer@20 (NtWow64CsrClientConnectToServer)
7d61e3d4: Syscall ordinal 0129 for _NtWow64CsrNewThread@0 (NtWow64CsrNewThread)
7d61e3e8: Syscall ordinal 012a for _NtWow64CsrIdentifyAlertableThread@0 (NtWow64CsrIdentifyAlertableThread)
7d61e3fc: Syscall ordinal 012b for _NtWow64CsrClientCallServer@16 (NtWow64CsrClientCallServer)
7d61e414: Syscall ordinal 012c for _NtWow64CsrAllocateCaptureBuffer@8 (NtWow64CsrAllocateCaptureBuffer)
7d61e42c: Syscall ordinal 012d for _ZwWow64CsrFreeCaptureBuffer@4 (NtWow64CsrFreeCaptureBuffer)
7d61e444: Syscall ordinal 012e for _ZwWow64CsrAllocateMessagePointer@12 (NtWow64CsrAllocateMessagePointer)
7d61e45c: Syscall ordinal 012f for _ZwWow64CsrCaptureMessageBuffer@16 (NtWow64CsrCaptureMessageBuffer)
7d61e474: Syscall ordinal 0130 for _ZwWow64CsrCaptureMessageString@20 (NtWow64CsrCaptureMessageString)
7d61e48c: Syscall ordinal 0131 for _ZwWow64CsrSetPriorityClass@8 (NtWow64CsrSetPriorityClass)
7d61e4a4: Syscall ordinal 0132 for _NtWow64CsrGetProcessId@0 (NtWow64CsrGetProcessId)
7d61e4b8: Syscall ordinal 0133 for _NtWow64DebuggerCall@20 (NtWow64DebuggerCall)
7d61e4d0: Syscall ordinal 0134 for _ZwWow64GetNativeSystemInformation@16 (NtWow64GetNativeSystemInformation
RtlGetNativeSystemInformation)
7d61e4e8: Syscall ordinal 0135 for _NtWow64QueryInformationProcess64@20 (NtWow64QueryInformationProcess64)
7d61e500: Syscall ordinal 0136 for _NtWow64ReadVirtualMemory64@28 (NtWow64ReadVirtualMemory64)
7d61e518: Syscall ordinal 0137 for _ZwWow64QueryVirtualMemory64@32 (NtWow64QueryVirtualMemory64)

Here is the output for user32.dll:

7d947018: Syscall ordinal 1005 for _NtUserCallNoParam@4 (None)
7d9470ba: Syscall ordinal 106b for _NtUserGetObjectInformation@20 (None)
7d9470f4: Syscall ordinal 1021 for _NtUserGetProcessWindowStation@0 (None)
7d9471dd: Syscall ordinal 100e for _NtUserPostMessage@16 (None)
7d947261: Syscall ordinal 105d for _NtUserMoveWindow@24 (None)
7d94784b: Syscall ordinal 1006 for _NtUserGetMessage@16 (None)
7d947a14: Syscall ordinal 125b for _NtUserInitializeClientPfnArrays@16 (None)
7d948043: Syscall ordinal 1002 for _NtUserCallOneParam@8 (None)
7d948270: Syscall ordinal 1041 for _NtUserSystemParametersInfo@16 (None)
7d948473: Syscall ordinal 1007 for _NtUserMessageCall@28 (None)
7d948535: Syscall ordinal 104b for _NtUserSetProp@12 (None)
7d9485c5: Syscall ordinal 109f for _NtUserCallHwndParam@12 (None)
7d948631: Syscall ordinal 100f for _NtUserQueryWindow@8 (None)
7d948670: Syscall ordinal 1017 for _NtUserSetTimer@16 (None)
7d94868d: Syscall ordinal 101a for _NtUserKillTimer@8 (None)
7d9486aa: Syscall ordinal 103b for _NtUserGetForegroundWindow@0 (None)
7d9488ff: Syscall ordinal 1291 for _NtUserUpdateLayeredWindow@40 (None)
7d9489e6: Syscall ordinal 106e for _NtUserFindWindowEx@20 (None)
7d948a1e: Syscall ordinal 1070 for _NtUserUnhookWindowsHookEx@4 (None)
7d948a3b: Syscall ordinal 10d1 for _NtUserValidateRect@8 (None)
7d948a58: Syscall ordinal 1078 for _NtUserSetParent@8 (None)
7d948a99: Syscall ordinal 10d9 for _NtUserGetWindowPlacement@8 (None)
7d948ab6: Syscall ordinal 105e for _NtUserPostThreadMessage@16 (None)
7d948cdd: Syscall ordinal 1036 for _NtUserRegisterWindowMessage@4 (None)
7d9490f6: Syscall ordinal 1019 for _NtUserSetCursor@4 (None)
7d94913e: Syscall ordinal 1045 for _NtUserRemoveProp@8 (None)
7d949175: Syscall ordinal 1023 for _NtUserSetWindowPos@28 (None)
7d9491f4: Syscall ordinal 1001 for _NtUserPeekMessage@20 (None)
7d949355: Syscall ordinal 100c for _NtUserWaitMessage@0 (None)
7d949370: Syscall ordinal 1035 for _NtUserDispatchMessage@4 (None)
7d94950b: Syscall ordinal 1004 for _NtUserInvalidateRect@12 (None)
7d9496c8: Syscall ordinal 1000 for _NtUserGetThreadState@4 (None)
7d9496f2: Syscall ordinal 1018 for _NtUserEndPaint@8 (None)
7d94970f: Syscall ordinal 1016 for _NtUserBeginPaint@8 (None)
7d94972c: Syscall ordinal 1012 for _NtUserRedrawWindow@16 (None)
7d9499f8: Syscall ordinal 107c for _NtUserGetClassName@12 (None)
7d949a42: Syscall ordinal 10b6 for _NtUserGetAncestor@8 (None)
7d949bbe: Syscall ordinal 1003 for _NtUserGetKeyState@4 (None)
7d949bdb: Syscall ordinal 1026 for _NtUserCallHwndParamLock@12 (None)
7d949da1: Syscall ordinal 1013 for _NtUserWindowFromPoint@8 (None)
7d94a011: Syscall ordinal 10cc for _NtUserInvalidateRgn@12 (None)
7d94a09d: Syscall ordinal 100a for _NtUserGetDC@4 (None)
7d94a183: Syscall ordinal 1057 for _NtUserShowWindow@8 (None)
7d94a312: Syscall ordinal 1063 for _NtUserGetWindowDC@4 (None)
7d94a5c1: Syscall ordinal 105b for _NtUserSetWindowLong@16 (None)
7d94a6df: Syscall ordinal 1048 for _NtUserSetCapture@4 (None)
7d94a722: Syscall ordinal 1058 for _NtUserGetKeyboardLayoutList@8 (None)
7d94ad62: Syscall ordinal 100d for _NtUserTranslateMessage@8 (None)
7d94adfb: Syscall ordinal 1020 for _NtUserCallHwndLock@8 (None)
7d94ae1d: Syscall ordinal 101e for _NtUserHideCaret@4 (None)
7d94ae3a: Syscall ordinal 1024 for _NtUserShowCaret@4 (None)
7d94af58: Syscall ordinal 1029 for _NtUserCallTwoParam@12 (None)
7d94af75: Syscall ordinal 1031 for _NtUserCreateCaret@16 (None)
7d94b0b8: Syscall ordinal 102e for _NtUserIsClipboardFormatAvailable@4 (None)
7d94b0d5: Syscall ordinal 1055 for _NtUserGetClipboardSequenceNumber@0 (None)
7d94b132: Syscall ordinal 102f for _NtUserSetScrollInfo@16 (None)
7d94b29f: Syscall ordinal 1025 for _NtUserEndDeferWindowPosEx@8 (None)
7d94b2bc: Syscall ordinal 1052 for _NtUserDeferWindowPos@32 (None)
7d94c0cf: Syscall ordinal 1050 for _NtUserSetFocus@4 (None)
7d94c268: Syscall ordinal 1090 for _NtUserGetTitleBarInfo@8 (None)
7d94c2ac: Syscall ordinal 1062 for _NtUserInternalGetWindowText@12 (None)
7d94c2c9: Syscall ordinal 1098 for _NtUserCalcMenuBar@20 (None)
7d94c2e6: Syscall ordinal 1093 for _NtUserGetDCEx@12 (None)
7d94c412: Syscall ordinal 105f for _NtUserDrawIconEx@44 (None)
7d94c6b5: Syscall ordinal 101b for _NtUserBuildHwndList@28 (None)
7d94c821: Syscall ordinal 109e for _NtUserDestroyWindow@4 (None)
7d94c856: Syscall ordinal 109d for _NtUserDestroyCursor@8 (None)
7d94c873: Syscall ordinal 104e for _NtUserGetIconInfo@24 (None)
7d94c8bf: Syscall ordinal 10ce for _NtUserSetWindowRgn@12 (None)
7d94cb0e: Syscall ordinal 10ad for _NtUserGetAtomName@8 (None)
7d94cc1b: Syscall ordinal 10bd for _NtUserGetClassInfoEx@20 (None)
7d94cd6a: Syscall ordinal 1099 for _NtUserThunkedMenuItemInfo@24 (None)
7d94cd87: Syscall ordinal 10c0 for _NtUserDeleteMenu@12 (None)
7d94d117: Syscall ordinal 10c2 for _NtUserScrollWindowEx@32 (None)
7d94d195: Syscall ordinal 127b for _NtUserSetLayeredWindowAttributes@16 (None)
7d94d1b2: Syscall ordinal 10c4 for _NtUserSetClassLong@16 (None)
7d94d3fd: Syscall ordinal 1104 for _NtUserGetGUIThreadInfo@8 (None)
7d94da17: Syscall ordinal 1010 for _NtUserTranslateAccelerator@12 (None)
7d94da4c: Syscall ordinal 1015 for _NtUserValidateTimerCallback@4 (None)
7d94deb1: Syscall ordinal 103d for _NtUserFindExistingCursorIcon@12 (None)
7d94df61: Syscall ordinal 103c for _NtUserShowScrollBar@12 (None)
7d94dfb5: Syscall ordinal 10e1 for _NtUserDestroyMenu@4 (None)
7d94e0d2: Syscall ordinal 10ba for _NtUserGetDoubleClickTime@0 (None)
7d94e284: Syscall ordinal 10bf for _NtUserUnregisterClass@12 (None)
7d94e5d6: Syscall ordinal 104d for _NtUserSBGetParms@16 (None)
7d94e66a: Syscall ordinal 1094 for _NtUserGetScrollBarInfo@12 (None)
7d94ed83: Syscall ordinal 10a8 for _NtUserSetCursorIconData@16 (None)
7d94f54e: Syscall ordinal 10f5 for _NtUserCreateAcceleratorTable@8 (None)
7d94f87b: Syscall ordinal 1077 for _NtUserCreateWindowEx@60 (None)
7d94f898: Syscall ordinal 10b4 for _NtUserRegisterClassExWOW@28 (None)
7d95008e: Syscall ordinal 1060 for _NtUserGetSystemMenu@8 (None)
7d9505a3: Syscall ordinal 1049 for _NtUserEnumDisplayMonitors@16 (None)
7d950e13: Syscall ordinal 105a for _NtUserMapVirtualKeyEx@16 (None)
7d950f8c: Syscall ordinal 110a for _NtUserUnhookWinEvent@4 (None)
7d951366: Syscall ordinal 10df for _NtUserTrackMouseEvent@4 (None)
7d9513f4: Syscall ordinal 1112 for _NtUserCallHwnd@8 (None)
7d9514e8: Syscall ordinal 10ec for _NtUserSetWindowWord@12 (None)
7d951835: Syscall ordinal 1089 for _NtUserGetIconSize@16 (None)
7d952548: Syscall ordinal 10f8 for _NtUserGetCaretBlinkTime@0 (None)
7d95256b: Syscall ordinal 123f for _NtUserGetCaretPos@4 (None)
7d9529aa: Syscall ordinal 1043 for _NtUserGetAsyncKeyState@4 (None)
7d952ab8: Syscall ordinal 10d2 for _NtUserCloseClipboard@0 (None)
7d952afd: Syscall ordinal 10d3 for _NtUserOpenClipboard@8 (None)
7d952c07: Syscall ordinal 104f for _NtUserExcludeUpdateRgn@8 (None)
7d952c24: Syscall ordinal 1079 for _NtUserGetKeyboardState@4 (None)
7d952c41: Syscall ordinal 10f3 for _NtUserSetKeyboardState@4 (None)
7d952d4b: Syscall ordinal 1044 for _NtUserGetCPD@12 (None)
7d952dce: Syscall ordinal 1027 for _NtUserVkKeyScanEx@12 (None)
7d952e3c: Syscall ordinal 102c for _NtUserNotifyWinEvent@16 (None)
7d9531f0: Syscall ordinal 1121 for _NtUserSetClipboardViewer@4 (None)
7d95320d: Syscall ordinal 111f for _NtUserChangeClipboardChain@8 (None)
7d953a99: Syscall ordinal 10f2 for _NtUserPaintMenuBar@24 (None)
7d954d8d: Syscall ordinal 108d for _NtUserSetWindowsHookEx@24 (None)
7d954f9a: Syscall ordinal 10b9 for _NtUserCloseWindowStation@4 (None)
7d955278: Syscall ordinal 1080 for _NtUserDefSetText@8 (None)
7d955c20: Syscall ordinal 1096 for _NtUserSetWindowFNID@8 (None)
7d955d70: Syscall ordinal 10dd for _NtUserSetThreadState@8 (None)
7d9566a3: Syscall ordinal 10e4 for _NtUserSetActiveWindow@4 (None)
7d956abc: Syscall ordinal 10f6 for _NtUserGetCursorFrameInfo@16 (None)
7d956b38: Syscall ordinal 101d for _NtUserCallNextHookEx@16 (None)
7d956bce: Syscall ordinal 10e6 for _NtUserSetWindowPlacement@8 (None)
7d956f86: Syscall ordinal 108a for _NtUserFillWindow@16 (None)
7d956fba: Syscall ordinal 1014 for _NtUserCallMsgFilter@8 (None)
7d957d5c: Syscall ordinal 110c for _NtUserLockWindowUpdate@4 (None)
7d958b57: Syscall ordinal 10fb for _NtUserEnumDisplayDevices@16 (None)
7d958cc0: Syscall ordinal 1109 for _NtUserSetWinEventHook@32 (None)
7d959cf6: Syscall ordinal 10aa for _NtUserCloseDesktop@4 (None)
7d959e46: Syscall ordinal 10b2 for _NtUserBuildNameList@16 (None)
7d959eb0: Syscall ordinal 10ab for _NtUserOpenDesktop@12 (None)
7d95a0f5: Syscall ordinal 10a1 for _NtUserOpenWindowStation@8 (None)
7d95a825: Syscall ordinal 107b for _NtUserGetControlBrush@12 (None)
7d9610e1: Syscall ordinal 10d7 for _NtUserAlterWindowStyle@12 (None)
7d9652e2: Syscall ordinal 1106 for _NtUserSetWindowsHookAW@12 (None)
7d96534d: Syscall ordinal 1108 for _NtUserCheckMenuItem@12 (None)
7d967424: Syscall ordinal 110d for _NtUserSetSystemMenu@8 (None)
7d9677a4: Syscall ordinal 110e for _NtUserThunkedMenuInfo@8 (None)
7d967fb4: Syscall ordinal 10cf for _NtUserBitBltSysBmp@32 (None)
7d969411: Syscall ordinal 1114 for _NtUserModifyUserStartupInfoFlags@8 (None)
7d9699bd: Syscall ordinal 1084 for _NtUserGetThreadDesktop@8 (None)
7d969c69: Syscall ordinal 10ed for _NtUserGetClipboardFormatName@12 (None)
7d969cf8: Syscall ordinal 10fc for _NtUserEmptyClipboard@0 (None)
7d969d13: Syscall ordinal 10cd for _NtUserGetClipboardOwner@0 (None)
7d969ef4: Syscall ordinal 10fd for _NtUserGetClipboardData@8 (None)
7d969f66: Syscall ordinal 10ef for _NtUserCreateLocalMemHandle@16 (None)
7d969f93: Syscall ordinal 10d5 for _NtUserSetClipboardData@12 (None)
7d96a120: Syscall ordinal 1102 for _NtUserConvertMemHandle@8 (None)
7d96a6bf: Syscall ordinal 10dc for _NtUserGetOpenClipboardWindow@0 (None)
7d96a6da: Syscall ordinal 1115 for _NtUserCountClipboardFormats@0 (None)
7d96a753: Syscall ordinal 122c for _NtUserClipCursor@4 (None)
7d96a8f2: Syscall ordinal 10c5 for _NtUserGetMenuBarInfo@16 (None)
7d96a963: Syscall ordinal 10fe for _NtUserRemoveMenu@12 (None)
7d96aa0e: Syscall ordinal 111a for _NtUserEnumDisplaySettings@16 (None)
7d96abbb: Syscall ordinal 102b for _NtUserCopyAcceleratorTable@12 (None)
7d96bca8: Syscall ordinal 107a for _NtUserToUnicodeEx@28 (None)
7d96c41c: Syscall ordinal 122b for _NtUserChildWindowFromPointEx@16 (None)
7d96c566: Syscall ordinal 1107 for _NtUserSetMenuDefaultItem@12 (None)
7d96d34e: Syscall ordinal 1113 for _NtUserDdeInitialize@20 (None)
7d96d976: Syscall ordinal 1231 for _NtUserDdeGetQualityOfService@12 (None)
7d96f7d7: Syscall ordinal 127d for _NtUserSetMenu@12 (None)
7d96f996: Syscall ordinal 10ac for _NtUserSetProcessWindowStation@4 (None)
7d96fa81: Syscall ordinal 1092 for _NtUserSetThreadDesktop@4 (None)
7d96fd73: Syscall ordinal 10e7 for _NtUserGetControlColor@16 (None)
7d9819d7: Syscall ordinal 1296 for _NtUserWaitForMsgAndEvent@4 (None)
7d981d9c: Syscall ordinal 1126 for _NtUserActivateKeyboardLayout@8 (None)
7d981db9: Syscall ordinal 1123 for _NtUserSetConsoleReserveKeys@8 (None)
7d981f00: Syscall ordinal 1262 for _NtUserMinMaximize@12 (None)
7d986b17: Syscall ordinal 1286 for _NtUserSetWindowStationUser@16 (None)
7d986b34: Syscall ordinal 1229 for _NtUserCallHwndOpt@8 (None)
7d986b51: Syscall ordinal 122f for _NtUserCreateWindowStation@28 (None)
7d9a0785: Syscall ordinal 1083 for _NtUserSendInput@12 (None)
7d9a07a2: Syscall ordinal 10bb for _NtUserEnableScrollBar@12 (None)
7d9a07bf: Syscall ordinal 10e5 for _NtUserSetInformationThread@16 (None)
7d9a07dc: Syscall ordinal 10ee for _NtUserRealInternalGetMessage@24 (None)
7d9a07f9: Syscall ordinal 10f0 for _NtUserAttachThreadInput@12 (None)
7d9a0816: Syscall ordinal 10f7 for _NtUserGetAltTabInfo@24 (None)
7d9a0833: Syscall ordinal 10fa for _NtUserProcessConnect@12 (None)
7d9a0850: Syscall ordinal 111b for _NtUserPaintDesktop@4 (None)
7d9a086d: Syscall ordinal 1122 for _NtUserShowWindowAsync@8 (None)
7d9a088a: Syscall ordinal 1226 for _NtUserBlockInput@4 (None)
7d9a08a7: Syscall ordinal 1228 for _NtUserBuildPropList@16 (None)
7d9a08c4: Syscall ordinal 122a for _NtUserChangeDisplaySettings@16 (None)
7d9a08e1: Syscall ordinal 122d for _NtUserCreateDesktop@20 (None)
7d9a08fe: Syscall ordinal 1232 for _NtUserDdeSetQualityOfService@12 (None)
7d9a091b: Syscall ordinal 1235 for _NtUserDragDetect@12 (None)
7d9a0938: Syscall ordinal 1236 for _NtUserDragObject@20 (None)
7d9a0955: Syscall ordinal 1237 for _NtUserDrawAnimatedRects@16 (None)
7d9a0972: Syscall ordinal 1238 for _NtUserDrawCaption@16 (None)
7d9a098f: Syscall ordinal 1239 for _NtUserDrawCaptionTemp@28 (None)
7d9a09ac: Syscall ordinal 123a for _NtUserDrawMenuBarTemp@20 (None)
7d9a09c9: Syscall ordinal 123b for _NtUserEndMenu@0 (None)
7d9a09e4: Syscall ordinal 123c for _NtUserEvent@4 (None)
7d9a0a01: Syscall ordinal 123d for _NtUserFlashWindowEx@4 (None)
7d9a0a1e: Syscall ordinal 1240 for _NtUserGetClipCursor@4 (None)
7d9a0a3b: Syscall ordinal 1241 for _NtUserGetClipboardViewer@0 (None)
7d9a0a56: Syscall ordinal 1242 for _NtUserGetComboBoxInfo@8 (None)
7d9a0a73: Syscall ordinal 1243 for _NtUserGetCursorInfo@4 (None)
7d9a0a90: Syscall ordinal 1244 for _NtUserGetGuiResources@8 (None)
7d9a0aad: Syscall ordinal 1245 for _NtUserGetImeHotKey@16 (None)
7d9a0aca: Syscall ordinal 1247 for _NtUserGetInternalWindowPos@12 (None)
7d9a0ae7: Syscall ordinal 1248 for _NtUserGetKeyNameText@12 (None)
7d9a0b04: Syscall ordinal 1249 for _NtUserGetKeyboardLayoutName@4 (None)
7d9a0b21: Syscall ordinal 124a for _NtUserGetLayeredWindowAttributes@16 (None)
7d9a0b3e: Syscall ordinal 124b for _NtUserGetListBoxInfo@4 (None)
7d9a0b5b: Syscall ordinal 124c for _NtUserGetMenuIndex@8 (None)
7d9a0b78: Syscall ordinal 124d for _NtUserGetMenuItemRect@16 (None)
7d9a0b95: Syscall ordinal 124e for _NtUserGetMouseMovePointsEx@20 (None)
7d9a0bb2: Syscall ordinal 124f for _NtUserGetPriorityClipboardFormat@8 (None)
7d9a0bcf: Syscall ordinal 1250 for _NtUserGetRawInputBuffer@12 (None)
7d9a0bec: Syscall ordinal 1251 for _NtUserGetRawInputData@20 (None)
7d9a0c09: Syscall ordinal 1252 for _NtUserGetRawInputDeviceInfo@16 (None)
7d9a0c26: Syscall ordinal 1253 for _NtUserGetRawInputDeviceList@12 (None)
7d9a0c43: Syscall ordinal 1254 for _NtUserGetRegisteredRawInputDevices@12 (None)
7d9a0c60: Syscall ordinal 1255 for _NtUserGetWOWClass@8 (None)
7d9a0c7d: Syscall ordinal 1257 for _NtUserHiliteMenuItem@16 (None)
7d9a0c9a: Syscall ordinal 1258 for _NtUserImpersonateDdeClientWindow@8 (None)
7d9a0cb7: Syscall ordinal 1259 for _NtUserInitTask@48 (None)
7d9a0cd4: Syscall ordinal 125c for _NtUserLoadKeyboardLayoutEx@28 (None)
7d9a0cf1: Syscall ordinal 125d for _NtUserLockWindowStation@4 (None)
7d9a0d0e: Syscall ordinal 125e for _NtUserLockWorkStation@0 (None)
7d9a0d29: Syscall ordinal 125f for _NtUserMNDragLeave@0 (None)
7d9a0d44: Syscall ordinal 1260 for _NtUserMNDragOver@8 (None)
7d9a0d61: Syscall ordinal 1261 for _NtUserMenuItemFromPoint@16 (None)
7d9a0d7e: Syscall ordinal 1263 for _NtUserNotifyIMEStatus@12 (None)
7d9a0d9b: Syscall ordinal 1264 for _NtUserOpenInputDesktop@12 (None)
7d9a0db8: Syscall ordinal 1265 for _NtUserPrintWindow@12 (None)
7d9a0dd5: Syscall ordinal 1268 for _NtUserQuerySendMessage@4 (None)
7d9a0df2: Syscall ordinal 1269 for _NtUserRealChildWindowFromPoint@12 (None)
7d9a0e0f: Syscall ordinal 126a for _NtUserRealWaitMessageEx@8 (None)
7d9a0e2c: Syscall ordinal 126b for _NtUserRegisterHotKey@16 (None)
7d9a0e49: Syscall ordinal 126c for _NtUserRegisterRawInputDevices@12 (None)
7d9a0e66: Syscall ordinal 126d for _NtUserRegisterTasklist@4 (None)
7d9a0e83: Syscall ordinal 126e for _NtUserRegisterUserApiHook@16 (None)
7d9a0ea0: Syscall ordinal 1273 for _NtUserResolveDesktopForWOW@4 (None)
7d9a0ebd: Syscall ordinal 1275 for _NtUserSetClassWord@12 (None)
7d9a0eda: Syscall ordinal 1276 for _NtUserSetCursorContents@8 (None)
7d9a0ef7: Syscall ordinal 1277 for _NtUserSetImeHotKey@20 (None)
7d9a0f14: Syscall ordinal 1279 for _NtUserSetImeOwnerWindow@8 (None)
7d9a0f31: Syscall ordinal 127a for _NtUserSetInternalWindowPos@16 (None)
7d9a0f4e: Syscall ordinal 127c for _NtUserSetLogonNotifyWindow@4 (None)
7d9a0f6b: Syscall ordinal 127e for _NtUserSetMenuContextHelpId@8 (None)
7d9a0f88: Syscall ordinal 127f for _NtUserSetMenuFlagRtoL@4 (None)
7d9a0fa5: Syscall ordinal 1280 for _NtUserSetObjectInformation@16 (SetUserObjectInformationA)
7d9a0fc2: Syscall ordinal 1281 for _NtUserSetShellWindowEx@8 (None)
7d9a0fdf: Syscall ordinal 1282 for _NtUserSetSysColors@16 (None)
7d9a0ffc: Syscall ordinal 1283 for _NtUserSetSystemCursor@8 (None)
7d9a1019: Syscall ordinal 1284 for _NtUserSetSystemTimer@16 (None)
7d9a1036: Syscall ordinal 1288 for _NtUserSwitchDesktop@4 (None)
7d9a1053: Syscall ordinal 1289 for _NtUserTestForInteractiveUser@4 (None)
7d9a1070: Syscall ordinal 128a for _NtUserTrackPopupMenuEx@24 (None)
7d9a108d: Syscall ordinal 128b for _NtUserUnloadKeyboardLayout@4 (None)
7d9a10aa: Syscall ordinal 128c for _NtUserUnlockWindowStation@4 (None)
7d9a10c7: Syscall ordinal 128d for _NtUserUnregisterHotKey@8 (None)
7d9a10e4: Syscall ordinal 128e for _NtUserUnregisterUserApiHook@0 (None)
7d9a10ff: Syscall ordinal 128f for _NtUserUpdateInputContext@12 (None)
7d9a111c: Syscall ordinal 1290 for _NtUserUpdateInstance@12 (None)
7d9a1139: Syscall ordinal 1292 for _NtUserUpdatePerUserSystemParameters@8 (None)
7d9a1156: Syscall ordinal 1293 for _NtUserUserHandleGrantAccess@12 (None)
7d9a1173: Syscall ordinal 1294 for _NtUserValidateHandleSecure@4 (None)
7d9a1190: Syscall ordinal 1295 for _NtUserWaitForInputIdle@12 (None)
7d9a11ad: Syscall ordinal 1297 for _NtUserWin32PoolAllocationStats@24 (None)
7d9a11ca: Syscall ordinal 1298 for _NtUserYieldTask@0 (None)

And here is the output for kernel32.dll:

7d4df1bc: Syscall ordinal 3000 for _NtWow64CsrBasepSoundSentryNotification@4 (None)
7d4df1d4: Syscall ordinal 3001 for _NtWow64CsrBasepRefreshIniFileMapping@4 (None)
7d4df1ec: Syscall ordinal 3002 for _NtWow64CsrBasepDefineDosDevice@12 (None)
7d4df204: Syscall ordinal 3003 for _NtWow64CsrBasepGetTempFile@0 (None)
7d4df218: Syscall ordinal 3004 for _NtWow64CsrBasepCreateProcess@4 (None)
7d4df230: Syscall ordinal 3005 for _NtWow64CsrBasepExitProcess@4 (None)
7d4df248: Syscall ordinal 3006 for _NtWow64CsrBasepSetProcessShutdownParam@8 (None)
7d4df260: Syscall ordinal 3007 for _NtWow64CsrBasepGetProcessShutdownParam@8 (None)
7d4df278: Syscall ordinal 3008 for _NtWow64CsrBasepSetTermsrvAppInstallMode@4 (None)
7d4df290: Syscall ordinal 3009 for _NtWow64CsrBasepSetClientTimeZoneInformation@4 (None)
7d4df2a8: Syscall ordinal 300a for _NtWow64CsrBasepCreateThread@12 (None)
7d4df2c0: Syscall ordinal 300b for _NtWow64CsrBaseClientConnectToServer@12 (None)
7d4df2d8: Syscall ordinal 300c for _NtWow64CsrBasepNlsSetUserInfo@12 (None)
7d4df2f0: Syscall ordinal 300d for _NtWow64CsrBasepNlsSetMultipleUserInfo@28 (None)
7d4df308: Syscall ordinal 300e for _NtWow64CsrBasepNlsCreateSection@12 (None)
7d4df320: Syscall ordinal 300f for _NtWow64CsrBasepCreateActCtx@4 (None)
7d4df338: Syscall ordinal 3010 for _NtWow64CsrBasepNlsUpdateCacheCount@0 (None)
7d4df34c: Syscall ordinal 3011 for _NtWow64CsrBaseCheckRunApp@40 (None)
7d4df364: Syscall ordinal 3012 for _NtWow64CsrBasepNlsGetUserInfo@8 (None)
7d4df37c: Syscall ordinal 3013 for _NtWow64CsrBaseQueryModuleData@20 (None)
7d4e9514: Syscall ordinal 203b for _ConnectConsoleInternal@12 (None)
7d4ea51e: Syscall ordinal 2000 for _OpenConsoleWInternal@16 (None)
7d4eade7: Syscall ordinal 203f for _GetConsoleLangId@4 (None)
7d4eb3ee: Syscall ordinal 204b for _GetConsoleTitleInternal@12 (None)
7d4eb7a2: Syscall ordinal 202a for _GetConsoleCP@0 (None)
7d4ed26f: Syscall ordinal 2007 for _VerifyConsoleIoHandle@4 (None)
7d4ed28c: Syscall ordinal 2012 for _GetConsoleMode@8 (None)
7d4ed2a9: Syscall ordinal 2002 for _WriteConsoleInternal@20 (None)
7d4ed325: Syscall ordinal 2004 for _DuplicateConsoleHandle@16 (None)
7d4ed34c: Syscall ordinal 2003 for _CloseConsoleHandle@4 (None)
7d4ed374: Syscall ordinal 201e for _SetConsoleMode@8 (None)
7d4ed51b: Syscall ordinal 202c for _GetConsoleOutputCP@0 (None)
7d503305: Syscall ordinal 2017 for _GetConsoleScreenBufferInfo@8 (None)
7d54f034: Syscall ordinal 2001 for _ReadConsoleInternal@32 (None)
7d54f051: Syscall ordinal 2005 for _GetConsoleHandleInformation@8 (None)
7d54f06e: Syscall ordinal 2006 for _SetConsoleHandleInformation@12 (None)
7d54f08b: Syscall ordinal 2008 for _SetLastConsoleEventActiveInternal@0 (None)
7d54f0a6: Syscall ordinal 2009 for _GetConsoleInput@24 (None)
7d54f0c3: Syscall ordinal 200a for _WriteConsoleInputInternal@24 (None)
7d54f0e0: Syscall ordinal 200b for _ReadConsoleOutputInternal@24 (None)
7d54f0fd: Syscall ordinal 200c for _WriteConsoleOutputInternal@24 (None)
7d54f11a: Syscall ordinal 200d for _ReadConsoleOutputString@28 (None)
7d54f137: Syscall ordinal 200e for _WriteConsoleOutputString@28 (None)
7d54f154: Syscall ordinal 200f for _FillConsoleOutput@24 (None)
7d54f171: Syscall ordinal 2010 for _CreateConsoleScreenBuffer@20 (None)
7d54f18e: Syscall ordinal 2011 for _InvalidateConsoleDIBits@8 (None)
7d54f1ab: Syscall ordinal 2013 for _GetConsoleProcessList@8 (None)
7d54f1c8: Syscall ordinal 2014 for _GetNumberOfConsoleFonts@0 (None)
7d54f1e3: Syscall ordinal 2015 for _GetNumberOfConsoleInputEvents@8 (None)
7d54f200: Syscall ordinal 2016 for _GetLargestConsoleWindowSize@4 (None)
7d54f21d: Syscall ordinal 2018 for _GetConsoleCursorInfo@8 (None)
7d54f23a: Syscall ordinal 2019 for _GetConsoleSelectionInfo@4 (None)
7d54f257: Syscall ordinal 201a for _GetNumberOfConsoleMouseButtons@4 (None)
7d54f274: Syscall ordinal 201b for _GetConsoleFontInfo@16 (None)
7d54f291: Syscall ordinal 201c for _GetConsoleFontSize@8 (None)
7d54f2ae: Syscall ordinal 201d for _GetCurrentConsoleFont@12 (None)
7d54f2cb: Syscall ordinal 201f for _GenerateConsoleCtrlEvent@8 (None)
7d54f2e8: Syscall ordinal 2020 for _SetConsoleActiveScreenBuffer@4 (None)
7d54f305: Syscall ordinal 2021 for _FlushConsoleInputBuffer@4 (None)
7d54f322: Syscall ordinal 2022 for _SetConsoleScreenBufferSize@8 (None)
7d54f33f: Syscall ordinal 2023 for _SetConsoleCursorPosition@8 (None)
7d54f35c: Syscall ordinal 2024 for _SetConsoleCursorInfo@8 (None)
7d54f379: Syscall ordinal 2025 for _SetConsoleWindowInfo@12 (None)
7d54f396: Syscall ordinal 2026 for _ScrollConsoleScreenBufferInternal@24 (None)
7d54f3b3: Syscall ordinal 2027 for _SetConsoleTextAttribute@8 (None)
7d54f3d0: Syscall ordinal 2028 for _SetConsoleFont@8 (None)
7d54f3ed: Syscall ordinal 2029 for _SetConsoleIcon@4 (None)
7d54f40a: Syscall ordinal 202b for _SetConsoleCP@4 (None)
7d54f427: Syscall ordinal 202d for _SetConsoleOutputCPInternal@4 (None)
7d54f444: Syscall ordinal 202e for _GetConsoleKeyboardLayoutNameWorker@8 (None)
7d54f461: Syscall ordinal 202f for _GetConsoleWindow@0 (None)
7d54f47c: Syscall ordinal 2030 for _SetConsoleCursor@8 (None)
7d54f499: Syscall ordinal 2031 for _ShowConsoleCursor@8 (None)
7d54f4b6: Syscall ordinal 2032 for _ConsoleMenuControl@12 (None)
7d54f4d3: Syscall ordinal 2033 for _SetConsolePaletteInternal@12 (None)
7d54f4f0: Syscall ordinal 2034 for _RegisterConsoleVDM@44 (None)
7d54f50d: Syscall ordinal 2035 for _SetConsoleDisplayMode@12 (None)
7d54f52a: Syscall ordinal 2036 for _GetConsoleHardwareState@12 (None)
7d54f547: Syscall ordinal 2037 for _SetConsoleHardwareState@12 (None)
7d54f564: Syscall ordinal 2038 for _GetConsoleDisplayMode@4 (None)
7d54f581: Syscall ordinal 2039 for _SetConsoleKeyShortcuts@16 (None)
7d54f59e: Syscall ordinal 203a for _SetConsoleMenuClose@4 (None)
7d54f5bb: Syscall ordinal 203c for _AllocConsoleInternal@44 (None)
7d54f5d8: Syscall ordinal 203d for _FreeConsoleInternal@0 (None)
7d54f5f3: Syscall ordinal 203e for _AttachConsoleInternal@16 (None)
7d54f610: Syscall ordinal 2040 for _AddConsoleAliasInternal@24 (None)
7d54f62d: Syscall ordinal 2041 for _GetConsoleAliasInternal@24 (None)
7d54f64a: Syscall ordinal 2042 for _GetConsoleAliasesLengthInternal@8 (None)
7d54f667: Syscall ordinal 2043 for _GetConsoleAliasExesLengthInternal@4 (None)
7d54f684: Syscall ordinal 2044 for _GetConsoleAliasesInternal@16 (None)
7d54f6a1: Syscall ordinal 2045 for _GetConsoleAliasExesInternal@12 (None)
7d54f6be: Syscall ordinal 2046 for _ExpungeConsoleCommandHistoryInternal@8 (None)
7d54f6db: Syscall ordinal 2047 for _SetConsoleNumberOfCommandsInternal@12 (None)
7d54f6f8: Syscall ordinal 2048 for _GetConsoleCommandHistoryLengthInternal@8 (None)
7d54f715: Syscall ordinal 2049 for _GetConsoleCommandHistoryInternal@16 (None)
7d54f732: Syscall ordinal 204a for _SetConsoleCommandHistoryMode@4 (None)
7d54f74f: Syscall ordinal 204c for _SetConsoleTitleInternal@12 (None)
7d54f76c: Syscall ordinal 204d for _GetConsoleCharType@12 (None)
7d54f789: Syscall ordinal 204e for _SetConsoleLocalEUDC@16 (None)
7d54f7a6: Syscall ordinal 204f for _SetConsoleCursorMode@12 (None)
7d54f7c3: Syscall ordinal 2050 for _GetConsoleCursorMode@12 (None)
7d54f7e0: Syscall ordinal 2051 for _RegisterConsoleOS2@4 (None)
7d54f7fd: Syscall ordinal 2052 for _SetConsoleOS2OemFormat@4 (None)
7d54f81a: Syscall ordinal 2053 for _GetConsoleNlsMode@8 (None)
7d54f837: Syscall ordinal 2054 for _SetConsoleNlsMode@8 (None)
7d54f854: Syscall ordinal 2055 for _RegisterConsoleIMEInternal@20 (None)
7d54f871: Syscall ordinal 2056 for _UnregisterConsoleIMEInternal@4 (None)