Generic Iterative Dataflow Analysis in Python

Here is an example of a remarkably simple yet powerful dataflow analysis technique. The algorithm is very generic and can be used to implement a number of forward and backward analyses such as constant propagation, reaching definitions, value-set analysis, or in my case type inference.

The algorithm, adapted from the maximal fixed-point algorithm in the dragon book, takes a control flow graph as input and outputs IN and OUT, two maps from each basic block to the abstract state at its entry and at its exit respectively (an abstract state maps variables to abstract values). It is parametric: you must supply it with a few functions that determine the output of your analysis:

  • analysis.meet takes two abstract states and returns an abstract state (see lattices). To guarantee that the algorithm terminates, this function should be monotone (and your lattice of abstract values of finite height).
  • analysis.step_forward (resp. analysis.step_backward) takes an instruction and the abstract state at its entry (resp. exit) and “executes” it, transforming the abstract state in place. These two functions are used to automatically compute the transfer function of each basic block in the cfg.
It looks like this:
from functools import reduce   # a builtin in Python 2, but not in Python 3

def forward_transfer_function(analysis, bb, IN_bb):
    # run the abstract semantics of every instruction, starting from the entry state
    OUT_bb = IN_bb.copy()
    for insn in bb:
        analysis.step_forward(insn, OUT_bb)
    return OUT_bb

def backward_transfer_function(analysis, bb, OUT_bb):
    # same thing, walking the block backwards from the exit state
    IN_bb = OUT_bb.copy()
    for insn in reversed(bb):
        analysis.step_backward(insn, IN_bb)
    return IN_bb

def update(env, bb, newval, todo_set, todo_candidates):
    # record the new state and, if it changed, schedule the neighbouring blocks
    if newval != env[bb]:
        print('{0} has changed, adding {1}'.format(bb, todo_candidates))
        env[bb] = newval
        todo_set |= todo_candidates

def maximal_fixed_point(analysis, cfg, init=None):
    if init is None:
        init = {}

    # state at the entry and exit of each basic block
    IN, OUT = {}, {}
    for bb in cfg.nodes:
        IN[bb] = {}
        OUT[bb] = {}
    IN[cfg.entry_point] = init

    # first make a pass over each basic block
    # (two distinct worklists: sharing one set would let the forward loop drain
    # the backward one, and pop() would eat cfg.nodes itself)
    todo_forward = set(cfg.nodes)
    todo_backward = set(cfg.nodes)

    while todo_backward or todo_forward:
        while todo_forward:
            bb = todo_forward.pop()

            ####
            # compute the environment at the entry of this BB
            new_IN = reduce(analysis.meet, map(OUT.get, cfg.pred[bb]), IN[bb])
            update(IN, bb, new_IN, todo_backward, cfg.pred[bb])

            ####
            # propagate information for this basic block
            new_OUT = forward_transfer_function(analysis, bb, IN[bb])
            update(OUT, bb, new_OUT, todo_forward, cfg.succ[bb])

        while todo_backward:
            bb = todo_backward.pop()

            ####
            # compute the environment at the exit of this BB
            new_OUT = reduce(analysis.meet, map(IN.get, cfg.succ[bb]), OUT[bb])
            update(OUT, bb, new_OUT, todo_forward, cfg.succ[bb])

            ####
            # propagate information for this basic block (backwards)
            new_IN = backward_transfer_function(analysis, bb, OUT[bb])
            update(IN, bb, new_IN, todo_backward, cfg.pred[bb])

    ####
    # IN and OUT have converged
    return IN, OUT
Ideally, to propagate dataflow information in one pass, you would like to have visited every predecessor of a basic block B before analyzing B in a forward pass. Unfortunately, with irreducible flow graphs you are not guaranteed to be able to do this. Instead, this algorithm
  1. starts with an empty state at some arbitrary basic block
  2. makes a forward pass and a backward pass over each basic block, adding the successors/predecessors to a worklist when changes are detected
  3. continues until the worklist is empty.
The meet function is here to “combine” information from multiple paths: for instance, if B2 is reachable from B0 and B1, then IN(B2) = meet(OUT(B0), OUT(B1)). If you wanted to collect value set information and you had:
  • OUT(B0) = [a->{1}]
  • OUT(B1) = [a-> {-1}]
  • then meet could output IN(B2) = [a -> {1, -1}]
Depending on how meet is defined, it can look for information true for all paths coming to a basic block, or for information from at least one path.
Now, some sample code to implement a simple constant propagation analysis. It is forward only for simplicity, but the algorithm works for bidirectional analyses such as type inference.

def meet_val(lhs, rhs):
    result = None

    if lhs == 'NAC' or rhs == 'NAC':
        result = 'NAC'

    elif lhs == 'UNDEF' or rhs == 'UNDEF':
        result = 'UNDEF'

    else:
        result = 'CONST'

    return result

def meet_env(lhs, rhs):
    lhs_keys = set(lhs.keys())
    rhs_keys = set(rhs.keys())
    result = {}

    for var in lhs_keys - rhs_keys:
        result[var] = lhs[var]

    for var in rhs_keys - lhs_keys:
        result[var] = rhs[var]

    for var in lhs_keys & rhs_keys:
        result[var] = meet_val(lhs[var], rhs[var])

    return result

def abstract_value(env, expr):
    # a literal is a constant; a variable never assigned on this path is undefined
    if expr.isdigit():
        return 'CONST'

    try:
        return env[expr]
    except KeyError:
        return 'UNDEF'

def step_forward(insn, env_in):
    # pseudo-instructions such as 'entry' carry no semantics
    if isinstance(insn, str):
        return

    var, op, expr = insn

    # insn is var = c or var = y (a bare token, whatever its length)
    if isinstance(expr, str):
        env_in[var] = abstract_value(env_in, expr)

    # insn is var = e1 + e2
    else:
        e1, op, e2 = expr
        val1 = abstract_value(env_in, e1)
        val2 = abstract_value(env_in, e2)
        env_in[var] = meet_val(val1, val2)

def step_backward(insn, env_in):
    # forward-only analysis: the backward transfer function is the identity
    pass

The function step_forward defines the abstract semantics of the statements or instructions of the language you want to analyze, for the analysis you want to implement. For instance, here we only record whether a variable at some program point is constant, undefined, or not a constant (NAC). To do the actual propagation, we could also collect the allocation site of the constant.

(figure: the example program)

Let’s consider a super simple language, where variables are numbers that can only be assigned to or added together. The function meet_val computes the meet of two abstract values, according to this table:

        UNDEF  CONST  NAC
       -----------------
UNDEF | UNDEF  UNDEF  NAC
CONST | UNDEF  CONST  NAC
NAC   | NAC    NAC    NAC

Let’s consider a simple program in this “language” where we don’t specify the constructs for the control flow. The algorithm just assumes that every edge in the CFG is reachable. This is obviously not the case in practice, but that only means that we are going to miss some patterns (the analysis is sound but imprecise in order to terminate).

Now, we want to find out whether a and ret are constants. Here is the code necessary to set up and run the example (you need networkx to run it):

import networkx as nx

class SomeObject:
    pass

def instructionify(somestr):
    # 'a = 40 + c' -> ('a', '=', ('40', '+', 'c'))   and   'c = 2' -> ('c', '=', '2')
    toks = somestr.split()
    if '+' in somestr:
        return (toks[0], toks[1], (toks[2], toks[3], toks[4]))
    return tuple(toks)

# setup the program's cfg: each basic block is a tuple of instructions
# (a single instruction per block here, hence the trailing commas)
prog = nx.DiGraph()
s0 = ('entry',)
s1 = (instructionify('b = x'),)
s2 = (instructionify('c = 2'),)
s3 = (instructionify('a = 40 + c'),)
s4 = (instructionify('ret = a + x'),)
prog.add_edge(s0, s1)
prog.add_edge(s1, s2)
prog.add_edge(s2, s1)
prog.add_edge(s1, s3)
prog.add_edge(s3, s3)
prog.add_edge(s3, s4)

# initialize pred and succ
pred, succ = {}, {}
for bb in prog:
    pred[bb] = set(prog.predecessors(bb))
    succ[bb] = set(prog.successors(bb))

cfg             = SomeObject()
cfg.nodes       = set(prog.nodes())
cfg.pred        = pred
cfg.succ        = succ
cfg.entry_point = s0

analysis               = SomeObject()
analysis.meet          = meet_env
analysis.step_forward  = step_forward
analysis.step_backward = step_backward

# run the whole thing
IN, OUT = maximal_fixed_point(analysis, cfg)
print('a   at program point s3 is {0}'.format(OUT[s3]['a']))
print('ret at program point s4 is {0}'.format(OUT[s4]['ret']))

And the output is:

a   at program point s3 is CONST
ret at program point s4 is UNDEF

As a final note: it is possible to speed things up a bit by choosing a better ordering for basic blocks than just going randomly at first (because we initially fail to propagate lots of information). This might end up in another blog post. Cheers!
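As an added example that is not part of the post, here is the same worklist scheme instantiated as the value-set analysis sketched above (a is 1 on one path and -1 on the other), forward-only and without networkx. It goes a little beyond the post: unreached blocks are bottom, a variable assigned on only one incoming path becomes unknown, and value sets are widened to ANY past a fixed size so the lattice keeps the finite height the termination remark about analysis.meet requires. The block names, the ANY marker and MAX_SET are my own choices.

```python
from functools import reduce

ANY = 'ANY'      # top element: the variable may hold any value
MAX_SET = 4      # widen a value set to ANY past this size (finite lattice height)

def widen(values):
    return ANY if len(values) > MAX_SET else values

def meet_val(lhs, rhs):
    """Meet of two value sets: their union, widened if it grows too large."""
    if lhs == ANY or rhs == ANY:
        return ANY
    return widen(lhs | rhs)

def meet_env(lhs, rhs):
    """Pointwise meet; a variable assigned on only one incoming path is unknown."""
    result = {}
    for var in set(lhs) | set(rhs):
        if var in lhs and var in rhs:
            result[var] = meet_val(lhs[var], rhs[var])
        else:
            result[var] = ANY
    return result

def parse(text):
    """'b = a + 1' -> ('b', ('a', '+', '1'));  'a = -1' -> ('a', '-1')."""
    lhs, rhs = text.split('=')
    toks = rhs.split()
    return (lhs.strip(), toks[0] if len(toks) == 1 else tuple(toks))

def abstract_value(env, expr):
    if expr.lstrip('-').isdigit():
        return frozenset([int(expr)])
    return env.get(expr, ANY)          # never assigned on this path: unknown

OPS = {'+': lambda a, b: a + b, '-': lambda a, b: a - b}

def step_forward(insn, env):
    """Abstract semantics of 'var = token' and 'var = e1 op e2', in place."""
    var, expr = insn
    if isinstance(expr, str):
        env[var] = abstract_value(env, expr)
        return
    e1, op, e2 = expr
    v1, v2 = abstract_value(env, e1), abstract_value(env, e2)
    if v1 == ANY or v2 == ANY:
        env[var] = ANY
        return
    # non-relational: every pair is combined, even pairs that cannot co-occur
    env[var] = widen(frozenset(OPS[op](a, b) for a in v1 for b in v2))

def forward_fixed_point(meet, step, blocks, succ, entry, init):
    """The post's worklist scheme, forward half only. Blocks not reached yet
    carry None (bottom), which the meet simply skips."""
    pred = {bb: set() for bb in blocks}
    for bb, targets in succ.items():
        for t in targets:
            pred[t].add(bb)
    IN = {bb: None for bb in blocks}
    OUT = {bb: None for bb in blocks}
    todo = set(blocks)
    while todo:
        bb = todo.pop()
        incoming = [OUT[p] for p in pred[bb] if OUT[p] is not None]
        if bb == entry:
            incoming.append(init)           # init: state at the entry block
        if not incoming:
            continue                        # nothing flows in yet; a predecessor will reschedule us
        IN[bb] = dict(reduce(meet, incoming))
        new_out = dict(IN[bb])
        for insn in blocks[bb]:
            step(insn, new_out)
        if new_out != OUT[bb]:              # changed: successors must be revisited
            OUT[bb] = new_out
            todo |= succ[bb]
    return IN, OUT

def analyze_example():
    """Constructed program: a is 1 on one path and -1 on the other (the post's
    value-set sketch), followed by a loop that keeps incrementing n."""
    blocks = {
        'E':  [parse('n = 0')],
        'B0': [parse('a = 1')],
        'B1': [parse('a = -1')],
        'B2': [parse('b = a + 1')],                       # join point and loop header
        'B3': [parse('c = b - a'), parse('n = n + 1')],   # loop body, back edge to B2
        'B4': [parse('d = a + a')],                       # loop exit
    }
    succ = {'E': {'B0', 'B1'}, 'B0': {'B2'}, 'B1': {'B2'},
            'B2': {'B3', 'B4'}, 'B3': {'B2'}, 'B4': set()}
    return forward_fixed_point(meet_env, step_forward, blocks, succ, 'E', {})

if __name__ == '__main__':
    IN, OUT = analyze_example()
    print('a at entry of B2:', sorted(IN['B2']['a']))   # [-1, 1]: both paths merged
    print('c at exit of B3:', sorted(OUT['B3']['c']))   # [-1, 1, 3]: really always 1, but a and b are tracked separately
    print('n at entry of B2:', IN['B2']['n'])           # ANY: the loop counter was widened
```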

Command your shiny Android in Python

I am the happy owner of an Android phone. I love it. But what I love even more, is rolling some sweet Python on my precious.

In case you have a vanilla phone like I do, you will need to follow these steps:

  • download and install the Android SDK for your platform
  • add the SDK tools to your system path, for instance on Windows run this in a shell:
> set PATH=%PATH%;path_to_android_sdk\tools
  • activate USB debugging on your phone (Parameters > Applications > Development > USB Debugging)
  • set up your system to detect your device as explained here (on Windows, it means installing the USB driver from the SDK)
  • check that your phone is detected correctly by running adb get-state (if everything is ok, the result should be ‘device’)
  • check out the Android Scripting Environment svn repository on your computer (see this page)

Your system is almost configured, let’s install the necessary applications on the phone:

  • install the Android Scripting Environment on your phone
  • (optionally) install the Text-to-Speech library (by Charles Chen) on your phone if you want to use it in your scripts, via the Android Market
  • run ASE on your phone, press Menu and start a Python shell; you will notice a line like ‘export AP_PORT = “49508”‘.
  • set up port forwarding on your system with the value you just noted:
> set AP_PORT=49508
> adb forward tcp:%AP_PORT% tcp:%AP_PORT%
  • go to the ASE directory on your computer containing the android.py module
> cd path_to_ASE\python\ase
  • run your favorite Python 2.6 interpreter and enjoy the magic:
> python
Python 2.6 (r26:66721, Oct  2 2008, 11:35:03) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import android
>>> droid = android.Android()
# now your phone is ready to acknowledge your awesomeness
>>> droid.speak('hello, my master')
{u'result': None, u'id': 2, u'error': None}
# or alternatively, if you don't have the TTS library installed:
>>> droid.makeToast('hello, my master')
{u'result': None, u'id': 1, u'error': None}

Now you have all the information you need to start exploring the API and roll more interesting examples.

(screenshot: droid.makeToast)

Python Idioms: + versus join

I was told to use ''.join([]) instead of the ‘+’ operator in Python. However a (bad) benchmark showed ‘+’ to be a lot faster. I think it is reasonable to say that in some cases ‘+’ is faster; here is my test:

def test0(b, c, d, e, f):
    for i in xrange(10**7):
        a = b + c + d + e + f
    print(a)

def test1():
    l = ['hello ', 'world ', 'with ', '+ ', 'operator']
    for i in xrange(10**7):
        a = ''
        for j in l:
            a += j
    print(a)

def test2():
    l = ['hello', 'world', 'with', 'join', 'function']
    for i in xrange(10**7):
        a = ' '.join(l)
    print(a)

test0('hello ', 'world ', 'with ', '+ ', 'operator')
test1()
test2()

And the result of the test:

$ python -m cProfile -s cumulative test.py
hello world with + operator
hello world with + operator
hello world with join function

   10000007 function calls in 14.968 CPU seconds
   Ordered by: cumulative time

   ncalls  tottime  percall  cumtime  percall filename:lineno(function)
        ...
        1    6.838    6.838    6.838    6.838 test.py:7(test1)
        1    2.683    2.683    5.113    5.113 test.py:15(test2)
        1    3.016    3.016    3.016    3.016 test.py:2(test0)

So clearly the worst way of using ‘+’ is when iterating over a list of strings and accumulating the concatenations in a variable (function test1). But there is nothing wrong with performing multiple ‘+’ operations in a single line and then storing the result in a variable (function test0).

A quick look at the bytecode of the function confirms this intuition: we can see a bunch of LOADs and ADDs and only one STORE:

>>> import dis
>>> dis.dis(test0)
...
             19 LOAD_FAST                0 (b)
             22 LOAD_FAST                1 (c)
             25 BINARY_ADD          
             26 LOAD_FAST                2 (d)
             29 BINARY_ADD          
             30 LOAD_FAST                3 (e)
             33 BINARY_ADD          
             34 LOAD_FAST                4 (f)
             37 BINARY_ADD          
             38 STORE_FAST               6 (a)

The test was performed with Python 2.5.4 on a Debian sid. Would be nice to see if the results hold for new versions of the Python interpreter.

UPDATED: Don’t use set.add() in python when running cProfile

UPDATE: As pointed out in the comments, my original conclusion was wrong and is due to the effect of the profiler on the performance. When using the time command instead with Python 3.2 on OS X Lion (averaged over 3 runs), the version with set.add takes 1.37s versus 4.85s for the version with set union (results are 2.17s and 7.12s respectively with Python 2.7.1). Sorry for the “d’oh” moment. Take-home lesson: use a profiler to count events, not to time them.

Use the union operator instead; it’s 2 to 3x faster on my machine.

$ cat sets.py
def mister():
    s = set([1,2,3])
    for i in range(10**7):
        s.add(1)

def hankey():
    s = set([1,2,3])
    for i in range(10**7):
        s |= set([1])
mister()
hankey()

$ python -m cProfile sets.py
10000008 function calls in 28.257 CPU seconds

Ordered by: standard name

ncalls tottime percall cumtime percall filename:lineno(function)
     1  11.507  11.507  22.978  22.978 sets.py:1(mister)
     1   5.138   5.138   5.278   5.278 sets.py:6(hankey)

(tested on Python 2.5, 2.6 and 3.1 on Windows and Linux)
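To keep the two measurements the update talks about apart, here is an added example (not the post's code) that counts calls with cProfile and times with timeit, using the post's two functions with a size parameter. The wall-clock numbers are whatever your machine gives; only the call counts are fixed, which is the point.

```python
import cProfile
import pstats
import timeit

def mister(n):
    s = set([1, 2, 3])
    for _ in range(n):
        s.add(1)
    return s

def hankey(n):
    s = set([1, 2, 3])
    for _ in range(n):
        s |= set([1])
    return s

def profiled_calls(func, n):
    """Run func(n) under cProfile and return {function label: number of calls}.
    The profiler hooks every Python-level and builtin function entry, which is
    exactly what makes it good at counting events and bad at timing them."""
    prof = cProfile.Profile()
    prof.runcall(func, n)
    counts = {}
    for (_file, _line, name), (_cc, ncalls, _tt, _ct, _callers) in pstats.Stats(prof).stats.items():
        counts[name] = ncalls
    return counts

def set_add_calls(func, n):
    """Calls to set.add that the profiler attributed to func(n).
    s.add(1) is a builtin method call, hooked n times; s |= set([1]) is an
    operator plus a type instantiation, neither of which the profiler records."""
    return sum(c for name, c in profiled_calls(func, n).items() if "'add' of 'set'" in name)

def wall_seconds(func, n, repeat=3):
    """Best-of-repeat wall-clock time for func(n), with no profiler attached."""
    return min(timeit.repeat(lambda: func(n), number=1, repeat=repeat))

if __name__ == '__main__':
    N = 10**6
    for f in (mister, hankey):
        print('%s: %d profiled set.add calls, %.3fs wall time'
              % (f.__name__, set_add_calls(f, N), wall_seconds(f, N)))
```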

Digging up System Calls Ordinals – on XP SP2 x64

In case anybody needs system call ordinals for an x64 system, I have retrieved them on my test machine since I couldn’t find them anywhere (not even metasploit’s system call table).

Ero Carrera posted a compact IDAPython script that did the trick, so I adapted the code a little. In ntdll.dll, there are two patterns that we need to look for:

mov     eax, XXXX          ; XXXX is the system call ordinal we need
xor     ecx, ecx
lea     edx, [esp+arg_0]
call    large dword ptr fs:0C0h

and

mov     eax, XXXX          ; again, we need XXXX
mov     ecx, 1Ah
lea     edx, [esp+arg_0]
call    large dword ptr fs:0C0h

This translates to the following byte sequences: ‘B8 ? ? 00 00 33 C9 8D 54 24 04 64 FF 15 C0 00 00 00’ and ‘B8 ? ? 00 00 B9 ? 00 00 00 8D 54 24 04 64 FF 15 C0 00 00 00’. Here is the adapted IDAPython script:

# byte patterns of the two stub shapes above ('?' matches any byte)
syscall_ordinal_code = 'B8 ? ? 00 00 33 C9 8D 54 24 04 64 FF 15 C0 00 00 00'
syscall_ordinal_code2 = 'B8 ? ? 00 00 B9 ? 00 00 00 8D 54 24 04 64 FF 15 C0 00 00 00'
out = open('c:\\temp\\idapython.txt', 'w')

for seg in Segments():
    for func in Functions(seg, SegEnd(seg)):
        # keep only the functions that *start* with one of the two patterns
        address = FindBinary(func, SEARCH_DOWN, syscall_ordinal_code)
        address2 = FindBinary(func, SEARCH_DOWN, syscall_ordinal_code2)
        if address == func or address2 == func:
            # the ordinal is the imm32 operand of 'mov eax, XXXX', right after the B8 opcode
            out.write('%08x: Syscall ordinal %04x for %s (%s)\n'
                      % (func, Dword(func+1), Name(func), Comment(func)))

out.close()

UPDATE: user32.dll and kernel32.dll also contain references to system call ordinals, using the following pattern:

mov     eax, XXXXh
lea     edx, [esp+arg_0]
mov     ecx, 4
call    large dword ptr fs:0C0h

so we must also look for the byte sequence ‘B8 ? ? 00 00 8D 54 24 04 B9 ? 00 00 00 64 FF 15 C0’ in user32.dll.
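As an added example (neither the post's nor Ero Carrera's script), here is the same wildcard search written in plain Python over a constructed byte buffer, so the three stub shapes and the Dword(func+1) ordinal read can be checked without IDA. The same patterns also make a usable detection signature for syscall stubs that turn up in a sample outside ntdll. The ordinals in the buffer are taken from the table below; the shape labels, the near-miss stub and the padding are my own.

```python
import re
import struct

# The three stub shapes from the post, in IDA's FindBinary syntax ('?' = any byte).
PATTERNS = {
    'xor ecx, ecx':    'B8 ? ? 00 00 33 C9 8D 54 24 04 64 FF 15 C0 00 00 00',
    'mov ecx, 1Ah':    'B8 ? ? 00 00 B9 ? 00 00 00 8D 54 24 04 64 FF 15 C0 00 00 00',
    'user32/kernel32': 'B8 ? ? 00 00 8D 54 24 04 B9 ? 00 00 00 64 FF 15 C0',
}

def ida_pattern_to_regex(pattern):
    """Translate 'B8 ? ? 00 00 ...' into a compiled bytes regex."""
    parts = [b'.' if tok == '?' else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b''.join(parts), re.DOTALL)   # DOTALL: '?' must match 0x0A as well

def find_syscall_stubs(blob):
    """Return {offset: (ordinal, shape)} for every stub found in blob.
    As in the IDA script, the ordinal is the imm32 of 'mov eax, imm32', i.e. the
    four little-endian bytes right after the B8 opcode."""
    found = {}
    for shape, pattern in PATTERNS.items():
        for m in ida_pattern_to_regex(pattern).finditer(blob):
            ordinal = struct.unpack_from('<I', blob, m.start() + 1)[0]
            found[m.start()] = (ordinal, shape)
    return found

def sample_blob():
    """Constructed buffer: one stub of each shape, with ordinals from the table
    (0x0C NtClose, 0x1A NtCreateKey, 0x2E NtQueryPerformanceCounter), some padding
    and one near miss that calls through fs:0C4h instead of fs:0C0h."""
    stub_xor = bytes.fromhex('B8 0C 00 00 00 33 C9 8D 54 24 04 64 FF 15 C0 00 00 00')
    stub_ecx = bytes.fromhex('B8 1A 00 00 00 B9 1A 00 00 00 8D 54 24 04 64 FF 15 C0 00 00 00')
    stub_u32 = bytes.fromhex('B8 2E 00 00 00 8D 54 24 04 B9 04 00 00 00 64 FF 15 C0')
    near_miss = bytes.fromhex('B8 0C 00 00 00 33 C9 8D 54 24 04 64 FF 15 C4 00 00 00')
    return b'\xCC' * 7 + stub_xor + b'\x90' * 3 + stub_ecx + near_miss + stub_u32

if __name__ == '__main__':
    for offset, (ordinal, shape) in sorted(find_syscall_stubs(sample_blob()).items()):
        print('%08x: Syscall ordinal %04x (%s)' % (offset, ordinal, shape))
```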

And finally, the output of the script (on Windows XP SP2 x64):

7d61c7fb: Syscall ordinal 0000 for _ZwMapUserPhysicalPagesScatter@12 (NtMapUserPhysicalPagesScatter)
7d61c813: Syscall ordinal 0001 for _ZwWaitForSingleObject@12 (NtWaitForSingleObject)
7d61c82b: Syscall ordinal 0002 for _ZwCallbackReturn@12 (NtCallbackReturn)
7d61c843: Syscall ordinal 0003 for _NtReadFile@36 (NtReadFile)
7d61c85b: Syscall ordinal 0004 for _ZwDeviceIoControlFile@40 (NtDeviceIoControlFile)
7d61c873: Syscall ordinal 0005 for _NtWriteFile@36 (NtWriteFile)
7d61c88b: Syscall ordinal 0006 for _ZwRemoveIoCompletion@20 (NtRemoveIoCompletion)
7d61c8a3: Syscall ordinal 0007 for _NtReleaseSemaphore@12 (NtReleaseSemaphore)
7d61c8bb: Syscall ordinal 0008 for _NtReplyWaitReceivePort@16 (NtReplyWaitReceivePort)
7d61c8d3: Syscall ordinal 0009 for _ZwReplyPort@8 (NtReplyPort)
7d61c8eb: Syscall ordinal 000a for _ZwSetInformationThread@16 (NtSetInformationThread)
7d61c903: Syscall ordinal 000b for _NtSetEvent@8 (NtSetEvent)
7d61c91b: Syscall ordinal 000c for _NtClose@4 (NtClose)
7d61c933: Syscall ordinal 000d for _NtQueryObject@20 (NtQueryObject)
7d61c94b: Syscall ordinal 000e for _ZwQueryInformationFile@20 (NtQueryInformationFile)
7d61c963: Syscall ordinal 000f for _ZwOpenKey@12 (NtOpenKey)
7d61c97b: Syscall ordinal 0010 for _NtEnumerateValueKey@24 (NtEnumerateValueKey)
7d61c993: Syscall ordinal 0011 for _NtFindAtom@12 (NtFindAtom)
7d61c9ab: Syscall ordinal 0012 for _NtQueryDefaultLocale@8 (NtQueryDefaultLocale)
7d61c9c3: Syscall ordinal 0013 for _ZwQueryKey@20 (NtQueryKey)
7d61c9db: Syscall ordinal 0014 for _ZwQueryValueKey@24 (NtQueryValueKey)
7d61c9f3: Syscall ordinal 0015 for _NtAllocateVirtualMemory@24 (NtAllocateVirtualMemory)
7d61ca0b: Syscall ordinal 0016 for _ZwQueryInformationProcess@20 (NtQueryInformationProcess)
7d61ca23: Syscall ordinal 0017 for _NtWaitForMultipleObjects32@20 (NtWaitForMultipleObjects32)
7d61ca3b: Syscall ordinal 0018 for _NtWriteFileGather@36 (NtWriteFileGather)
7d61ca53: Syscall ordinal 0019 for _ZwSetInformationProcess@16 (NtSetInformationProcess)
7d61ca6b: Syscall ordinal 001a for _ZwCreateKey@28 (NtCreateKey)
7d61ca83: Syscall ordinal 001b for _NtFreeVirtualMemory@16 (NtFreeVirtualMemory)
7d61ca9b: Syscall ordinal 001c for _ZwImpersonateClientOfPort@8 (NtImpersonateClientOfPort)
7d61cab3: Syscall ordinal 001d for _ZwReleaseMutant@8 (NtReleaseMutant)
7d61cacb: Syscall ordinal 001e for _ZwQueryInformationToken@20 (NtQueryInformationToken)
7d61cae3: Syscall ordinal 001f for _NtRequestWaitReplyPort@12 (NtRequestWaitReplyPort)
7d61cafb: Syscall ordinal 0020 for _NtQueryVirtualMemory@24 (NtQueryVirtualMemory)
7d61cb13: Syscall ordinal 0021 for _NtOpenThreadToken@16 (NtOpenThreadToken)
7d61cb2b: Syscall ordinal 0022 for _NtQueryInformationThread@20 (NtQueryInformationThread)
7d61cb43: Syscall ordinal 0023 for _ZwOpenProcess@16 (NtOpenProcess)
7d61cb5b: Syscall ordinal 0024 for _ZwSetInformationFile@20 (NtSetInformationFile)
7d61cb73: Syscall ordinal 0025 for _ZwMapViewOfSection@40 (NtMapViewOfSection)
7d61cb8b: Syscall ordinal 0026 for _ZwAccessCheckAndAuditAlarm@44 (NtAccessCheckAndAuditAlarm)
7d61cba3: Syscall ordinal 0027 for _NtUnmapViewOfSection@8 (NtUnmapViewOfSection)
7d61cbbb: Syscall ordinal 0028 for _NtReplyWaitReceivePortEx@20 (NtReplyWaitReceivePortEx)
7d61cbd3: Syscall ordinal 0029 for _ZwTerminateProcess@8 (NtTerminateProcess)
7d61cbeb: Syscall ordinal 002a for _NtSetEventBoostPriority@4 (NtSetEventBoostPriority)
7d61cc03: Syscall ordinal 002b for _NtReadFileScatter@36 (NtReadFileScatter)
7d61cc1b: Syscall ordinal 002c for _NtOpenThreadTokenEx@20 (NtOpenThreadTokenEx)
7d61cc33: Syscall ordinal 002d for _ZwOpenProcessTokenEx@16 (NtOpenProcessTokenEx)
7d61cc4b: Syscall ordinal 002e for _NtQueryPerformanceCounter@8 (NtQueryPerformanceCounter)
7d61cc63: Syscall ordinal 002f for _ZwEnumerateKey@24 (NtEnumerateKey)
7d61cc7b: Syscall ordinal 0030 for _NtOpenFile@24 (NtOpenFile)
7d61cc93: Syscall ordinal 0031 for _ZwDelayExecution@8 (NtDelayExecution)
7d61ccab: Syscall ordinal 0032 for _ZwQueryDirectoryFile@44 (NtQueryDirectoryFile)
7d61ccc3: Syscall ordinal 0033 for _NtQuerySystemInformation@16 (NtQuerySystemInformation)
7d61ccdb: Syscall ordinal 0034 for _NtOpenSection@12 (NtOpenSection)
7d61ccf3: Syscall ordinal 0035 for _ZwQueryTimer@20 (NtQueryTimer)
7d61cd0b: Syscall ordinal 0036 for _NtFsControlFile@40 (NtFsControlFile)
7d61cd23: Syscall ordinal 0037 for _NtWriteVirtualMemory@20 (NtWriteVirtualMemory)
7d61cd3b: Syscall ordinal 0038 for _ZwCloseObjectAuditAlarm@12 (NtCloseObjectAuditAlarm)
7d61cd53: Syscall ordinal 0039 for _ZwDuplicateObject@28 (NtDuplicateObject)
7d61cd6b: Syscall ordinal 003a for _ZwQueryAttributesFile@8 (NtQueryAttributesFile)
7d61cd83: Syscall ordinal 003b for _NtClearEvent@4 (NtClearEvent)
7d61cd9b: Syscall ordinal 003c for _NtReadVirtualMemory@20 (NtReadVirtualMemory)
7d61cdb3: Syscall ordinal 003d for _NtOpenEvent@12 (NtOpenEvent)
7d61cdcb: Syscall ordinal 003e for _ZwAdjustPrivilegesToken@24 (NtAdjustPrivilegesToken)
7d61cde3: Syscall ordinal 003f for _NtDuplicateToken@24 (NtDuplicateToken)
7d61cdfb: Syscall ordinal 0040 for _ZwContinue@8 (NtContinue)
7d61ce13: Syscall ordinal 0041 for _ZwQueryDefaultUILanguage@4 (NtQueryDefaultUILanguage)
7d61ce2b: Syscall ordinal 0042 for _NtQueueApcThread@20 (NtQueueApcThread)
7d61ce43: Syscall ordinal 0043 for _ZwYieldExecution@0 (NtYieldExecution)
7d61ce5c: Syscall ordinal 0044 for _NtAddAtom@12 (NtAddAtom)
7d61ce74: Syscall ordinal 0045 for _NtCreateEvent@20 (NtCreateEvent)
7d61ce8c: Syscall ordinal 0046 for _NtQueryVolumeInformationFile@20 (NtQueryVolumeInformationFile)
7d61cea4: Syscall ordinal 0047 for _NtCreateSection@28 (NtCreateSection)
7d61cebc: Syscall ordinal 0048 for _ZwFlushBuffersFile@8 (NtFlushBuffersFile)
7d61ced4: Syscall ordinal 0049 for _NtApphelpCacheControl@8 (NtApphelpCacheControl)
7d61ceec: Syscall ordinal 004a for _ZwCreateProcessEx@36 (NtCreateProcessEx)
7d61cf04: Syscall ordinal 004b for _NtCreateThread@32 (NtCreateThread)
7d61cf1c: Syscall ordinal 004c for _ZwIsProcessInJob@8 (NtIsProcessInJob)
7d61cf34: Syscall ordinal 004d for _ZwProtectVirtualMemory@20 (NtProtectVirtualMemory)
7d61cf4c: Syscall ordinal 004e for _ZwQuerySection@20 (NtQuerySection)
7d61cf64: Syscall ordinal 004f for _ZwResumeThread@8 (NtResumeThread)
7d61cf7c: Syscall ordinal 0050 for _ZwTerminateThread@8 (NtTerminateThread)
7d61cf94: Syscall ordinal 0051 for _ZwReadRequestData@24 (NtReadRequestData)
7d61cfac: Syscall ordinal 0052 for _NtCreateFile@44 (NtCreateFile)
7d61cfc4: Syscall ordinal 0053 for _NtQueryEvent@20 (NtQueryEvent)
7d61cfdc: Syscall ordinal 0054 for _NtWriteRequestData@24 (NtWriteRequestData)
7d61cff4: Syscall ordinal 0055 for _ZwOpenDirectoryObject@12 (NtOpenDirectoryObject)
7d61d00c: Syscall ordinal 0056 for _NtAccessCheckByTypeAndAuditAlarm@64 (NtAccessCheckByTypeAndAuditAlarm)
7d61d024: Syscall ordinal 0057 for _NtQuerySystemTime@4 (NtQuerySystemTime)
7d61d03c: Syscall ordinal 0058 for _NtWaitForMultipleObjects@20 (NtWaitForMultipleObjects)
7d61d054: Syscall ordinal 0059 for _ZwSetInformationObject@16 (NtSetInformationObject)
7d61d06c: Syscall ordinal 005a for _ZwCancelIoFile@8 (NtCancelIoFile)
7d61d084: Syscall ordinal 005b for _NtTraceEvent@16 (NtTraceEvent)
7d61d09c: Syscall ordinal 005c for _ZwPowerInformation@20 (NtPowerInformation)
7d61d0b4: Syscall ordinal 005d for _ZwSetValueKey@24 (NtSetValueKey)
7d61d0cc: Syscall ordinal 005e for _ZwCancelTimer@8 (NtCancelTimer)
7d61d0e4: Syscall ordinal 005f for _ZwSetTimer@28 (NtSetTimer)
7d61d0fc: Syscall ordinal 0060 for _NtAcceptConnectPort@24 (NtAcceptConnectPort)
7d61d114: Syscall ordinal 0061 for _NtAccessCheck@32 (NtAccessCheck)
7d61d12c: Syscall ordinal 0062 for _NtAccessCheckByType@44 (NtAccessCheckByType)
7d61d144: Syscall ordinal 0063 for _NtAccessCheckByTypeResultList@44 (NtAccessCheckByTypeResultList)
7d61d15c: Syscall ordinal 0064 for _NtAccessCheckByTypeResultListAndAuditAlarm@64 (NtAccessCheckByTypeResultListAndAuditAlarm)
7d61d174: Syscall ordinal 0065 for _ZwAccessCheckByTypeResultListAndAuditAlarmByHandle@68 (NtAccessCheckByTypeResultListAndAuditAlarmByHandle)
7d61d18c: Syscall ordinal 0066 for _ZwAddBootEntry@8 (NtAddBootEntry)
7d61d1a4: Syscall ordinal 0067 for _NtAddDriverEntry@8 (NtAddDriverEntry)
7d61d1bc: Syscall ordinal 0068 for _ZwAdjustGroupsToken@24 (NtAdjustGroupsToken)
7d61d1d4: Syscall ordinal 0069 for _NtAlertResumeThread@8 (NtAlertResumeThread)
7d61d1ec: Syscall ordinal 006a for _NtAlertThread@4 (NtAlertThread)
7d61d204: Syscall ordinal 006b for _ZwAllocateLocallyUniqueId@4 (NtAllocateLocallyUniqueId)
7d61d21c: Syscall ordinal 006c for _NtAllocateUserPhysicalPages@12 (NtAllocateUserPhysicalPages)
7d61d234: Syscall ordinal 006d for _NtAllocateUuids@16 (NtAllocateUuids)
7d61d24c: Syscall ordinal 006e for _ZwAreMappedFilesTheSame@8 (NtAreMappedFilesTheSame)
7d61d264: Syscall ordinal 006f for _ZwAssignProcessToJobObject@8 (NtAssignProcessToJobObject)
7d61d27c: Syscall ordinal 0070 for _NtCancelDeviceWakeupRequest@4 (NtCancelDeviceWakeupRequest)
7d61d294: Syscall ordinal 0071 for _NtCompactKeys@8 (NtCompactKeys)
7d61d2ac: Syscall ordinal 0072 for _ZwCompareTokens@12 (NtCompareTokens)
7d61d2c4: Syscall ordinal 0073 for _NtCompleteConnectPort@4 (NtCompleteConnectPort)
7d61d2dc: Syscall ordinal 0074 for _ZwCompressKey@4 (NtCompressKey)
7d61d2f4: Syscall ordinal 0075 for _NtConnectPort@32 (NtConnectPort)
7d61d30c: Syscall ordinal 0076 for _ZwCreateDebugObject@16 (NtCreateDebugObject)
7d61d324: Syscall ordinal 0077 for _ZwCreateDirectoryObject@12 (NtCreateDirectoryObject)
7d61d33c: Syscall ordinal 0078 for _NtCreateEventPair@12 (NtCreateEventPair)
7d61d354: Syscall ordinal 0079 for _NtCreateIoCompletion@16 (NtCreateIoCompletion)
7d61d36c: Syscall ordinal 007a for _ZwCreateJobObject@12 (NtCreateJobObject)
7d61d384: Syscall ordinal 007b for _NtCreateJobSet@12 (NtCreateJobSet)
7d61d39c: Syscall ordinal 007c for _ZwCreateKeyedEvent@16 (NtCreateKeyedEvent)
7d61d3b4: Syscall ordinal 007d for _ZwCreateMailslotFile@32 (NtCreateMailslotFile)
7d61d3cc: Syscall ordinal 007e for _ZwCreateMutant@16 (NtCreateMutant)
7d61d3e4: Syscall ordinal 007f for _ZwCreateNamedPipeFile@56 (NtCreateNamedPipeFile)
7d61d3fc: Syscall ordinal 0080 for _NtCreatePagingFile@16 (NtCreatePagingFile)
7d61d414: Syscall ordinal 0081 for _ZwCreatePort@20 (NtCreatePort)
7d61d42c: Syscall ordinal 0082 for _ZwCreateProcess@32 (NtCreateProcess)
7d61d444: Syscall ordinal 0083 for _ZwCreateProfile@36 (NtCreateProfile)
7d61d45c: Syscall ordinal 0084 for _NtCreateSemaphore@20 (NtCreateSemaphore)
7d61d474: Syscall ordinal 0085 for _ZwCreateSymbolicLinkObject@16 (NtCreateSymbolicLinkObject)
7d61d48c: Syscall ordinal 0086 for _ZwCreateTimer@16 (NtCreateTimer)
7d61d4a4: Syscall ordinal 0087 for _NtCreateToken@52 (NtCreateToken)
7d61d4bc: Syscall ordinal 0088 for _ZwCreateWaitablePort@20 (NtCreateWaitablePort)
7d61d4d4: Syscall ordinal 0089 for _NtDebugActiveProcess@8 (NtDebugActiveProcess)
7d61d4ec: Syscall ordinal 008a for _ZwDebugContinue@12 (NtDebugContinue)
7d61d504: Syscall ordinal 008b for _ZwDeleteAtom@4 (NtDeleteAtom)
7d61d51c: Syscall ordinal 008c for _NtDeleteBootEntry@4 (NtDeleteBootEntry)
7d61d534: Syscall ordinal 008d for _ZwDeleteDriverEntry@4 (NtDeleteDriverEntry)
7d61d54c: Syscall ordinal 008e for _NtDeleteFile@4 (NtDeleteFile)
7d61d564: Syscall ordinal 008f for _ZwDeleteKey@4 (NtDeleteKey)
7d61d57c: Syscall ordinal 0090 for _NtDeleteObjectAuditAlarm@12 (NtDeleteObjectAuditAlarm)
7d61d594: Syscall ordinal 0091 for _NtDeleteValueKey@8 (NtDeleteValueKey)
7d61d5ac: Syscall ordinal 0092 for _NtDisplayString@4 (NtDisplayString)
7d61d5c4: Syscall ordinal 0093 for _ZwEnumerateBootEntries@8 (NtEnumerateBootEntries)
7d61d5dc: Syscall ordinal 0094 for _NtEnumerateDriverEntries@8 (NtEnumerateDriverEntries)
7d61d5f4: Syscall ordinal 0095 for _ZwEnumerateSystemEnvironmentValuesEx@12 (NtEnumerateSystemEnvironmentValuesEx)
7d61d60c: Syscall ordinal 0096 for _ZwExtendSection@8 (NtExtendSection)
7d61d624: Syscall ordinal 0097 for _NtFilterToken@24 (NtFilterToken)
7d61d63c: Syscall ordinal 0098 for _ZwFlushInstructionCache@12 (NtFlushInstructionCache)
7d61d654: Syscall ordinal 0099 for _NtFlushKey@4 (NtFlushKey)
7d61d66c: Syscall ordinal 009a for _ZwFlushVirtualMemory@16 (NtFlushVirtualMemory)
7d61d684: Syscall ordinal 009b for _NtFlushWriteBuffer@0 (NtFlushWriteBuffer)
7d61d69c: Syscall ordinal 009c for _NtFreeUserPhysicalPages@12 (NtFreeUserPhysicalPages)
7d61d6b4: Syscall ordinal 009d for _NtGetContextThread@8 (NtGetContextThread)
7d61d6cc: Syscall ordinal 009e for _NtGetCurrentProcessorNumber@0 (NtGetCurrentProcessorNumber RtlGetCurrentProcessorNumber)
7d61d6e4: Syscall ordinal 009f for _NtGetDevicePowerState@8 (NtGetDevicePowerState)
7d61d6fc: Syscall ordinal 00a0 for _ZwGetPlugPlayEvent@16 (NtGetPlugPlayEvent)
7d61d714: Syscall ordinal 00a1 for _NtGetWriteWatch@28 (NtGetWriteWatch)
7d61d72c: Syscall ordinal 00a2 for _NtImpersonateAnonymousToken@4 (NtImpersonateAnonymousToken)
7d61d744: Syscall ordinal 00a3 for _ZwImpersonateThread@12 (NtImpersonateThread)
7d61d75c: Syscall ordinal 00a4 for _ZwInitializeRegistry@4 (NtInitializeRegistry)
7d61d774: Syscall ordinal 00a5 for _NtInitiatePowerAction@16 (NtInitiatePowerAction)
7d61d78c: Syscall ordinal 00a6 for _NtIsSystemResumeAutomatic@0 (NtIsSystemResumeAutomatic)
7d61d7a4: Syscall ordinal 00a7 for _ZwListenPort@8 (NtListenPort)
7d61d7bc: Syscall ordinal 00a8 for _NtLoadDriver@4 (NtLoadDriver)
7d61d7d4: Syscall ordinal 00a9 for _NtLoadKey@8 (NtLoadKey)
7d61d7ec: Syscall ordinal 00aa for _NtLoadKey2@12 (NtLoadKey2)
7d61d804: Syscall ordinal 00ab for _NtLoadKeyEx@16 (NtLoadKeyEx)
7d61d81c: Syscall ordinal 00ac for _NtLockFile@40 (NtLockFile)
7d61d834: Syscall ordinal 00ad for _ZwLockProductActivationKeys@8 (NtLockProductActivationKeys)
7d61d84c: Syscall ordinal 00ae for _NtLockRegistryKey@4 (NtLockRegistryKey)
7d61d864: Syscall ordinal 00af for _ZwLockVirtualMemory@16 (NtLockVirtualMemory)
7d61d87c: Syscall ordinal 00b0 for _ZwMakePermanentObject@4 (NtMakePermanentObject)
7d61d894: Syscall ordinal 00b1 for _NtMakeTemporaryObject@4 (NtMakeTemporaryObject)
7d61d8ac: Syscall ordinal 00b2 for _NtMapUserPhysicalPages@12 (NtMapUserPhysicalPages)
7d61d8c4: Syscall ordinal 00b3 for _NtModifyBootEntry@4 (NtModifyBootEntry)
7d61d8dc: Syscall ordinal 00b4 for _ZwModifyDriverEntry@4 (NtModifyDriverEntry)
7d61d8f4: Syscall ordinal 00b5 for _NtNotifyChangeDirectoryFile@36 (NtNotifyChangeDirectoryFile)
7d61d90c: Syscall ordinal 00b6 for _NtNotifyChangeKey@40 (NtNotifyChangeKey)
7d61d924: Syscall ordinal 00b7 for _NtNotifyChangeMultipleKeys@48 (NtNotifyChangeMultipleKeys)
7d61d93c: Syscall ordinal 00b8 for _NtOpenEventPair@12 (NtOpenEventPair)
7d61d954: Syscall ordinal 00b9 for _ZwOpenIoCompletion@12 (NtOpenIoCompletion)
7d61d96c: Syscall ordinal 00ba for _ZwOpenJobObject@12 (NtOpenJobObject)
7d61d984: Syscall ordinal 00bb for _NtOpenKeyedEvent@12 (NtOpenKeyedEvent)
7d61d99c: Syscall ordinal 00bc for _NtOpenMutant@12 (NtOpenMutant)
7d61d9b4: Syscall ordinal 00bd for _ZwOpenObjectAuditAlarm@48 (NtOpenObjectAuditAlarm)
7d61d9cc: Syscall ordinal 00be for _ZwOpenProcessToken@12 (NtOpenProcessToken)
7d61d9e4: Syscall ordinal 00bf for _NtOpenSemaphore@12 (NtOpenSemaphore)
7d61d9fc: Syscall ordinal 00c0 for _NtOpenSymbolicLinkObject@12 (NtOpenSymbolicLinkObject)
7d61da14: Syscall ordinal 00c1 for _ZwOpenThread@16 (NtOpenThread)
7d61da2c: Syscall ordinal 00c2 for _ZwOpenTimer@12 (NtOpenTimer)
7d61da44: Syscall ordinal 00c3 for _NtPlugPlayControl@12 (NtPlugPlayControl)
7d61da5c: Syscall ordinal 00c4 for _ZwPrivilegeCheck@12 (NtPrivilegeCheck)
7d61da74: Syscall ordinal 00c5 for _ZwPrivilegeObjectAuditAlarm@24 (NtPrivilegeObjectAuditAlarm)
7d61da8c: Syscall ordinal 00c6 for _NtPrivilegedServiceAuditAlarm@20 (NtPrivilegedServiceAuditAlarm)
7d61daa4: Syscall ordinal 00c7 for _ZwPulseEvent@8 (NtPulseEvent)
7d61dabc: Syscall ordinal 00c8 for _ZwQueryBootEntryOrder@8 (NtQueryBootEntryOrder)
7d61dad4: Syscall ordinal 00c9 for _ZwQueryBootOptions@8 (NtQueryBootOptions)
7d61daec: Syscall ordinal 00ca for _NtQueryDebugFilterState@8 (NtQueryDebugFilterState)
7d61db04: Syscall ordinal 00cb for _ZwQueryDirectoryObject@28 (NtQueryDirectoryObject)
7d61db1c: Syscall ordinal 00cc for _NtQueryDriverEntryOrder@8 (NtQueryDriverEntryOrder)
7d61db34: Syscall ordinal 00cd for _ZwQueryEaFile@36 (NtQueryEaFile)
7d61db4c: Syscall ordinal 00ce for _ZwQueryFullAttributesFile@8 (NtQueryFullAttributesFile)
7d61db64: Syscall ordinal 00cf for _NtQueryInformationAtom@20 (NtQueryInformationAtom)
7d61db7c: Syscall ordinal 00d0 for _ZwQueryInformationJobObject@20 (NtQueryInformationJobObject)
7d61db94: Syscall ordinal 00d1 for _ZwQueryInformationPort@20 (NtQueryInformationPort)
7d61dbac: Syscall ordinal 00d2 for _NtQueryInstallUILanguage@4 (NtQueryInstallUILanguage)
7d61dbc4: Syscall ordinal 00d3 for _NtQueryIntervalProfile@8 (NtQueryIntervalProfile)
7d61dbdc: Syscall ordinal 00d4 for _NtQueryIoCompletion@20 (NtQueryIoCompletion)
7d61dbf4: Syscall ordinal 00d5 for _NtQueryMultipleValueKey@24 (NtQueryMultipleValueKey)
7d61dc0c: Syscall ordinal 00d6 for _NtQueryMutant@20 (NtQueryMutant)
7d61dc24: Syscall ordinal 00d7 for _NtQueryOpenSubKeys@8 (NtQueryOpenSubKeys)
7d61dc3c: Syscall ordinal 00d8 for _NtQueryOpenSubKeysEx@16 (NtQueryOpenSubKeysEx)
7d61dc54: Syscall ordinal 00d9 for _ZwQueryPortInformationProcess@0 (NtQueryPortInformationProcess)
7d61dc6c: Syscall ordinal 00da for _ZwQueryQuotaInformationFile@36 (NtQueryQuotaInformationFile)
7d61dc84: Syscall ordinal 00db for _NtQuerySecurityObject@20 (NtQuerySecurityObject)
7d61dc9c: Syscall ordinal 00dc for _ZwQuerySemaphore@20 (NtQuerySemaphore)
7d61dcb4: Syscall ordinal 00dd for _ZwQuerySymbolicLinkObject@12 (NtQuerySymbolicLinkObject)
7d61dccc: Syscall ordinal 00de for _ZwQuerySystemEnvironmentValue@16 (NtQuerySystemEnvironmentValue)
7d61dce4: Syscall ordinal 00df for _ZwQuerySystemEnvironmentValueEx@20 (NtQuerySystemEnvironmentValueEx)
7d61dcfc: Syscall ordinal 00e0 for _NtQueryTimerResolution@12 (NtQueryTimerResolution)
7d61dd14: Syscall ordinal 00e1 for _ZwRaiseException@12 (NtRaiseException)
7d61dd2c: Syscall ordinal 00e2 for _ZwRaiseHardError@24 (NtRaiseHardError)
7d61dd44: Syscall ordinal 00e3 for _ZwRegisterThreadTerminatePort@4 (NtRegisterThreadTerminatePort)
7d61dd5c: Syscall ordinal 00e4 for _NtReleaseKeyedEvent@16 (NtReleaseKeyedEvent)
7d61dd74: Syscall ordinal 00e5 for _ZwRemoveProcessDebug@8 (NtRemoveProcessDebug)
7d61dd8c: Syscall ordinal 00e6 for _ZwRenameKey@8 (NtRenameKey)
7d61dda4: Syscall ordinal 00e7 for _ZwReplaceKey@12 (NtReplaceKey)
7d61ddbc: Syscall ordinal 00e8 for _NtReplyWaitReplyPort@8 (NtReplyWaitReplyPort)
7d61ddd4: Syscall ordinal 00e9 for _ZwRequestDeviceWakeup@4 (NtRequestDeviceWakeup)
7d61ddec: Syscall ordinal 00ea for _ZwRequestPort@8 (NtRequestPort)
7d61de04: Syscall ordinal 00eb for _ZwRequestWakeupLatency@4 (NtRequestWakeupLatency)
7d61de1c: Syscall ordinal 00ec for _NtResetEvent@8 (NtResetEvent)
7d61de34: Syscall ordinal 00ed for _ZwResetWriteWatch@12 (NtResetWriteWatch)
7d61de4c: Syscall ordinal 00ee for _NtRestoreKey@12 (NtRestoreKey)
7d61de64: Syscall ordinal 00ef for _ZwResumeProcess@4 (NtResumeProcess)
7d61de7c: Syscall ordinal 00f0 for _NtSaveKey@8 (NtSaveKey)
7d61de94: Syscall ordinal 00f1 for _NtSaveKeyEx@12 (NtSaveKeyEx)
7d61deac: Syscall ordinal 00f2 for _NtSaveMergedKeys@12 (NtSaveMergedKeys)
7d61dec4: Syscall ordinal 00f3 for _NtSecureConnectPort@36 (NtSecureConnectPort)
7d61dedc: Syscall ordinal 00f4 for _ZwSetBootEntryOrder@8 (NtSetBootEntryOrder)
7d61def4: Syscall ordinal 00f5 for _ZwSetBootOptions@8 (NtSetBootOptions)
7d61df0c: Syscall ordinal 00f6 for _ZwSetContextThread@8 (NtSetContextThread)
7d61df24: Syscall ordinal 00f7 for _NtSetDebugFilterState@12 (NtSetDebugFilterState)
7d61df3c: Syscall ordinal 00f8 for _NtSetDefaultHardErrorPort@4 (NtSetDefaultHardErrorPort)
7d61df54: Syscall ordinal 00f9 for _NtSetDefaultLocale@8 (NtSetDefaultLocale)
7d61df6c: Syscall ordinal 00fa for _ZwSetDefaultUILanguage@4 (NtSetDefaultUILanguage)
7d61df84: Syscall ordinal 00fb for _NtSetDriverEntryOrder@8 (NtSetDriverEntryOrder)
7d61df9c: Syscall ordinal 00fc for _ZwSetEaFile@16 (NtSetEaFile)
7d61dfb4: Syscall ordinal 00fd for _NtSetHighEventPair@4 (NtSetHighEventPair)
7d61dfcc: Syscall ordinal 00fe for _NtSetHighWaitLowEventPair@4 (NtSetHighWaitLowEventPair)
7d61dfe4: Syscall ordinal 00ff for _ZwSetInformationDebugObject@20 (NtSetInformationDebugObject)
7d61dffc: Syscall ordinal 0100 for _ZwSetInformationJobObject@16 (NtSetInformationJobObject)
7d61e014: Syscall ordinal 0101 for _ZwSetInformationKey@16 (NtSetInformationKey)
7d61e02c: Syscall ordinal 0102 for _ZwSetInformationToken@16 (NtSetInformationToken)
7d61e044: Syscall ordinal 0103 for _NtSetIntervalProfile@8 (NtSetIntervalProfile)
7d61e05c: Syscall ordinal 0104 for _NtSetIoCompletion@20 (NtSetIoCompletion)
7d61e074: Syscall ordinal 0105 for _ZwSetLdtEntries@24 (NtSetLdtEntries)
7d61e08c: Syscall ordinal 0106 for _ZwSetLowEventPair@4 (NtSetLowEventPair)
7d61e0a4: Syscall ordinal 0107 for _ZwSetLowWaitHighEventPair@4 (NtSetLowWaitHighEventPair)
7d61e0bc: Syscall ordinal 0108 for _ZwSetQuotaInformationFile@16 (NtSetQuotaInformationFile)
7d61e0d4: Syscall ordinal 0109 for _NtSetSecurityObject@12 (NtSetSecurityObject)
7d61e0ec: Syscall ordinal 010a for _ZwSetSystemEnvironmentValue@8 (NtSetSystemEnvironmentValue)
7d61e104: Syscall ordinal 010b for _ZwSetSystemEnvironmentValueEx@20 (NtSetSystemEnvironmentValueEx)
7d61e11c: Syscall ordinal 010c for _ZwSetSystemInformation@12 (NtSetSystemInformation)
7d61e134: Syscall ordinal 010d for _ZwSetSystemPowerState@12 (NtSetSystemPowerState)
7d61e14c: Syscall ordinal 010e for _ZwSetSystemTime@8 (NtSetSystemTime)
7d61e164: Syscall ordinal 010f for _ZwSetThreadExecutionState@8 (NtSetThreadExecutionState)
7d61e17c: Syscall ordinal 0110 for _NtSetTimerResolution@12 (NtSetTimerResolution)
7d61e194: Syscall ordinal 0111 for _ZwSetUuidSeed@4 (NtSetUuidSeed)
7d61e1ac: Syscall ordinal 0112 for _NtSetVolumeInformationFile@20 (NtSetVolumeInformationFile)
7d61e1c4: Syscall ordinal 0113 for _ZwShutdownSystem@4 (NtShutdownSystem)
7d61e1dc: Syscall ordinal 0114 for _ZwSignalAndWaitForSingleObject@16 (NtSignalAndWaitForSingleObject)
7d61e1f4: Syscall ordinal 0115 for _NtStartProfile@4 (NtStartProfile)
7d61e20c: Syscall ordinal 0116 for _ZwStopProfile@4 (NtStopProfile)
7d61e224: Syscall ordinal 0117 for _ZwSuspendProcess@4 (NtSuspendProcess)
7d61e23c: Syscall ordinal 0118 for _ZwSuspendThread@8 (NtSuspendThread)
7d61e254: Syscall ordinal 0119 for _NtSystemDebugControl@24 (NtSystemDebugControl)
7d61e26c: Syscall ordinal 011a for _ZwTerminateJobObject@8 (NtTerminateJobObject)
7d61e284: Syscall ordinal 011b for _NtTestAlert@0 (NtTestAlert)
7d61e29c: Syscall ordinal 011c for _NtTranslateFilePath@16 (NtTranslateFilePath)
7d61e2b4: Syscall ordinal 011d for _ZwUnloadDriver@4 (NtUnloadDriver)
7d61e2cc: Syscall ordinal 011e for _NtUnloadKey@4 (NtUnloadKey)
7d61e2e4: Syscall ordinal 011f for _ZwUnloadKey2@8 (NtUnloadKey2)
7d61e2fc: Syscall ordinal 0120 for _ZwUnloadKeyEx@8 (NtUnloadKeyEx)
7d61e314: Syscall ordinal 0121 for _ZwUnlockFile@20 (NtUnlockFile)
7d61e32c: Syscall ordinal 0122 for _NtUnlockVirtualMemory@16 (NtUnlockVirtualMemory)
7d61e344: Syscall ordinal 0123 for _NtVdmControl@8 (NtVdmControl)
7d61e35c: Syscall ordinal 0124 for _NtWaitForDebugEvent@16 (NtWaitForDebugEvent)
7d61e374: Syscall ordinal 0125 for _NtWaitForKeyedEvent@16 (NtWaitForKeyedEvent)
7d61e38c: Syscall ordinal 0126 for _ZwWaitHighEventPair@4 (NtWaitHighEventPair)
7d61e3a4: Syscall ordinal 0127 for _NtWaitLowEventPair@4 (NtWaitLowEventPair)
7d61e3bc: Syscall ordinal 0128 for _ZwWow64CsrClientConnectToServer@20 (NtWow64CsrClientConnectToServer)
7d61e3d4: Syscall ordinal 0129 for _NtWow64CsrNewThread@0 (NtWow64CsrNewThread)
7d61e3e8: Syscall ordinal 012a for _NtWow64CsrIdentifyAlertableThread@0 (NtWow64CsrIdentifyAlertableThread)
7d61e3fc: Syscall ordinal 012b for _NtWow64CsrClientCallServer@16 (NtWow64CsrClientCallServer)
7d61e414: Syscall ordinal 012c for _NtWow64CsrAllocateCaptureBuffer@8 (NtWow64CsrAllocateCaptureBuffer)
7d61e42c: Syscall ordinal 012d for _ZwWow64CsrFreeCaptureBuffer@4 (NtWow64CsrFreeCaptureBuffer)
7d61e444: Syscall ordinal 012e for _ZwWow64CsrAllocateMessagePointer@12 (NtWow64CsrAllocateMessagePointer)
7d61e45c: Syscall ordinal 012f for _ZwWow64CsrCaptureMessageBuffer@16 (NtWow64CsrCaptureMessageBuffer)
7d61e474: Syscall ordinal 0130 for _ZwWow64CsrCaptureMessageString@20 (NtWow64CsrCaptureMessageString)
7d61e48c: Syscall ordinal 0131 for _ZwWow64CsrSetPriorityClass@8 (NtWow64CsrSetPriorityClass)
7d61e4a4: Syscall ordinal 0132 for _NtWow64CsrGetProcessId@0 (NtWow64CsrGetProcessId)
7d61e4b8: Syscall ordinal 0133 for _NtWow64DebuggerCall@20 (NtWow64DebuggerCall)
7d61e4d0: Syscall ordinal 0134 for _ZwWow64GetNativeSystemInformation@16 (NtWow64GetNativeSystemInformation RtlGetNativeSystemInformation)
7d61e4e8: Syscall ordinal 0135 for _NtWow64QueryInformationProcess64@20 (NtWow64QueryInformationProcess64)
7d61e500: Syscall ordinal 0136 for _NtWow64ReadVirtualMemory64@28 (NtWow64ReadVirtualMemory64)
7d61e518: Syscall ordinal 0137 for _ZwWow64QueryVirtualMemory64@32 (NtWow64QueryVirtualMemory64)

Here is the output for user32.dll:

7d947018: Syscall ordinal 1005 for _NtUserCallNoParam@4 (None)
7d9470ba: Syscall ordinal 106b for _NtUserGetObjectInformation@20 (None)
7d9470f4: Syscall ordinal 1021 for _NtUserGetProcessWindowStation@0 (None)
7d9471dd: Syscall ordinal 100e for _NtUserPostMessage@16 (None)
7d947261: Syscall ordinal 105d for _NtUserMoveWindow@24 (None)
7d94784b: Syscall ordinal 1006 for _NtUserGetMessage@16 (None)
7d947a14: Syscall ordinal 125b for _NtUserInitializeClientPfnArrays@16 (None)
7d948043: Syscall ordinal 1002 for _NtUserCallOneParam@8 (None)
7d948270: Syscall ordinal 1041 for _NtUserSystemParametersInfo@16 (None)
7d948473: Syscall ordinal 1007 for _NtUserMessageCall@28 (None)
7d948535: Syscall ordinal 104b for _NtUserSetProp@12 (None)
7d9485c5: Syscall ordinal 109f for _NtUserCallHwndParam@12 (None)
7d948631: Syscall ordinal 100f for _NtUserQueryWindow@8 (None)
7d948670: Syscall ordinal 1017 for _NtUserSetTimer@16 (None)
7d94868d: Syscall ordinal 101a for _NtUserKillTimer@8 (None)
7d9486aa: Syscall ordinal 103b for _NtUserGetForegroundWindow@0 (None)
7d9488ff: Syscall ordinal 1291 for _NtUserUpdateLayeredWindow@40 (None)
7d9489e6: Syscall ordinal 106e for _NtUserFindWindowEx@20 (None)
7d948a1e: Syscall ordinal 1070 for _NtUserUnhookWindowsHookEx@4 (None)
7d948a3b: Syscall ordinal 10d1 for _NtUserValidateRect@8 (None)
7d948a58: Syscall ordinal 1078 for _NtUserSetParent@8 (None)
7d948a99: Syscall ordinal 10d9 for _NtUserGetWindowPlacement@8 (None)
7d948ab6: Syscall ordinal 105e for _NtUserPostThreadMessage@16 (None)
7d948cdd: Syscall ordinal 1036 for _NtUserRegisterWindowMessage@4 (None)
7d9490f6: Syscall ordinal 1019 for _NtUserSetCursor@4 (None)
7d94913e: Syscall ordinal 1045 for _NtUserRemoveProp@8 (None)
7d949175: Syscall ordinal 1023 for _NtUserSetWindowPos@28 (None)
7d9491f4: Syscall ordinal 1001 for _NtUserPeekMessage@20 (None)
7d949355: Syscall ordinal 100c for _NtUserWaitMessage@0 (None)
7d949370: Syscall ordinal 1035 for _NtUserDispatchMessage@4 (None)
7d94950b: Syscall ordinal 1004 for _NtUserInvalidateRect@12 (None)
7d9496c8: Syscall ordinal 1000 for _NtUserGetThreadState@4 (None)
7d9496f2: Syscall ordinal 1018 for _NtUserEndPaint@8 (None)
7d94970f: Syscall ordinal 1016 for _NtUserBeginPaint@8 (None)
7d94972c: Syscall ordinal 1012 for _NtUserRedrawWindow@16 (None)
7d9499f8: Syscall ordinal 107c for _NtUserGetClassName@12 (None)
7d949a42: Syscall ordinal 10b6 for _NtUserGetAncestor@8 (None)
7d949bbe: Syscall ordinal 1003 for _NtUserGetKeyState@4 (None)
7d949bdb: Syscall ordinal 1026 for _NtUserCallHwndParamLock@12 (None)
7d949da1: Syscall ordinal 1013 for _NtUserWindowFromPoint@8 (None)
7d94a011: Syscall ordinal 10cc for _NtUserInvalidateRgn@12 (None)
7d94a09d: Syscall ordinal 100a for _NtUserGetDC@4 (None)
7d94a183: Syscall ordinal 1057 for _NtUserShowWindow@8 (None)
7d94a312: Syscall ordinal 1063 for _NtUserGetWindowDC@4 (None)
7d94a5c1: Syscall ordinal 105b for _NtUserSetWindowLong@16 (None)
7d94a6df: Syscall ordinal 1048 for _NtUserSetCapture@4 (None)
7d94a722: Syscall ordinal 1058 for _NtUserGetKeyboardLayoutList@8 (None)
7d94ad62: Syscall ordinal 100d for _NtUserTranslateMessage@8 (None)
7d94adfb: Syscall ordinal 1020 for _NtUserCallHwndLock@8 (None)
7d94ae1d: Syscall ordinal 101e for _NtUserHideCaret@4 (None)
7d94ae3a: Syscall ordinal 1024 for _NtUserShowCaret@4 (None)
7d94af58: Syscall ordinal 1029 for _NtUserCallTwoParam@12 (None)
7d94af75: Syscall ordinal 1031 for _NtUserCreateCaret@16 (None)
7d94b0b8: Syscall ordinal 102e for _NtUserIsClipboardFormatAvailable@4 (None)
7d94b0d5: Syscall ordinal 1055 for _NtUserGetClipboardSequenceNumber@0 (None)
7d94b132: Syscall ordinal 102f for _NtUserSetScrollInfo@16 (None)
7d94b29f: Syscall ordinal 1025 for _NtUserEndDeferWindowPosEx@8 (None)
7d94b2bc: Syscall ordinal 1052 for _NtUserDeferWindowPos@32 (None)
7d94c0cf: Syscall ordinal 1050 for _NtUserSetFocus@4 (None)
7d94c268: Syscall ordinal 1090 for _NtUserGetTitleBarInfo@8 (None)
7d94c2ac: Syscall ordinal 1062 for _NtUserInternalGetWindowText@12 (None)
7d94c2c9: Syscall ordinal 1098 for _NtUserCalcMenuBar@20 (None)
7d94c2e6: Syscall ordinal 1093 for _NtUserGetDCEx@12 (None)
7d94c412: Syscall ordinal 105f for _NtUserDrawIconEx@44 (None)
7d94c6b5: Syscall ordinal 101b for _NtUserBuildHwndList@28 (None)
7d94c821: Syscall ordinal 109e for _NtUserDestroyWindow@4 (None)
7d94c856: Syscall ordinal 109d for _NtUserDestroyCursor@8 (None)
7d94c873: Syscall ordinal 104e for _NtUserGetIconInfo@24 (None)
7d94c8bf: Syscall ordinal 10ce for _NtUserSetWindowRgn@12 (None)
7d94cb0e: Syscall ordinal 10ad for _NtUserGetAtomName@8 (None)
7d94cc1b: Syscall ordinal 10bd for _NtUserGetClassInfoEx@20 (None)
7d94cd6a: Syscall ordinal 1099 for _NtUserThunkedMenuItemInfo@24 (None)
7d94cd87: Syscall ordinal 10c0 for _NtUserDeleteMenu@12 (None)
7d94d117: Syscall ordinal 10c2 for _NtUserScrollWindowEx@32 (None)
7d94d195: Syscall ordinal 127b for _NtUserSetLayeredWindowAttributes@16 (None)
7d94d1b2: Syscall ordinal 10c4 for _NtUserSetClassLong@16 (None)
7d94d3fd: Syscall ordinal 1104 for _NtUserGetGUIThreadInfo@8 (None)
7d94da17: Syscall ordinal 1010 for _NtUserTranslateAccelerator@12 (None)
7d94da4c: Syscall ordinal 1015 for _NtUserValidateTimerCallback@4 (None)
7d94deb1: Syscall ordinal 103d for _NtUserFindExistingCursorIcon@12 (None)
7d94df61: Syscall ordinal 103c for _NtUserShowScrollBar@12 (None)
7d94dfb5: Syscall ordinal 10e1 for _NtUserDestroyMenu@4 (None)
7d94e0d2: Syscall ordinal 10ba for _NtUserGetDoubleClickTime@0 (None)
7d94e284: Syscall ordinal 10bf for _NtUserUnregisterClass@12 (None)
7d94e5d6: Syscall ordinal 104d for _NtUserSBGetParms@16 (None)
7d94e66a: Syscall ordinal 1094 for _NtUserGetScrollBarInfo@12 (None)
7d94ed83: Syscall ordinal 10a8 for _NtUserSetCursorIconData@16 (None)
7d94f54e: Syscall ordinal 10f5 for _NtUserCreateAcceleratorTable@8 (None)
7d94f87b: Syscall ordinal 1077 for _NtUserCreateWindowEx@60 (None)
7d94f898: Syscall ordinal 10b4 for _NtUserRegisterClassExWOW@28 (None)
7d95008e: Syscall ordinal 1060 for _NtUserGetSystemMenu@8 (None)
7d9505a3: Syscall ordinal 1049 for _NtUserEnumDisplayMonitors@16 (None)
7d950e13: Syscall ordinal 105a for _NtUserMapVirtualKeyEx@16 (None)
7d950f8c: Syscall ordinal 110a for _NtUserUnhookWinEvent@4 (None)
7d951366: Syscall ordinal 10df for _NtUserTrackMouseEvent@4 (None)
7d9513f4: Syscall ordinal 1112 for _NtUserCallHwnd@8 (None)
7d9514e8: Syscall ordinal 10ec for _NtUserSetWindowWord@12 (None)
7d951835: Syscall ordinal 1089 for _NtUserGetIconSize@16 (None)
7d952548: Syscall ordinal 10f8 for _NtUserGetCaretBlinkTime@0 (None)
7d95256b: Syscall ordinal 123f for _NtUserGetCaretPos@4 (None)
7d9529aa: Syscall ordinal 1043 for _NtUserGetAsyncKeyState@4 (None)
7d952ab8: Syscall ordinal 10d2 for _NtUserCloseClipboard@0 (None)
7d952afd: Syscall ordinal 10d3 for _NtUserOpenClipboard@8 (None)
7d952c07: Syscall ordinal 104f for _NtUserExcludeUpdateRgn@8 (None)
7d952c24: Syscall ordinal 1079 for _NtUserGetKeyboardState@4 (None)
7d952c41: Syscall ordinal 10f3 for _NtUserSetKeyboardState@4 (None)
7d952d4b: Syscall ordinal 1044 for _NtUserGetCPD@12 (None)
7d952dce: Syscall ordinal 1027 for _NtUserVkKeyScanEx@12 (None)
7d952e3c: Syscall ordinal 102c for _NtUserNotifyWinEvent@16 (None)
7d9531f0: Syscall ordinal 1121 for _NtUserSetClipboardViewer@4 (None)
7d95320d: Syscall ordinal 111f for _NtUserChangeClipboardChain@8 (None)
7d953a99: Syscall ordinal 10f2 for _NtUserPaintMenuBar@24 (None)
7d954d8d: Syscall ordinal 108d for _NtUserSetWindowsHookEx@24 (None)
7d954f9a: Syscall ordinal 10b9 for _NtUserCloseWindowStation@4 (None)
7d955278: Syscall ordinal 1080 for _NtUserDefSetText@8 (None)
7d955c20: Syscall ordinal 1096 for _NtUserSetWindowFNID@8 (None)
7d955d70: Syscall ordinal 10dd for _NtUserSetThreadState@8 (None)
7d9566a3: Syscall ordinal 10e4 for _NtUserSetActiveWindow@4 (None)
7d956abc: Syscall ordinal 10f6 for _NtUserGetCursorFrameInfo@16 (None)
7d956b38: Syscall ordinal 101d for _NtUserCallNextHookEx@16 (None)
7d956bce: Syscall ordinal 10e6 for _NtUserSetWindowPlacement@8 (None)
7d956f86: Syscall ordinal 108a for _NtUserFillWindow@16 (None)
7d956fba: Syscall ordinal 1014 for _NtUserCallMsgFilter@8 (None)
7d957d5c: Syscall ordinal 110c for _NtUserLockWindowUpdate@4 (None)
7d958b57: Syscall ordinal 10fb for _NtUserEnumDisplayDevices@16 (None)
7d958cc0: Syscall ordinal 1109 for _NtUserSetWinEventHook@32 (None)
7d959cf6: Syscall ordinal 10aa for _NtUserCloseDesktop@4 (None)
7d959e46: Syscall ordinal 10b2 for _NtUserBuildNameList@16 (None)
7d959eb0: Syscall ordinal 10ab for _NtUserOpenDesktop@12 (None)
7d95a0f5: Syscall ordinal 10a1 for _NtUserOpenWindowStation@8 (None)
7d95a825: Syscall ordinal 107b for _NtUserGetControlBrush@12 (None)
7d9610e1: Syscall ordinal 10d7 for _NtUserAlterWindowStyle@12 (None)
7d9652e2: Syscall ordinal 1106 for _NtUserSetWindowsHookAW@12 (None)
7d96534d: Syscall ordinal 1108 for _NtUserCheckMenuItem@12 (None)
7d967424: Syscall ordinal 110d for _NtUserSetSystemMenu@8 (None)
7d9677a4: Syscall ordinal 110e for _NtUserThunkedMenuInfo@8 (None)
7d967fb4: Syscall ordinal 10cf for _NtUserBitBltSysBmp@32 (None)
7d969411: Syscall ordinal 1114 for _NtUserModifyUserStartupInfoFlags@8 (None)
7d9699bd: Syscall ordinal 1084 for _NtUserGetThreadDesktop@8 (None)
7d969c69: Syscall ordinal 10ed for _NtUserGetClipboardFormatName@12 (None)
7d969cf8: Syscall ordinal 10fc for _NtUserEmptyClipboard@0 (None)
7d969d13: Syscall ordinal 10cd for _NtUserGetClipboardOwner@0 (None)
7d969ef4: Syscall ordinal 10fd for _NtUserGetClipboardData@8 (None)
7d969f66: Syscall ordinal 10ef for _NtUserCreateLocalMemHandle@16 (None)
7d969f93: Syscall ordinal 10d5 for _NtUserSetClipboardData@12 (None)
7d96a120: Syscall ordinal 1102 for _NtUserConvertMemHandle@8 (None)
7d96a6bf: Syscall ordinal 10dc for _NtUserGetOpenClipboardWindow@0 (None)
7d96a6da: Syscall ordinal 1115 for _NtUserCountClipboardFormats@0 (None)
7d96a753: Syscall ordinal 122c for _NtUserClipCursor@4 (None)
7d96a8f2: Syscall ordinal 10c5 for _NtUserGetMenuBarInfo@16 (None)
7d96a963: Syscall ordinal 10fe for _NtUserRemoveMenu@12 (None)
7d96aa0e: Syscall ordinal 111a for _NtUserEnumDisplaySettings@16 (None)
7d96abbb: Syscall ordinal 102b for _NtUserCopyAcceleratorTable@12 (None)
7d96bca8: Syscall ordinal 107a for _NtUserToUnicodeEx@28 (None)
7d96c41c: Syscall ordinal 122b for _NtUserChildWindowFromPointEx@16 (None)
7d96c566: Syscall ordinal 1107 for _NtUserSetMenuDefaultItem@12 (None)
7d96d34e: Syscall ordinal 1113 for _NtUserDdeInitialize@20 (None)
7d96d976: Syscall ordinal 1231 for _NtUserDdeGetQualityOfService@12 (None)
7d96f7d7: Syscall ordinal 127d for _NtUserSetMenu@12 (None)
7d96f996: Syscall ordinal 10ac for _NtUserSetProcessWindowStation@4 (None)
7d96fa81: Syscall ordinal 1092 for _NtUserSetThreadDesktop@4 (None)
7d96fd73: Syscall ordinal 10e7 for _NtUserGetControlColor@16 (None)
7d9819d7: Syscall ordinal 1296 for _NtUserWaitForMsgAndEvent@4 (None)
7d981d9c: Syscall ordinal 1126 for _NtUserActivateKeyboardLayout@8 (None)
7d981db9: Syscall ordinal 1123 for _NtUserSetConsoleReserveKeys@8 (None)
7d981f00: Syscall ordinal 1262 for _NtUserMinMaximize@12 (None)
7d986b17: Syscall ordinal 1286 for _NtUserSetWindowStationUser@16 (None)
7d986b34: Syscall ordinal 1229 for _NtUserCallHwndOpt@8 (None)
7d986b51: Syscall ordinal 122f for _NtUserCreateWindowStation@28 (None)
7d9a0785: Syscall ordinal 1083 for _NtUserSendInput@12 (None)
7d9a07a2: Syscall ordinal 10bb for _NtUserEnableScrollBar@12 (None)
7d9a07bf: Syscall ordinal 10e5 for _NtUserSetInformationThread@16 (None)
7d9a07dc: Syscall ordinal 10ee for _NtUserRealInternalGetMessage@24 (None)
7d9a07f9: Syscall ordinal 10f0 for _NtUserAttachThreadInput@12 (None)
7d9a0816: Syscall ordinal 10f7 for _NtUserGetAltTabInfo@24 (None)
7d9a0833: Syscall ordinal 10fa for _NtUserProcessConnect@12 (None)
7d9a0850: Syscall ordinal 111b for _NtUserPaintDesktop@4 (None)
7d9a086d: Syscall ordinal 1122 for _NtUserShowWindowAsync@8 (None)
7d9a088a: Syscall ordinal 1226 for _NtUserBlockInput@4 (None)
7d9a08a7: Syscall ordinal 1228 for _NtUserBuildPropList@16 (None)
7d9a08c4: Syscall ordinal 122a for _NtUserChangeDisplaySettings@16 (None)
7d9a08e1: Syscall ordinal 122d for _NtUserCreateDesktop@20 (None)
7d9a08fe: Syscall ordinal 1232 for _NtUserDdeSetQualityOfService@12 (None)
7d9a091b: Syscall ordinal 1235 for _NtUserDragDetect@12 (None)
7d9a0938: Syscall ordinal 1236 for _NtUserDragObject@20 (None)
7d9a0955: Syscall ordinal 1237 for _NtUserDrawAnimatedRects@16 (None)
7d9a0972: Syscall ordinal 1238 for _NtUserDrawCaption@16 (None)
7d9a098f: Syscall ordinal 1239 for _NtUserDrawCaptionTemp@28 (None)
7d9a09ac: Syscall ordinal 123a for _NtUserDrawMenuBarTemp@20 (None)
7d9a09c9: Syscall ordinal 123b for _NtUserEndMenu@0 (None)
7d9a09e4: Syscall ordinal 123c for _NtUserEvent@4 (None)
7d9a0a01: Syscall ordinal 123d for _NtUserFlashWindowEx@4 (None)
7d9a0a1e: Syscall ordinal 1240 for _NtUserGetClipCursor@4 (None)
7d9a0a3b: Syscall ordinal 1241 for _NtUserGetClipboardViewer@0 (None)
7d9a0a56: Syscall ordinal 1242 for _NtUserGetComboBoxInfo@8 (None)
7d9a0a73: Syscall ordinal 1243 for _NtUserGetCursorInfo@4 (None)
7d9a0a90: Syscall ordinal 1244 for _NtUserGetGuiResources@8 (None)
7d9a0aad: Syscall ordinal 1245 for _NtUserGetImeHotKey@16 (None)
7d9a0aca: Syscall ordinal 1247 for _NtUserGetInternalWindowPos@12 (None)
7d9a0ae7: Syscall ordinal 1248 for _NtUserGetKeyNameText@12 (None)
7d9a0b04: Syscall ordinal 1249 for _NtUserGetKeyboardLayoutName@4 (None)
7d9a0b21: Syscall ordinal 124a for _NtUserGetLayeredWindowAttributes@16 (None)
7d9a0b3e: Syscall ordinal 124b for _NtUserGetListBoxInfo@4 (None)
7d9a0b5b: Syscall ordinal 124c for _NtUserGetMenuIndex@8 (None)
7d9a0b78: Syscall ordinal 124d for _NtUserGetMenuItemRect@16 (None)
7d9a0b95: Syscall ordinal 124e for _NtUserGetMouseMovePointsEx@20 (None)
7d9a0bb2: Syscall ordinal 124f for _NtUserGetPriorityClipboardFormat@8 (None)
7d9a0bcf: Syscall ordinal 1250 for _NtUserGetRawInputBuffer@12 (None)
7d9a0bec: Syscall ordinal 1251 for _NtUserGetRawInputData@20 (None)
7d9a0c09: Syscall ordinal 1252 for _NtUserGetRawInputDeviceInfo@16 (None)
7d9a0c26: Syscall ordinal 1253 for _NtUserGetRawInputDeviceList@12 (None)
7d9a0c43: Syscall ordinal 1254 for _NtUserGetRegisteredRawInputDevices@12 (None)
7d9a0c60: Syscall ordinal 1255 for _NtUserGetWOWClass@8 (None)
7d9a0c7d: Syscall ordinal 1257 for _NtUserHiliteMenuItem@16 (None)
7d9a0c9a: Syscall ordinal 1258 for _NtUserImpersonateDdeClientWindow@8 (None)
7d9a0cb7: Syscall ordinal 1259 for _NtUserInitTask@48 (None)
7d9a0cd4: Syscall ordinal 125c for _NtUserLoadKeyboardLayoutEx@28 (None)
7d9a0cf1: Syscall ordinal 125d for _NtUserLockWindowStation@4 (None)
7d9a0d0e: Syscall ordinal 125e for _NtUserLockWorkStation@0 (None)
7d9a0d29: Syscall ordinal 125f for _NtUserMNDragLeave@0 (None)
7d9a0d44: Syscall ordinal 1260 for _NtUserMNDragOver@8 (None)
7d9a0d61: Syscall ordinal 1261 for _NtUserMenuItemFromPoint@16 (None)
7d9a0d7e: Syscall ordinal 1263 for _NtUserNotifyIMEStatus@12 (None)
7d9a0d9b: Syscall ordinal 1264 for _NtUserOpenInputDesktop@12 (None)
7d9a0db8: Syscall ordinal 1265 for _NtUserPrintWindow@12 (None)
7d9a0dd5: Syscall ordinal 1268 for _NtUserQuerySendMessage@4 (None)
7d9a0df2: Syscall ordinal 1269 for _NtUserRealChildWindowFromPoint@12 (None)
7d9a0e0f: Syscall ordinal 126a for _NtUserRealWaitMessageEx@8 (None)
7d9a0e2c: Syscall ordinal 126b for _NtUserRegisterHotKey@16 (None)
7d9a0e49: Syscall ordinal 126c for _NtUserRegisterRawInputDevices@12 (None)
7d9a0e66: Syscall ordinal 126d for _NtUserRegisterTasklist@4 (None)
7d9a0e83: Syscall ordinal 126e for _NtUserRegisterUserApiHook@16 (None)
7d9a0ea0: Syscall ordinal 1273 for _NtUserResolveDesktopForWOW@4 (None)
7d9a0ebd: Syscall ordinal 1275 for _NtUserSetClassWord@12 (None)
7d9a0eda: Syscall ordinal 1276 for _NtUserSetCursorContents@8 (None)
7d9a0ef7: Syscall ordinal 1277 for _NtUserSetImeHotKey@20 (None)
7d9a0f14: Syscall ordinal 1279 for _NtUserSetImeOwnerWindow@8 (None)
7d9a0f31: Syscall ordinal 127a for _NtUserSetInternalWindowPos@16 (None)
7d9a0f4e: Syscall ordinal 127c for _NtUserSetLogonNotifyWindow@4 (None)
7d9a0f6b: Syscall ordinal 127e for _NtUserSetMenuContextHelpId@8 (None)
7d9a0f88: Syscall ordinal 127f for _NtUserSetMenuFlagRtoL@4 (None)
7d9a0fa5: Syscall ordinal 1280 for _NtUserSetObjectInformation@16 (SetUserObjectInformationA)
7d9a0fc2: Syscall ordinal 1281 for _NtUserSetShellWindowEx@8 (None)
7d9a0fdf: Syscall ordinal 1282 for _NtUserSetSysColors@16 (None)
7d9a0ffc: Syscall ordinal 1283 for _NtUserSetSystemCursor@8 (None)
7d9a1019: Syscall ordinal 1284 for _NtUserSetSystemTimer@16 (None)
7d9a1036: Syscall ordinal 1288 for _NtUserSwitchDesktop@4 (None)
7d9a1053: Syscall ordinal 1289 for _NtUserTestForInteractiveUser@4 (None)
7d9a1070: Syscall ordinal 128a for _NtUserTrackPopupMenuEx@24 (None)
7d9a108d: Syscall ordinal 128b for _NtUserUnloadKeyboardLayout@4 (None)
7d9a10aa: Syscall ordinal 128c for _NtUserUnlockWindowStation@4 (None)
7d9a10c7: Syscall ordinal 128d for _NtUserUnregisterHotKey@8 (None)
7d9a10e4: Syscall ordinal 128e for _NtUserUnregisterUserApiHook@0 (None)
7d9a10ff: Syscall ordinal 128f for _NtUserUpdateInputContext@12 (None)
7d9a111c: Syscall ordinal 1290 for _NtUserUpdateInstance@12 (None)
7d9a1139: Syscall ordinal 1292 for _NtUserUpdatePerUserSystemParameters@8 (None)
7d9a1156: Syscall ordinal 1293 for _NtUserUserHandleGrantAccess@12 (None)
7d9a1173: Syscall ordinal 1294 for _NtUserValidateHandleSecure@4 (None)
7d9a1190: Syscall ordinal 1295 for _NtUserWaitForInputIdle@12 (None)
7d9a11ad: Syscall ordinal 1297 for _NtUserWin32PoolAllocationStats@24 (None)
7d9a11ca: Syscall ordinal 1298 for _NtUserYieldTask@0 (None)

And here is the output for kernel32.dll:

7d4df1bc: Syscall ordinal 3000 for _NtWow64CsrBasepSoundSentryNotification@4 (None)
7d4df1d4: Syscall ordinal 3001 for _NtWow64CsrBasepRefreshIniFileMapping@4 (None)
7d4df1ec: Syscall ordinal 3002 for _NtWow64CsrBasepDefineDosDevice@12 (None)
7d4df204: Syscall ordinal 3003 for _NtWow64CsrBasepGetTempFile@0 (None)
7d4df218: Syscall ordinal 3004 for _NtWow64CsrBasepCreateProcess@4 (None)
7d4df230: Syscall ordinal 3005 for _NtWow64CsrBasepExitProcess@4 (None)
7d4df248: Syscall ordinal 3006 for _NtWow64CsrBasepSetProcessShutdownParam@8 (None)
7d4df260: Syscall ordinal 3007 for _NtWow64CsrBasepGetProcessShutdownParam@8 (None)
7d4df278: Syscall ordinal 3008 for _NtWow64CsrBasepSetTermsrvAppInstallMode@4 (None)
7d4df290: Syscall ordinal 3009 for _NtWow64CsrBasepSetClientTimeZoneInformation@4 (None)
7d4df2a8: Syscall ordinal 300a for _NtWow64CsrBasepCreateThread@12 (None)
7d4df2c0: Syscall ordinal 300b for _NtWow64CsrBaseClientConnectToServer@12 (None)
7d4df2d8: Syscall ordinal 300c for _NtWow64CsrBasepNlsSetUserInfo@12 (None)
7d4df2f0: Syscall ordinal 300d for _NtWow64CsrBasepNlsSetMultipleUserInfo@28 (None)
7d4df308: Syscall ordinal 300e for _NtWow64CsrBasepNlsCreateSection@12 (None)
7d4df320: Syscall ordinal 300f for _NtWow64CsrBasepCreateActCtx@4 (None)
7d4df338: Syscall ordinal 3010 for _NtWow64CsrBasepNlsUpdateCacheCount@0 (None)
7d4df34c: Syscall ordinal 3011 for _NtWow64CsrBaseCheckRunApp@40 (None)
7d4df364: Syscall ordinal 3012 for _NtWow64CsrBasepNlsGetUserInfo@8 (None)
7d4df37c: Syscall ordinal 3013 for _NtWow64CsrBaseQueryModuleData@20 (None)
7d4e9514: Syscall ordinal 203b for _ConnectConsoleInternal@12 (None)
7d4ea51e: Syscall ordinal 2000 for _OpenConsoleWInternal@16 (None)
7d4eade7: Syscall ordinal 203f for _GetConsoleLangId@4 (None)
7d4eb3ee: Syscall ordinal 204b for _GetConsoleTitleInternal@12 (None)
7d4eb7a2: Syscall ordinal 202a for _GetConsoleCP@0 (None)
7d4ed26f: Syscall ordinal 2007 for _VerifyConsoleIoHandle@4 (None)
7d4ed28c: Syscall ordinal 2012 for _GetConsoleMode@8 (None)
7d4ed2a9: Syscall ordinal 2002 for _WriteConsoleInternal@20 (None)
7d4ed325: Syscall ordinal 2004 for _DuplicateConsoleHandle@16 (None)
7d4ed34c: Syscall ordinal 2003 for _CloseConsoleHandle@4 (None)
7d4ed374: Syscall ordinal 201e for _SetConsoleMode@8 (None)
7d4ed51b: Syscall ordinal 202c for _GetConsoleOutputCP@0 (None)
7d503305: Syscall ordinal 2017 for _GetConsoleScreenBufferInfo@8 (None)
7d54f034: Syscall ordinal 2001 for _ReadConsoleInternal@32 (None)
7d54f051: Syscall ordinal 2005 for _GetConsoleHandleInformation@8 (None)
7d54f06e: Syscall ordinal 2006 for _SetConsoleHandleInformation@12 (None)
7d54f08b: Syscall ordinal 2008 for _SetLastConsoleEventActiveInternal@0 (None)
7d54f0a6: Syscall ordinal 2009 for _GetConsoleInput@24 (None)
7d54f0c3: Syscall ordinal 200a for _WriteConsoleInputInternal@24 (None)
7d54f0e0: Syscall ordinal 200b for _ReadConsoleOutputInternal@24 (None)
7d54f0fd: Syscall ordinal 200c for _WriteConsoleOutputInternal@24 (None)
7d54f11a: Syscall ordinal 200d for _ReadConsoleOutputString@28 (None)
7d54f137: Syscall ordinal 200e for _WriteConsoleOutputString@28 (None)
7d54f154: Syscall ordinal 200f for _FillConsoleOutput@24 (None)
7d54f171: Syscall ordinal 2010 for _CreateConsoleScreenBuffer@20 (None)
7d54f18e: Syscall ordinal 2011 for _InvalidateConsoleDIBits@8 (None)
7d54f1ab: Syscall ordinal 2013 for _GetConsoleProcessList@8 (None)
7d54f1c8: Syscall ordinal 2014 for _GetNumberOfConsoleFonts@0 (None)
7d54f1e3: Syscall ordinal 2015 for _GetNumberOfConsoleInputEvents@8 (None)
7d54f200: Syscall ordinal 2016 for _GetLargestConsoleWindowSize@4 (None)
7d54f21d: Syscall ordinal 2018 for _GetConsoleCursorInfo@8 (None)
7d54f23a: Syscall ordinal 2019 for _GetConsoleSelectionInfo@4 (None)
7d54f257: Syscall ordinal 201a for _GetNumberOfConsoleMouseButtons@4 (None)
7d54f274: Syscall ordinal 201b for _GetConsoleFontInfo@16 (None)
7d54f291: Syscall ordinal 201c for _GetConsoleFontSize@8 (None)
7d54f2ae: Syscall ordinal 201d for _GetCurrentConsoleFont@12 (None)
7d54f2cb: Syscall ordinal 201f for _GenerateConsoleCtrlEvent@8 (None)
7d54f2e8: Syscall ordinal 2020 for _SetConsoleActiveScreenBuffer@4 (None)
7d54f305: Syscall ordinal 2021 for _FlushConsoleInputBuffer@4 (None)
7d54f322: Syscall ordinal 2022 for _SetConsoleScreenBufferSize@8 (None)
7d54f33f: Syscall ordinal 2023 for _SetConsoleCursorPosition@8 (None)
7d54f35c: Syscall ordinal 2024 for _SetConsoleCursorInfo@8 (None)
7d54f379: Syscall ordinal 2025 for _SetConsoleWindowInfo@12 (None)
7d54f396: Syscall ordinal 2026 for _ScrollConsoleScreenBufferInternal@24 (None)
7d54f3b3: Syscall ordinal 2027 for _SetConsoleTextAttribute@8 (None)
7d54f3d0: Syscall ordinal 2028 for _SetConsoleFont@8 (None)
7d54f3ed: Syscall ordinal 2029 for _SetConsoleIcon@4 (None)
7d54f40a: Syscall ordinal 202b for _SetConsoleCP@4 (None)
7d54f427: Syscall ordinal 202d for _SetConsoleOutputCPInternal@4 (None)
7d54f444: Syscall ordinal 202e for _GetConsoleKeyboardLayoutNameWorker@8 (None)
7d54f461: Syscall ordinal 202f for _GetConsoleWindow@0 (None)
7d54f47c: Syscall ordinal 2030 for _SetConsoleCursor@8 (None)
7d54f499: Syscall ordinal 2031 for _ShowConsoleCursor@8 (None)
7d54f4b6: Syscall ordinal 2032 for _ConsoleMenuControl@12 (None)
7d54f4d3: Syscall ordinal 2033 for _SetConsolePaletteInternal@12 (None)
7d54f4f0: Syscall ordinal 2034 for _RegisterConsoleVDM@44 (None)
7d54f50d: Syscall ordinal 2035 for _SetConsoleDisplayMode@12 (None)
7d54f52a: Syscall ordinal 2036 for _GetConsoleHardwareState@12 (None)
7d54f547: Syscall ordinal 2037 for _SetConsoleHardwareState@12 (None)
7d54f564: Syscall ordinal 2038 for _GetConsoleDisplayMode@4 (None)
7d54f581: Syscall ordinal 2039 for _SetConsoleKeyShortcuts@16 (None)
7d54f59e: Syscall ordinal 203a for _SetConsoleMenuClose@4 (None)
7d54f5bb: Syscall ordinal 203c for _AllocConsoleInternal@44 (None)
7d54f5d8: Syscall ordinal 203d for _FreeConsoleInternal@0 (None)
7d54f5f3: Syscall ordinal 203e for _AttachConsoleInternal@16 (None)
7d54f610: Syscall ordinal 2040 for _AddConsoleAliasInternal@24 (None)
7d54f62d: Syscall ordinal 2041 for _GetConsoleAliasInternal@24 (None)
7d54f64a: Syscall ordinal 2042 for _GetConsoleAliasesLengthInternal@8 (None)
7d54f667: Syscall ordinal 2043 for _GetConsoleAliasExesLengthInternal@4 (None)
7d54f684: Syscall ordinal 2044 for _GetConsoleAliasesInternal@16 (None)
7d54f6a1: Syscall ordinal 2045 for _GetConsoleAliasExesInternal@12 (None)
7d54f6be: Syscall ordinal 2046 for _ExpungeConsoleCommandHistoryInternal@8 (None)
7d54f6db: Syscall ordinal 2047 for _SetConsoleNumberOfCommandsInternal@12 (None)
7d54f6f8: Syscall ordinal 2048 for _GetConsoleCommandHistoryLengthInternal@8 (None)
7d54f715: Syscall ordinal 2049 for _GetConsoleCommandHistoryInternal@16 (None)
7d54f732: Syscall ordinal 204a for _SetConsoleCommandHistoryMode@4 (None)
7d54f74f: Syscall ordinal 204c for _SetConsoleTitleInternal@12 (None)
7d54f76c: Syscall ordinal 204d for _GetConsoleCharType@12 (None)
7d54f789: Syscall ordinal 204e for _SetConsoleLocalEUDC@16 (None)
7d54f7a6: Syscall ordinal 204f for _SetConsoleCursorMode@12 (None)
7d54f7c3: Syscall ordinal 2050 for _GetConsoleCursorMode@12 (None)
7d54f7e0: Syscall ordinal 2051 for _RegisterConsoleOS2@4 (None)
7d54f7fd: Syscall ordinal 2052 for _SetConsoleOS2OemFormat@4 (None)
7d54f81a: Syscall ordinal 2053 for _GetConsoleNlsMode@8 (None)
7d54f837: Syscall ordinal 2054 for _SetConsoleNlsMode@8 (None)
7d54f854: Syscall ordinal 2055 for _RegisterConsoleIMEInternal@20 (None)
7d54f871: Syscall ordinal 2056 for _UnregisterConsoleIMEInternal@4 (None)

Automated Unpacking, Dynamic Binary Instrumentation and You

Howdy fellas,

I was thinking about Google Native Client and their sandbox model, and all of a sudden I realised that you could achieve the same level of control with dynamic binary instrumentation. This is the kind of moment where you think you have a genius idea, just to realise that lots of other people had it before you (including at least Skape, Danny Quist and Ivanlef0u).

Anyway it sounded fun, so here is my toy experiment: finding the original entrypoint of packed executables in 60 lines of Python.

This project uses PIN for the analysis of the file, and even better: we only use the examples in the user guide. I’ll explain how PIN works another day, if you don’t mind. The point of interest is that I apply the usual technique for generic unpacking (record memory writes, compare that with the executed addresses) but with dynamic instrumentation rather than emulation or technical approaches like page permissions and such. For more info on these approaches, see my outrageously brilliant post here.

So let’s take the Linux ls utility as a test binary:

reynaudd@lhs-2:~/test/packed$ cp /bin/ls .

Let’s generate a list of memory references with a pintool:

reynaudd@lhs-2:~/test/packed$ pin -t ../pin-2.5-23100-gcc.4.0.0-ia32_intel64-linux/source/tools/ManualExamples/obj-intel64/pinatrace.so -- ./ls
reynaudd@lhs-2:~/test/packed$ head pinatrace.out
0x7fb878380a63: W 0x7fff80599d98
0x7fb878381070: W 0x7fff80599d90
0x7fb878381074: W 0x7fff80599d88
0x7fb878381076: W 0x7fff80599d80
0x7fb87838107b: W 0x7fff80599d78
0x7fb878381092: R 0x7fb87859bbe0
0x7fb87838109c: R 0x7fb87859bfb8
0x7fb8783810a3: W 0x7fb87859bda8
0x7fb8783810aa: W 0x7fb87859c528
0x7fb8783810b1: R 0x7fb87859be48

Then, let’s generate a hit trace with another pintool (it just prints the address of executed instructions, which is fine for us):

reynaudd@lhs-2:~/test/packed$ pin -t ../pin-2.5-23100-gcc.4.0.0-ia32_intel64-linux/source/tools/ManualExamples/obj-intel64/itrace.so -- ./ls
reynaudd@lhs-2:~/test/packed$ head itrace.out
0x7f313aa1da60
0x7f313aa1da63
0x7f313aa1e070
0x7f313aa1e071
0x7f313aa1e074
0x7f313aa1e076
0x7f313aa1e078
0x7f313aa1e07b
0x7f313aa1e07c
0x7f313aa1e080

Now let’s pack ls with upx and see how it goes:

reynaudd@lhs-2:~/test/packed$ mv itrace.out itrace.out.ls.normal > /dev/null
reynaudd@lhs-2:~/test/packed$ mv pinatrace.out pinatrace.out.ls.normal > /dev/null
reynaudd@lhs-2:~/test/packed$ upx ls
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2008
UPX 3.03        Markus Oberhumer, Laszlo Molnar & John Reiser   Apr 27th 2008

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
ls  1/5  [.......................................................]  100.0%
ls  1/5  [******.................................................]   33.8%
ls  1/5  [************...........................................]   42.6%
ls  1/5  [*****************......................................]   45.4%
ls  1/5  [***********************................................]   43.3%
ls  1/5  [*****************************..........................]   45.5%
ls  1/5  [**********************************.....................]   45.8%
ls  1/5  [****************************************...............]   45.5%
ls  1/5  [*********************************************..........]   44.2%
ls  1/5  [***************************************************....]   41.5%
ls  1/5  [*******************************************************]   41.2%
ls  2/5  [.......................................................]  100.0%
ls  2/5  [******.................................................]   36.0%
ls  2/5  [************...........................................]   45.1%
ls  2/5  [*****************......................................]   49.1%
ls  2/5  [***********************................................]   47.4%
ls  2/5  [*****************************..........................]   49.1%
ls  2/5  [**********************************.....................]   49.5%
ls  2/5  [****************************************...............]   49.2%
ls  2/5  [*********************************************..........]   47.5%
ls  2/5  [***************************************************....]   44.4%
ls  2/5  [*******************************************************]   43.8%
ls  3/5  [.......................................................]  100.0%
ls  3/5  [*******************************************************]   26.2%
ls  4/5  [.......................................................]  100.0%
ls  5/5  [.......................................................]  100.0%
ls  5/5  [*******************************************************]   27.7%
 101992 ->     43612   42.76%  linux/ElfAMD   ls

Packed 1 file.
reynaudd@lhs-2:~/test/packed$ pin -t ../pin-2.5-23100-gcc.4.0.0-ia32_intel64-linux/source/tools/ManualExamples/obj-intel64/pinatrace.so -- ./ls > /dev/null
reynaudd@lhs-2:~/test/packed$ pin -t ../pin-2.5-23100-gcc.4.0.0-ia32_intel64-linux/source/tools/ManualExamples/obj-intel64/itrace.so -- ./ls > /dev/null
reynaudd@lhs-2:~/test/packed$ mv itrace.out itrace.out.ls.packed
reynaudd@lhs-2:~/test/packed$ mv pinatrace.out pinatrace.out.ls.packed
reynaudd@lhs-2:~/test/packed$ wc -l pinatrace.out.ls.*
 198746 pinatrace.out.ls.normal
 646742 pinatrace.out.ls.packed
 845488 total
reynaudd@lhs-2:~/test/packed$ wc -l itrace.out.ls.*
 523197 itrace.out.ls.normal
 2673802 itrace.out.ls.packed
 3196999 total

As you can see, PIN works surprisingly well on a packed executable (upx is quite analysis friendly though). The stats are here to confirm the intuition: there are more instructions executed in the packed executable than in the normal executable, and there are more memory reads and writes. Now let’s roll some highly unoptimised python code to match the memory writes and the hit trace:

#!/usr/bin/env python

"""Usage: python tracesurfer.py <pinatrace.out file> <itrace.out file>"""

import sys
import getopt

def parse(pinatrace):
    # collect the target address of every memory write in the pinatrace.out
    # file; lines look like "0x7fb878380a63: W 0x7fff80599d98"
    writes = []
    with open(pinatrace, 'r') as f:
        for line in f:
            tokens = line.split()
            if len(tokens) == 3 and tokens[1] == "W": # indicates a memory write
                # parse the hex address with int(), never eval() a trace file
                writes.append(int(tokens[2], 16))
    return writes

def match(writes, itrace):
    # a set gives O(1) membership tests instead of a list scan per instruction
    written = set(writes)
    with open(itrace, 'r') as f:
        for line in f:
            line = line.strip()
            if line.startswith("0x"):
                eip = int(line, 16)
                if eip in written: # this eip has previously been written
                                   # to, we guess this is the oep (the two
                                   # traces come from separate runs, so only
                                   # addresses stable across runs can match)
                    return eip
    return None

def main():
    # parse command line options
    try:
        opts, args = getopt.getopt(sys.argv[1:], "h", ["help"])
    except getopt.error as msg:
        print(msg)
        print("for help use --help")
        sys.exit(2)
    # process options
    for o, a in opts:
        if o in ("-h", "--help"):
            print(__doc__)
            sys.exit(0)
    # process arguments
    if len(args) != 2:
        print(__doc__)
        print("for help use --help")
        sys.exit(2)
    print("parsing", args[0])
    writes = parse(args[0])
    print("done, parsed", len(writes), "memory writes")
    print("looking for hits in", args[1])
    hit = match(writes, args[1])
    if hit is None:
        print("no hits found, the binary doesn't look packed")
    else:
        print("Candidate OEP: 0x%X" % hit)

if __name__ == "__main__":
    main()

Finally, let’s execute it with the two generated files for our packed executable (and the normal executable, just to check if everything is fine):

reynaudd@lhs-2:~/test/packed$ ./tracesurfer2.py pinatrace.out.ls.packed itrace.out.ls.packed
parsing pinatrace.out.ls.packed
done, parsed 208638 memory writes
looking for hits in itrace.out.ls.packed
Candidate OEP: 0x129000

reynaudd@lhs-2:~/test/packed$ ./tracesurfer.py pinatrace.out.ls.normal itrace.out.ls.normal
parsing pinatrace.out.ls.normal
done, parsed 55829 memory writes.
sorting the writes list
done
looking for hits in itrace.out.ls.normal
no hits found, the binary doesn't look packed
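The script above matches writes from one run against executed addresses from another run, so it cannot tell whether a write happened before or after the instruction at that address was executed. As an added example (not the post's tracesurfer.py, and not part of PIN's ManualExamples), here is the same write-then-execute idea on a single, time-ordered trace. It assumes a hypothetical pintool that logs instruction fetches and memory writes interleaved in execution order into one file, reusing the two line formats shown above (a bare `0xADDR` for an executed instruction, `0xADDR: W 0xTARGET` for a write); the trace below is constructed for illustration.

```python
"""Ordered write-then-execute OEP detection on one interleaved trace.

Assumed (hypothetical) input format, one event per line in execution order:
    0x401000                   an executed instruction (itrace style)
    0x401000: W 0x402000       a memory write by that instruction
                               (pinatrace style; 'R' lines are ignored)
"""
import sys


def parse_event(line):
    """Return ("X", eip) for an executed address, ("W", target) for a memory
    write, or None for anything else (reads, blank lines, trailer lines)."""
    tokens = line.split()
    if not tokens or not tokens[0].startswith("0x"):
        return None
    if len(tokens) == 1:
        return ("X", int(tokens[0], 16))   # int(.., 16), never eval()
    if len(tokens) == 3 and tokens[1] == "W":
        return ("W", int(tokens[2], 16))
    return None


def find_oep(lines):
    """Single pass: the first executed address whose byte was written EARLIER
    in the same run. Returns (address, line number) or None."""
    written = set()
    for lineno, line in enumerate(lines, 1):
        event = parse_event(line)
        if event is None:
            continue
        kind, addr = event
        if kind == "W":
            written.add(addr)
        elif addr in written:
            return addr, lineno
    return None


def find_oep_unordered(lines):
    """The post's two-file logic applied to the same trace: collect every
    write of the whole run first, then take the first executed address in
    that set. A stub that overwrites code it has already run makes this
    report a false candidate, which the ordered scan above avoids."""
    lines = list(lines)
    written = set()
    for line in lines:
        event = parse_event(line)
        if event and event[0] == "W":
            written.add(event[1])
    for line in lines:
        event = parse_event(line)
        if event and event[0] == "X" and event[1] in written:
            return event[1]
    return None


# Constructed trace: a stub at 0x401000 unpacks code to 0x402000.., overwrites
# part of itself (0x401010) after running it, then jumps to the unpacked code.
SAMPLE_TRACE = """\
0x401000
0x401000: W 0x402000
0x401005
0x401005: W 0x402004
0x401010
0x40101a
0x40101a: W 0x401010
0x401020
0x402000
0x402004
#eof
"""


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_TRACE.splitlines()
    hit = find_oep(lines)
    if hit is None:
        print("no write-then-execute found, the binary doesn't look packed")
    else:
        print("Candidate OEP: 0x%X (trace line %d)" % hit)
    print("unordered (two-file style) candidate: %r" % find_oep_unordered(lines))


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed trace the ordered scan reports 0x402000, while the unordered variant reports 0x401010, an address that was executed first and only written afterwards. Both variants share the page's granularity limit: pinatrace.out records only the first byte of each write, so an instruction starting in the middle of a wider write is not recognised unless the tool also logs write sizes.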

That’s all folks!

Python XML for Real Men Cheat Sheet

Howdy again,

Now let’s do some serious XML output in Python using cElementTree.

# xml.etree.cElementTree shipped with Python 2.5+; on Python 3 the accelerated
# implementation is xml.etree.ElementTree itself (cElementTree was removed in 3.9)
from xml.etree.ElementTree import ElementTree, Element, dump

# let's create the root element
root = Element("teabag")

# give it a child with an attribute
child1 = Element("spam")
child1.attrib["name"] = "value"
root.append(child1)

# and a child with text content
child2 = Element("eggs")
child2.text = "spam and eggs"
root.append(child2)

# print the whole thing to stdout
dump(root)

# or to a file
ElementTree(root).write("teabag.xml")

See the author’s website for downloads and usage information of cElementTree.

Using this API, I was able to create a 47 Mb XML file in a few minutes, burning roughly 300 Mb of heap space. This XML file represents a graph of graphs, namely the control flow graph of each function of IDA Pro. Here are some screenshots, using yEd for the visualization part:

Python XML Cheat Sheet

[UPDATED] Finally xml.dom.minidom sucks balls, it can burn hundreds of megabytes or even gigabytes of sweet memory when working with “large” xml files (10 Mb or more). See this post for a really lightweight implementation.

Howdy,

Here is a quick reference of how to create an XML document and output it in Python.

import xml.dom.minidom

# create the document
doc = xml.dom.minidom.Document()

# populate it with an element
root = doc.createElement("teabag")
doc.appendChild(root)

# time to give some children to the root element, one with an attribute for instance
child1 = doc.createElement("spam")
child1.setAttribute("name", "value")
root.appendChild(child1)

# and another one with some text
child2 = doc.createElement("eggs")
text = doc.createTextNode("spam and eggs!")
child2.appendChild(text)
root.appendChild(child2)

# let's get the output, as a string
print(doc.toprettyxml())

# you're supposed to get the following output:
#<?xml version="1.0" ?>
#<teabag>
#    <spam name="value"/>
#    <eggs>
#        spam and eggs!
#    </eggs>
#</teabag>

How nice is that? Yep, a lot.
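Both cheat sheets above build a small tree by hand. As an added example (not code from either post), here is the “graph of graphs” use case from the cElementTree post worked through twice: once building the whole document in memory with ElementTree, and once streaming it with xml.sax.saxutils.XMLGenerator, which never holds a tree and so keeps memory flat however large the output gets. The input shape (a dict mapping function names to basic block addresses and edges), the element names and the sample data are all made up for illustration. The second function name deliberately contains `<`, `"` and `&` to show why you want the library to do the escaping: a name lifted from an untrusted binary must not be able to break or inject into the document, which string concatenation would allow.

```python
import io
import xml.etree.ElementTree as ET          # C accelerated on Python 3
from xml.sax.saxutils import XMLGenerator  # streaming writer, no in-memory tree

# Constructed sample input: function name -> (basic block addresses, edges).
# The second name deliberately contains characters that must be escaped.
CFGS = {
    "main": ([0x401000, 0x401020], [(0x401000, 0x401020)]),
    'op<"&">': ([0x402000], []),
}


def build_cfg_tree(cfgs):
    """Build the whole document in memory with ElementTree (the approach of
    the cElementTree post); fine up to tens of megabytes of output."""
    root = ET.Element("program")
    for name, (blocks, edges) in sorted(cfgs.items()):
        fn = ET.SubElement(root, "function", name=name)
        for addr in blocks:
            ET.SubElement(fn, "block", addr="0x%x" % addr)
        for src, dst in edges:
            ET.SubElement(fn, "edge", src="0x%x" % src, dst="0x%x" % dst)
        summary = ET.SubElement(fn, "summary")
        summary.text = "%d blocks, %d edges" % (len(blocks), len(edges))
    return ET.ElementTree(root)


def serialize(tree):
    """Serialize with an XML declaration; the writer escapes <, & and " in
    text and attribute values, which string concatenation would not."""
    buf = io.BytesIO()
    tree.write(buf, encoding="utf-8", xml_declaration=True)
    return buf.getvalue().decode("utf-8")


def stream_cfgs(cfgs, out):
    """Same document written incrementally through a SAX XMLGenerator: each
    function is emitted and forgotten, so memory use does not grow with the
    number of functions."""
    gen = XMLGenerator(out, encoding="utf-8")
    gen.startDocument()
    gen.startElement("program", {})
    for name, (blocks, edges) in sorted(cfgs.items()):
        gen.startElement("function", {"name": name})
        for addr in blocks:
            gen.startElement("block", {"addr": "0x%x" % addr})
            gen.endElement("block")
        for src, dst in edges:
            gen.startElement("edge", {"src": "0x%x" % src, "dst": "0x%x" % dst})
            gen.endElement("edge")
        gen.startElement("summary", {})
        gen.characters("%d blocks, %d edges" % (len(blocks), len(edges)))
        gen.endElement("summary")
        gen.endElement("function")
    gen.endElement("program")
    gen.endDocument()


def streamed(cfgs):
    """Run the streaming writer into a string buffer (a file works the same)."""
    buf = io.StringIO()
    stream_cfgs(cfgs, buf)
    return buf.getvalue()


def function_names(xml_text):
    """Parse a document produced above and return the function names, to
    check that the escaping round-trips unchanged."""
    root = ET.fromstring(xml_text)
    return [fn.get("name") for fn in root.findall("function")]


if __name__ == "__main__":
    print(serialize(build_cfg_tree(CFGS)))
    print(streamed(CFGS))
    print(function_names(streamed(CFGS)))
```

For a real export, pass an open file to `stream_cfgs` instead of a StringIO; the tree-building variant is the simpler one to post-process (sorting, pruning) before writing, the streaming variant is the one to reach for when the document would not fit comfortably in memory.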