GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-06-20 14:41:40 Windows 5.1.2600 Service Pack 2 Running: do8o2qt0.exe; Driver: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\fwncrfoc.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xAA7D136E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xAA7D1A86] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xAA7D260C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xAA7D2B40] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xAA7D1D78] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xAA7D0460] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xAA7D2A18] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xAA7CFD0A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xAA7D28D4] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xAA7D1102] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xAA7D2C72] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xAA7D440E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xAA7D1886] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xAA7D2976] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xAA7D0A20] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xAA7D0CF8] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xAA7D221C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xAA7D4980] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xAA7D0E3A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xAA7D0EE4] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xAA7D2016] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xAA7D3EA6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xAA7D043C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xAA7D044E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xAA7D1030] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xAA7D2BE2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xAA7D1B08] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xAA7D0604] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xAA7D2AB0] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xAA7D156E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xAA7D4438] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xAA7D2D14] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xAA7D1492] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xAA7D0F8E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xAA7D0BB6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xAA7D08BC] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xAA7D4128] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xAA7D0B34] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xAA7D00C2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xAA7D309E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xAA7D2F64] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xAA7D3C30] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xAA7D0224] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xAA7D4860] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xAA7CFEC4] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xAA7D2312] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xAA7D1984] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xAA7D35F2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xAA7D3FA0] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xAA7D44C2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xAA7D0744] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xAA7D45A6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xAA7D46D2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xAA7D3DD2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xAA7D16EA] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xAA7D163C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xAA7D17C8] INT 0x39 ? 86CF0D68 INT 0x3C ? 86CF0D68 INT 0x3E ? 86FD1BF8 INT 0x3F ? 86FD1BF8 Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!_abnormal_termination + 117 804E2DE8 16 Bytes [02, 11, 7D, AA, 72, 2C, 7D, ...] {ADD DL, [ECX]; JGE 0xffffffffffffffae; JB 0x32; JGE 0xffffffffffffffb2; PUSH CS; INC ESP; JGE 0xffffffffffffffb6; XCHG [EAX], BL; JGE 0xffffffffffffffba} .text ntoskrnl.exe!_abnormal_termination + 1D3 804E2EA4 12 Bytes [A6, 3E, 7D, AA, 3C, 04, 7D, ...] .text ntoskrnl.exe!_abnormal_termination + 34F 804E3020 16 Bytes [34, 0B, 7D, AA, C2, 00, 7D, ...] .text ntoskrnl.exe!_abnormal_termination + 443 804E3114 12 Bytes [A6, 45, 7D, AA, D2, 46, 7D, ...] .text ntoskrnl.exe!_abnormal_termination + 453 804E3124 8 Bytes JMP 3CAA7D16 .text ntoskrnl.exe!IoIsOperationSynchronous 804E8EBA 5 Bytes JMP AA7C67DE \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) .text ntoskrnl.exe!CcCopyWrite + 686 804F6E00 14 Bytes [45, 08, 8B, 4D, 10, 8D, 3C, ...] .text ntoskrnl.exe!CcCopyWrite + 695 804F6E0F 36 Bytes [8B, 4D, 14, 8B, 75, 0C, 8B, ...] .text ntoskrnl.exe!CcCopyWrite + 6BB 804F6E35 6 Bytes JMP 02409089 .text ntoskrnl.exe!CcCopyWrite + 6C2 804F6E3C 53 Bytes CALL 804E2ACE \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!CcCopyWrite + 6F8 804F6E72 11 Bytes [FD, FF, FF, 39, 45, C4, 0F, ...] .text ... .text ntoskrnl.exe!RtlAppendUnicodeStringToString + 5C 804F704A 8 Bytes [33, C0, 5F, 5E, 5B, 5D, C2, ...] .text ntoskrnl.exe!RtlAppendUnicodeStringToString + 65 804F7053 28 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] .text ntoskrnl.exe!FsRtlCheckLockForWriteAccess + 19 804F7071 6 Bytes [B0, 01, 5E, C9, C2, 08] .text ntoskrnl.exe!FsRtlCheckLockForWriteAccess + 20 804F7078 42 Bytes [F6, 42, 72, 02, 0F, 85, CA, ...] .text ntoskrnl.exe!FsRtlCheckLockForWriteAccess + 4B 804F70A3 33 Bytes [FF, FF, 89, 4A, 6C, 89, 72, ...] .text ntoskrnl.exe!FsRtlCheckLockForWriteAccess + 6D 804F70C5 17 Bytes JMP 804E6213 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlCheckLockForWriteAccess + 80 804F70D8 3 Bytes [80, 7D, 18] .text ... .text ntoskrnl.exe!CcPurgeCacheSection + 15 804F7196 14 Bytes [8A, C8, 8B, 45, 08, 8B, 70, ...] .text ntoskrnl.exe!CcPurgeCacheSection + 24 804F71A5 6 Bytes [00, FF, 15, 70, 76, 4D] .text ntoskrnl.exe!CcPurgeCacheSection + 2B 804F71AC 6 Bytes [3B, FB, 0F, 85, 98, A0] .text ntoskrnl.exe!CcPurgeCacheSection + 33 804F71B4 6 Bytes [3B, F3, 0F, 85, 82, 0D] .text ntoskrnl.exe!CcPurgeCacheSection + 3B 804F71BC 29 Bytes [32, C0, 0F, B6, C0, 50, FF, ...] .text ... .text ntoskrnl.exe!swprintf + 22 804F745C 27 Bytes [00, 00, C7, 45, E4, FF, FF, ...] .text ntoskrnl.exe!swprintf + 3E 804F7478 23 Bytes [8B, 45, E0, C6, 00, 00, FF, ...] .text ntoskrnl.exe!swprintf + 56 804F7490 28 Bytes [8B, C6, 5E, C9, C3, 83, F8, ...] .text ntoskrnl.exe!swprintf + 73 804F74AD 10 Bytes [89, 8D, BC, FB, FF, FF, E9, ...] .text ntoskrnl.exe!swprintf + 7E 804F74B8 11 Bytes [0F, B7, C3, 83, F8, 49, 0F, ...] .text ... .text ntoskrnl.exe!FsRtlUninitializeOplock + 19 804F75BA 291 Bytes CALL 804E2AD2 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlDeleteElementGenericTableAvl + 76 804F76DE 27 Bytes [00, 39, 58, 04, 8B, 4B, 08, ...] .text ntoskrnl.exe!RtlDeleteElementGenericTableAvl + 92 804F76FA 15 Bytes [8B, 3B, 8A, 47, 0C, 3A, C2, ...] .text ntoskrnl.exe!RtlDeleteElementGenericTableAvl + A2 804F770A 9 Bytes [00, F6, DA, 88, 57, 0C, 80, ...] .text ntoskrnl.exe!RtlDeleteElementGenericTableAvl + AC 804F7714 5 Bytes [0F, 85, B9, 50, 00] .text ntoskrnl.exe!RtlDeleteElementGenericTableAvl + B2 804F771A 13 Bytes [8B, 75, 0C, 3B, F3, 75, 5C, ...] .text ... .text ntoskrnl.exe!FsRtlAddLargeMcbEntry + 7 804F77F8 33 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlAddLargeMcbEntry + 29 804F781A 3 Bytes [83, 65, FC] .text ntoskrnl.exe!FsRtlAddLargeMcbEntry + 2D 804F781E 16 Bytes [8D, 45, E0, 50, 53, 56, E8, ...] .text ntoskrnl.exe!FsRtlAddLargeMcbEntry + 40 804F7831 34 Bytes [8B, C3, 8D, 44, 07, FF, 89, ...] .text ntoskrnl.exe!FsRtlAddLargeMcbEntry + 64 804F7855 9 Bytes [8B, 7D, E0, 85, FF, 0F, 84, ...] .text ... .text ntoskrnl.exe!RtlAreBitsClear + 24 804F79B4 63 Bytes [48, 8B, F0, 83, E0, 07, 8B, ...] .text ntoskrnl.exe!RtlAreBitsClear + 64 804F79F4 7 Bytes [41, 3B, CE, 0F, 82, 89, 47] .text ntoskrnl.exe!RtlAreBitsClear + 6C 804F79FC 11 Bytes [00, 8A, 00, 8B, 4D, 0C, 22, ...] .text ntoskrnl.exe!RtlAreBitsClear + 78 804F7A08 45 Bytes [EB, D7, 8A, 18, 40, 84, 9A, ...] .text ntoskrnl.exe!RtlAreBitsSet + 1C 804F7A36 7 Bytes [85, C9, 0F, 84, 15, 10, 00] .text ntoskrnl.exe!RtlAreBitsSet + 24 804F7A3E 33 Bytes [48, 8B, F0, 83, E0, 07, 8B, ...] .text ntoskrnl.exe!RtlAreBitsSet + 46 804F7A60 174 Bytes [00, 8A, 00, F6, D0, 22, 83, ...] .text ntoskrnl.exe!FsRtlLookupLastLargeMcbEntry + 8D 804F7B10 7 Bytes [FF, FF, FF, FF, 00, 00, 00] .text ntoskrnl.exe!FsRtlLookupLastLargeMcbEntry + 95 804F7B18 3 Bytes [21, 7B, 4F] {AND [EBX+0x4f], EDI} .text ntoskrnl.exe!FsRtlLookupLastLargeMcbEntry + 99 804F7B1C 30 Bytes [90, 90, 90, 90, 90, 8B, 45, ...] .text ntoskrnl.exe!FsRtlLookupLastLargeMcbEntry + B9 804F7B3C 39 Bytes [90, 90, 8B, FF, 55, 8B, EC, ...] .text ntoskrnl.exe!FsRtlNumberOfRunsInLargeMcb + 26 804F7B64 62 Bytes [90, 90, 90, 90, 6A, 18, 68, ...] .text ntoskrnl.exe!FsRtlTruncateLargeMcb + 3B 804F7BA3 18 Bytes [0B, 6A, 0F, 5A, 3B, CA, 0F, ...] .text ntoskrnl.exe!FsRtlTruncateLargeMcb + 4E 804F7BB6 9 Bytes CALL 804E2AD0 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlTruncateLargeMcb + 58 804F7BC0 5 Bytes [FF, FF, FF, FF, 00] .text ntoskrnl.exe!FsRtlTruncateLargeMcb + 5E 804F7BC6 1 Byte [00] .text ntoskrnl.exe!FsRtlTruncateLargeMcb + 5E 804F7BC6 5 Bytes [00, 00, DD, 7B, 4F] {ADD [EAX], AL; FNSTSW [EBX+0x4f]} .text ... .text ntoskrnl.exe!RtlLookupElementGenericTableFullAvl + 2A 804F811E 3 Bytes [C6, 40, 0C] .text ntoskrnl.exe!RtlLookupElementGenericTableFullAvl + 2E 804F8122 3 Bytes [80, 7E, 0C] .text ntoskrnl.exe!RtlLookupElementGenericTableFullAvl + 32 804F8126 5 Bytes [0F, 85, 2B, 01, 00] .text ntoskrnl.exe!RtlLookupElementGenericTableFullAvl + 38 804F812C 7 Bytes [FF, 46, 1C, E9, 23, 01, 00] .text ntoskrnl.exe!RtlLookupElementGenericTableFullAvl + 40 804F8134 7 Bytes [89, 58, 04, E9, A4, 01, 00] .text ... .text ntoskrnl.exe!RtlInsertElementGenericTableFullAvl + 11 804F82A0 23 Bytes [8B, 45, 10, 8B, 75, 08, 83, ...] .text ntoskrnl.exe!RtlInsertElementGenericTableFullAvl + 29 804F82B8 15 Bytes [57, 33, C0, 8B, FB, AB, AB, ...] .text ntoskrnl.exe!RtlInsertElementGenericTableFullAvl + 39 804F82C8 5 Bytes [0F, 84, 86, 28, 01] .text ntoskrnl.exe!RtlInsertElementGenericTableFullAvl + 3F 804F82CE 49 Bytes [83, 7D, 1C, 02, 8B, 45, 18, ...] .text ntoskrnl.exe!RtlInsertElementGenericTableFullAvl + 71 804F8300 41 Bytes [EB, E4, 80, C9, FF, EB, E8, ...] .text ntoskrnl.exe!FsRtlInitializeLargeMcb + 1E 804F832A 53 Bytes CALL 804EA3ED \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlInitializeLargeMcb + 54 804F8360 15 Bytes [89, 7E, 08, 8B, 45, 0C, 89, ...] .text ntoskrnl.exe!FsRtlInitializeLargeMcb + 64 804F8370 5 Bytes [00, 68, 00, 24, 55] {ADD [EAX+0x0], CH; AND AL, 0x55} .text ntoskrnl.exe!FsRtlInitializeLargeMcb + 6A 804F8376 13 Bytes CALL 804EA3F0 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlInitializeLargeMcb + 78 804F8384 17 Bytes [00, 83, 4D, FC, FF, E8, B3, ...] .text ... .text ntoskrnl.exe!PsGetProcessDebugPort + C 804F8546 1 Byte [00] .text ntoskrnl.exe!PsGetProcessDebugPort + C 804F8546 5 Bytes [00, 00, 5D, C2, 04] .text ntoskrnl.exe!PsGetProcessDebugPort + 12 804F854C 27 Bytes [83, 7D, FC, 04, 0F, 85, BA, ...] .text ntoskrnl.exe!PsGetProcessDebugPort + 2E 804F8568 27 Bytes [83, FB, 04, 0F, 85, 7A, FC, ...] .text ntoskrnl.exe!PsGetProcessDebugPort + 4A 804F8584 3 Bytes JMP 805019E7 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntoskrnl.exe!RtlUnwind + B 804F8744 87 Bytes [A1, 20, 1A, 55, 80, 56, 8B, ...] .text ntoskrnl.exe!RtlUnwind + 63 804F879C 1 Byte [00] .text ntoskrnl.exe!RtlUnwind + 63 804F879C 21 Bytes [00, 00, 83, 4E, 04, 02, 53, ...] .text ntoskrnl.exe!RtlUnwind + 79 804F87B2 1 Byte [01] .text ntoskrnl.exe!RtlUnwind + 79 804F87B2 3 Bytes [01, 00, E8] .text ... .text ntoskrnl.exe!FsRtlRemoveLargeMcbEntry + 76 804F8A43 76 Bytes [8B, 4D, 0C, F6, D0, 22, 81, ...] .text ntoskrnl.exe!FsRtlRemoveLargeMcbEntry + C3 804F8A90 23 Bytes [4F, 10, 8D, 04, 81, E9, 5C, ...] .text ntoskrnl.exe!FsRtlRemoveLargeMcbEntry + DB 804F8AA8 22 Bytes [47, 10, 89, 45, 08, E9, 2E, ...] .text ntoskrnl.exe!FsRtlRemoveLargeMcbEntry + F2 804F8ABF 39 Bytes JMP 804F7CE7 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlRemoveLargeMcbEntry + 11A 804F8AE7 29 Bytes [75, DC, 89, 74, 02, 0C, 8B, ...] .text ... .text ntoskrnl.exe!mbtowc + 13 804F94FE 46 Bytes [22, 38, 0E, 0F, 84, 93, EE, ...] .text ntoskrnl.exe!mbtowc + 42 804F952D 92 Bytes [80, 00, 00, 85, DE, 0F, 85, ...] .text ntoskrnl.exe!mbtowc + 9F 804F958A 81 Bytes [8B, C3, 0B, C7, 0F, 84, BE, ...] .text ntoskrnl.exe!mbtowc + F1 804F95DC 91 Bytes [85, EC, FB, FF, FF, 85, C0, ...] .text ntoskrnl.exe!mbtowc + 14D 804F9638 36 Bytes [C4, 0C, 85, C0, 89, 85, AC, ...] .text ... .text ntoskrnl.exe!FsRtlFreeFileLock + A4 804F9A87 17 Bytes [00, A3, 44, 6D, 55, 80, C6, ...] .text ntoskrnl.exe!FsRtlFreeFileLock + B6 804F9A99 14 Bytes JMP 80519A8C \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoQueueThreadIrp + 4 804F9AA8 11 Bytes [EC, 56, 57, B1, 01, FF, 15, ...] {IN AL, DX ; PUSH ESI; PUSH EDI; MOV CL, 0x1; CALL [0x804d7648]} .text ntoskrnl.exe!IoQueueThreadIrp + 10 804F9AB4 18 Bytes [55, 08, 8D, 72, 10, 8B, 52, ...] {PUSH EBP; OR [EBP+0x528b1072], CL; PUSH EAX; ADD EDX, 0x210; MOV EDI, [EDX]; MOV [ESI], EDI} .text ntoskrnl.exe!IoQueueThreadIrp + 23 804F9AC7 20 Bytes [56, 04, 89, 77, 04, 8A, C8, ...] .text ntoskrnl.exe!IoQueueThreadIrp + 38 804F9ADC 59 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] .text ntoskrnl.exe!IoFreeWorkItem + 4 804F9B18 96 Bytes [EC, 6A, 00, FF, 75, 08, E8, ...] .text ntoskrnl.exe!IoFreeWorkItem + 65 804F9B79 46 Bytes [FF, 0F, 00, 0F, 84, A9, 05, ...] .text ntoskrnl.exe!IoFreeWorkItem + 95 804F9BA9 65 Bytes [00, C0, 23, D1, 3B, D1, 0F, ...] .text ntoskrnl.exe!KeSetPriorityThread + 26 804F9BEB 26 Bytes [81, 38, 01, 00, 00, 8B, 40, ...] .text ntoskrnl.exe!KeSetPriorityThread + 41 804F9C06 90 Bytes [C6, 5E, 5B, 5D, C2, 08, 00, ...] .text ntoskrnl.exe!KeSetPriorityThread + 9C 804F9C61 27 Bytes [D5, FF, D7, 8B, 35, 20, 0C, ...] .text ntoskrnl.exe!KeSetPriorityThread + B8 804F9C7D 17 Bytes CALL 804DBD00 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KeSetPriorityThread + CA 804F9C8F 13 Bytes [55, 8B, EC, 51, 51, 53, 56, ...] .text ... .text ntoskrnl.exe!KeTerminateThread + 2B 804F9D1C 7 Bytes [00, 80, 3D, 24, 0C, 56, 80] .text ntoskrnl.exe!KeTerminateThread + 33 804F9D24 19 Bytes [89, 35, 20, 0C, 56, 80, 75, ...] .text ntoskrnl.exe!KeTerminateThread + 47 804F9D38 59 Bytes [C6, 05, 24, 0C, 56, 80, 01, ...] .text ntoskrnl.exe!KeTerminateThread + 84 804F9D75 111 Bytes [8D, 86, B0, 01, 00, 00, 8B, ...] .text ntoskrnl.exe!KeTerminateThread + F4 804F9DE5 18 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] .text ... .text ntoskrnl.exe!ZwCancelTimer + 11 804F9FA0 33 Bytes [00, 8A, 80, 40, 01, 00, 00, ...] .text ntoskrnl.exe!ZwCancelTimer + 33 804F9FC2 5 Bytes [1A, 56, 80, 6A, 02] {SBB DL, [ESI-0x80]; PUSH 0x2} .text ntoskrnl.exe!ZwCancelTimer + 39 804F9FC8 14 Bytes CALL 80564466 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!ZwCancelTimer + 48 804F9FD7 16 Bytes [15, 68, 76, 4D, 80, 88, 45, ...] .text ntoskrnl.exe!ZwCancelTimer + 59 804F9FE8 47 Bytes [56, 38, 1A, 0F, 85, E3, 37, ...] .text ... .text ntoskrnl.exe!FsRtlUninitializeFileLock + 4 804FA0D9 102 Bytes [EC, 83, EC, 0C, 8B, 45, 08, ...] .text ntoskrnl.exe!FsRtlUninitializeFileLock + 6B 804FA140 26 Bytes [0D, C4, 19, 55, 80, 66, FF, ...] .text ntoskrnl.exe!FsRtlUninitializeFileLock + 86 804FA15B 137 Bytes CALL 804F56B5 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlUninitializeFileLock + 110 804FA1E5 26 Bytes [00, 0F, 85, 8A, 28, 00, 00, ...] .text ntoskrnl.exe!FsRtlUninitializeFileLock + 12B 804FA200 95 Bytes [80, 0F, 85, 19, 28, 00, 00, ...] .text ... .text ntoskrnl.exe!KeInitializeTimerEx + D 804FA342 82 Bytes [08, 33, D2, 88, 08, 8D, 48, ...] .text ntoskrnl.exe!KeInitializeTimer + 2A 804FA395 30 Bytes [8D, 96, 02, 02, 00, 00, 80, ...] .text ntoskrnl.exe!KeInitializeTimer + 49 804FA3B4 34 Bytes [55, 8B, EC, 81, EC, E0, 02, ...] .text ntoskrnl.exe!KeInitializeTimer + 6D 804FA3D8 7 Bytes [8B, 73, 18, 81, EE, 10, 02] .text ntoskrnl.exe!KeInitializeTimer + 76 804FA3E1 7 Bytes [33, C0, B9, 84, 00, 00, 00] {XOR EAX, EAX; MOV ECX, 0x84} .text ntoskrnl.exe!KeInitializeTimer + 7E 804FA3E9 14 Bytes [FE, F3, AB, 80, 3D, C4, 98, ...] .text ... .text ntoskrnl.exe!RtlAppendUnicodeToString + 4 804FA585 7 Bytes [EC, 83, EC, 0C, 83, 7D, 0C] .text ntoskrnl.exe!RtlAppendUnicodeToString + C 804FA58D 196 Bytes [56, 57, 74, 58, FF, 75, 0C, ...] .text ntoskrnl.exe!RtlAppendUnicodeToString + D1 804FA652 149 Bytes [FF, 55, 8B, EC, FF, 75, 10, ...] .text ntoskrnl.exe!RtlAppendUnicodeToString + 167 804FA6E8 59 Bytes [FE, FF, FF, 89, 95, 04, FE, ...] .text ntoskrnl.exe!RtlAppendUnicodeToString + 1A3 804FA724 23 Bytes [00, 89, 96, 08, 02, 00, 00, ...] .text ... .text ntoskrnl.exe!RtlImageNtHeader + 37 804FAA0C 55 Bytes [3B, D1, 0F, 83, 03, 1A, 01, ...] .text ntoskrnl.exe!RtlImageNtHeader + 6F 804FAA44 9 Bytes [8B, D8, 85, DB, 0F, 84, 17, ...] .text ntoskrnl.exe!RtlImageNtHeader + 79 804FAA4E 23 Bytes [8D, 44, B3, 04, C1, E0, 0A, ...] .text ntoskrnl.exe!RtlImageNtHeader + 91 804FAA66 152 Bytes [8D, 88, 00, D0, FF, FF, 25, ...] .text ntoskrnl.exe!RtlImageNtHeader + 12A 804FAAFF 18 Bytes [C8, 40, FF, 4D, F8, 89, 07, ...] .text ... .text ntoskrnl.exe!PsGetProcessSectionBaseAddress + 1E 804FAB90 45 Bytes [E0, 87, 5F, 80, 90, 90, 90, ...] .text ntoskrnl.exe!PsGetProcessSectionBaseAddress + 4D 804FABBF 16 Bytes [83, F8, 02, 74, 14, 3B, C3, ...] .text ntoskrnl.exe!PsGetProcessSectionBaseAddress + 5F 804FABD1 72 Bytes [00, FF, 15, 60, 76, 4D, 80, ...] .text ntoskrnl.exe!PsGetProcessSectionBaseAddress + A8 804FAC1A 14 Bytes [83, 63, 0C, FD, 33, C9, 89, ...] .text ntoskrnl.exe!PsGetProcessSectionBaseAddress + B7 804FAC29 62 Bytes [37, 76, 02, 00, 89, 0D, EC, ...] .text ... .text ntoskrnl.exe!IoPageRead + E6 804FB25A 36 Bytes [B7, CA, 23, 0D, D4, F4, 55, ...] .text ntoskrnl.exe!IoPageRead + 10B 804FB27F 65 Bytes [55, 08, 33, C0, 03, 55, E4, ...] .text ntoskrnl.exe!IoPageRead + 14D 804FB2C1 106 Bytes [8D, 04, 40, 8D, 04, C1, 6A, ...] .text ntoskrnl.exe!IoPageRead + 1BB 804FB32F 115 Bytes [8B, FF, 55, 8B, EC, 51, 8B, ...] .text ntoskrnl.exe!IoPageRead + 22F 804FB3A3 93 Bytes [0D, 02, 10, 00, 00, 81, EB, ...] .text ... .text ntoskrnl.exe!_strnicmp + 9 804FBF6E 124 Bytes [0F, 84, C5, C3, 02, 00, 5D, ...] .text ntoskrnl.exe!_strnicmp + 86 804FBFEB 28 Bytes JMP 804E8D14 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!_strnicmp + A3 804FC008 2 Bytes [8B, C6] {MOV EAX, ESI} .text ntoskrnl.exe!_strnicmp + A6 804FC00B 6 Bytes [F8, FF, 74, 0F, C7, 05] .text ntoskrnl.exe!_strnicmp + AD 804FC012 94 Bytes [33, 55, 80, 01, 00, 00, 00, ...] .text ntoskrnl.exe!IoMakeAssociatedIrp + 22 804FC071 57 Bytes [33, D2, 38, 45, 0C, 56, 57, ...] .text ntoskrnl.exe!IoMakeAssociatedIrp + 5C 804FC0AB 52 Bytes [FF, 46, 0C, 8B, CE, 89, 45, ...] .text ntoskrnl.exe!IoMakeAssociatedIrp + 91 804FC0E0 13 Bytes [66, 8B, 42, 1C, 66, 89, 45, ...] .text ntoskrnl.exe!IoMakeAssociatedIrp + 9F 804FC0EE 67 Bytes [00, 00, 0F, B7, 4D, F8, 8B, ...] .text ntoskrnl.exe!IoMakeAssociatedIrp + E3 804FC132 16 Bytes [89, 40, 04, 89, 00, 83, 4A, ...] {MOV [EAX+0x4], EAX; MOV [EAX], EAX; OR DWORD [EDX+0x8], 0x8; LEA EAX, [EBX+EBX*8]; LEA EAX, [EDX+EAX*4+0x70]} .text ... .text ntoskrnl.exe!RtlNumberOfSetBits 804FC1F7 35 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...] .text ntoskrnl.exe!RtlNumberOfSetBits + 24 804FC21B 1 Byte [4E] .text ntoskrnl.exe!RtlNumberOfSetBits + 24 804FC21B 24 Bytes [4E, 80, 20, 16, 8B, 40, 04, ...] .text ntoskrnl.exe!RtlNumberOfSetBits + 3E 804FC235 70 Bytes [0F, BE, 92, 50, C2, 4F, 80, ...] .text ntoskrnl.exe!RtlNumberOfSetBits + 85 804FC27C 211 Bytes [05, 04, 04, 03, 06, 05, 05, ...] .text ... .text ntoskrnl.exe!RtlClearAllBits + C1 804FC4F2 67 Bytes [8B, 78, 08, 8B, 40, 0C, 89, ...] .text ntoskrnl.exe!RtlClearAllBits + 105 804FC536 8 Bytes [15, 70, 76, 4D, 80, 83, 65, ...] .text ntoskrnl.exe!RtlClearAllBits + 10E 804FC53F 111 Bytes [FF, 15, 68, 76, 4D, 80, 88, ...] .text ntoskrnl.exe!RtlClearAllBits + 17F 804FC5B0 1 Byte [43] .text ntoskrnl.exe!RtlClearAllBits + 17F 804FC5B0 68 Bytes [43, 10, 8B, 45, 08, 89, 43, ...] .text ... .text ntoskrnl.exe!ZwYieldExecution 804FC679 17 Bytes [83, 3D, 6C, 19, 55, 80, 00, ...] .text ntoskrnl.exe!ZwYieldExecution + 12 804FC68B 31 Bytes [00, 56, 57, 64, A1, 24, 01, ...] .text ntoskrnl.exe!ZwYieldExecution + 32 804FC6AB 25 Bytes [75, 1A, 0F, B6, 8E, 2B, 01, ...] .text ntoskrnl.exe!ZwYieldExecution + 4C 804FC6C5 41 Bytes [00, 00, 0F, BE, 4E, 33, 83, ...] .text ntoskrnl.exe!ZwYieldExecution + 76 804FC6EF 22 Bytes [02, 8B, C8, C6, 46, 6E, 00, ...] .text ... .text ntoskrnl.exe!IoBuildDeviceIoControlRequest + F 804FCC30 17 Bytes [8A, 40, 30, 88, 45, E4, 33, ...] .text ntoskrnl.exe!IoBuildDeviceIoControlRequest + 21 804FCC42 12 Bytes [8B, D8, 89, 5D, DC, 3B, DF, ...] .text ntoskrnl.exe!IoBuildDeviceIoControlRequest + 2E 804FCC4F 47 Bytes CALL A0CD4C78 .text ntoskrnl.exe!IoBuildDeviceIoControlRequest + 5E 804FCC7F 51 Bytes [3B, F7, 75, 08, 3B, D7, 0F, ...] .text ntoskrnl.exe!IoBuildDeviceIoControlRequest + 92 804FCCB3 64 Bytes [00, C7, 43, 08, 30, 00, 00, ...] .text ... .text ntoskrnl.exe!IoGetRequestorSessionId + 19 804FCD8B 110 Bytes CALL 804E7ADF \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoGetRequestorSessionId + 88 804FCDFA 27 Bytes [8B, 12, 85, D2, 0F, 84, 54, ...] .text ntoskrnl.exe!IoGetRequestorSessionId + A4 804FCE16 19 Bytes [20, 0F, 85, 9A, 66, 00, 00, ...] .text ntoskrnl.exe!IoGetRequestorSessionId + B8 804FCE2A 15 Bytes CALL 804C8939 .text ntoskrnl.exe!IoGetRequestorSessionId + C9 804FCE3B 7 Bytes [00, C0, 01, 0F, 84, 7B, 66] {ADD AL, AL; ADD [EDI], ECX; TEST [EBX+0x66], BH} .text ... .text ntoskrnl.exe!IoGetAttachedDeviceReference + 30 804FCF85 3 Bytes [90, 90, 90] {NOP ; NOP ; NOP } .text ntoskrnl.exe!IoGetAttachedDeviceReference + 35 804FCF8A 6 Bytes [8B, FF, 55, 8B, EC, 6A] .text ntoskrnl.exe!IoGetAttachedDeviceReference + 3C 804FCF91 11 Bytes [FF, 75, 08, 6A, 00, 6A, 00, ...] .text ntoskrnl.exe!IoGetAttachedDeviceReference + 48 804FCF9D 8 Bytes CALL 804DC750 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoGetAttachedDeviceReference + 51 804FCFA6 23 Bytes [00, 74, E6, 3D, C0, 00, 00, ...] .text ... .text ntoskrnl.exe!KeRundownQueue + 47 804FD04E 16 Bytes [0F, B7, 89, 68, F2, 4F, 80, ...] .text ntoskrnl.exe!KeRundownQueue + 5D 804FD064 11 Bytes [8B, FF, 55, 8B, EC, 83, EC, ...] .text ntoskrnl.exe!KeRundownQueue + 69 804FD070 7 Bytes [57, 8B, 7E, 08, 8D, 8F, E8] .text ntoskrnl.exe!KeRundownQueue + 71 804FD078 24 Bytes [00, 00, 8D, 55, F4, FF, 15, ...] .text ntoskrnl.exe!KeRundownQueue + 8A 804FD091 8 Bytes [8D, 4D, F4, FF, 15, 5C, 76, ...] .text ... .text ntoskrnl.exe!KeQueryRuntimeThread + 19 804FD11D 47 Bytes [5D, C2, 08, 00, 90, 90, 90, ...] .text ntoskrnl.exe!ExNotifyCallback + 27 804FD14D 90 Bytes [88, 45, 0B, 0F, 85, 38, EE, ...] .text ntoskrnl.exe!ExNotifyCallback + 83 804FD1A9 121 Bytes [3B, FA, 0F, 83, B8, C5, 00, ...] .text ntoskrnl.exe!RtlWalkFrameChain + 3A 804FD223 65 Bytes [00, 89, 75, CC, 8B, 78, 20, ...] .text ntoskrnl.exe!ExGetPreviousMode + 6 804FD266 36 Bytes [8A, 80, 40, 01, 00, 00, C3, ...] .text ntoskrnl.exe!ExGetPreviousMode + 2C 804FD28C 12 Bytes [8B, 40, 1C, 8B, 4D, 0C, 89, ...] .text ntoskrnl.exe!ExGetPreviousMode + 39 804FD299 22 Bytes [00, 8B, 80, 68, 01, 00, 00, ...] .text ntoskrnl.exe!ExGetPreviousMode + 50 804FD2B0 14 Bytes [3B, F0, 0F, 87, 45, A3, 02, ...] {CMP ESI, EAX; JA 0x2a34d; MOV [ECX], ESI; MOV AL, 0x1; POP ESI; POP EBP} .text ntoskrnl.exe!ExGetPreviousMode + 5F 804FD2BF 1 Byte [0C] .text ... .text ntoskrnl.exe!PoRegisterSystemState + 24 804FD3C1 13 Bytes [80, 0B, C1, 85, 4D, 0C, 89, ...] .text ntoskrnl.exe!PoRegisterSystemState + 32 804FD3CF 62 Bytes [8B, 4D, 08, 87, 01, 50, FF, ...] .text ntoskrnl.exe!PoRegisterSystemState + 71 804FD40E 100 Bytes [8B, 56, 3C, 39, 55, F8, 8B, ...] .text ntoskrnl.exe!PoRegisterSystemState + D7 804FD474 43 Bytes [3B, C3, 77, B7, 8B, 5D, E8, ...] .text ntoskrnl.exe!PoRegisterSystemState + 103 804FD4A0 83 Bytes [83, F9, 03, 0F, 85, 23, F8, ...] .text ntoskrnl.exe!RtlEqualString + 21 804FD4F4 67 Bytes [8B, 71, 04, 8B, 7A, 04, 03, ...] .text ntoskrnl.exe!RtlEqualString + 65 804FD538 20 Bytes [00, 0F, 83, F6, FC, FF, FF, ...] .text ntoskrnl.exe!RtlEqualString + 7B 804FD54E 12 Bytes [01, 0F, 84, E0, FC, FF, FF, ...] .text ntoskrnl.exe!RtlEqualString + 88 804FD55B 89 Bytes [3C, 02, 0F, 83, D2, FC, FF, ...] .text ntoskrnl.exe!RtlEqualString + E2 804FD5B5 40 Bytes [90, 90, 90, FF, FF, FF, FF, ...] .text ... .text ntoskrnl.exe!RtlMapSecurityErrorToNtStatus 804FD6CD 185 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...] .text ntoskrnl.exe!RtlMapSecurityErrorToNtStatus + BB 804FD788 27 Bytes [8B, FE, F3, AB, FF, 15, 68, ...] .text ntoskrnl.exe!RtlMapSecurityErrorToNtStatus + D7 804FD7A4 2 Bytes [21, 55] .text ntoskrnl.exe!RtlMapSecurityErrorToNtStatus + DA 804FD7A7 16 Bytes JMP 804F4CF2 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlMapSecurityErrorToNtStatus + EB 804FD7B8 3 Bytes [35, EE, 59] .text ... .text ntoskrnl.exe!ExSystemTimeToLocalTime + 19 804FD82B 32 Bytes [8B, 45, 0C, 89, 08, 89, 50, ...] .text ntoskrnl.exe!ExSystemTimeToLocalTime + 3A 804FD84C 45 Bytes JMP 804EBB7F \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!ExSystemTimeToLocalTime + 68 804FD87A 31 Bytes [3B, C1, 0F, 84, 32, E3, 00, ...] .text ntoskrnl.exe!ExSystemTimeToLocalTime + 88 804FD89A 4 Bytes [90, 90, 90, 90] {NOP ; NOP ; NOP ; NOP } .text ntoskrnl.exe!ExSystemTimeToLocalTime + 8D 804FD89F 63 Bytes [8B, FF, 55, 8B, EC, 8B, 55, ...] .text ... .text ntoskrnl.exe!wcscat + 6B 804FD962 51 Bytes [68, 00, 2A, 55, 80, E8, 84, ...] .text ntoskrnl.exe!wcscat + 9F 804FD996 41 Bytes [8B, 4D, 10, 8B, 45, 0C, 89, ...] .text ntoskrnl.exe!wcscat + C9 804FD9C0 19 Bytes [FF, FF, FF, FF, 11, 52, 5E, ...] .text ntoskrnl.exe!wcscat + DD 804FD9D4 3 Bytes [AA, 52, 5E] {STOSB ; PUSH EDX; POP ESI} .text ntoskrnl.exe!wcscat + E1 804FD9D8 11 Bytes [FF, FF, FF, FF, 6F, 53, 5E, ...] .text ... .text ntoskrnl.exe!FsRtlPrivateLock + 6A 804FDA7A 18 Bytes [7B, 0C, FF, 15, 68, 76, 4D, ...] .text ntoskrnl.exe!FsRtlPrivateLock + 7E 804FDA8E 13 Bytes [45, A0, 50, 57, 80, 7D, 24, ...] .text ntoskrnl.exe!FsRtlPrivateLock + 8C 804FDA9C 40 Bytes CALL 804FDC9C \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlPrivateLock + B5 804FDAC5 16 Bytes [C6, 45, E7, 01, 83, 4D, FC, ...] {MOV BYTE [EBP-0x19], 0x1; OR DWORD [EBP-0x4], -0x1; CALL 0xffffffffffffff24; MOV AL, [EBP-0x19]} .text ntoskrnl.exe!FsRtlPrivateLock + C6 804FDAD6 4 Bytes CALL 804E2AD3 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntoskrnl.exe!FsRtlCheckLockForReadAccess + 17 804FDB08 12 Bytes [0F, 85, 3F, 0B, 00, 00, B0, ...] .text ntoskrnl.exe!FsRtlCheckLockForReadAccess + 24 804FDB15 46 Bytes JMP 804F5438 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlCheckLockForReadAccess + 53 804FDB44 25 Bytes [83, 65, FC, 00, 57, 8B, 7D, ...] .text ntoskrnl.exe!FsRtlCheckLockForReadAccess + 6D 804FDB5E 7 Bytes [00, 00, 33, C0, C9, C2, 14] .text ntoskrnl.exe!FsRtlCheckLockForReadAccess + 75 804FDB66 20 Bytes [89, 45, F0, 8B, 40, 04, 85, ...] .text ... .text ntoskrnl.exe!FsRtlFastUnlockSingle + 2F 804FDD82 80 Bytes [00, 85, C0, 74, 1E, 6A, 01, ...] .text ntoskrnl.exe!FsRtlFastUnlockSingle + 80 804FDDD3 12 Bytes [88, 45, 10, 8B, 47, 08, 85, ...] .text ntoskrnl.exe!FsRtlFastUnlockSingle + 8E 804FDDE1 2 Bytes [BE, 7E] .text ntoskrnl.exe!FsRtlFastUnlockSingle + 91 804FDDE4 39 Bytes [00, C0, 8A, 4D, 10, FF, 15, ...] .text ntoskrnl.exe!FsRtlFastUnlockSingle + B9 804FDE0C 3 Bytes [5E, 54, 5E] {POP ESI; PUSH ESP; POP ESI} .text ... .text ntoskrnl.exe!FsRtlAllocateFileLock + 7 804FE3E1 59 Bytes CALL 804EA3ED \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlFastCheckLockForRead + 17 804FE41D 3 Bytes [0F, 85, A7] .text ntoskrnl.exe!FsRtlFastCheckLockForRead + 1D 804FE423 17 Bytes [B0, 01, 5E, C9, C2, 18, 00, ...] .text ntoskrnl.exe!FsRtlFastCheckLockForRead + 2F 804FE435 5 Bytes [0F, 85, 9B, 91, 00] .text ntoskrnl.exe!FsRtlFastCheckLockForRead + 35 804FE43B 95 Bytes CALL 804EA270 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlFastCheckLockForRead + 95 804FE49B 7 Bytes [00, 3B, CE, 0F, 86, 4F, B8] .text ... .text ntoskrnl.exe!FsRtlFastCheckLockForWrite + 17 804FE595 3 Bytes [83, 7E, 10] .text ntoskrnl.exe!FsRtlFastCheckLockForWrite + 1B 804FE599 5 Bytes [75, 0A, 83, 7E, 14] .text ntoskrnl.exe!FsRtlFastCheckLockForWrite + 21 804FE59F 4 Bytes [0F, 84, 0B, 8E] .text ntoskrnl.exe!FsRtlFastCheckLockForWrite + 26 804FE5A4 18 Bytes [00, 8B, 4D, 10, 8B, 01, 8B, ...] .text ntoskrnl.exe!FsRtlFastCheckLockForWrite + 39 804FE5B7 43 Bytes [8B, 55, 0C, 53, 8B, 1A, 03, ...] .text ... .text ntoskrnl.exe!CcFastCopyWrite + 40 804FE847 22 Bytes [8B, 45, 0C, 89, 45, B4, 89, ...] .text ntoskrnl.exe!CcFastCopyWrite + 57 804FE85E 4 Bytes [5A, B8, FF, 0F] .text ntoskrnl.exe!CcFastCopyWrite + 5D 804FE864 10 Bytes [8B, 7D, 0C, 85, F8, 75, 0C, ...] .text ntoskrnl.exe!CcFastCopyWrite + 68 804FE86F 24 Bytes [10, 00, 00, 72, 03, 6A, 03, ...] .text ntoskrnl.exe!CcFastCopyWrite + 81 804FE888 59 Bytes [F0, FF, FF, 3B, C1, 72, 35, ...] .text ... .text ntoskrnl.exe!KeAreApcsDisabled + 6 804FEA6B 5 Bytes [33, C9, 39, 88, D4] .text ntoskrnl.exe!KeAreApcsDisabled + D 804FEA72 14 Bytes [00, 0F, 95, C1, 8A, C1, C3, ...] .text ntoskrnl.exe!KeAreApcsDisabled + 1C 804FEA81 3 Bytes [8D, 04, 85] .text ntoskrnl.exe!KeAreApcsDisabled + 21 804FEA86 5 Bytes [00, C0, 89, 45, F4] {ADD AL, AL; MOV [EBP-0xc], EAX} .text ntoskrnl.exe!KeAreApcsDisabled + 27 804FEA8C 16 Bytes [58, DE, FE, FF, 8B, 46, 50, ...] .text ... .text ntoskrnl.exe!FsRtlInsertPerStreamContext + 1C 804FEAFE 33 Bytes [8B, 4D, 0C, 8D, 46, 2C, 8B, ...] .text ntoskrnl.exe!FsRtlInsertPerStreamContext + 3E 804FEB20 13 Bytes [B8, 10, 00, 00, C0, EB, F4, ...] .text ntoskrnl.exe!FsRtlInsertPerStreamContext + 4E 804FEB30 56 Bytes [23, FA, 58, 80, FF, 45, D4, ...] .text ntoskrnl.exe!FsRtlInsertPerStreamContext + 87 804FEB69 5 Bytes [33, C0, 40, E9, DC] .text ntoskrnl.exe!FsRtlInsertPerStreamContext + 8E 804FEB70 9 Bytes [00, FF, 15, 68, 76, 4D, 80, ...] {ADD BH, BH; ADC EAX, 0x804d7668; MOV CL, AL} .text ... .text ntoskrnl.exe!IoBuildAsynchronousFsdRequest + 2C 804FECB9 5 Bytes [00, 64, A1, 24, 01] .text ntoskrnl.exe!IoBuildAsynchronousFsdRequest + 32 804FECBF 9 Bytes [00, 89, 46, 50, 8B, 5E, 60, ...] .text ntoskrnl.exe!IoBuildAsynchronousFsdRequest + 3C 804FECC9 69 Bytes [8B, 45, 08, 88, 03, 83, F8, ...] .text ntoskrnl.exe!IoBuildAsynchronousFsdRequest + 83 804FED10 130 Bytes [10, 7E, 01, 00, 8B, 45, 10, ...] .text ntoskrnl.exe!IoBuildAsynchronousFsdRequest + 106 804FED93 10 Bytes [00, 02, 00, 01, 00, 03, 00, ...] {ADD [EDX], AL; ADD [ECX], AL; ADD [EBX], AL; ADD [ECX], AL; ADD [EDX], AL} .text ... .text ntoskrnl.exe!RtlDeleteNoSplay + 38 804FF06E 9 Bytes [0E, 89, 08, 5F, 5E, 5B, 5D, ...] .text ntoskrnl.exe!RtlDeleteNoSplay + 42 804FF078 198 Bytes [8B, 06, 3B, C6, 74, 0B, 8D, ...] .text ntoskrnl.exe!RtlDeleteNoSplay + 109 804FF13F 67 Bytes [4B, 10, 8B, 45, DC, 8D, 0C, ...] .text ntoskrnl.exe!RtlDeleteNoSplay + 14D 804FF183 36 Bytes [0F, 85, B9, D4, FF, FF, 6A, ...] .text ntoskrnl.exe!RtlDeleteNoSplay + 173 804FF1A9 25 Bytes JMP 804F89B4 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + C 804FFF39 35 Bytes [20, 0F, 85, 96, FB, FF, FF, ...] .text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + 30 804FFF5D 5 Bytes [F0, 81, F9, 00, 00] .text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + 36 804FFF63 19 Bytes [D0, 0F, 84, B2, 72, 02, 00, ...] .text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + 4A 804FFF77 32 Bytes [0F, 82, 1B, FB, FF, FF, 0F, ...] .text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + 6C 804FFF99 8 Bytes [0F, 83, 87, 72, 02, 00, EB, ...] {JAE 0x2728d; JMP 0xffffffffffffffd7} .text ... .text ntoskrnl.exe!FsRtlRemovePerStreamContext + 78 8050043F 2 Bytes [EF, 00] .text ntoskrnl.exe!FsRtlRemovePerStreamContext + 7B 80500442 26 Bytes [D0, 3F, 83, 7D, FC, 00, 74, ...] .text ntoskrnl.exe!FsRtlRemovePerStreamContext + 96 8050045D 22 Bytes CALL 804E9BD5 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlRemovePerStreamContext + AD 80500474 9 Bytes CALL C194918F .text ntoskrnl.exe!FsRtlRemovePerStreamContext + B7 8050047E 40 Bytes [3B, 75, F4, 0F, 86, 41, C6, ...] .text ... .text ntoskrnl.exe!ZwSignalAndWaitForSingleObject + 11 80500917 59 Bytes [00, 8A, 80, 40, 01, 00, 00, ...] .text ntoskrnl.exe!ZwSignalAndWaitForSingleObject + 4D 80500953 45 Bytes [75, E4, 53, 68, 00, 00, 10, ...] .text ntoskrnl.exe!ZwSignalAndWaitForSingleObject + 7B 80500981 7 Bytes [41, F0, 3B, 05, C0, 1E, 56] .text ntoskrnl.exe!ZwSignalAndWaitForSingleObject + 83 80500989 63 Bytes [0F, 85, AC, 4F, 02, 00, 80, ...] .text ntoskrnl.exe!ZwSignalAndWaitForSingleObject + C3 805009C9 66 Bytes CALL 804D918E \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntoskrnl.exe!RtlFindLastBackwardRunClear + B 80500F54 10 Bytes [0F, 84, 5C, 5E, 02, 00, 8B, ...] {JZ 0x25e62; MOV EAX, [EBP+0xc]; PUSH ESI} .text ntoskrnl.exe!RtlFindLastBackwardRunClear + 16 80500F5F 65 Bytes [71, 04, 8B, C8, C1, E9, 05, ...] .text ntoskrnl.exe!RtlFindLastBackwardRunClear + 58 80500FA1 102 Bytes [8B, C8, 83, E1, 1F, 8B, 1C, ...] .text ntoskrnl.exe!RtlFindLastBackwardRunClear + C0 80501009 147 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] .text ntoskrnl.exe!RtlNumberOfClearBits + 90 8050109E 4 Bytes [45, E4, 83, 38] .text ntoskrnl.exe!RtlNumberOfClearBits + 95 805010A3 17 Bytes JMP 5B3C10A6 .text ntoskrnl.exe!RtlNumberOfClearBits + A7 805010B5 7 Bytes [C0, 89, 45, C0, EB, CA, 3B] {ROR BYTE [ECX-0x35143fbb], 0x3b} .text ntoskrnl.exe!RtlNumberOfClearBits + AF 805010BD 147 Bytes [D4, 0F, 83, 4E, E1, FF, FF, ...] .text ntoskrnl.exe!RtlNumberOfClearBits + 143 80501151 166 Bytes JMP 804F6725 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntoskrnl.exe!PsGetProcessCreateTimeQuadPart + 53 8050128D 34 Bytes [FF, 05, 80, 0D, 55, 80, 83, ...] .text ntoskrnl.exe!PsGetProcessCreateTimeQuadPart + 76 805012B0 25 Bytes [81, E1, FF, FA, FF, FF, 81, ...] .text ntoskrnl.exe!PsGetProcessCreateTimeQuadPart + 91 805012CB 59 Bytes [00, 33, F6, 3B, C1, A3, 1C, ...] .text ntoskrnl.exe!PsGetProcessCreateTimeQuadPart + CD 80501307 99 Bytes [53, 8B, 5D, 08, F6, 43, 3E, ...] .text ntoskrnl.exe!PsGetProcessCreateTimeQuadPart + 131 8050136B 69 Bytes [C1, E1, 06, 81, C1, E0, AB, ...] .text ... .text ntoskrnl.exe!wcschr + 1 80502665 70 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...] .text ntoskrnl.exe!PsGetProcessSessionId + 1E 805026AD 34 Bytes [FF, FF, FF, 17, 6A, 5F, 80, ...] .text ntoskrnl.exe!PsGetProcessSessionId + 41 805026D0 11 Bytes [FF, FF, FF, FF, BA, 6A, 5F, ...] .text ntoskrnl.exe!PsGetProcessSessionId + 51 805026E0 3 Bytes [FF, FF, FF] .text ntoskrnl.exe!PsGetProcessSessionId + 55 805026E4 22 Bytes [FF, 47, 5F, 80, 12, 48, 5F, ...] .text ntoskrnl.exe!RtlImageDirectoryEntryToData 805026FD 2 Bytes [8B, FF] {MOV EDI, EDI} .text ntoskrnl.exe!RtlImageDirectoryEntryToData + 4 80502701 12 Bytes [EC, 53, 8B, 5D, 08, F6, C3, ...] .text ntoskrnl.exe!RtlImageDirectoryEntryToData + 12 8050270F 96 Bytes CALL 804FA9D4 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlImageDirectoryEntryToData + 73 80502770 1 Byte [7D] .text ntoskrnl.exe!RtlImageDirectoryEntryToData + 73 80502770 52 Bytes [7D, 08, 3B, FE, 73, 0D, 53, ...] .text ... .text ntoskrnl.exe!MmMapLockedPages + 31 80502F68 1 Byte [26] .text ntoskrnl.exe!MmMapLockedPages + 31 80502F68 3 Bytes [26, A1, 5F] .text ntoskrnl.exe!MmMapLockedPages + 35 80502F6C 67 Bytes [66, C7, 46, 60, 01, 00, E9, ...] .text ntoskrnl.exe!MmMapLockedPages + 79 80502FB0 21 Bytes [0F, 85, 6F, 1C, 00, 00, 81, ...] .text ntoskrnl.exe!MmMapLockedPages + 8F 80502FC6 8 Bytes [85, FF, 0F, 84, 9C, 8A, FF, ...] {TEST EDI, EDI; JZ 0xffffffffffff8aa4} .text ... .text ntoskrnl.exe!wcsstr + D 80502FF0 59 Bytes [45, 08, 57, 8B, F8, 74, 45, ...] .text ntoskrnl.exe!wcsstr + 49 8050302C 45 Bytes [00, 47, 47, 66, 8B, 17, 40, ...] .text ntoskrnl.exe!wcsstr + 77 8050305A 34 Bytes [FF, FF, B6, 8D, 60, 80, C9, ...] .text ntoskrnl.exe!wcsstr + 9A 8050307D 2 Bytes JMP 804FB926 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!wcsstr + 9E 80503081 55 Bytes [8A, CB, FF, 15, 70, 76, 4D, ...] .text ... .text ntoskrnl.exe!IoGetRequestorProcessId + 36 805031B3 42 Bytes [A0, 0F, 84, B8, 95, 01, 00, ...] .text ntoskrnl.exe!ExLocalTimeToSystemTime + 1A 805031DE 2 Bytes [45, 0C] .text ntoskrnl.exe!ExLocalTimeToSystemTime + 1D 805031E1 46 Bytes [08, 89, 50, 04, 5D, C2, 08, ...] .text ntoskrnl.exe!ExLocalTimeToSystemTime + 4C 80503210 29 Bytes [8D, 55, F4, FF, 15, E4, 75, ...] .text ntoskrnl.exe!ExLocalTimeToSystemTime + 6A 8050322E 21 Bytes [C7, EB, B8, 90, 90, 90, 90, ...] .text ntoskrnl.exe!ExLocalTimeToSystemTime + 80 80503244 70 Bytes [FF, FF, FF, FF, AE, 48, 5F, ...] .text ... .text ntoskrnl.exe!MmCreateMdl + 4E 80503464 13 Bytes [5D, C2, 0C, 00, 83, 7D, C8, ...] .text ntoskrnl.exe!MmCreateMdl + 5C 80503472 104 Bytes [FF, 75, F0, FF, 75, FC, E8, ...] .text ntoskrnl.exe!MmCreateMdl + C5 805034DB 128 Bytes [00, 00, 8B, 40, 44, 05, 50, ...] .text ntoskrnl.exe!MmCreateMdl + 146 8050355C 10 Bytes [00, F6, 46, 23, 10, 0F, 85, ...] .text ntoskrnl.exe!MmCreateMdl + 151 80503567 68 Bytes [5F, 89, 70, 08, 5E, 5D, C2, ...] .text ... .text ntoskrnl.exe!PsGetProcessInheritedFromUniqueProcessId + 8 8050418F 29 Bytes [8B, 80, 4C, 01, 00, 00, 5D, ...] .text ntoskrnl.exe!PsGetProcessInheritedFromUniqueProcessId + 26 805041AD 60 Bytes [FF, FF, FF, 9A, 1D, 5B, 80, ...] .text ntoskrnl.exe!PsGetProcessInheritedFromUniqueProcessId + 63 805041EA 16 Bytes CALL 09A81AE6 .text ntoskrnl.exe!PsGetProcessInheritedFromUniqueProcessId + 74 805041FB 50 Bytes [4D, FC, 0F, C1, 01, 2B, C2, ...] .text ntoskrnl.exe!PsGetProcessInheritedFromUniqueProcessId + A7 8050422E 9 Bytes [8B, 4D, 08, 0F, C1, 01, 48, ...] .text ... .text ntoskrnl.exe!RtlEnumerateGenericTableWithoutSplayingAvl + C 80504310 48 Bytes [0F, 85, 09, 69, 00, 00, 33, ...] .text ntoskrnl.exe!RtlEnumerateGenericTableAvl + 20 80504341 54 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] .text ntoskrnl.exe!RtlEnumerateGenericTableAvl + 57 80504378 7 Bytes [84, C9, 0F, 85, 7B, 91, 01] .text ntoskrnl.exe!RtlEnumerateGenericTableAvl + 5F 80504380 56 Bytes CALL 804DBCFF \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlEnumerateGenericTableAvl + 98 805043B9 38 Bytes [8B, 87, EC, 00, 00, 00, 8B, ...] .text ntoskrnl.exe!RtlEnumerateGenericTableAvl + BF 805043E0 63 Bytes [00, 25, 00, 0C, 00, 00, 3D, ...] .text ... .text ntoskrnl.exe!RtlSecondsSince1970ToTime + 5D 80504A88 12 Bytes JMP 804F130B \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlSecondsSince1970ToTime + 6A 80504A95 61 Bytes [13, FF, FF, 8B, 46, 0C, 3B, ...] .text ntoskrnl.exe!RtlSecondsSince1970ToTime + A8 80504AD3 121 Bytes JMP 804F5DE1 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!MmForceSectionClosed + 65 80504B4D 13 Bytes [8B, 35, 48, 11, 55, 80, 0F, ...] {MOV ESI, [0x80551148]; JZ 0x1a559; DEC ECX} .text ntoskrnl.exe!MmForceSectionClosed + 73 80504B5B 21 Bytes [84, A0, 88, FF, FF, 49, 0F, ...] .text ntoskrnl.exe!MmForceSectionClosed + 89 80504B71 50 Bytes [15, 68, 76, 4D, 80, 88, 45, ...] .text ntoskrnl.exe!MmForceSectionClosed + BC 80504BA4 10 Bytes [0F, 00, 00, C1, E0, 0C, 0B, ...] .text ntoskrnl.exe!MmForceSectionClosed + C7 80504BAF 71 Bytes [89, 30, 8B, 75, EC, E9, ED, ...] .text ... .text ntoskrnl.exe!wcsncmp + 43 805052DC 4 Bytes [D1, 83, 7A, 04] .text ntoskrnl.exe!wcsncmp + 48 805052E1 49 Bytes [89, 55, FC, 0F, 85, 83, 34, ...] .text ntoskrnl.exe!wcsncmp + 7A 80505313 69 Bytes [FF, FF, FF, 8B, 4D, FC, 0F, ...] .text ntoskrnl.exe!wcsncmp + C0 80505359 71 Bytes [DE, EB, DA, 8B, 46, 10, F6, ...] .text ntoskrnl.exe!wcsncmp + 108 805053A1 158 Bytes [55, F8, 33, D2, F6, C3, 20, ...] .text ... .text ntoskrnl.exe!_vsnprintf + 25 80505762 2 Bytes [75, E8] {JNZ 0xffffffffffffffea} .text ntoskrnl.exe!_vsnprintf + 28 80505765 29 Bytes CALL 805058D7 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!_vsnprintf + 47 80505784 67 Bytes [8B, C7, 5F, 5E, C9, C3, 90, ...] .text ntoskrnl.exe!vDbgPrintExWithPrefix + A 805057C8 23 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!vDbgPrintExWithPrefix + 23 805057E1 53 Bytes [8B, 45, 18, 89, 85, D8, FD, ...] .text ntoskrnl.exe!vDbgPrintExWithPrefix + 59 80505817 18 Bytes [88, 08, 47, 40, 84, C9, 75, ...] .text ntoskrnl.exe!vDbgPrintExWithPrefix + 6C 8050582A 94 Bytes [FF, B8, 00, 02, 00, 00, 2B, ...] .text ntoskrnl.exe!vDbgPrintExWithPrefix + CB 80505889 58 Bytes [80, 0F, 84, 7A, 14, 02, 00, ...] .text ntoskrnl.exe!DbgPrint + 13 805058C4 36 Bytes CALL 805057BC \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!DbgPrint + 38 805058E9 92 Bytes [8B, 4D, 10, 89, 45, FC, 8B, ...] .text ntoskrnl.exe!DbgPrint + 95 80505946 10 Bytes [83, E0, 0F, 0F, BE, 84, C1, ...] .text ntoskrnl.exe!DbgPrint + A0 80505951 22 Bytes [6A, 07, C1, F8, 04, 59, 3B, ...] .text ntoskrnl.exe!DbgPrint + B7 80505968 5 Bytes [8B, 0D, 70, 1A, 55] .text ... .text ntoskrnl.exe!CcScheduleReadAhead + F 80505D91 33 Bytes [49, 04, 56, 8B, 70, 18, 85, ...] .text ntoskrnl.exe!CcScheduleReadAhead + 32 80505DB4 142 Bytes [8B, 55, 10, 53, 8B, 5D, 0C, ...] .text ntoskrnl.exe!CcScheduleReadAhead + C1 80505E43 101 Bytes [FF, FF, 0F, 85, 40, 04, 00, ...] .text ntoskrnl.exe!CcScheduleReadAhead + 127 80505EA9 14 Bytes [54, 6C, 55, 80, 8B, 4D, E0, ...] .text ntoskrnl.exe!CcScheduleReadAhead + 136 80505EB8 20 Bytes [83, 7D, C8, 00, 74, 09, FF, ...] .text ... .text ntoskrnl.exe!KeInitializeQueue + 33 805064DA 27 Bytes [C9, 74, 07, 89, 48, 1C, 5D, ...] .text ntoskrnl.exe!KeInitializeQueue + 4F 805064F6 7 Bytes [5E, 80, CB, 4B, 5E, 80, 00] .text ntoskrnl.exe!KeInitializeQueue + 57 805064FE 59 Bytes [00, 00, 9A, 4B, 5E, 80, A5, ...] .text ntoskrnl.exe!KeInitializeQueue + 93 8050653A 10 Bytes [59, 00, 53, 00, 54, 00, 45, ...] .text ntoskrnl.exe!KeInitializeQueue + 9F 80506546 20 Bytes [90, 90, FF, FF, FF, FF, EE, ...] .text ntoskrnl.exe!IoIsSystemThread + 2 8050655B 34 Bytes [55, 8B, EC, 8B, 45, 08, 8B, ...] .text ntoskrnl.exe!IoIsSystemThread + 26 8050657F 16 Bytes [4D, 0C, BA, 01, 00, 00, 00, ...] .text ntoskrnl.exe!IoIsSystemThread + 37 80506590 72 Bytes [00, 6A, 01, 8D, 86, 3C, 01, ...] .text ntoskrnl.exe!IoIsSystemThread + 82 805065DB 5 Bytes [8D, 86, F8, 00, 00] .text ntoskrnl.exe!IoIsSystemThread + 88 805065E1 10 Bytes [8B, 18, 8B, FA, 2B, 39, 89, ...] .text ... .text ntoskrnl.exe!MmUnlockPagableImageSection + 91 8050677D 27 Bytes [0D, C8, F4, 55, 80, C1, E8, ...] .text ntoskrnl.exe!MmUnlockPagableImageSection + AD 80506799 13 Bytes [83, 78, 08, 01, 72, 06, FF, ...] .text ntoskrnl.exe!MmUnlockPagableImageSection + BB 805067A7 19 Bytes [48, 0E, 83, C6, 04, 3B, F7, ...] .text ntoskrnl.exe!MmUnlockPagableImageSection + D0 805067BC 25 Bytes [FF, FF, 8B, 4D, FC, 0F, C1, ...] .text ntoskrnl.exe!MmUnlockPagableImageSection + EC 805067D8 13 Bytes [74, 07, 5E, 5B, 5F, C9, C2, ...] .text ... .text ntoskrnl.exe!FsRtlIsTotalDeviceFailure + F 8050701C 27 Bytes [32, C0, 5D, C2, 04, 00, 8B, ...] .text ntoskrnl.exe!FsRtlIsTotalDeviceFailure + 2B 80507038 11 Bytes [83, 78, 08, 01, 72, 06, FF, ...] .text ntoskrnl.exe!FsRtlIsTotalDeviceFailure + 37 80507044 16 Bytes [66, FF, 48, 0E, 33, C0, 89, ...] .text ntoskrnl.exe!FsRtlIsTotalDeviceFailure + 48 80507055 50 Bytes [01, 8B, 3D, 70, 76, 4D, 80, ...] .text ntoskrnl.exe!FsRtlIsTotalDeviceFailure + 7B 80507088 14 Bytes [89, 59, 04, 89, 40, 04, 89, ...] .text ... .text ntoskrnl.exe!IoAcquireRemoveLockEx + 9 805070CE 42 Bytes [8D, 53, 04, 89, 55, 08, B8, ...] .text ntoskrnl.exe!IoAcquireRemoveLockEx + 34 805070F9 33 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] .text ntoskrnl.exe!IoReleaseRemoveLockEx + 1D 8050711B 69 Bytes [FF, FF, FF, 8B, 4D, 10, 0F, ...] .text ntoskrnl.exe!IoReleaseRemoveLockEx + 63 80507161 4 Bytes [8F, 8C, 53, 01] .text ntoskrnl.exe!IoReleaseRemoveLockEx + 68 80507166 55 Bytes [8A, C2, 24, 80, 88, 45, 08, ...] .text ntoskrnl.exe!IoReleaseRemoveLockEx + A0 8050719E 11 Bytes [83, C0, 1C, 89, 45, 10, B8, ...] {ADD EAX, 0x1c; MOV [EBP+0x10], EAX; MOV EAX, 0xffffffff} .text ntoskrnl.exe!IoReleaseRemoveLockEx + AC 805071AA 8 Bytes [4D, 10, 0F, C1, 01, 48, 75, ...] {DEC EBP; ADC [EDI], CL; ROL DWORD [ECX], 0x48; JNZ 0x23} .text ... .text ntoskrnl.exe!IoCancelIrp + 91 805072DA 35 Bytes [68, 53, CF, 4E, 80, 51, 50, ...] .text ntoskrnl.exe!IoCancelIrp + B5 805072FE 37 Bytes [FF, 15, 70, 76, 4D, 80, E9, ...] .text ntoskrnl.exe!IoCancelIrp + DB 80507324 10 Bytes CALL 804FCF8A \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoCancelIrp + E6 8050732F 52 Bytes [6A, 00, 68, 00, 15, 56, 80, ...] .text ntoskrnl.exe!IoCancelIrp + 11B 80507364 59 Bytes [00, 00, 00, 00, E7, A8, 60, ...] .text ... .text ntoskrnl.exe!CcSetAdditionalCacheAttributes + 2 80507513 56 Bytes [55, 8B, EC, 8B, 45, 08, 8B, ...] .text ntoskrnl.exe!CcSetAdditionalCacheAttributes + 3B 8050754C 15 Bytes [83, 22, FE, EB, E1, 83, 60, ...] .text ntoskrnl.exe!CcSetAdditionalCacheAttributes + 4B 8050755C 70 Bytes [6C, 04, 0F, 85, C8, 87, FE, ...] .text ntoskrnl.exe!CcSetAdditionalCacheAttributes + 92 805075A3 115 Bytes JMP 804FDC4B \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!CcSetAdditionalCacheAttributes + 106 80507617 20 Bytes [0F, 85, 67, D1, FF, FF, FF, ...] .text ... .text ntoskrnl.exe!KePulseEvent + 88 80507789 4 Bytes [15, 70, 76, 4D] .text ntoskrnl.exe!KePulseEvent + 8D 8050778E 130 Bytes [FF, D6, 88, 45, 1B, E9, B7, ...] .text ntoskrnl.exe!IoBuildSynchronousFsdRequest + 21 80507811 58 Bytes [74, 34, 8B, 45, 1C, 53, 56, ...] .text ntoskrnl.exe!IoBuildSynchronousFsdRequest + 5C 8050784C 111 Bytes [8B, 56, 04, 3B, 53, 08, 0F, ...] .text ntoskrnl.exe!IoBuildSynchronousFsdRequest + CC 805078BC 56 Bytes [4F, 04, 3B, 48, 34, 77, 21, ...] .text ntoskrnl.exe!IoBuildSynchronousFsdRequest + 105 805078F5 28 Bytes [EC, 51, 53, 8B, 5D, 08, 56, ...] .text ntoskrnl.exe!IoBuildSynchronousFsdRequest + 122 80507912 97 Bytes CALL 804FDF83 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntoskrnl.exe!FsRtlGetNextFileLock + D 805079F0 57 Bytes [58, 0C, 85, DB, 0F, 84, 61, ...] .text ntoskrnl.exe!FsRtlGetNextFileLock + 48 80507A2B 6 Bytes [8B, 48, 04, 85, C9, 0F] .text ntoskrnl.exe!FsRtlGetNextFileLock + 4F 80507A32 33 Bytes [4A, FA, FF, FF, 8D, 70, 10, ...] .text ntoskrnl.exe!FsRtlGetNextFileLock + 71 80507A54 15 Bytes [00, 0F, 85, AD, 00, 00, 00, ...] .text ntoskrnl.exe!FsRtlGetNextFileLock + 81 80507A64 3 Bytes [80, 7D, DC] .text ... .text ntoskrnl.exe!PoCallDriver + 6F 80508E03 70 Bytes [0F, 84, 39, C0, 00, 00, 83, ...] .text ntoskrnl.exe!PoCallDriver + B6 80508E4A 9 Bytes [8B, 4D, 08, 8B, D3, E8, F1, ...] .text ntoskrnl.exe!PoCallDriver + C0 80508E54 58 Bytes [EB, E0, 80, F9, 02, 0F, 84, ...] .text ntoskrnl.exe!PoCallDriver + FB 80508E8F 62 Bytes [33, C0, 03, 3B, 13, 43, 04, ...] .text ntoskrnl.exe!PoCallDriver + 13A 80508ECE 5 Bytes [0F, 84, 52, 08, 01] .text ... .text ntoskrnl.exe!KeSetSystemAffinityThread + 2 80508F07 88 Bytes [55, 8B, EC, 53, 56, 57, 64, ...] .text ntoskrnl.exe!KeRevertToUserAffinityThread + B 80508F60 60 Bytes [8B, F0, FF, 15, 68, 76, 4D, ...] .text ntoskrnl.exe!PoRequestPowerIrp + 5 80508FA6 36 Bytes [53, 56, FF, 75, 08, E8, A5, ...] .text ntoskrnl.exe!PoRequestPowerIrp + 2A 80508FCB 111 Bytes [33, D2, 57, 42, 8B, CE, E8, ...] .text ntoskrnl.exe!PoRequestPowerIrp + 9B 8050903C 98 Bytes [80, F9, 01, 0F, 86, F0, 62, ...] .text ntoskrnl.exe!PoRequestPowerIrp + FF 805090A0 56 Bytes CALL 80508D92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!PoRequestPowerIrp + 13B 805090DC 11 Bytes [8B, FF, 55, 8B, EC, 56, BE, ...] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; PUSH ESI; MOV ESI, 0x80560678} .text ... .text ntoskrnl.exe!PoStartNextPowerIrp + 4 8050944A 29 Bytes [EC, 83, EC, 0C, 8B, 45, 08, ...] .text ntoskrnl.exe!PoStartNextPowerIrp + 22 80509468 40 Bytes [89, 45, F4, 33, FF, 33, DB, ...] .text ntoskrnl.exe!PoStartNextPowerIrp + 4B 80509491 40 Bytes [00, 8B, 76, 08, 83, FE, 01, ...] .text ntoskrnl.exe!PoStartNextPowerIrp + 74 805094BA 10 Bytes [6A, 01, FF, 75, F8, E8, 9D, ...] {PUSH 0x1; PUSH DWORD [EBP-0x8]; CALL 0xffffffffffffd3a7} .text ntoskrnl.exe!PoStartNextPowerIrp + 7F 805094C5 12 Bytes [D8, 85, DB, 0F, 85, 88, C8, ...] {FADD DWORD [EBP-0x777af025]; ENTER 0x0, 0x8b; INC EBP; HLT } .text ... .text ntoskrnl.exe!MmCommitSessionMappedView + E 80509969 58 Bytes [53, 8B, 5D, 08, 3B, D9, 56, ...] .text ntoskrnl.exe!MmCommitSessionMappedView + 4A 805099A5 6 Bytes [01, 0F, 84, 8C, 66, 01] .text ntoskrnl.exe!MmCommitSessionMappedView + 51 805099AC 39 Bytes [83, 65, F8, 00, 83, 65, FC, ...] .text ntoskrnl.exe!MmCommitSessionMappedView + 79 805099D4 19 Bytes [3F, 00, 8B, D6, C1, EA, 0A, ...] {AAS ; ADD [EBX+0xaeac1d6], CL; AND EDI, EAX; AND EDX, EAX; SUB EDI, EDX; ADD ECX, 0x15c} .text ntoskrnl.exe!MmCommitSessionMappedView + 8D 805099E8 47 Bytes [FF, 02, 89, 4D, F4, 8B, 49, ...] .text ... .text ntoskrnl.exe!KeInitializeMutex + D 80509D6A 39 Bytes [02, C6, 40, 02, 08, C7, 40, ...] .text ntoskrnl.exe!KeInitializeMutex + 35 80509D92 40 Bytes [FF, FF, 22, CE, 5E, 80, 35, ...] .text ntoskrnl.exe!IoGetDriverObjectExtension + 1A 80509DBB 18 Bytes [4E, 04, 3B, 4D, 0C, 0F, 85, ...] {DEC ESI; ADD AL, 0x3b; DEC EBP; OR AL, 0xf; TEST [EAX-0x75ffff97], EBP; ENTER 0x15ff, 0x70; JBE 0x5f} .text ntoskrnl.exe!IoGetDriverObjectExtension + 2D 80509DCE 6 Bytes [85, F6, 0F, 84, 9F, 69] .text ntoskrnl.exe!IoGetDriverObjectExtension + 34 80509DD5 43 Bytes [00, 8D, 46, 08, 5E, 5D, C2, ...] .text ntoskrnl.exe!IoGetDriverObjectExtension + 60 80509E01 77 Bytes [08, 3B, C6, 89, 75, FC, 74, ...] .text ntoskrnl.exe!IoGetDriverObjectExtension + AE 80509E4F 33 Bytes [14, 0F, 85, F8, 51, 00, 00, ...] .text ... .text ntoskrnl.exe!IoDeleteDevice + 23 80509F87 8 Bytes [18, 85, FF, 0F, 85, 1F, 28, ...] {SBB [EBP+0x1f850fff], AL; SUB [ECX], AL} .text ntoskrnl.exe!IoDeleteDevice + 2C 80509F90 12 Bytes [F6, 46, 1C, 40, 5F, 74, 06, ...] .text ntoskrnl.exe!IoDeleteDevice + 39 80509F9D 55 Bytes CALL 8065C49A \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoDeleteDevice + 73 80509FD7 8 Bytes [8B, FF, 55, 8B, EC, 51, 56, ...] .text ntoskrnl.exe!IoDeleteDevice + 7C 80509FE0 57 Bytes CALL 804E6B4A \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntoskrnl.exe!IoReportTargetDeviceChangeAsynchronous + 29 8050A059 13 Bytes [5E, 04, B8, 60, A1, 50, 80, ...] .text ntoskrnl.exe!IoReportTargetDeviceChangeAsynchronous + 38 8050A068 22 Bytes [00, 6A, 10, 5F, 57, 50, 53, ...] .text ntoskrnl.exe!IoReportTargetDeviceChangeAsynchronous + 50 8050A080 2 Bytes [CB, 00] .text ntoskrnl.exe!IoReportTargetDeviceChangeAsynchronous + 54 8050A084 10 Bytes [B8, 70, A1, 50, 80, 3B, D8, ...] .text ntoskrnl.exe!IoReportTargetDeviceChangeAsynchronous + 5F 8050A08F 235 Bytes [00, 00, 57, 50, 53, E8, 85, ...] .text ... .text ntoskrnl.exe!PoRegisterDeviceForIdleDetection + 2 8050A1EB 31 Bytes [55, 8B, EC, 51, 53, 56, 57, ...] .text ntoskrnl.exe!PoRegisterDeviceForIdleDetection + 22 8050A20B 7 Bytes [8B, CB, FF, 15, 9C, 75, 4D] .text ntoskrnl.exe!PoRegisterDeviceForIdleDetection + 2A 8050A213 62 Bytes [88, 45, 0F, 8B, 45, 08, 8B, ...] .text ntoskrnl.exe!PoRegisterDeviceForIdleDetection + 69 8050A252 167 Bytes JMP 80509FCD \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!PoRegisterDeviceForIdleDetection + 111 8050A2FA 10 Bytes [81, C6, 48, FF, FF, FF, 56, ...] .text ... .text ntoskrnl.exe!RtlTimeFieldsToTime + 5 8050A33E 69 Bytes [83, EC, 14, 8B, 45, 08, 0F, ...] .text ntoskrnl.exe!RtlTimeFieldsToTime + 4B 8050A384 25 Bytes [00, 66, 83, 7D, FC, 01, 0F, ...] .text ntoskrnl.exe!RtlTimeFieldsToTime + 65 8050A39E 3 Bytes [3D, 6B, 78] .text ntoskrnl.exe!RtlTimeFieldsToTime + 6A 8050A3A3 4 Bytes [0F, 87, 09, B9] .text ntoskrnl.exe!RtlTimeFieldsToTime + 6F 8050A3A8 4 Bytes [00, 83, FE, 0B] .text ... .text ntoskrnl.exe!toupper + 1 8050AF26 2 Bytes [FF, 55] .text ntoskrnl.exe!toupper + 4 8050AF29 50 Bytes [EC, 83, EC, 10, 8D, 45, 08, ...] .text ntoskrnl.exe!toupper + 37 8050AF5C 22 Bytes [83, 7D, F0, 01, 0F, 85, 90, ...] .text ntoskrnl.exe!toupper + 4F 8050AF74 7 Bytes [8F, 30, 60, 80, A2, 30, 60] .text ntoskrnl.exe!toupper + 57 8050AF7C 48 Bytes [FF, FF, FF, FF, 89, 37, 60, ...] .text ... .text ntoskrnl.exe!ExInitializeNPagedLookasideList + 32 8050B4CB 20 Bytes [89, 48, 0C, 89, 48, 10, 89, ...] .text ntoskrnl.exe!ExInitializeNPagedLookasideList + 47 8050B4E0 13 Bytes [8B, 55, 10, 3B, D1, 75, 28, ...] .text ntoskrnl.exe!ExInitializeNPagedLookasideList + 55 8050B4EE 27 Bytes [89, 48, 38, 89, 48, 3C, 68, ...] .text ntoskrnl.exe!ExInitializeNPagedLookasideList + 71 8050B50A 21 Bytes [89, 50, 28, EB, D1, 89, 50, ...] .text ntoskrnl.exe!ExInitializeNPagedLookasideList + 87 8050B520 3 Bytes [3D, 07, 5F] .text ... .text ntoskrnl.exe!sprintf + 25 8050B652 141 Bytes CALL 69312BE0 .text ntoskrnl.exe!wctomb + E 8050B6E0 16 Bytes [00, 6A, 02, 8D, 45, 0C, 50, ...] .text ntoskrnl.exe!wctomb + 1F 8050B6F1 7 Bytes [FF, 75, 08, E8, AE, 1E, 07] .text ntoskrnl.exe!wctomb + 27 8050B6F9 7 Bytes [85, C0, 0F, 8C, 1C, CD, 01] .text ntoskrnl.exe!wctomb + 2F 8050B701 65 Bytes [8B, 45, 08, 5D, C3, FF, 8D, ...] .text ntoskrnl.exe!wctomb + 71 8050B743 24 Bytes [59, 0F, 84, 95, F3, FF, FF, ...] .text ... .text ntoskrnl.exe!DbgLoadImageSymbols + 9 8050B8AA 2 Bytes [45, 0C] .text ntoskrnl.exe!DbgLoadImageSymbols + C 8050B8AD 182 Bytes [4D, 10, 50, 89, 45, F0, 89, ...] .text ntoskrnl.exe!wcsrchr + 78 8050B964 18 Bytes [89, 72, 04, 89, 16, 89, 15, ...] .text ntoskrnl.exe!wcsrchr + 8B 8050B977 34 Bytes CALL 804DBBCE \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KeInitializeDeviceQueue + 11 8050B99A 5 Bytes [66, C7, 46, 02, 14] .text ntoskrnl.exe!KeInitializeDeviceQueue + 17 8050B9A0 38 Bytes [89, 40, 04, 89, 00, 8D, 46, ...] .text ntoskrnl.exe!KeInitializeDeviceQueue + 3E 8050B9C7 71 Bytes [80, 8B, 0D, DC, F4, 55, 80, ...] .text ntoskrnl.exe!KeInitializeDeviceQueue + 86 8050BA0F 313 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] .text ntoskrnl.exe!RtlNumberGenericTableElementsAvl + 7F 8050BB49 149 Bytes [8D, 85, F4, FD, FF, FF, 6A, ...] .text ntoskrnl.exe!KeGetRecommendedSharedDataAlignment + 1F 8050BBDF 31 Bytes CALL 804E9C44 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KeGetRecommendedSharedDataAlignment + 3F 8050BBFF 4 Bytes [B8, 01, 00, 00] .text ntoskrnl.exe!KeGetRecommendedSharedDataAlignment + 44 8050BC04 117 Bytes [8B, 4D, 08, 0F, C1, 01, 83, ...] .text ntoskrnl.exe!KeGetRecommendedSharedDataAlignment + BB 8050BC7B 3 Bytes [C7, 0C, 01] .text ntoskrnl.exe!KeGetRecommendedSharedDataAlignment + BF 8050BC7F 13 Bytes [BE, 0E, 01, 00, C0, 8A, C8, ...] {MOV ESI, 0xc000010e; MOV CL, AL; CALL [0x804d7670]} .text ... .text ntoskrnl.exe!MmQuerySystemSize + 3E 8050BE58 15 Bytes [14, D9, 60, 80, 56, E8, 76, ...] {ADC AL, 0xd9; PUSHA ; ADC BYTE [ESI-0x18], 0x76; AND [EDX], CL; ADD CL, CH; MOV SS, [ECX]; ADD [EAX], AL} .text ntoskrnl.exe!MmQuerySystemSize + 4E 8050BE68 57 Bytes [15, 68, 76, 4D, 80, 8A, D8, ...] .text ntoskrnl.exe!MmQuerySystemSize + 88 8050BEA2 42 Bytes [C2, 8B, 42, 0C, C1, E8, 08, ...] .text ntoskrnl.exe!MmQuerySystemSize + B3 8050BECD 21 Bytes CALL 804E7032 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!MmQuerySystemSize + C9 8050BEE3 32 Bytes [4D, 08, 8B, 45, 10, 89, 01, ...] .text ntoskrnl.exe!IoSetHardErrorOrVerifyDevice + 5 8050BF04 101 Bytes [8B, 45, 08, 8B, 40, 50, 85, ...] .text ntoskrnl.exe!RtlInitializeGenericTable + 15 8050BF6A 14 Bytes [48, 0C, 8B, 4D, 0C, 89, 48, ...] .text ntoskrnl.exe!RtlInitializeGenericTable + 24 8050BF79 40 Bytes [4D, 14, 89, 48, 20, 8B, 4D, ...] .text ntoskrnl.exe!RtlInitializeGenericTable + 4D 8050BFA2 48 Bytes [75, 2F, 8A, 55, 0B, 8B, 4D, ...] .text ntoskrnl.exe!RtlInitializeGenericTable + 7E 8050BFD3 15 Bytes [8B, 36, 3B, 75, F8, 75, C4, ...] {MOV ESI, [ESI]; CMP ESI, [EBP-0x8]; JNZ 0xffffffffffffffcb; JMP 0xffffffffffff118c; NOP ; NOP ; NOP } .text ntoskrnl.exe!IoAllocateController 8050BFE4 3 Bytes [8B, FF, 55] {MOV EDI, EDI; PUSH EBP} .text ntoskrnl.exe!IoAllocateController + 4 8050BFE8 2 Bytes [EC, 53] {IN AL, DX ; PUSH EBX} .text ntoskrnl.exe!IoAllocateController + 7 8050BFEB 19 Bytes [5D, 14, 56, 8B, 75, 0C, 57, ...] .text ntoskrnl.exe!IoAllocateController + 1B 8050BFFF 170 Bytes [50, 89, 7E, 44, 89, 5E, 48, ...] .text ntoskrnl.exe!VerSetConditionMask + 52 8050C0AA 48 Bytes [75, F6, 8B, 55, 0C, 8D, 4C, ...] .text ntoskrnl.exe!RtlVerifyVersionInfo + 14 8050C0DB 41 Bytes [56, 8B, 75, 08, 89, 45, FC, ...] .text ntoskrnl.exe!RtlVerifyVersionInfo + 3E 8050C105 10 Bytes [E0, FE, FF, FF, 50, C7, 85, ...] .text ntoskrnl.exe!RtlVerifyVersionInfo + 49 8050C110 20 Bytes CALL 805ACA74 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlVerifyVersionInfo + 5F 8050C126 13 Bytes [80, 0F, 84, A7, 3E, 00, 00, ...] .text ntoskrnl.exe!RtlVerifyVersionInfo + 6D 8050C134 3 Bytes [66, 85, C0] {TEST AX, AX} .text ... .text ntoskrnl.exe!IoWMIHandleToInstanceName + 1C 8050C452 90 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] .text ntoskrnl.exe!IoWMIWriteEvent + 46 8050C4AD 28 Bytes [0F, 85, E3, 8C, 00, 00, 8B, ...] .text ntoskrnl.exe!IoWMIWriteEvent + 63 8050C4CA 4 Bytes CALL 8054B044 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoWMIWriteEvent + 68 8050C4CF 4 Bytes [8B, F8, 85, FF] {MOV EDI, EAX; TEST EDI, EDI} .text ntoskrnl.exe!IoWMIWriteEvent + 6E 8050C4D5 2 Bytes [1D, 8D] .text ntoskrnl.exe!IoWMIWriteEvent + 72 8050C4D9 31 Bytes [BB, 38, 14, 56, 80, 8B, CB, ...] .text ... .text ntoskrnl.exe!wcsncat + 3C 8050C70D 32 Bytes [5E, 5D, C3, 8B, 08, 8B, 50, ...] .text ntoskrnl.exe!wcsncat + 5D 8050C72E 26 Bytes JMP 8051DD90 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KeIsAttachedProcess + 6 8050C74B 5 Bytes [33, C9, 80, B8, 65] .text ntoskrnl.exe!KeIsAttachedProcess + E 8050C753 54 Bytes [01, 0F, 94, C1, 8A, C1, C3, ...] .text ntoskrnl.exe!KeIsAttachedProcess + 46 8050C78B 3 Bytes [83, C0, 30] {ADD EAX, 0x30} .text ntoskrnl.exe!KeIsAttachedProcess + 4A 8050C78F 22 Bytes [45, 08, B8, 01, 00, 00, 00, ...] .text ntoskrnl.exe!KeIsAttachedProcess + 61 8050C7A6 116 Bytes [FF, C6, 46, 0A, 01, E9, FB, ...] .text ntoskrnl.exe!ExInitializeZone + 66 8050C81B 43 Bytes [FF, 0D, F2, 60, 80, 20, F2, ...] .text ntoskrnl.exe!ExInitializeZone + 92 8050C847 58 Bytes [70, 04, 85, F6, 0F, 84, 1A, ...] .text ntoskrnl.exe!ExInitializeZone + CD 8050C882 93 Bytes [74, 15, 6A, 00, 6A, 00, 33, ...] .text ntoskrnl.exe!ExInitializeZone + 12B 8050C8E0 27 Bytes CALL 80572BBF \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!ExInitializeZone + 147 8050C8FC 15 Bytes [90, 90, 90, 90, FF, FF, FF, ...] .text ... .text ntoskrnl.exe!PsGetJobUIRestrictionsClass + 1 8050CC4D 11 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...] .text ntoskrnl.exe!PsGetJobUIRestrictionsClass + D 8050CC59 62 Bytes [00, 5D, C2, 04, 00, 90, 90, ...] .text ntoskrnl.exe!PsGetJobUIRestrictionsClass + 4C 8050CC98 117 Bytes [38, 1D, 51, 8C, 55, 80, 0F, ...] .text ntoskrnl.exe!PsGetJobUIRestrictionsClass + C3 8050CD0F 3 Bytes [57, 8B, 7D] .text ntoskrnl.exe!PsGetJobUIRestrictionsClass + C7 8050CD13 50 Bytes [3B, FB, 0F, 84, AA, 37, 00, ...] .text ... .text ntoskrnl.exe!IoInvalidateDeviceRelations + A 8050D07A 31 Bytes [86, B0, 00, 00, 00, 8B, 40, ...] .text ntoskrnl.exe!IoInvalidateDeviceRelations + 2A 8050D09A 26 Bytes [D0, 2B, D1, 0F, 85, C2, FC, ...] .text ntoskrnl.exe!IoInvalidateDeviceRelations + 45 8050D0B5 4 Bytes [5E, 5D, C2, 08] .text ntoskrnl.exe!IoInvalidateDeviceRelations + 4A 8050D0BA 8 Bytes JMP EBE47403 .text ntoskrnl.exe!IoInvalidateDeviceRelations + 56 8050D0C6 31 Bytes [8B, FF, 55, 8B, EC, 83, EC, ...] .text ... .text ntoskrnl.exe!_snprintf + 23 8050D334 11 Bytes CALL 693148C2 .text ntoskrnl.exe!_snprintf + 2F 8050D340 18 Bytes [FF, 83, C4, 0C, 85, F6, 8B, ...] .text ntoskrnl.exe!_snprintf + 42 8050D353 18 Bytes [8B, 45, E0, C6, 00, 00, 8B, ...] .text ntoskrnl.exe!_snprintf + 55 8050D366 39 Bytes [00, 00, 48, 0F, 85, DA, D6, ...] .text ntoskrnl.exe!_snprintf + 7D 8050D38E 7 Bytes [FF, 85, C0, 0F, 82, 32, 89] .text ... .text ntoskrnl.exe!RtlTimeToTimeFields + 27 8050D50B 1 Byte [75] .text ntoskrnl.exe!RtlTimeToTimeFields + 27 8050D50B 20 Bytes [75, 0C, 51, 66, 89, 56, 0E, ...] .text ntoskrnl.exe!RtlTimeToTimeFields + 3C 8050D520 24 Bytes [F7, F7, 8B, F9, 69, FF, 93, ...] .text ntoskrnl.exe!RtlTimeToTimeFields + 55 8050D539 41 Bytes [C1, F7, F3, 33, D2, BB, 90, ...] .text ntoskrnl.exe!RtlTimeToTimeFields + 7F 8050D563 55 Bytes [8D, 41, 01, A8, 03, 0F, 85, ...] .text ... .text ntoskrnl.exe!KeSetIdealProcessorThread + 12 8050D813 72 Bytes [9E, BA, 01, 00, 00, 88, 45, ...] .text ntoskrnl.exe!KeSetIdealProcessorThread + 5B 8050D85C 89 Bytes [F6, C3, 40, 0F, 84, C3, 84, ...] .text ntoskrnl.exe!KeSetIdealProcessorThread + B5 8050D8B6 4 Bytes [00, 83, 25, D0] .text ntoskrnl.exe!KeSetIdealProcessorThread + BA 8050D8BB 7 Bytes [55, 80, 00, 6A, 01, 68, D0] {PUSH EBP; ADD BYTE [EAX], 0x6a; ADD [EAX-0x30], EBP} .text ntoskrnl.exe!KeSetIdealProcessorThread + C2 8050D8C3 30 Bytes [55, 80, C7, 05, D8, 7F, 55, ...] .text ... .text ntoskrnl.exe!qsort + 6 8050DAF1 2 Bytes [EC, 00] .text ntoskrnl.exe!qsort + B 8050DAF6 2 Bytes [56, 8B] .text ntoskrnl.exe!qsort + E 8050DAF9 61 Bytes [0C, 83, FE, 02, 0F, 82, D4, ...] .text ntoskrnl.exe!qsort + 4D 8050DB38 19 Bytes CALL 84188A4C .text ntoskrnl.exe!qsort + 61 8050DB4C 4 Bytes [8F, B2, 01, 00] .text ... .text ntoskrnl.exe!IoAllocateErrorLogEntry + 23 8050DD5F 56 Bytes CALL 8050DD6D \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoAllocateErrorLogEntry + 5C 8050DD98 20 Bytes [83, C3, 20, 89, 5D, 10, 8B, ...] .text ntoskrnl.exe!IoAllocateErrorLogEntry + 72 8050DDAE 3 Bytes [0F, 87, 03] .text ntoskrnl.exe!IoAllocateErrorLogEntry + 76 8050DDB2 14 Bytes [00, 00, 68, 49, 6F, 45, 72, ...] .text ntoskrnl.exe!IoAllocateErrorLogEntry + 85 8050DDC1 48 Bytes [8B, F0, 85, F6, 0F, 84, 01, ...] .text ... .text ntoskrnl.exe!IoWriteErrorLogEntry + 8 8050DEAC 11 Bytes [75, 08, 33, DB, 83, C6, E0, ...] .text ntoskrnl.exe!IoWriteErrorLogEntry + 17 8050DEBB 3 Bytes [68, E6, 00] .text ntoskrnl.exe!IoWriteErrorLogEntry + 1B 8050DEBF 14 Bytes CALL 804E412D \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoWriteErrorLogEntry + 2A 8050DECE 17 Bytes [8B, 0D, C4, 84, 55, 80, 88, ...] .text ntoskrnl.exe!IoWriteErrorLogEntry + 3C 8050DEE0 20 Bytes [89, 48, 04, 89, 01, 38, 1D, ...] .text ... .text ntoskrnl.exe!RtlIpv4StringToAddressW + 23 8050DF60 45 Bytes [00, 75, 3A, 47, 47, 33, C0, ...] .text ntoskrnl.exe!RtlIpv4StringToAddressW + 51 8050DF8E 4 Bytes [00, 66, 3D, 58] {ADD [ESI+0x3d], AH; POP EAX} .text ntoskrnl.exe!RtlIpv4StringToAddressW + 56 8050DF93 60 Bytes [0F, 84, 09, 01, 00, 00, C6, ...] .text ntoskrnl.exe!RtlIpv4StringToAddressW + 93 8050DFD0 11 Bytes [83, 7D, FC, 10, 0F, 84, 82, ...] .text ntoskrnl.exe!RtlIpv4StringToAddressW + 9F 8050DFDC 80 Bytes [3F, 2E, 75, 24, 8D, 45, F4, ...] .text ... .text ntoskrnl.exe!PoSetPowerState + 2 8050E0BC 52 Bytes [55, 8B, EC, 83, EC, 0C, 8B, ...] .text ntoskrnl.exe!PoSetPowerState + 38 8050E0F2 21 Bytes [52, 6E, 00, 00, 48, 0F, 85, ...] .text ntoskrnl.exe!PoSetPowerState + 4E 8050E108 156 Bytes [83, E7, 0F, 3B, F8, 0F, 84, ...] .text ntoskrnl.exe!vsprintf + 3A 8050E1A5 12 Bytes [4D, E4, 0F, 88, 56, A2, 01, ...] .text ntoskrnl.exe!vsprintf + 48 8050E1B3 48 Bytes [8B, C7, 5F, 5E, C9, C3, 90, ...] .text ntoskrnl.exe!PsSetThreadHardErrorsAreDisabled + 8 8050E1E4 4 Bytes [81, C1, 48, 02] .text ntoskrnl.exe!PsSetThreadHardErrorsAreDisabled + D 8050E1E9 46 Bytes [00, 80, 7D, 0C, 00, 74, 0A, ...] .text ntoskrnl.exe!PsSetThreadHardErrorsAreDisabled + 3C 8050E218 12 Bytes [8B, CB, FF, 15, 98, 75, 4D, ...] .text ntoskrnl.exe!PsSetThreadHardErrorsAreDisabled + 49 8050E225 20 Bytes [F6, C4, 40, 0F, 85, 81, B3, ...] .text ntoskrnl.exe!PsSetThreadHardErrorsAreDisabled + 5E 8050E23A 64 Bytes [53, FF, 15, 50, 76, 4D, 80, ...] .text ntoskrnl.exe!InbvCheckDisplayOwnership + 8 8050E27B 27 Bytes [02, 0F, 95, C0, C3, 90, 90, ...] .text ntoskrnl.exe!InbvCheckDisplayOwnership + 24 8050E297 60 Bytes [8D, 45, F8, 50, 6A, 00, 6A, ...] .text ntoskrnl.exe!InbvCheckDisplayOwnership + 61 8050E2D4 22 Bytes [C9, C2, 04, 00, 90, 90, 90, ...] .text ntoskrnl.exe!InbvCheckDisplayOwnership + 78 8050E2EB 17 Bytes CALL 804DAA4D \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!InbvCheckDisplayOwnership + 8A 8050E2FD 4 Bytes [25, 70, 76, 4D] .text ... .text ntoskrnl.exe!MmGetPhysicalAddress + 35 8050E466 13 Bytes [A4, C1, 0C, C1, E0, 0C, 81, ...] .text ntoskrnl.exe!MmGetPhysicalAddress + 43 8050E474 32 Bytes [8B, D1, 5E, 5D, C2, 04, 00, ...] .text ntoskrnl.exe!MmGetPhysicalAddress + 64 8050E495 3 Bytes [3F, 00, 2D] .text ntoskrnl.exe!MmGetPhysicalAddress + 68 8050E499 20 Bytes [00, 00, 40, 8B, 00, A8, 01, ...] .text ntoskrnl.exe!MmGetPhysicalAddress + 80 8050E4B1 67 Bytes [90, 8B, FF, 55, 8B, EC, 51, ...] .text ... .text ntoskrnl.exe!_wcsupr + 14 8050E5AF 35 Bytes [11, 66, 83, FA, 61, 0F, 83, ...] .text ntoskrnl.exe!_wcsupr + 38 8050E5D3 150 Bytes [89, 46, 0C, 85, C0, 0F, 84, ...] .text ntoskrnl.exe!_wcsupr + CF 8050E66A 139 Bytes [FA, B9, FC, FF, 3F, 00, 89, ...] .text ntoskrnl.exe!_wcsupr + 15C 8050E6F7 6 Bytes [3B, 05, 1C, F5, 55, 80] {CMP EAX, [0x8055f51c]} .text ntoskrnl.exe!_wcsupr + 164 8050E6FF 3 Bytes [BF, 59, 01] .text ... .text ntoskrnl.exe!MmMapIoSpace + 11 8050E7C0 132 Bytes [00, 83, FE, 06, 0F, 8D, 1A, ...] .text ntoskrnl.exe!MmMapIoSpace + 96 8050E845 8 Bytes [4D, F0, 0F, 84, 28, 64, 00, ...] .text ntoskrnl.exe!MmMapIoSpace + 9F 8050E84E 7 Bytes [45, FC, 8B, 35, 48, 11, 55] .text ntoskrnl.exe!MmMapIoSpace + A7 8050E856 5 Bytes [8A, 15, 91, 32, 55] .text ntoskrnl.exe!MmMapIoSpace + AD 8050E85C 8 Bytes [8B, F9, C1, E7, 0A, 03, 7D, ...] {MOV EDI, ECX; SHL EDI, 0xa; ADD EDI, [EBP-0x1c]} .text ... .text ntoskrnl.exe!MmUnmapIoSpace + 9 8050E956 31 Bytes [55, 0C, 56, 8B, C8, 57, C1, ...] .text ntoskrnl.exe!MmUnmapIoSpace + 29 8050E976 81 Bytes [00, 40, C1, EE, 0C, 8B, F8, ...] .text ntoskrnl.exe!IoInvalidateDeviceState + 2C 8050E9C8 108 Bytes [74, 04, 5D, C2, 04, 00, 52, ...] .text ntoskrnl.exe!IoInvalidateDeviceState + 99 8050EA35 47 Bytes [40, 3A, CB, F0, 46, D0, 11, ...] .text ntoskrnl.exe!IoInvalidateDeviceState + C9 8050EA65 31 Bytes [00, 74, 18, 83, 4E, 10, 10, ...] .text ntoskrnl.exe!IoInvalidateDeviceState + E9 8050EA85 1 Byte [E6] .text ntoskrnl.exe!IoInvalidateDeviceState + F4 8050EA90 43 Bytes [51, 53, 56, 8B, 75, 08, 8B, ...] .text ... .text ntoskrnl.exe!MmAllocateContiguousMemorySpecifyCache + 29 8050EF76 6 Bytes [85, 45, 0C, 0F, 85, A3] .text ntoskrnl.exe!MmAllocateContiguousMemorySpecifyCache + 30 8050EF7D 9 Bytes [00, 00, 85, 45, 1C, 0F, 85, ...] .text ntoskrnl.exe!MmAllocateContiguousMemorySpecifyCache + 3C 8050EF89 46 Bytes [45, 1C, 8B, 55, 20, 56, B1, ...] .text ntoskrnl.exe!MmAllocateContiguousMemorySpecifyCache + 6B 8050EFB8 1 Byte [00] .text ntoskrnl.exe!MmAllocateContiguousMemorySpecifyCache + 6B 8050EFB8 15 Bytes [00, FF, 75, FC, FF, 75, 24, ...] .text ... .text ntoskrnl.exe!RtlSetAllBits + C 8050F230 163 Bytes JMP 42505C3A .text ntoskrnl.exe!IoCsqInsertIrp + 41 8050F2D4 66 Bytes [8B, 4D, 08, 87, 01, 80, 7F, ...] .text ntoskrnl.exe!IoCsqInsertIrp + 84 8050F317 6 Bytes [D5, 00, 00, 83, 67, 4C] .text ntoskrnl.exe!IoCsqInsertIrp + 8B 8050F31E 41 Bytes JMP 804E52A3 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!ExIsProcessorFeaturePresent + 2 8050F348 80 Bytes [55, 8B, EC, 8B, 45, 08, 83, ...] .text ntoskrnl.exe!ExIsProcessorFeaturePresent + 54 8050F39A 181 Bytes JMP 80505F7F \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!ExIsProcessorFeaturePresent + 10A 8050F450 26 Bytes [9F, B0, 00, 00, 00, FF, 15, ...] .text ntoskrnl.exe!ExIsProcessorFeaturePresent + 125 8050F46B 4 Bytes [FF, 75, 0C, E8] .text ntoskrnl.exe!ExIsProcessorFeaturePresent + 12A 8050F470 67 Bytes [97, FD, FF, 8B, F0, F6, 46, ...] .text ... .text ntoskrnl.exe!KeSetImportanceDpc + 9 8050F4F9 276 Bytes [4D, 08, 88, 41, 03, 5D, C2, ...] .text ntoskrnl.exe!ExRegisterCallback + 30 8050F60E 100 Bytes [53, 89, 46, 0C, 8B, 45, 10, ...] .text ntoskrnl.exe!ExRegisterCallback + 96 8050F674 7 Bytes [0C, CF, 5E, 80, 15, CF, 5E] .text ntoskrnl.exe!ExRegisterCallback + 9F 8050F67D 50 Bytes [3E, 8B, 07, 89, 06, 6A, 00, ...] .text ntoskrnl.exe!KeInitializeInterrupt + 2 8050F6B0 3 Bytes [55, 8B, EC] {PUSH EBP; MOV EBP, ESP} .text ntoskrnl.exe!KeInitializeInterrupt + 7 8050F6B5 15 Bytes [0C, 53, 56, 8B, 75, 08, 89, ...] {OR AL, 0x53; PUSH ESI; MOV ESI, [EBP+0x8]; MOV [ESI+0xc], EAX; MOV EAX, [EBP+0x10]; MOV [ESI+0x10], EAX} .text ntoskrnl.exe!KeInitializeInterrupt + 17 8050F6C5 23 Bytes [45, 14, 85, C0, 57, 66, C7, ...] .text ntoskrnl.exe!KeInitializeInterrupt + 2F 8050F6DD 30 Bytes [1C, 8B, 45, 18, 83, 4E, 18, ...] .text ntoskrnl.exe!KeInitializeInterrupt + 4E 8050F6FC 68 Bytes [46, 30, 8A, 45, 28, 88, 46, ...] .text ... .text ntoskrnl.exe!KeConnectInterrupt + 2E 8050F8EE 27 Bytes [7D, 38, 46, 29, 72, 78, 38, ...] .text ntoskrnl.exe!KeConnectInterrupt + 4A 8050F90A 69 Bytes [38, 5E, 2B, 88, 45, 0B, 75, ...] .text ntoskrnl.exe!KeConnectInterrupt + 90 8050F950 35 Bytes CALL 804DBCFD \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KeConnectInterrupt + B4 8050F974 70 Bytes [00, 84, DB, 0F, 89, 14, 4D, ...] .text ntoskrnl.exe!InbvEnableBootDriver + 34 8050F9BB 55 Bytes [94, C0, A3, 04, 2B, 55, 80, ...] .text ntoskrnl.exe!InbvEnableBootDriver + 6D 8050F9F4 80 Bytes [30, 08, 0F, 85, 06, 96, FE, ...] .text ntoskrnl.exe!InbvEnableBootDriver + BE 8050FA45 59 Bytes [85, EC, FB, FF, FF, 39, 95, ...] .text ntoskrnl.exe!InbvEnableBootDriver + FA 8050FA81 25 Bytes [89, 4D, F8, 74, 09, 8B, 46, ...] .text ntoskrnl.exe!InbvEnableBootDriver + 114 8050FA9B 85 Bytes CALL 804EF21C \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!HalExamineMBR + 24 8050FAF1 4 Bytes [B8, 00, 10, 00] .text ntoskrnl.exe!HalExamineMBR + 29 8050FAF6 55 Bytes [3B, F8, 89, 5D, F4, 89, 5D, ...] .text ntoskrnl.exe!HalExamineMBR + 61 8050FB2E 23 Bytes [F4, 50, 57, 56, FF, 75, FC, ...] .text ntoskrnl.exe!HalExamineMBR + 79 8050FB46 81 Bytes [3B, C3, 74, 4C, 8B, 48, 60, ...] .text ntoskrnl.exe!HalExamineMBR + CC 8050FB99 3 Bytes CALL 8054AF08 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntoskrnl.exe!InbvEnableDisplayString + D 8050FBB6 97 Bytes [88, 0D, 01, 2B, 55, 80, 5D, ...] .text ntoskrnl.exe!IoGetDeviceAttachmentBaseRef + 8 8050FC18 102 Bytes [15, 68, 76, 4D, 80, FF, 75, ...] .text ntoskrnl.exe!IoAttachDeviceToDeviceStackSafe + 2C 8050FC7F 26 Bytes [80, 7D, F4, 00, 75, 0A, 80, ...] .text ntoskrnl.exe!IoAttachDeviceToDeviceStackSafe + 47 8050FC9A 69 Bytes [00, 8B, 88, 88, 00, 00, 00, ...] .text ntoskrnl.exe!IoAttachDeviceToDeviceStackSafe + 8D 8050FCE0 108 Bytes [FF, 90, 90, 90, 90, 90, 8B, ...] .text ntoskrnl.exe!KeSetTargetProcessorDpc + 67 8050FD4D 28 Bytes [8B, 50, 04, 8D, 74, 0A, FF, ...] .text ntoskrnl.exe!ExAllocatePool + 4 8050FD6A 47 Bytes [EC, 68, 4E, 6F, 6E, 65, FF, ...] .text ntoskrnl.exe!HeadlessDispatch + A 8050FD9A 7 Bytes [85, C0, 0F, 85, 84, 83, 01] .text ntoskrnl.exe!HeadlessDispatch + 12 8050FDA2 47 Bytes [8B, 45, 08, 83, F8, 01, 0F, ...] .text ntoskrnl.exe!HeadlessDispatch + 42 8050FDD2 32 Bytes [00, 83, F8, 0B, 0F, 84, 2E, ...] .text ntoskrnl.exe!InbvDisplayString + B 8050FDF3 8 Bytes [2B, 55, 80, 0F, 84, B3, 48, ...] .text ntoskrnl.exe!InbvDisplayString + 14 8050FDFC 196 Bytes [39, 1D, 04, 2B, 55, 80, 0F, ...] .text ntoskrnl.exe!InbvDisplayString + DA 8050FEC2 9 Bytes [FF, FF, 9F, 76, 60, 80, B2, ...] .text ntoskrnl.exe!InbvDisplayString + E4 8050FECC 17 Bytes [FF, FF, FF, FF, 6E, 76, 60, ...] .text ntoskrnl.exe!InbvDisplayString + F6 8050FEDE 9 Bytes [FF, 55, 8B, EC, 80, 3D, 1D, ...] .text ... .text ntoskrnl.exe!RtlCopyString + 28 8050FFA7 7 Bytes [C0, 66, 89, 01, 74, 09, 8A] .text ntoskrnl.exe!RtlCopyString + 30 8050FFAF 135 Bytes [88, 0E, 46, 47, 48, 75, F7, ...] .text ntoskrnl.exe!RtlCopyString + B9 80510038 3 Bytes [8B, 70, 01] {MOV ESI, [EAX+0x1]} .text ntoskrnl.exe!RtlCopyString + BD 8051003C 186 Bytes JMP 8050C18B \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlCopyString + 178 805100F7 35 Bytes [40, 14, 8B, 48, 18, 81, F9, ...] .text ... .text ntoskrnl.exe!IoAttachDeviceToDeviceStack + 36 805101A5 47 Bytes [55, 08, 5F, 5E, 5D, C2, 08, ...] .text ntoskrnl.exe!IoAttachDeviceToDeviceStack + 66 805101D5 4 Bytes [FF, 68, 6B, 01] .text ntoskrnl.exe!IoAttachDeviceToDeviceStack + 6B 805101DA 15 Bytes [00, 68, 00, 7E, 55, 80, E8, ...] .text ntoskrnl.exe!IoAttachDeviceToDeviceStack + 7B 805101EA 13 Bytes [6A, 04, 6A, 09, 6A, 06, 56, ...] .text ntoskrnl.exe!IoAttachDeviceToDeviceStack + 89 805101F8 62 Bytes [50, 68, C0, 7D, 55, 80, EB, ...] .text ... .text ntoskrnl.exe!MmIsDriverVerifying + 48 805103C9 18 Bytes [45, D8, 50, 6A, 02, 56, E8, ...] {INC EBP; FCOM DWORD [EAX+0x6a]; ADD DL, [ESI-0x18]; INC EBP; JNP 0x14; ADD [ECX], BH; POP EBP; FMUL QWORD [EDI]; TEST [ESI+0x44], ESP} .text ntoskrnl.exe!MmIsDriverVerifying + 5C 805103DD 29 Bytes [39, 5D, D8, 0F, 85, 5D, 44, ...] .text ntoskrnl.exe!MmIsDriverVerifying + 7A 805103FB 61 Bytes [0F, 85, C5, E5, 00, 00, 83, ...] .text ntoskrnl.exe!ExVerifySuite + 2B 80510439 145 Bytes [75, E5, 32, C0, EB, EF, 90, ...] .text ntoskrnl.exe!IoSetCompletionRoutineEx + 76 805104CB 6 Bytes [B8, 88, 00, 00, 00, E9] .text ntoskrnl.exe!IoSetCompletionRoutineEx + 7D 805104D2 126 Bytes [C8, FF, FF, B8, 9A, 00, 00, ...] .text ntoskrnl.exe!KeRegisterBugCheckCallback + 6D 80510551 20 Bytes CALL 804DAA49 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KeRegisterBugCheckCallback + 82 80510566 36 Bytes [5B, C9, C2, 14, 00, 90, 90, ...] .text ntoskrnl.exe!KeRegisterBugCheckCallback + A7 8051058B 84 Bytes [56, 08, 8B, 0E, 8B, F8, E8, ...] .text ntoskrnl.exe!IoCsqInitialize + 35 805105E0 65 Bytes [00, 33, C0, 5D, C2, 1C, 00, ...] .text ntoskrnl.exe!IoCsqInitialize + 78 80510623 49 Bytes [8B, 51, 08, 83, C1, 04, 8D, ...] .text ntoskrnl.exe!IoCsqInitialize + AA 80510655 23 Bytes JMP 8050F8B4 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoCsqInitialize + C2 8051066D 34 Bytes JMP 8050F7EC \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KeDisconnectInterrupt + 17 80510690 2 Bytes CALL 80508F06 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KeDisconnectInterrupt + 1B 80510694 101 Bytes [FF, 15, 68, 76, 4D, 80, 8A, ...] .text ntoskrnl.exe!KeDisconnectInterrupt + 81 805106FA 157 Bytes [F9, FF, 15, 68, 76, 4D, 80, ...] .text ntoskrnl.exe!KeDisconnectInterrupt + 120 80510799 16 Bytes CALL 80500BCB \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KeDisconnectInterrupt + 132 805107AB 16 Bytes [0F, 84, 09, 2A, 01, 00, 66, ...] {JZ 0x12a0f; CMP AX, 0x1; JNZ 0x12a24} .text ... .text ntoskrnl.exe!IoSetStartIoAttributes + 9 805107FC 278 Bytes [8B, 4D, 08, 74, 0A, 8B, 81, ...] .text ntoskrnl.exe!Ke386IoSetAccessProcess + 25 80510913 46 Bytes [00, FF, 15, E0, 75, 4D, 80, ...] .text ntoskrnl.exe!Ke386IoSetAccessProcess + 54 80510942 61 Bytes CALL 8050F74E \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!Ke386IoSetAccessProcess + 92 80510980 4 Bytes [C0, 5D, C2, 0C] {RCR BYTE [EBP-0x3e], 0xc} .text ntoskrnl.exe!Ke386IoSetAccessProcess + 97 80510985 13 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] {NOP ; NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c} .text ntoskrnl.exe!Ke386IoSetAccessProcess + A5 80510993 49 Bytes [45, 08, 8A, 40, 24, 33, C9, ...] .text ... .text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + 2 80511667 8 Bytes [55, 8B, EC, 80, 3D, 00, 2B, ...] .text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + B 80511670 31 Bytes [00, 0F, 84, AF, AB, 00, 00, ...] .text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + 2B 80511690 6 Bytes [00, 00, A3, 08, 2B, 55] .text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + 32 80511697 8 Bytes CALL 8050E2DD \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + 3B 805116A0 3 Bytes CALL 8050ED9D \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntoskrnl.exe!FsRtlRegisterFileSystemFilterCallbacks + 86 80514559 1 Byte [6A] .text ntoskrnl.exe!FsRtlRegisterFileSystemFilterCallbacks + 86 80514559 24 Bytes CALL 804E4512 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlRegisterFileSystemFilterCallbacks + A2 80514575 16 Bytes [8B, FF, 53, 56, 57, BE, 46, ...] {MOV EDI, EDI; PUSH EBX; PUSH ESI; PUSH EDI; MOV ESI, 0x676d5346; PUSH ESI; MOV EDI, 0x1e4} .text ntoskrnl.exe!FsRtlRegisterFileSystemFilterCallbacks + B3 80514586 14 Bytes CALL 8054B041 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlRegisterFileSystemFilterCallbacks + C2 80514595 9 Bytes [0F, 84, 16, 7B, 00, 00, 56, ...] .text ... .text ntoskrnl.exe!IoReadDiskSignature + C 8051460F 65 Bytes [02, 00, 00, 3B, F0, 57, 0F, ...] .text ntoskrnl.exe!IoReadDiskSignature + 4E 80514651 44 Bytes [33, C9, 33, D2, 03, 0C, 93, ...] .text ntoskrnl.exe!IoReadDiskSignature + 7B 8051467E 44 Bytes [8B, C6, 5F, 5E, 5B, 5D, C2, ...] .text ntoskrnl.exe!InbvInstallDisplayStringFilter + D 805146AB 84 Bytes [5D, C2, 04, 00, 32, C0, E9, ...] .text ntoskrnl.exe!InbvInstallDisplayStringFilter + 62 80514700 20 Bytes [8B, F0, 85, F6, 74, 37, FE, ...] .text ntoskrnl.exe!InbvInstallDisplayStringFilter + 77 80514715 112 Bytes [60, 08, DF, 8B, 46, 08, 8B, ...] .text ntoskrnl.exe!InbvInstallDisplayStringFilter + E8 80514786 56 Bytes [51, B8, 00, BA, 3C, DC, 50, ...] .text ntoskrnl.exe!InbvInstallDisplayStringFilter + 121 805147BF 13 Bytes [18, 81, F9, 08, 03, 00, 00, ...] .text ... .text ntoskrnl.exe!KeSetTimeIncrement + 7 80514A83 16 Bytes [0C, 8B, 45, 08, B9, 10, 27, ...] {OR AL, 0x8b; INC EBP; OR [ECX+0x2710], BH; CMP EDX, ECX; MOV [0x8055198c], EAX} .text ntoskrnl.exe!KeSetTimeIncrement + 18 80514A94 12 Bytes [15, C0, 9B, 55, 80, 77, 06, ...] .text ntoskrnl.exe!KeSetTimeIncrement + 25 80514AA1 63 Bytes [A3, 90, 19, 55, 80, A3, FC, ...] .text ntoskrnl.exe!KeSetTimeIncrement + 65 80514AE1 51 Bytes [15, 48, 76, 4D, 80, 8B, 75, ...] .text ntoskrnl.exe!KeSetTimeIncrement + 99 80514B15 38 Bytes [DF, FF, 8B, 07, A3, 14, 00, ...] .text ... .text ntoskrnl.exe!KeI386AllocateGdtSelectors + 3E 80514BFC 9 Bytes [12, 46, 46, 4F, 75, EE, 5F, ...] {ADC AL, [ESI+0x46]; DEC EDI; JNZ 0xfffffffffffffff4; POP EDI; MOV CL, AL} .text ntoskrnl.exe!KeI386AllocateGdtSelectors + 48 80514C06 10 Bytes [15, 00, 31, 55, 80, FF, 15, ...] .text ntoskrnl.exe!KeI386AllocateGdtSelectors + 53 80514C11 39 Bytes [33, C0, 5E, 5D, C2, 08, 00, ...] .text ntoskrnl.exe!KeI386AllocateGdtSelectors + 7B 80514C39 25 Bytes [66, AC, 20, 66, C7, 40, 08, ...] .text ntoskrnl.exe!KeI386AllocateGdtSelectors + 95 80514C53 199 Bytes CALL 04154661 .text ntoskrnl.exe!MmAllocateContiguousMemory + 56 80514D1B 88 Bytes [00, 8B, 40, 1C, 3B, 45, 14, ...] .text ntoskrnl.exe!MmAllocateContiguousMemory + AF 80514D74 10 Bytes [00, 8B, 45, 0C, 3B, C3, 0F, ...] .text ntoskrnl.exe!MmAllocateContiguousMemory + BA 80514D7F 29 Bytes CALL 804EA0E8 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!MmAllocateContiguousMemory + D8 80514D9D 4 Bytes [35, 98, AA, 55] .text ntoskrnl.exe!MmAllocateContiguousMemory + DD 80514DA2 17 Bytes [0F, 86, 3B, DD, 00, 00, 3B, ...] .text ... .text ntoskrnl.exe!RtlFindLeastSignificantBit + 2 80514F91 13 Bytes [55, 8B, EC, 8B, 45, 08, 33, ...] {PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0x8]; XOR EDX, EDX; MOV ECX, EAX; PUSH EBX; OR ECX, EDX} .text ntoskrnl.exe!RtlFindLeastSignificantBit + 10 80514F9F 9 Bytes [55, 0C, 56, 0F, 84, 3C, 1E, ...] {PUSH EBP; OR AL, 0x56; JZ 0x11e45} .text ntoskrnl.exe!RtlFindLeastSignificantBit + 1A 80514FA9 6 Bytes [C8, 81, E1, FF, FF, 00] {ENTER 0xe181, 0xff; INC DWORD [EAX]} .text ntoskrnl.exe!RtlFindLeastSignificantBit + 21 80514FB0 48 Bytes [33, F6, 0B, CE, 8B, C8, 0F, ...] .text ntoskrnl.exe!RtlFindLeastSignificantBit + 52 80514FE1 13 Bytes [B3, 08, EB, E3, 8B, 45, FC, ...] .text ... .text ntoskrnl.exe!VfIsVerificationEnabled + 1A 80515198 1 Byte [46] .text ntoskrnl.exe!VfIsVerificationEnabled + 1A 80515198 29 Bytes [46, 08, B9, FF, FF, 00, 00, ...] .text ntoskrnl.exe!VfIsVerificationEnabled + 38 805151B6 76 Bytes [FF, FF, 00, 00, 77, 44, 8B, ...] .text ntoskrnl.exe!VfIsVerificationEnabled + 86 80515204 140 Bytes JMP 8050C558 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!_strupr + 53 80515291 22 Bytes JMP 80505995 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!_strupr + 6B 805152A9 118 Bytes [8B, 01, 8B, 51, 04, 83, C1, ...] .text ntoskrnl.exe!_strupr + E2 80515320 58 Bytes [FF, 83, C1, 04, 80, 8D, F9, ...] .text ntoskrnl.exe!_strupr + 11D 8051535B 120 Bytes JMP 76C825FF .text ntoskrnl.exe!_strupr + 196 805153D4 19 Bytes [C6, 44, 01, FF, 00, 7C, A7, ...] .text ... .text ntoskrnl.exe!atoi + 9 805155D9 3 Bytes [90, 90, 8B] .text ntoskrnl.exe!atol + 2 805155DD 139 Bytes [55, 8B, EC, 56, 8B, 75, 08, ...] .text ntoskrnl.exe!IoEnumerateDeviceObjectList + 14 80515669 12 Bytes [8B, 4D, 08, 8B, 75, 10, 88, ...] {MOV ECX, [EBP+0x8]; MOV ESI, [EBP+0x10]; MOV [EBP-0x1], AL; MOV EAX, [ECX+0x4]} .text ntoskrnl.exe!IoEnumerateDeviceObjectList + 21 80515676 141 Bytes [EE, 02, 85, C0, 75, 44, 3B, ...] .text ntoskrnl.exe!IoEnumerateDeviceObjectList + AF 80515704 15 Bytes JMP 20E88304 .text ntoskrnl.exe!IoEnumerateDeviceObjectList + BF 80515714 14 Bytes [00, 85, 05, EC, 30, 55, 80, ...] {ADD [EBP+0x5530ec05], AL; XOR BYTE [ESI+EDI-0x7d], 0x3d; IN AL, 0x97; PUSH EBP} .text ntoskrnl.exe!IoEnumerateDeviceObjectList + CE 80515723 79 Bytes [00, 75, 27, B9, 71, F1, 4D, ...] .text ... .text ntoskrnl.exe!MmProbeAndLockSelectedPages + 4 80515ED5 6 Bytes [EC, B8, 30, 10, 00, 00] {IN AL, DX ; MOV EAX, 0x1030} .text ntoskrnl.exe!MmProbeAndLockSelectedPages + B 80515EDC 15 Bytes [82, 3A, FC, FF, 83, 65, D8, ...] .text ntoskrnl.exe!MmProbeAndLockSelectedPages + 1B 80515EEC 15 Bytes [00, 8B, D8, 8B, 45, 08, 8B, ...] .text ntoskrnl.exe!MmProbeAndLockSelectedPages + 2C 80515EFD 37 Bytes [F7, D9, 1B, C9, C1, E8, 0C, ...] .text ntoskrnl.exe!MmProbeAndLockSelectedPages + 52 80515F23 25 Bytes [00, 8B, 4D, E0, 8B, 7D, F8, ...] .text ... .text ntoskrnl.exe!RtlLookupElementGenericTableAvl + 11 8051673D 23 Bytes CALL 804F80F2 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlLookupElementGenericTableAvl + 29 80516755 2 Bytes [50, 0E] {PUSH EAX; PUSH CS} .text ntoskrnl.exe!RtlLookupElementGenericTableAvl + 2C 80516758 2 Bytes JMP 805067AA \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlLookupElementGenericTableAvl + 30 8051675C 96 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] .text ntoskrnl.exe!RtlInsertElementGenericTableAvl + 4 805167BD 24 Bytes [EC, 51, 8D, 45, FC, 50, FF, ...] .text ntoskrnl.exe!RtlInsertElementGenericTableAvl + 1D 805167D6 38 Bytes [75, 10, FF, 75, 0C, FF, 75, ...] .text ntoskrnl.exe!RtlInsertElementGenericTableAvl + 44 805167FD 148 Bytes CALL 804F66C6 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoSetFileOrigin + 52 80516892 78 Bytes [FF, 55, 8B, EC, 53, 57, 8B, ...] .text ntoskrnl.exe!IoSetFileOrigin + A1 805168E1 30 Bytes [74, 15, 8B, 4E, 04, C1, E9, ...] .text ntoskrnl.exe!IoSetFileOrigin + C0 80516900 29 Bytes CALL 804EFCFF \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoSetFileOrigin + DE 8051691E 43 Bytes [00, 00, FF, FF, FF, FF, 76, ...] .text ntoskrnl.exe!IoSetFileOrigin + 10A 8051694A 20 Bytes [80, 8D, 48, 18, 4A, 89, 31, ...] .text ... .text ntoskrnl.exe!RtlFindClearRuns + F 8051708D 91 Bytes [8D, 59, 07, C1, EB, 03, 8B, ...] .text ntoskrnl.exe!RtlFindClearRuns + 6B 805170E9 2 Bytes [B6, 4E] {MOV DH, 0x4e} .text ntoskrnl.exe!RtlFindClearRuns + 6E 805170EC 5 Bytes [03, F9, 0F, 85, E6] .text ntoskrnl.exe!RtlFindClearRuns + 76 805170F4 6 Bytes [0F, BE, BE, 68, B8, 4E] .text ntoskrnl.exe!RtlFindClearRuns + 7D 805170FB 17 Bytes [8B, 4D, F4, 2B, CF, 83, C1, ...] .text ... .text ntoskrnl.exe!RtlFindNextForwardRunClear + 13 80517CB8 43 Bytes [8B, 43, 04, 49, C1, E9, 05, ...] .text ntoskrnl.exe!RtlFindNextForwardRunClear + 3F 80517CE4 9 Bytes [0B, 02, 83, F8, FF, 0F, 84, ...] .text ntoskrnl.exe!RtlFindNextForwardRunClear + 49 80517CEE 51 Bytes [00, 3B, 3B, 73, 1A, 8B, 43, ...] .text ntoskrnl.exe!RtlFindNextForwardRunClear + 7D 80517D22 21 Bytes [F7, D1, 85, 0A, 75, 1A, 2B, ...] .text ntoskrnl.exe!RtlFindNextForwardRunClear + 93 80517D38 57 Bytes [75, 08, 83, C2, 04, 83, C0, ...] .text ... .text ntoskrnl.exe!IoInitializeIrp + B 805181F4 15 Bytes [00, 53, 8B, 5D, 10, 56, 8B, ...] .text ntoskrnl.exe!IoInitializeIrp + 1B 80518204 49 Bytes [0F, B7, 4D, 0C, 8B, D1, C1, ...] .text ntoskrnl.exe!IoInitializeIrp + 4D 80518236 5 Bytes [00, 8A, 80, 65, 01] .text ntoskrnl.exe!IoInitializeIrp + 53 8051823C 11 Bytes [00, 88, 46, 26, 8D, 46, 10, ...] .text ntoskrnl.exe!IoInitializeIrp + 5F 80518248 19 Bytes [0F, BE, C3, 8D, 04, C0, 8D, ...] .text ... .text ntoskrnl.exe!KeInsertHeadQueue + D 805182C8 31 Bytes [8B, 55, 0C, 8B, 4D, 08, 6A, ...] .text ntoskrnl.exe!KeInsertHeadQueue + 2D 805182E8 9 Bytes [F6, 45, 0C, 01, 0F, 84, 39, ...] .text ntoskrnl.exe!KeInsertHeadQueue + 37 805182F2 68 Bytes JMP 804F7F15 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KeInsertHeadQueue + 7D 80518338 7 Bytes [FF, FF, FF, FF, C1, D1, 5F] .text ntoskrnl.exe!KeInsertHeadQueue + 85 80518340 3 Bytes [D4, D1, 5F] {AAM 0xd1; POP EDI} .text ... .text ntoskrnl.exe!PsGetProcessImageFileName + C 80518360 19 Bytes [00, 5D, C2, 04, 00, 81, 3D, ...] .text ntoskrnl.exe!PsGetProcessImageFileName + 20 80518374 31 Bytes [00, 83, 65, DC, 00, FF, D7, ...] .text ntoskrnl.exe!PsGetProcessImageFileName + 40 80518394 27 Bytes [00, 83, 7D, E0, 00, 0F, 84, ...] .text ntoskrnl.exe!PsGetProcessImageFileName + 5C 805183B0 37 Bytes [83, 7D, E0, 00, 0F, 84, 80, ...] .text ntoskrnl.exe!PsGetProcessImageFileName + 82 805183D6 9 Bytes [00, 8D, 4D, 98, FF, 15, 5C, ...] {ADD [EBP+0x15ff984d], CL; POP ESP; JBE 0x56} .text ... .text ntoskrnl.exe!PoSetSystemState + 12 805185CD 20 Bytes [6A, 00, FF, 75, 08, E8, 0A, ...] .text ntoskrnl.exe!PoSetSystemState + 27 805185E2 11 Bytes [90, 90, 90, 90, 90, 83, 3D, ...] .text ntoskrnl.exe!PoSetSystemState + 33 805185EE 5 Bytes [0F, 85, 80, D9, 00] .text ntoskrnl.exe!PoSetSystemState + 39 805185F4 17 Bytes [A1, F4, 03, 56, 80, 8B, C8, ...] .text ntoskrnl.exe!PoSetSystemState + 4B 80518606 3 Bytes [00, B8, 01] .text ... .text ntoskrnl.exe!CcDeferWrite + B 8052ACF9 52 Bytes [6A, 28, 33, DB, 53, E8, 41, ...] .text ntoskrnl.exe!CcDeferWrite + 40 8052AD2E 60 Bytes [50, 20, 66, C7, 00, FC, 02, ...] .text ntoskrnl.exe!CcDeferWrite + 7D 8052AD6B 16 Bytes CALL 80517F80 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!CcDeferWrite + 8E 8052AD7C 119 Bytes [88, 45, 1F, 75, 06, 53, E8, ...] .text ntoskrnl.exe!CcRepinBcb + 13 8052ADF4 117 Bytes [00, 00, 8D, 55, F4, FF, 15, ...] .text ntoskrnl.exe!CcRepinBcb + 89 8052AE6A 34 Bytes [FF, 85, C0, 0F, 84, BE, 00, ...] .text ntoskrnl.exe!CcRepinBcb + AC 8052AE8D 14 Bytes [89, 48, 28, 66, C7, 40, 04, ...] .text ntoskrnl.exe!CcRepinBcb + BB 8052AE9C 201 Bytes [0F, B7, 0E, 8B, 76, 04, 83, ...] .text ntoskrnl.exe!CcRepinBcb + 185 8052AF66 57 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!CcUnpinRepinnedBcb + 14 8052AFA0 20 Bytes [7D, 10, 89, 1F, 0F, 84, 8E, ...] .text ntoskrnl.exe!CcUnpinRepinnedBcb + 29 8052AFB5 26 Bytes CALL 804E3B44 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!CcUnpinRepinnedBcb + 44 8052AFD0 36 Bytes CALL 804ED6AA \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!CcUnpinRepinnedBcb + 69 8052AFF5 6 Bytes [80, 74, 10, 81, FF, 54] {XOR BYTE [EAX+EDX-0x7f], 0xff; PUSH ESP} .text ntoskrnl.exe!CcUnpinRepinnedBcb + 70 8052AFFC 5 Bytes [00, C0, 74, 08, 81] .text ... .text ntoskrnl.exe!CcIsThereDirtyData + 86 8052B105 12 Bytes [5F, 5E, 8A, C3, 5B, C9, C2, ...] .text ntoskrnl.exe!CcIsThereDirtyData + 93 8052B112 67 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] .text ntoskrnl.exe!CcGetLsnForFileObject + 3A 8052B156 21 Bytes [8D, 7E, 10, 8B, 07, 83, E8, ...] .text ntoskrnl.exe!CcGetLsnForFileObject + 50 8052B16C 97 Bytes [50, 80, 78, 02, 00, 74, 4A, ...] .text ntoskrnl.exe!CcGetLsnForFileObject + B2 8052B1CE 5 Bytes [15, 5C, 76, 4D, 80] {ADC EAX, 0x804d765c} .text ntoskrnl.exe!CcGetLsnForFileObject + B8 8052B1D4 12 Bytes [45, 0C, 85, C0, 5F, 74, 0B, ...] {INC EBP; OR AL, 0x85; RCR BYTE [EDI+0x74], 0xb; MOV ECX, [EBP-0x8]; MOV [EAX], ECX} .text ntoskrnl.exe!CcGetLsnForFileObject + C5 8052B1E1 45 Bytes [4D, FC, 89, 48, 04, 8B, 45, ...] .text ... .text ntoskrnl.exe!CcSetDirtyPageThreshold + 1A 8052B279 68 Bytes [00, 8B, 48, 0C, F6, 41, 04, ...] .text ntoskrnl.exe!CcGetFileObjectFromSectionPtrs + 23 8052B2BE 139 Bytes [8B, C6, 5E, 5D, C2, 04, 00, ...] .text ntoskrnl.exe!CcGetFileObjectFromBcb + 77 8052B34A 15 Bytes [89, 4D, F0, 89, 45, F4, 74, ...] .text ntoskrnl.exe!CcGetFileObjectFromBcb + 87 8052B35A 20 Bytes [8B, 06, 89, 45, 08, 74, 06, ...] .text ntoskrnl.exe!CcGetFileObjectFromBcb + 9C 8052B36F 84 Bytes CALL 94C9B2C4 .text ntoskrnl.exe!CcGetFileObjectFromBcb + F1 8052B3C4 47 Bytes [3E, 39, 77, 60, 75, 39, 8D, ...] .text ntoskrnl.exe!CcGetFileObjectFromBcb + 121 8052B3F4 14 Bytes [C6, 05, B1, 6C, 55, 80, 01, ...] .text ... .text ntoskrnl.exe!CcMdlWriteAbort + 1D 8052B463 90 Bytes [74, 04, C6, 45, FF, 01, 80, ...] .text ntoskrnl.exe!CcMdlWriteAbort + 78 8052B4BE 18 Bytes [80, 3D, B0, 6C, 55, 80, 00, ...] .text ntoskrnl.exe!CcMdlWriteAbort + 8B 8052B4D1 40 Bytes CALL 804E550E \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!CcPrepareMdlWrite + 7 8052B4FA 94 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!CcPrepareMdlWrite + 66 8052B559 3 Bytes [83, 7D, 10] .text ntoskrnl.exe!CcPrepareMdlWrite + 6A 8052B55D 4 Bytes [0F, 84, AC, 01] .text ntoskrnl.exe!CcPrepareMdlWrite + 70 8052B563 28 Bytes [8D, 4D, E0, 51, 8D, 4D, E4, ...] .text ntoskrnl.exe!CcPrepareMdlWrite + 8D 8052B580 11 Bytes [89, 45, E0, 8B, 4D, E0, 33, ...] {MOV [EBP-0x20], EAX; MOV ECX, [EBP-0x20]; XOR EAX, EAX; MOV EDI, [EBP-0x58]} .text ... .text ntoskrnl.exe!CcWaitForCurrentLazyWriterActivity + 14 8052B82F 165 Bytes [BB, 48, 05, 00, 00, FF, 47, ...] .text ntoskrnl.exe!CcWaitForCurrentLazyWriterActivity + BA 8052B8D5 81 Bytes [33, C0, 50, 50, 50, 50, 8D, ...] .text ntoskrnl.exe!CcWaitForCurrentLazyWriterActivity + 10D 8052B928 7 Bytes [3B, F3, 75, 1F, 8D, B7, C0] .text ntoskrnl.exe!CcWaitForCurrentLazyWriterActivity + 116 8052B931 21 Bytes [00, 88, 1E, C6, 46, 02, 04, ...] .text ntoskrnl.exe!CcWaitForCurrentLazyWriterActivity + 12E 8052B949 115 Bytes [EB, 03, 89, 5E, 04, FF, 15, ...] .text ... .text ntoskrnl.exe!FsRtlMdlReadCompleteDev + 1 8052BB19 42 Bytes [FF, 55, 8B, EC, FF, 75, 0C, ...] .text ntoskrnl.exe!FsRtlIncrementCcFastReadNoWait 8052BB48 22 Bytes [FF, 05, 50, 6C, 55, 80, C3, ...] .text ntoskrnl.exe!FsRtlIncrementCcFastReadResourceMiss + 6 8052BB5F 102 Bytes [C3, CC, CC, CC, CC, CC, 90, ...] .text ntoskrnl.exe!FsRtlMdlReadComplete + 5C 8052BBC6 98 Bytes [FF, FF, 5F, 5E, 5D, C2, 08, ...] .text ntoskrnl.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 3E 8052BC29 25 Bytes [FF, 74, 04, 8B, 54, C1, F0, ...] .text ntoskrnl.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 59 8052BC44 35 Bytes [10, 89, 01, 8B, 46, 08, 8B, ...] .text ntoskrnl.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 7D 8052BC68 178 Bytes CALL 8052BC9B \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlLookupLastMcbEntry + 42 8052BD1B 46 Bytes [90, 90, 90, 90, 8B, FF, 55, ...] .text ntoskrnl.exe!FsRtlGetNextMcbEntry + 16 8052BD4A 114 Bytes CALL 804F1447 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlSplitLargeMcb + 1A 8052BDBD 208 Bytes [83, 65, FC, 00, 8D, 45, E0, ...] .text ntoskrnl.exe!FsRtlSplitLargeMcb + EB 8052BE8E 128 Bytes [8B, 4E, 10, 83, 4C, 0F, 0C, ...] .text ntoskrnl.exe!FsRtlSplitLargeMcb + 16C 8052BF0F 130 Bytes [C3, FF, FF, FF, FF, 00, 00, ...] .text ntoskrnl.exe!FsRtlRemoveMcbEntry + 1A 8052BF92 3 Bytes [83, 65, FC] .text ntoskrnl.exe!FsRtlRemoveMcbEntry + 1E 8052BF96 44 Bytes [FF, 75, 10, FF, 75, 0C, 56, ...] .text ntoskrnl.exe!FsRtlRemoveMcbEntry + 4B 8052BFC3 9 Bytes [C3, 90, 90, 90, 90, FF, FF, ...] .text ntoskrnl.exe!FsRtlRemoveMcbEntry + 56 8052BFCE 53 Bytes [00, 00, B8, BF, 52, 80, CC, ...] .text ntoskrnl.exe!FsRtlLookupMcbEntry + 26 8052C004 235 Bytes [75, 0C, FF, 75, 08, E8, D9, ...] .text ntoskrnl.exe!FsRtlLookupMcbEntry + 112 8052C0F0 54 Bytes [CC, CC, CC, CC, CC, CC, 90, ...] .text ntoskrnl.exe!FsRtlLookupMcbEntry + 149 8052C127 13 Bytes [90, 90, 90, 90, 8B, FF, 55, ...] .text ntoskrnl.exe!FsRtlLookupMcbEntry + 157 8052C135 94 Bytes CALL 804EA3AF \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlLookupMcbEntry + 1B6 8052C194 21 Bytes [57, C6, 45, FF, 00, 74, 14, ...] .text ... .text ntoskrnl.exe!FsRtlFastUnlockAllByKey + 2 8052C47D 127 Bytes [55, 8B, EC, FF, 75, 18, 6A, ...] .text ntoskrnl.exe!FsRtlAllocatePool + 16 8052C4FD 77 Bytes [8B, F0, 85, F6, 75, 0A, 68, ...] .text ntoskrnl.exe!FsRtlAllocatePoolWithQuota + 2D 8052C54B 38 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] .text ntoskrnl.exe!FsRtlAllocatePoolWithTag + 1D 8052C572 13 Bytes CALL 804DCB98 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlAllocatePoolWithTag + 2B 8052C580 7 Bytes [CC, CC, CC, CC, CC, 90, 90] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP } .text ntoskrnl.exe!FsRtlAllocatePoolWithTag + 33 8052C588 3 Bytes [90, 90, 8B] .text ntoskrnl.exe!FsRtlAllocatePoolWithQuotaTag + 2 8052C58C 7 Bytes [55, 8B, EC, 56, FF, 75, 10] {PUSH EBP; MOV EBP, ESP; PUSH ESI; PUSH DWORD [EBP+0x10]} .text ntoskrnl.exe!FsRtlAllocatePoolWithQuotaTag + A 8052C594 59 Bytes [75, 0C, FF, 75, 08, E8, 26, ...] .text ntoskrnl.exe!FsRtlNormalizeNtstatus + C 8052C5D0 39 Bytes [FF, 84, C0, 8B, 45, 08, 75, ...] .text ntoskrnl.exe!FsRtlNormalizeNtstatus + 34 8052C5F8 28 Bytes [46, 60, 8B, 48, 18, E8, 8E, ...] .text ntoskrnl.exe!FsRtlNormalizeNtstatus + 51 8052C615 16 Bytes [00, 8B, 4D, 08, 87, 01, 33, ...] {ADD [EBX+0x187084d], CL; XOR EAX, EAX; MOV AL, [EBX]; PUSH EAX; CALL 0xfffffffffffba550} .text ntoskrnl.exe!FsRtlNormalizeNtstatus + 62 8052C626 68 Bytes [07, 8B, 7F, 04, 89, 07, 89, ...] .text ntoskrnl.exe!FsRtlNormalizeNtstatus + A7 8052C66B 3 Bytes CALL 804E2A93 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntoskrnl.exe!FsRtlRemovePerFileObjectContext + 17 8052CDD4 155 Bytes CALL 804F7C21 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!FsRtlIsPagingFile + B 8052CE70 60 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!FsRtlInsertPerFileObjectContext + 29 8052CEAD 7 Bytes [00, 56, 53, E8, 6D, AD, FC] .text ntoskrnl.exe!FsRtlInsertPerFileObjectContext + 31 8052CEB5 114 Bytes [8B, F0, 3B, F7, 75, 65, 68, ...] .text ntoskrnl.exe!FsRtlInsertPerFileObjectContext + A4 8052CF28 67 Bytes [8B, 4D, 0C, 8D, 46, 20, 8B, ...] .text ntoskrnl.exe!FsRtlInsertPerFileObjectContext + E8 8052CF6C 58 Bytes [00, 8B, 75, 08, C7, 80, 18, ...] .text ntoskrnl.exe!FsRtlInsertPerFileObjectContext + 123 8052CFA7 19 Bytes [83, A0, 18, 02, 00, 00, 00, ...] {AND DWORD [EAX+0x218], 0x0; POP ESI; POP EBP; RET 0x4; NOP ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 } .text ... .text ntoskrnl.exe!FsRtlPostStackOverflow + 2 8052D046 4 Bytes [55, 8B, EC, 6A] .text ntoskrnl.exe!FsRtlPostStackOverflow + 7 8052D04B 3 Bytes [FF, 75, 10] {PUSH DWORD [EBP+0x10]} .text ntoskrnl.exe!FsRtlPostStackOverflow + B 8052D04F 34 Bytes [75, 0C, FF, 75, 08, E8, 6E, ...] .text ntoskrnl.exe!FsRtlPostPagingFileStackOverflow + B 8052D072 93 Bytes [75, 0C, FF, 75, 08, E8, 4B, ...] .text ntoskrnl.exe!FsRtlPostPagingFileStackOverflow + 69 8052D0D0 59 Bytes [8B, 40, 30, 83, 60, FC, 00, ...] .text ntoskrnl.exe!FsRtlPostPagingFileStackOverflow + A5 8052D10C 30 Bytes [EB, 27, 0F, B7, 46, 2E, 8B, ...] .text ntoskrnl.exe!FsRtlPostPagingFileStackOverflow + C4 8052D12B 14 Bytes [75, 0C, 56, FF, 50, 0C, 66, ...] .text ntoskrnl.exe!FsRtlPostPagingFileStackOverflow + D3 8052D13A 143 Bytes [77, D2, 5E, 5D, C2, 08, 00, ...] .text ... .text ntoskrnl.exe!InbvIsBootDriverInstalled + 7 8052D402 24 Bytes [CC, CC, CC, CC, CC, CC, 90, ...] .text ntoskrnl.exe!InbvResetDisplay + E 8052D41B 41 Bytes [80, 00, 75, 0A, 6A, 01, E8, ...] .text ntoskrnl.exe!InbvResetDisplay + 38 8052D445 108 Bytes [3D, 04, 2B, 55, 80, 00, 75, ...] .text ntoskrnl.exe!InbvSolidColorFill + 21 8052D4B2 83 Bytes [75, 18, 56, FF, 75, 14, FF, ...] .text ntoskrnl.exe!InbvSolidColorFill + 75 8052D506 11 Bytes CALL 8050E2DD \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!InbvSolidColorFill + 82 8052D513 63 Bytes [90, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!InbvSetTextColor + 34 8052D553 6 Bytes [A1, 60, C5, 54, 80, 6A] .text ntoskrnl.exe!InbvSetTextColor + 3B 8052D55A 85 Bytes [89, 45, F8, A1, 5C, C5, 54, ...] .text ntoskrnl.exe!InbvSetTextColor + 91 8052D5B0 148 Bytes [01, 5D, C2, 08, 00, 90, CC, ...] .text ntoskrnl.exe!InbvSetScrollRegion + A 8052D645 155 Bytes [00, CC, CC, CC, CC, CC, 90, ...] .text ntoskrnl.exe!IoAllocateAdapterChannel + 6 8052D6E1 135 Bytes [75, 14, 8B, 4D, 0C, FF, 75, ...] .text ntoskrnl.exe!IoCheckQuerySetFileInformation + 37 8052D76A 4 Bytes [C0, 5D, C2, 0C] {RCR BYTE [EBP-0x3e], 0xc} .text ntoskrnl.exe!IoCheckQuerySetFileInformation + 3C 8052D76F 130 Bytes [90, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!IoCreateStreamFileObjectEx + 1F 8052D7F2 105 Bytes CALL 804ED3DF \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoCreateStreamFileObjectEx + 89 8052D85C 8 Bytes [45, 08, 66, C7, 40, 02, 70, ...] {INC EBP; OR [ESI-0x39], AH; INC EAX; ADD DH, [EAX+0x0]} .text ntoskrnl.exe!IoCreateStreamFileObjectEx + 92 8052D865 45 Bytes [45, 08, 89, 70, 04, 8B, 45, ...] .text ntoskrnl.exe!IoCreateStreamFileObjectEx + C0 8052D893 57 Bytes [8D, 45, 0C, 50, 8D, 45, 08, ...] .text ntoskrnl.exe!IoCreateStreamFileObjectEx + FA 8052D8CD 106 Bytes [45, 10, 3B, C3, 75, 0B, 53, ...] .text ntoskrnl.exe!IoDetachDevice + 9 8052D938 29 Bytes [15, 68, 76, 4D, 80, 8B, 75, ...] .text ntoskrnl.exe!IoDetachDevice + 27 8052D956 12 Bytes [8B, 80, B0, 00, 00, 00, 89, ...] .text ntoskrnl.exe!IoDetachDevice + 34 8052D963 99 Bytes [00, 00, 89, 5E, 10, F6, 40, ...] .text ntoskrnl.exe!IoGetDeviceToVerify + 8 8052D9C7 9 Bytes [8B, 80, 1C, 02, 00, 00, 5D, ...] .text ntoskrnl.exe!IoGetDeviceToVerify + 12 8052D9D1 167 Bytes [90, 90, 90, CC, CC, CC, CC, ...] .text ntoskrnl.exe!IoGetInitialStack + 95 8052DA79 76 Bytes [00, 75, 03, 88, 5D, E7, 83, ...] .text ntoskrnl.exe!IoGetInitialStack + E2 8052DAC6 29 Bytes [88, 5D, E7, 8A, 45, E7, E8, ...] .text ntoskrnl.exe!IoGetInitialStack + 100 8052DAE4 40 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] .text ntoskrnl.exe!IoRaiseHardError + 1F 8052DB0D 180 Bytes [66, 1C, 00, B2, 01, 8B, CE, ...] .text ntoskrnl.exe!IoRaiseHardError + D4 8052DBC2 19 Bytes [89, 40, 0C, 89, 70, 10, 89, ...] .text ntoskrnl.exe!IoRaiseHardError + E8 8052DBD6 13 Bytes [90, 90, CC, CC, CC, CC, CC, ...] {NOP ; NOP ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP ; NOP ; NOP } .text ntoskrnl.exe!IoRaiseInformationalHardError + 1 8052DBE4 147 Bytes [FF, 55, 8B, EC, 8B, 4D, 10, ...] .text ntoskrnl.exe!IoRaiseInformationalHardError + 95 8052DC78 44 Bytes [33, C0, 8B, FB, AB, AB, AB, ...] .text ntoskrnl.exe!IoRaiseInformationalHardError + C2 8052DCA5 12 Bytes [3B, C6, 0F, 84, 79, 01, 00, ...] .text ntoskrnl.exe!IoRaiseInformationalHardError + CF 8052DCB2 48 Bytes [4B, 0C, 66, 8B, 0F, 66, 89, ...] .text ntoskrnl.exe!IoRaiseInformationalHardError + 100 8052DCE3 13 Bytes CALL 8054B044 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntoskrnl.exe!IoSetDeviceToVerify + 15 8052DE5C 49 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] .text ntoskrnl.exe!IoSetDeviceToVerify + 47 8052DE8E 13 Bytes [0C, 56, 74, 09, 8D, 45, FC, ...] {OR AL, 0x56; JZ 0xd; LEA EAX, [EBP-0x4]; PUSH EAX; CALL 0xfffffffffffb8cbe} .text ntoskrnl.exe!IoSetDeviceToVerify + 55 8052DE9C 36 Bytes [75, 08, FF, 75, 10, 8D, 46, ...] .text ntoskrnl.exe!IoSetDeviceToVerify + 7A 8052DEC1 123 Bytes [00, 00, F6, 40, 25, 02, 74, ...] .text ntoskrnl.exe!IoStartNextPacketByKey + 2E 8052DF3D 73 Bytes [EB, 0C, FF, 75, 10, FF, 75, ...] .text ntoskrnl.exe!IoStopTimer + 1E 8052DF87 4 Bytes [FB, 5D, C2, 04] .text ntoskrnl.exe!IoStopTimer + 23 8052DF8C 23 Bytes [CC, CC, CC, CC, CC, 90, CC, ...] .text ntoskrnl.exe!IoCallDriver + 2 8052DFA4 9 Bytes [55, 8B, EC, 8B, 55, 0C, 8B, ...] {PUSH EBP; MOV EBP, ESP; MOV EDX, [EBP+0xc]; MOV ECX, [EBP+0x8]} .text ntoskrnl.exe!IoCallDriver + C 8052DFAE 4 Bytes [15, 00, 2E, 55] .text ntoskrnl.exe!IoCallDriver + 11 8052DFB3 3 Bytes [5D, C2, 08] .text ntoskrnl.exe!IoCallDriver + 15 8052DFB7 21 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] .text ntoskrnl.exe!IoCompleteRequest + C 8052DFCD 59 Bytes [15, 04, 2E, 55, 80, 5D, C2, ...] .text ntoskrnl.exe!IoCompleteRequest + 48 8052E009 62 Bytes [EC, 51, 51, 83, 65, FC, 00, ...] .text ntoskrnl.exe!IoCompleteRequest + 87 8052E048 87 Bytes [6A, 00, 83, C0, 40, 50, E8, ...] .text ntoskrnl.exe!IoGetDiskDeviceObject + 13 8052E0A0 145 Bytes [C0, EB, 4B, 8D, 45, 08, 50, ...] .text ntoskrnl.exe!IoSetSystemPartition + 3A 8052E132 5 Bytes [3B, C3, 0F, 8C, DE] .text ntoskrnl.exe!IoSetSystemPartition + 42 8052E13A 43 Bytes [53, 53, 8D, 45, DC, 89, 45, ...] .text ntoskrnl.exe!IoSetSystemPartition + 6E 8052E166 5 Bytes [66, C7, 45, E4, 70] .text ntoskrnl.exe!IoSetSystemPartition + 74 8052E16C 20 Bytes [66, 89, 5D, E6, 66, C7, 45, ...] .text ntoskrnl.exe!IoSetSystemPartition + 89 8052E181 18 Bytes [FF, 75, D0, 8B, F8, E8, 4E, ...] .text ... .text ntoskrnl.exe!IoValidateDeviceIoControlAccess + 4 8052E2DD 56 Bytes [EC, F6, 45, 0C, 03, 74, 3D, ...] .text ntoskrnl.exe!IoValidateDeviceIoControlAccess + 3D 8052E316 95 Bytes [F7, D8, 1B, C0, 25, 22, 00, ...] .text ntoskrnl.exe!IoFreeErrorLogEntry + 35 8052E376 112 Bytes [0F, C1, 01, 6A, 00, 56, E8, ...] .text ntoskrnl.exe!IoFreeErrorLogEntry + A6 8052E3E7 30 Bytes [F0, 33, DB, 3B, CE, C6, 45, ...] .text ntoskrnl.exe!IoFreeErrorLogEntry + C5 8052E406 40 Bytes [F9, 0F, 84, 90, 00, 00, 00, ...] .text ntoskrnl.exe!IoFreeErrorLogEntry + EE 8052E42F 71 Bytes [39, 5F, 10, 89, 7D, 08, 74, ...] .text ntoskrnl.exe!IoFreeErrorLogEntry + 136 8052E477 63 Bytes [03, 6A, 01, 6A, 00, 89, 06, ...] .text ... .text ntoskrnl.exe!IoAttachDeviceByPointer + 22 8052E502 75 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!IoAttachDeviceByPointer + 6E 8052E54E 113 Bytes [F7, 83, 66, 1C, 00, 8D, 45, ...] .text ntoskrnl.exe!IoCsqRemoveIrp + 29 8052E5C0 2 Bytes [00, 00] {ADD [EAX], AL} .text ntoskrnl.exe!IoCsqRemoveIrp + 2C 8052E5C3 34 Bytes [8B, 4D, 0C, 87, 01, 85, C0, ...] .text ntoskrnl.exe!IoCsqRemoveIrp + 4F 8052E5E6 34 Bytes [EB, E6, FF, 75, 08, 56, FF, ...] .text ntoskrnl.exe!IoVolumeDeviceToDosName + B 8052E609 10 Bytes [A1, 20, 1A, 55, 80, 53, 56, ...] {MOV EAX, [0x80551a20]; PUSH EBX; PUSH ESI; MOV [EBP-0x4], EAX} .text ntoskrnl.exe!IoVolumeDeviceToDosName + 16 8052E614 3 Bytes [45, 0C, 57] {INC EBP; OR AL, 0x57} .text ntoskrnl.exe!IoVolumeDeviceToDosName + 1A 8052E618 61 Bytes [7D, 08, 89, 85, D4, FD, FF, ...] .text ntoskrnl.exe!IoVolumeDeviceToDosName + 58 8052E656 142 Bytes [4D, 00, 88, 9D, E4, FD, FF, ...] .text ntoskrnl.exe!IoVolumeDeviceToDosName + E7 8052E6E5 101 Bytes [00, 8D, 85, EC, FD, FF, FF, ...] .text ... .text ntoskrnl.exe!KeCapturePersistentThreadState + 36 8052F355 67 Bytes [8B, FB, F3, AB, BF, 50, 41, ...] .text ntoskrnl.exe!KeCapturePersistentThreadState + 7A 8052F399 46 Bytes [89, 43, 14, C7, 43, 18, 20, ...] .text ntoskrnl.exe!KeCapturePersistentThreadState + A9 8052F3C8 38 Bytes [45, 18, 89, 43, 30, 8B, 45, ...] .text ntoskrnl.exe!KeCapturePersistentThreadState + D0 8052F3EF 30 Bytes [00, C7, 83, D0, 07, 00, 00, ...] .text ntoskrnl.exe!KeCapturePersistentThreadState + EF 8052F40E 11 Bytes [00, 89, B3, A4, 0F, 00, 00, ...] .text ... .text ntoskrnl.exe!IoRequestDeviceEject + 23 80531534 19 Bytes CALL 805314AE \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoRequestDeviceEject + 37 80531548 73 Bytes CALL 80533993 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoRequestDeviceEject + 81 80531592 11 Bytes [55, 8B, EC, 51, 53, 56, FF, ...] .text ntoskrnl.exe!IoRequestDeviceEject + 8D 8053159E 5 Bytes [8B, 35, 18, 8B, 55] .text ntoskrnl.exe!IoRequestDeviceEject + 93 805315A4 39 Bytes [BB, 18, 8B, 55, 80, 3B, F3, ...] .text ... .text ntoskrnl.exe!KdDisableDebugger + E 80532095 63 Bytes CALL 805321CB \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KdDisableDebugger + 4E 805320D5 9 Bytes [A7, A2, 4F, 80, C6, 05, C1, ...] {CMPSD ; MOV [0x5c6804f], AL; SAL DWORD [EAX], 0x55} .text ntoskrnl.exe!KdDisableDebugger + 58 805320DF 11 Bytes [00, FF, 05, C8, 30, 55, 80, ...] .text ntoskrnl.exe!KdDisableDebugger + 64 805320EB 69 Bytes [8A, 4D, FF, FF, 15, 70, 76, ...] .text ntoskrnl.exe!KdEnableDebugger + 31 80532131 25 Bytes CALL 8067AC87 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KdEnableDebugger + 4B 8053214B 59 Bytes [FF, 15, 70, 76, 4D, 80, C9, ...] .text ntoskrnl.exe!KdPowerTransition + 2A 80532187 19 Bytes [C6, 5E, 5D, C2, 04, 00, 90, ...] .text ntoskrnl.exe!KdPowerTransition + 3E 8053219B 17 Bytes [55, 8B, EC, 53, 6A, 00, E8, ...] {PUSH EBP; MOV EBP, ESP; PUSH EBX; PUSH 0x0; CALL 0x16400; PUSH DWORD [EBP+0x10]; PUSH DWORD [EBP+0xc]} .text ntoskrnl.exe!KdPowerTransition + 50 805321AD 6 Bytes [75, 08, E8, 7F, AE, 14] .text ntoskrnl.exe!KdPowerTransition + 57 805321B4 35 Bytes CALL 805485E7 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KdPowerTransition + 7B 805321D8 171 Bytes [CC, CC, CC, CC, CC, CC, 90, ...] .text ... .text ntoskrnl.exe!KeReleaseInterruptSpinLock + 9 8053272E 50 Bytes CALL 804DAA1C \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KeReleaseInterruptSpinLock + 3C 80532761 20 Bytes [15, E4, 75, 4D, 80, 8B, 46, ...] .text ntoskrnl.exe!KeReleaseInterruptSpinLock + 51 80532776 47 Bytes [08, EB, 0F, 8D, 8E, 50, FE, ...] .text ntoskrnl.exe!KeReleaseInterruptSpinLock + 81 805327A6 81 Bytes [90, 90, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!KeReleaseInterruptSpinLock + D3 805327F8 4 Bytes [00, 8B, F0, 80] .text ... .text ntoskrnl.exe!KeDeregisterBugCheckCallback + 21 80532BEC 43 Bytes [08, 32, DB, 80, 78, 1C, 01, ...] .text ntoskrnl.exe!KeDeregisterBugCheckCallback + 51 80532C1C 21 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!KeDeregisterBugCheckCallback + 67 80532C32 174 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KeDeregisterBugCheckCallback + 119 80532CE4 3 Bytes [B7, 2C, 53] {MOV BH, 0x2c; PUSH EBX} .text ntoskrnl.exe!KeDeregisterBugCheckCallback + 11D 80532CE8 3 Bytes [C0, 2C, 53] .text ... .text ntoskrnl.exe!KeDeregisterBugCheckReasonCallback + 10 80532D07 118 Bytes [BE, C8, 9B, 55, 80, 8B, CE, ...] .text ntoskrnl.exe!KeDeregisterBugCheckReasonCallback + 87 80532D7E 27 Bytes [80, 00, 0F, 84, A6, 00, 00, ...] .text ntoskrnl.exe!KeDeregisterBugCheckReasonCallback + A3 80532D9A 43 Bytes [00, 8B, F3, 89, 75, D8, 8B, ...] .text ntoskrnl.exe!KeDeregisterBugCheckReasonCallback + CF 80532DC6 46 Bytes [1B, 89, 5D, D4, 8B, 4E, 14, ...] .text ntoskrnl.exe!KeDeregisterBugCheckReasonCallback + FE 80532DF5 158 Bytes [FC, 50, 50, 56, 6A, 01, FF, ...] .text ... .text ntoskrnl.exe!KeBugCheckEx + 7 8053399A 2 Bytes [FF, 75] .text ntoskrnl.exe!KeBugCheckEx + A 8053399D 6 Bytes [FF, 75, 14, FF, 75, 10] {PUSH DWORD [EBP+0x14]; PUSH DWORD [EBP+0x10]} .text ntoskrnl.exe!KeBugCheckEx + 11 805339A4 145 Bytes [75, 0C, FF, 75, 08, E8, 9C, ...] .text ntoskrnl.exe!KeBugCheckEx + A4 80533A37 38 Bytes [72, BB, 8A, 4D, 0B, E8, C0, ...] .text ntoskrnl.exe!KeBugCheckEx + CD 80533A60 6 Bytes CALL 80533993 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntoskrnl.exe!KeI386GetLid + 2 80533C05 16 Bytes [55, 8B, EC, 83, EC, 10, 33, ...] {PUSH EBP; MOV EBP, ESP; SUB ESP, 0x10; XOR EAX, EAX; INC EAX; CMP BYTE [0x80550c54], 0x0} .text ntoskrnl.exe!KeI386GetLid + 14 80533C17 6 Bytes [F8, 75, 0A, B8, 0F, 01] .text ntoskrnl.exe!KeI386GetLid + 1B 80533C1E 35 Bytes JMP 80533D62 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KeI386GetLid + 40 80533C43 20 Bytes [00, 57, 75, 30, 68, 4B, 65, ...] .text ntoskrnl.exe!KeI386GetLid + 55 80533C58 20 Bytes [8B, F8, 85, FF, 89, 3D, 60, ...] .text ... .text ntoskrnl.exe!KeI386ReleaseLid + 18 80533D8B 38 Bytes [15, 68, 76, 4D, 80, 0F, B7, ...] .text ntoskrnl.exe!KeI386ReleaseLid + 3F 80533DB2 9 Bytes [16, FF, 4E, 04, 8B, 0D, 60, ...] .text ntoskrnl.exe!KeI386ReleaseLid + 49 80533DBC 16 Bytes [03, D1, 83, 7A, 04, 00, 75, ...] .text ntoskrnl.exe!KeI386ReleaseLid + 5A 80533DCD 26 Bytes [C0, 8A, C8, FF, 15, 70, 76, ...] .text ntoskrnl.exe!KeI386AbiosCall 80533DE8 189 Bytes [8B, FF, 55, 8B, EC, 51, 51, ...] .text ntoskrnl.exe!KeI386ReleaseGdtSelectors + 20 80533EA6 50 Bytes [74, 22, 53, 56, 8B, 75, 08, ...] .text ntoskrnl.exe!KeI386ReleaseGdtSelectors + 53 80533ED9 27 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] .text ntoskrnl.exe!KeI386FlatToGdtSelector + 12 80533EF5 10 Bytes JMP 80533F80 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!KeI386FlatToGdtSelector + 1D 80533F00 29 Bytes [00, 73, 07, B8, 16, 01, 00, ...] .text ntoskrnl.exe!KeI386FlatToGdtSelector + 3B 80533F1E 55 Bytes [5D, 08, 8D, 14, 0E, 8B, 4D, ...] .text ntoskrnl.exe!KeI386FlatToGdtSelector + 73 80533F56 170 Bytes [0C, BD, E0, 98, 55, 80, 8B, ...] .text ntoskrnl.exe!KeRemoveByKeyDeviceQueueIfBusy + 22 80534001 19 Bytes [08, 3B, C8, 75, 14, 88, 56, ...] .text ntoskrnl.exe!KeRemoveByKeyDeviceQueueIfBusy + 36 80534015 6 Bytes [5E, C9, C2, 08, 00, 57] {POP ESI; LEAVE ; RET 0x8; PUSH EDI} .text ntoskrnl.exe!KeRemoveByKeyDeviceQueueIfBusy + 3D 8053401C 13 Bytes [7D, 0C, 3B, 79, 08, 8B, F1, ...] {JGE 0xe; CMP EDI, [ECX+0x8]; MOV ESI, ECX; JBE 0xf; MOV ECX, [ECX]; CMP ECX, EAX} .text ntoskrnl.exe!KeRemoveByKeyDeviceQueueIfBusy + 4B 8053402A 13 Bytes [F0, 3B, C8, 5F, 74, 0C, 8B, ...] .text ntoskrnl.exe!KeRemoveByKeyDeviceQueueIfBusy + 59 80534038 218 Bytes [48, 04, EB, 09, 8B, 30, 8B, ...] .text ntoskrnl.exe!KeRemoveEntryDeviceQueue + BF 80534113 18 Bytes [75, 25, 80, 7E, 2D, 05, 75, ...] .text ntoskrnl.exe!KeRemoveEntryDeviceQueue + D2 80534126 11 Bytes [6A, 02, BA, 01, 01, 00, 00, ...] .text ntoskrnl.exe!KeRemoveEntryDeviceQueue + DE 80534132 33 Bytes [FA, FF, EB, 04, C6, 46, 2E, ...] .text ntoskrnl.exe!KeRemoveEntryDeviceQueue + 100 80534154 9 Bytes [00, 00, 75, 13, FF, 86, A0, ...] .text ntoskrnl.exe!KeRemoveEntryDeviceQueue + 10A 8053415E 8 Bytes [8D, 8E, 9C, 01, 00, 00, 33, ...] {LEA ECX, [ESI+0x19c]; XOR EDX, EDX} .text ... .text ntoskrnl.exe!KeQueryPriorityThread + F6 805342E6 72 Bytes [00, FF, 80, D4, 00, 00, 00, ...] .text ntoskrnl.exe!KeQueryPriorityThread + 13F 8053432F 12 Bytes [5F, 44, EB, 09, 8D, 4D, F0, ...] .text ntoskrnl.exe!KeQueryPriorityThread + 14C 8053433C 3 Bytes [8D, 4B, 58] {LEA ECX, [EBX+0x58]} .text ntoskrnl.exe!KeQueryPriorityThread + 150 80534340 8 Bytes [55, F0, FF, D6, 80, BF, B8, ...] .text ntoskrnl.exe!KeQueryPriorityThread + 15A 8053434A 14 Bytes [00, 75, E6, 64, A1, 24, 01, ...] .text ... .text ntoskrnl.exe!KeRaiseUserException + C 80534430 22 Bytes [64, A1, 24, 01, 00, 00, 8B, ...] .text ntoskrnl.exe!KeRaiseUserException + 23 80534447 35 Bytes [40, 20, 83, 65, FC, 00, 8B, ...] .text ntoskrnl.exe!KeRaiseUserException + 47 8053446B 6 Bytes [3B, C1, 72, 03, C6, 01] .text ntoskrnl.exe!KeRaiseUserException + 4E 80534472 30 Bytes [8A, 08, 88, 08, 8A, 48, 03, ...] .text ntoskrnl.exe!KeRaiseUserException + 6E 80534492 41 Bytes [46, 68, 8B, C7, EB, 18, 90, ...] .text ... .text ntoskrnl.exe!KeSaveStateForHibernate + 6E 8053455F 18 Bytes [00, 8A, 40, 2C, 33, DB, 39, ...] {ADD [EDX-0x24ccd3c0], CL; CMP [ECX], EBX; MOV [EBP-0x1], AL; JZ 0x32; CMP AL, BL; SETZ BL} .text ntoskrnl.exe!KeSaveStateForHibernate + 81 80534572 123 Bytes [CF, B2, 01, D2, E2, 8B, 4E, ...] .text ntoskrnl.exe!KeSaveStateForHibernate + FD 805345EE 98 Bytes [12, 00, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!KeSaveStateForHibernate + 160 80534651 244 Bytes [C6, 46, 2E, 00, 8B, 46, 0C, ...] .text ntoskrnl.exe!KeSaveStateForHibernate + 255 80534746 54 Bytes [CC, CC, CC, CC, CC, CC, 90, ...] .text ... .text ntoskrnl.exe!MmMapLockedPagesWithReservedMapping + 26 80535C11 34 Bytes [00, 00, 8D, 84, 08, FF, 0F, ...] .text ntoskrnl.exe!MmMapLockedPagesWithReservedMapping + 49 80535C34 19 Bytes [40, 83, E3, FE, 3B, CB, 8D, ...] .text ntoskrnl.exe!MmMapLockedPagesWithReservedMapping + 5D 80535C48 3 Bytes JMP 80535D21 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!MmMapLockedPagesWithReservedMapping + 61 80535C4C 12 Bytes [00, 00, 8B, 0A, D1, E9, 83, ...] {ADD [EAX], AL; MOV ECX, [EDX]; SHR ECX, 0x1; CMP ECX, 0x2; JA 0x1a; PUSH ECX} .text ntoskrnl.exe!MmMapLockedPagesWithReservedMapping + 6E 80535C59 6 Bytes [75, 0C, 57, 68, 05, 01] .text ... .text ntoskrnl.exe!MmUnmapReservedMapping + 16 80535EC8 3 Bytes [8B, 88, FC] .text ntoskrnl.exe!MmUnmapReservedMapping + 1B 80535ECD 4 Bytes [BF, 2D, 00, 00] .text ntoskrnl.exe!MmUnmapReservedMapping + 20 80535ED2 25 Bytes [40, 53, 83, E2, FE, 3B, CA, ...] .text ntoskrnl.exe!MmUnmapReservedMapping + 3A 80535EEC 8 Bytes JMP 80535FAA \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!MmUnmapReservedMapping + 43 80535EF5 46 Bytes [83, F9, 02, 77, 11, 51, FF, ...] .text ... .text ntoskrnl.exe!MmAdvanceMdl + 2C 80536037 82 Bytes [00, 8B, 56, 18, 8B, 46, 14, ...] .text ntoskrnl.exe!MmAdvanceMdl + 7F 8053608A 62 Bytes [10, 00, 00, 2B, C3, 2B, CB, ...] .text ntoskrnl.exe!MmAdvanceMdl + BE 805360C9 39 Bytes [06, 01, 89, 56, 18, 89, 7D, ...] .text ntoskrnl.exe!MmAdvanceMdl + E6 805360F1 47 Bytes [46, 08, 33, C9, 85, C0, 66, ...] .text ntoskrnl.exe!MmAdvanceMdl + 116 80536121 25 Bytes [F0, 8B, 4D, 08, 0F, C1, 01, ...] .text ... .text ntoskrnl.exe!MmProtectMdlSystemAddress + 2 8053624C 47 Bytes [55, 8B, EC, 81, EC, 94, 00, ...] .text ntoskrnl.exe!MmProtectMdlSystemAddress + 32 8053627C 35 Bytes [89, 45, F8, 0F, 84, 5F, 02, ...] .text ntoskrnl.exe!MmProtectMdlSystemAddress + 56 805362A0 59 Bytes [83, F8, 07, 0F, 84, 3B, 02, ...] .text ntoskrnl.exe!MmProtectMdlSystemAddress + 92 805362DC 19 Bytes [89, 75, EC, 74, 32, 68, 4D, ...] {MOV [EBP-0x14], ESI; JZ 0x37; PUSH 0x6d506d4d; PUSH 0x14; PUSH 0x0; CALL 0x14d68} .text ntoskrnl.exe!MmProtectMdlSystemAddress + A6 805362F0 8 Bytes [C0, 89, 45, FC, 75, 0A, B8, ...] .text ... .text ntoskrnl.exe!MmFreeContiguousMemorySpecifyCache + 3 805365AE 13 Bytes [8B, EC, FF, 75, 08, E8, C9, ...] .text ntoskrnl.exe!MmFreeContiguousMemorySpecifyCache + 11 805365BC 41 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!MmGetVirtualForPhysical + 1B 805365E6 22 Bytes [8D, 04, 40, 8B, 44, C1, 04, ...] .text ntoskrnl.exe!MmGetVirtualForPhysical + 32 805365FD 54 Bytes [90, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!MmGetVirtualForPhysical + 69 80536634 63 Bytes [FF, 0B, F1, 83, C2, 04, FF, ...] .text ntoskrnl.exe!MmIsRecursiveIoFault 80536677 135 Bytes [64, A1, 24, 01, 00, 00, 8B, ...] .text ntoskrnl.exe!MmMapMemoryDumpMdl + 60 805366FF 12 Bytes [8B, 45, 08, 8B, 00, 8B, 4D, ...] .text ntoskrnl.exe!MmMapMemoryDumpMdl + 6D 8053670C 32 Bytes [00, C1, E0, 0C, 0B, C1, 8B, ...] .text ntoskrnl.exe!MmMapMemoryDumpMdl + 8E 8053672D 260 Bytes [4E, 75, CF, 5F, 5E, 5B, C9, ...] .text ntoskrnl.exe!MmMapMemoryDumpMdl + 193 80536832 23 Bytes [E4, 0D, 00, 00, 08, 84, 89, ...] .text ntoskrnl.exe!MmMapMemoryDumpMdl + 1AB 8053684A 38 Bytes [00, 8B, 58, 44, 8B, 45, 14, ...] .text ... .text ntoskrnl.exe!MmIsNonPagedSystemAddressValid + F 8053841A 7 Bytes [72, 08, 3B, 35, 94, A7, 55] .text ntoskrnl.exe!MmIsNonPagedSystemAddressValid + 17 80538422 7 Bytes [76, 27, 56, E8, 51, 1F, 00] .text ntoskrnl.exe!MmIsNonPagedSystemAddressValid + 1F 8053842A 9 Bytes [85, C0, 74, 0D, 56, E8, AD, ...] .text ntoskrnl.exe!MmIsNonPagedSystemAddressValid + 29 80538434 33 Bytes [85, C0, 0F, 95, C0, EB, 16, ...] .text ntoskrnl.exe!MmIsNonPagedSystemAddressValid + 4B 80538456 40 Bytes [CC, CC, CC, CC, CC, 90, CC, ...] .text ... .text ntoskrnl.exe!MmTrimAllSystemPagableMemory + 28 80539056 36 Bytes [00, B8, 01, 00, 00, 00, B9, ...] .text ntoskrnl.exe!MmTrimAllSystemPagableMemory + 4D 8053907B 4 Bytes [00, 9C, 58, 89] .text ntoskrnl.exe!MmTrimAllSystemPagableMemory + 52 80539080 66 Bytes [F8, F6, 45, F9, 02, 75, 12, ...] .text ntoskrnl.exe!MmTrimAllSystemPagableMemory + 95 805390C3 30 Bytes [3B, 05, C4, EF, 55, 80, 0F, ...] .text ntoskrnl.exe!MmTrimAllSystemPagableMemory + B4 805390E2 1 Byte [8B] .text ... .text ntoskrnl.exe!ZwGetWriteWatch + 12 8053B101 57 Bytes [FE, FF, FF, FF, 74, 0A, B8, ...] .text ntoskrnl.exe!ZwGetWriteWatch + 4C 8053B13B 91 Bytes [5D, 10, 3B, D9, 76, 07, B8, ...] .text ntoskrnl.exe!ZwGetWriteWatch + A8 8053B197 80 Bytes JMP 8053B54E \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!ZwGetWriteWatch + F9 8053B1E8 28 Bytes [01, 00, 00, 76, 1E, 68, 4D, ...] .text ntoskrnl.exe!ZwGetWriteWatch + 116 8053B205 4 Bytes JMP 8053B54F \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ... .text ntoskrnl.exe!ZwResetWriteWatch + 1E 8053B598 151 Bytes JMP 8053B7AB \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!ZwResetWriteWatch + B6 8053B630 16 Bytes [00, 00, FF, 15, 68, 76, 4D, ...] .text ntoskrnl.exe!ZwResetWriteWatch + C7 8053B641 41 Bytes [88, 45, 13, 8B, 01, EB, 15, ...] .text ntoskrnl.exe!ZwResetWriteWatch + F1 8053B66B 25 Bytes [4D, 13, BE, EF, 00, 00, C0, ...] .text ntoskrnl.exe!ZwResetWriteWatch + 10B 8053B685 5 Bytes [23, F2, B9, 00, 00] .text ... .text ntoskrnl.exe!ObDereferenceObject + 36 8053C9E9 48 Bytes [56, 8D, 45, F8, 50, E8, 44, ...] .text ntoskrnl.exe!ObDereferenceObject + 67 8053CA1A 11 Bytes [8D, 34, 46, 75, CA, 32, C0, ...] .text ntoskrnl.exe!ObDereferenceObject + 73 8053CA26 26 Bytes [B0, 01, EB, F7, 90, 90, CC, ...] .text ntoskrnl.exe!ObDereferenceObject + 8E 8053CA41 69 Bytes [C3, 90, 90, CC, CC, CC, CC, ...] .text ntoskrnl.exe!PoCancelDeviceNotify + F 8053CA87 48 Bytes CALL 804E3B44 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!PoCancelDeviceNotify + 40 8053CAB8 45 Bytes [8B, 11, 56, 8B, 71, 04, 89, ...] .text ntoskrnl.exe!PoCancelDeviceNotify + 6E 8053CAE6 2 Bytes CALL D2D420EE .text ntoskrnl.exe!PoCancelDeviceNotify + 71 8053CAE9 49 Bytes CALL 8054AF05 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!PoCancelDeviceNotify + A4 8053CB1C 30 Bytes [C0, 5F, 5B, C9, C2, 04, 00, ...] .text ... .text ntoskrnl.exe!PoRegisterDeviceNotify + 1C 8053CF8F 44 Bytes [39, 45, 1C, 0F, 84, 82, 00, ...] .text ntoskrnl.exe!PoRegisterDeviceNotify + 49 8053CFBC 19 Bytes CALL 804E3B44 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!PoRegisterDeviceNotify + 5D 8053CFD0 182 Bytes [C0, EB, 3C, 8B, 83, B0, 00, ...] .text ntoskrnl.exe!PoUnregisterSystemState + 20 8053D087 45 Bytes [90, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!PoUnregisterSystemState + 4E 8053D0B5 12 Bytes [F7, E2, 89, 01, 89, 51, 04, ...] .text ntoskrnl.exe!PoUnregisterSystemState + 5B 8053D0C2 45 Bytes [90, 90, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!PoUnregisterSystemState + 89 8053D0F0 24 Bytes [B1, AB, FD, FF, 01, 45, FC, ...] .text ntoskrnl.exe!PoUnregisterSystemState + A2 8053D109 1 Byte [04] .text ... .text ntoskrnl.exe!PsGetVersion + 4D 8053E2A3 2 Bytes [89, 48] .text ntoskrnl.exe!PsGetVersion + 50 8053E2A6 4 Bytes [A1, 68, C5, 54] .text ntoskrnl.exe!PsGetVersion + 55 8053E2AB 1 Byte [25] .text ntoskrnl.exe!PsGetVersion + 55 8053E2AB 6 Bytes [25, 00, 00, 00, F0, 3D] .text ntoskrnl.exe!PsGetVersion + 5C 8053E2B2 9 Bytes [00, 00, C0, 0F, 94, C0, 5D, ...] {ADD [EAX], AL; ROR BYTE [EDI], 0x94; RCR BYTE [EBP-0x3e], 0x10} .text ... .text ntoskrnl.exe!PsGetJobSessionId + E 8053E2EE 3 Bytes [5D, C2, 04] .text ntoskrnl.exe!PsGetJobSessionId + 12 8053E2F2 47 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!PsGetProcessExitStatus + 13 8053E322 70 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!PsGetProcessPriorityClass + E 8053E369 100 Bytes [5D, C2, 04, 00, 90, 90, 90, ...] .text ntoskrnl.exe!PsGetCurrentThreadStackBase + 6 8053E3CF 4 Bytes [8B, 80, 68, 01] .text ntoskrnl.exe!PsGetCurrentThreadStackBase + B 8053E3D4 199 Bytes [00, C3, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!PsGetCurrentThreadStackLimit + BC 8053E49C 69 Bytes [00, C0, 5B, C9, C2, 08, 00, ...] .text ntoskrnl.exe!DbgPrintReturnControlC + 22 8053E4E2 2 Bytes [02, 00] {ADD AL, [EAX]} .text ntoskrnl.exe!DbgPrintReturnControlC + 25 8053E4E5 15 Bytes CALL 8050573C \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!DbgPrintReturnControlC + 35 8053E4F5 120 Bytes [02, 00, 00, C6, 45, FB, 0A, ...] .text ntoskrnl.exe!DbgPrompt + 3B 8053E56E 35 Bytes [00, 5E, C9, C2, 0C, 00, CC, ...] .text ntoskrnl.exe!DbgQueryDebugFilterState + 7 8053E592 53 Bytes [47, 56, FB, FF, CC, CC, CC, ...] .text ntoskrnl.exe!DbgPrintEx + 17 8053E5C8 8 Bytes CALL 805057BE \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!DbgPrintEx + 20 8053E5D1 40 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] .text ntoskrnl.exe!vDbgPrintEx + 1F 8053E5FA 49 Bytes [00, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!vDbgPrintEx + 51 8053E62C 4 Bytes [74, 07, B8, 0D] .text ntoskrnl.exe!vDbgPrintEx + 56 8053E631 72 Bytes [00, C0, EB, 4C, 8B, 4D, 0C, ...] .text ntoskrnl.exe!vDbgPrintEx + 9F 8053E67A 10 Bytes [C0, EB, 02, 33, C0, 5F, 5E, ...] .text ntoskrnl.exe!vDbgPrintEx + AA 8053E685 227 Bytes [90, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!RtlFindSetBits + 53 8053E76A 90 Bytes [00, EB, 09, 8B, 45, 10, 8B, ...] .text ntoskrnl.exe!RtlFindSetBits + AE 8053E7C5 40 Bytes [22, 8B, EC, 9C, 4E, 80, 47, ...] .text ntoskrnl.exe!RtlFindSetBits + D7 8053E7EE 34 Bytes [F7, D0, 23, C2, 89, 45, EC, ...] .text ntoskrnl.exe!RtlFindSetBits + FB 8053E812 10 Bytes [00, 8B, 45, EC, 0F, BE, 80, ...] {ADD [EBX-0x41f013bb], CL; SUB BYTE [EAX-0x47], 0x4e} .text ntoskrnl.exe!RtlFindSetBits + 106 8053E81D 6 Bytes [3B, C6, 0F, 83, 78, 01] .text ... .text ntoskrnl.exe!RtlFindLongestRunClear + 20 8053EA01 3 Bytes [4D, F8, 89] .text ntoskrnl.exe!RtlFindLongestRunClear + 24 8053EA05 64 Bytes [8B, 45, FC, EB, 05, 83, 20, ...] .text ntoskrnl.exe!RtlFindMostSignificantBit + 6 8053EA46 9 Bytes [55, 0C, 33, C0, 8B, CA, 53, ...] .text ntoskrnl.exe!RtlFindMostSignificantBit + 10 8053EA50 43 Bytes [45, 08, 56, 74, 38, 8B, F2, ...] .text ntoskrnl.exe!RtlFindMostSignificantBit + 3C 8053EA7C 55 Bytes [FF, 00, 00, 33, C9, 0B, CE, ...] .text ntoskrnl.exe!RtlFindMostSignificantBit + 75 8053EAB5 168 Bytes [33, F6, 0B, CE, 74, 04, B3, ...] .text ntoskrnl.exe!RtlFindFirstRunClear + 25 8053EB5E 293 Bytes [00, A1, 20, 1A, 55, 80, 89, ...] .text ntoskrnl.exe!RtlFindFirstRunClear + 14C 8053EC85 11 Bytes [00, 46, 75, 6E, 63, 74, 69, ...] {ADD [ESI+0x75], AL; OUTSB ; ARPL [ECX+EBP*2+0x6f], SI; OUTSB ; CMP AH, [EAX]} .text ntoskrnl.exe!RtlFindFirstRunClear + 158 8053EC91 74 Bytes [00, 00, 00, 00, 00, 0A, 2A, ...] .text ntoskrnl.exe!RtlFindFirstRunClear + 1A4 8053ECDD 9 Bytes [00, 42, 72, 65, 61, 6B, 20, ...] .text ntoskrnl.exe!RtlFindFirstRunClear + 1AE 8053ECE7 46 Bytes [65, 61, 74, 65, 64, 6C, 79, ...] .text ... .text ntoskrnl.exe!RtlCaptureStackBackTrace + 3C 8053EDD1 7 Bytes [85, FF, 76, 24, 8D, 94, B5] .text ntoskrnl.exe!RtlCaptureStackBackTrace + 44 8053EDD9 55 Bytes [FF, FF, FF, 53, 8D, 0C, 06, ...] .text ntoskrnl.exe!RtlCaptureStackBackTrace + 7D 8053EE12 36 Bytes [00, 00, 83, C1, 04, 4A, 75, ...] .text ntoskrnl.exe!RtlCaptureStackBackTrace + A2 8053EE37 4 Bytes [BE, 54, EE, 53] .text ntoskrnl.exe!RtlCaptureStackBackTrace + A7 8053EE3C 6 Bytes [A5, 66, A5, 5F, C6, 00] .text ... .text ntoskrnl.exe!RtlSubtreeSuccessor + 2 8053EF5B 166 Bytes [55, 8B, EC, 8B, 45, 08, 8B, ...] .text ntoskrnl.exe!RtlInsertElementGenericTableFull + 1D 8053F002 21 Bytes [D8, 85, DB, 75, 0D, 8B, 45, ...] .text ntoskrnl.exe!RtlInsertElementGenericTableFull + 33 8053F018 45 Bytes [83, 63, 08, 00, 89, 1B, 8D, ...] .text ntoskrnl.exe!RtlInsertElementGenericTableFull + 61 8053F046 45 Bytes [05, 89, 58, 04, EB, 03, 89, ...] .text ntoskrnl.exe!RtlInsertElementGenericTableFull + 8F 8053F074 86 Bytes [08, 89, 01, 8B, 45, 14, 85, ...] .text ntoskrnl.exe!RtlGetElementGenericTable + 10 8053F0CC 55 Bytes [8B, 71, 10, 57, 8B, 7D, 0C, ...] .text ntoskrnl.exe!RtlGetElementGenericTable + 48 8053F104 69 Bytes [00, 75, FB, EB, 23, 8B, FB, ...] .text ntoskrnl.exe!RtlGetElementGenericTable + 8E 8053F14A 15 Bytes [90, 8B, FF, 55, 8B, EC, 8B, ...] .text ntoskrnl.exe!RtlNumberGenericTableElements + F 8053F15A 62 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] .text ntoskrnl.exe!RtlEnumerateGenericTableWithoutSplaying + 35 8053F199 229 Bytes [48, 04, 85, C9, 75, F7, EB, ...] .text ntoskrnl.exe!RtlDeleteElementGenericTable + 45 8053F27F 114 Bytes [57, 20, B0, 01, 5E, EB, 02, ...] .text ntoskrnl.exe!RtlEnumerateGenericTable + 13 8053F2F2 94 Bytes [25, 80, 7D, 0C, 00, 75, 27, ...] .text ntoskrnl.exe!RtlLookupElementGenericTable + 1C 8053F351 47 Bytes [90, 90, 90, CC, CC, CC, CC, ...] .text ntoskrnl.exe!RtlLookupElementGenericTable + 4C 8053F381 121 Bytes [8B, 41, 04, 85, C0, 74, 0F, ...] .text ntoskrnl.exe!RtlGetElementGenericTableAvl + 30 8053F3FB 6 Bytes [46, 08, EB, 02, 8B, C1] .text ntoskrnl.exe!RtlGetElementGenericTableAvl + 37 8053F402 37 Bytes [48, 04, 85, C9, 75, F7, 21, ...] .text ntoskrnl.exe!RtlGetElementGenericTableAvl + 5D 8053F428 101 Bytes [4A, 75, F7, EB, 5A, 8B, 46, ...] .text ntoskrnl.exe!RtlGetElementGenericTableAvl + C3 8053F48E 41 Bytes [C0, 10, EB, 02, 33, C0, 5F, ...] .text ntoskrnl.exe!RtlGetElementGenericTableAvl + ED 8053F4B8 25 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!RtlEnumerateGenericTableLikeADirectory + 3 8053F4D2 2 Bytes [8B, EC] {MOV EBP, ESP} .text ntoskrnl.exe!RtlEnumerateGenericTableLikeADirectory + 6 8053F4D5 5 Bytes [8B, 45, 18, 53, 56] {MOV EAX, [EBP+0x18]; PUSH EBX; PUSH ESI} .text ntoskrnl.exe!RtlEnumerateGenericTableLikeADirectory + C 8053F4DB 38 Bytes [30, 57, 8B, 7D, 08, 33, DB, ...] .text ntoskrnl.exe!RtlEnumerateGenericTableLikeADirectory + 33 8053F502 33 Bytes [45, 1C, 8B, 00, 3B, 47, 24, ...] .text ntoskrnl.exe!RtlEnumerateGenericTableLikeADirectory + 55 8053F524 82 Bytes [74, 14, 83, F8, 03, 89, 5D, ...] .text ... .text ntoskrnl.exe!RtlIpv6AddressToStringA + 16 8053F74F 5 Bytes [00, 00, 0F, 85, B0] .text ntoskrnl.exe!RtlIpv6AddressToStringA + 1C 8053F755 40 Bytes [00, 00, 66, 39, 56, 02, 0F, ...] .text ntoskrnl.exe!RtlIpv6AddressToStringA + 45 8053F77E 117 Bytes [00, 66, 8B, 4E, 08, 66, 3B, ...] .text ntoskrnl.exe!RtlIpv6AddressToStringA + BB 8053F7F4 23 Bytes CALL 8050B62A \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlIpv6AddressToStringA + D3 8053F80C 73 Bytes [F7, 46, 08, FD, FF, 89, 55, ...] .text ... .text ntoskrnl.exe!RtlIpv6AddressToStringExA + 1D 8053F983 4 Bytes [FC, 0F, 84, 92] .text ntoskrnl.exe!RtlIpv6AddressToStringExA + 22 8053F988 7 Bytes [00, 00, 85, FF, 0F, 84, 8A] .text ntoskrnl.exe!RtlIpv6AddressToStringExA + 2B 8053F991 58 Bytes [00, 85, DB, 0F, 84, 82, 00, ...] .text ntoskrnl.exe!RtlIpv6AddressToStringExA + 66 8053F9CC 15 Bytes CALL 8050B62C \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlIpv6AddressToStringExA + 76 8053F9DC 3 Bytes [74, 1C, 66] .text ... .text ntoskrnl.exe!RtlIpv4AddressToStringA + 24 8053FA6F 135 Bytes CALL 8050B62A \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlIpv4AddressToStringExA + 5E 8053FAF7 40 Bytes [D6, 39, 13, 73, 07, B8, 0D, ...] .text ntoskrnl.exe!RtlIpv4AddressToStringExA + 87 8053FB20 19 Bytes [00, C0, 8B, 4D, FC, 5F, 5B, ...] .text ntoskrnl.exe!RtlIpv4AddressToStringExA + 9B 8053FB34 40 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!RtlIpv6AddressToStringW + 1D 8053FB5D 4 Bytes [00, 66, 39, 56] {ADD [ESI+0x39], AH; PUSH ESI} .text ntoskrnl.exe!RtlIpv6AddressToStringW + 22 8053FB62 191 Bytes [0F, 85, A8, 00, 00, 00, 66, ...] .text ntoskrnl.exe!RtlIpv6AddressToStringW + E2 8053FC22 12 Bytes [81, 7E, 0A, 5E, FE, 75, 07, ...] .text ntoskrnl.exe!RtlIpv6AddressToStringW + EF 8053FC2F 238 Bytes [00, 53, 8B, 5D, F8, 3B, DA, ...] .text ntoskrnl.exe!RtlIpv6AddressToStringW + 1DE 8053FD1E 1 Byte [00] .text ... .text ntoskrnl.exe!RtlIpv6AddressToStringExW + 2D 8053FDD6 65 Bytes [00, 00, 85, DB, 0F, 84, 84, ...] .text ntoskrnl.exe!RtlIpv6AddressToStringExW + 6F 8053FE18 16 Bytes CALL 804F7439 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlIpv6AddressToStringExW + 80 8053FE29 48 Bytes [74, 1D, 66, 8B, 45, 10, 8A, ...] .text ntoskrnl.exe!RtlIpv6AddressToStringExW + B1 8053FE5A 35 Bytes [CE, 8B, F0, F3, 66, A5, 33, ...] .text ntoskrnl.exe!RtlIpv6AddressToStringExW + D5 8053FE7E 18 Bytes [25, 00, 25, 00, 75, 00, 00, ...] .text ... .text ntoskrnl.exe!RtlIpv4AddressToStringW + 2 8053FEA0 25 Bytes [55, 8B, EC, 8B, 45, 08, 0F, ...] .text ntoskrnl.exe!RtlIpv4AddressToStringW + 1C 8053FEBA 4 Bytes [51, 25, FF, 00] .text ntoskrnl.exe!RtlIpv4AddressToStringW + 22 8053FEC0 35 Bytes [50, 68, D8, FE, 53, 80, 56, ...] .text ntoskrnl.exe!RtlIpv4AddressToStringW + 46 8053FEE4 9 Bytes [25, 00, 75, 00, 2E, 00, 25, ...] .text ntoskrnl.exe!RtlIpv4AddressToStringW + 50 8053FEEE 9 Bytes [00, 00, CC, CC, CC, CC, CC, ...] {ADD [EAX], AL; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 } .text ... .text ntoskrnl.exe!RtlIpv4AddressToStringExW + D 8053FF09 17 Bytes [89, 45, FC, 8B, 45, 08, 85, ...] .text ntoskrnl.exe!RtlIpv4AddressToStringExW + 1F 8053FF1B 95 Bytes [85, FF, 74, 59, 85, DB, 74, ...] .text ntoskrnl.exe!RtlIpv4AddressToStringExW + 7F 8053FF7B 14 Bytes [00, C0, 8B, 4D, FC, 5F, 5B, ...] .text ntoskrnl.exe!RtlIpv4AddressToStringExW + 8E 8053FF8A 7 Bytes [00, 90, 3A, 00, 25, 00, 75] .text ntoskrnl.exe!RtlIpv4AddressToStringExW + 98 8053FF94 61 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!RtlIpv6StringToAddressA + 2F 8053FFD3 94 Bytes [EB, 02, 33, D2, 8B, 45, F4, ...] .text ntoskrnl.exe!RtlIpv6StringToAddressA + 8E 80540032 5 Bytes [0F, 87, A6, 01, 00] .text ntoskrnl.exe!RtlIpv6StringToAddressA + 94 80540038 17 Bytes JMP 805401CF \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlIpv6StringToAddressA + A6 8054004A 14 Bytes [0F, 87, 8E, 01, 00, 00, 83, ...] .text ntoskrnl.exe!RtlIpv6StringToAddressA + B6 8054005A 25 Bytes [8D, 47, 01, 38, 18, 75, 23, ...] .text ... .text ntoskrnl.exe!RtlIpv6StringToAddressExA + 2C 805402F5 56 Bytes [88, 4D, 0B, 75, 05, C6, 45, ...] .text ntoskrnl.exe!RtlIpv6StringToAddressExA + 65 8054032E 48 Bytes [00, 85, C0, 59, 75, 5D, B8, ...] .text ntoskrnl.exe!RtlIpv6StringToAddressExA + 96 8054035F 11 Bytes [45, F0, 6A, 0A, 59, F7, E1, ...] .text ntoskrnl.exe!RtlIpv6StringToAddressExA + A2 8054036B 79 Bytes [C7, 99, 03, C8, 13, DA, 83, ...] .text ntoskrnl.exe!RtlIpv6StringToAddressExA + F2 805403BB 99 Bytes [00, 00, 0F, 85, 01, 01, 00, ...] .text ... .text ntoskrnl.exe!RtlIpv4StringToAddressA + 68 80540577 69 Bytes [74, 0A, 83, 7D, FC, 0A, 0F, ...] .text ntoskrnl.exe!RtlIpv4StringToAddressA + AE 805405BD 8 Bytes [FC, 10, 75, 56, 56, E8, C3, ...] .text ntoskrnl.exe!RtlIpv4StringToAddressA + B8 805405C7 21 Bytes [85, C0, 59, 74, 4B, 56, E8, ...] .text ntoskrnl.exe!RtlIpv4StringToAddressA + CE 805405DD 43 Bytes [85, C0, 59, 74, 0F, 56, E8, ...] .text ntoskrnl.exe!RtlIpv4StringToAddressA + FA 80540609 50 Bytes [C0, C6, 45, 0B, 01, 89, 75, ...] .text ... .text ntoskrnl.exe!RtlIpv4StringToAddressExA + E 80540731 12 Bytes [84, 5C, 01, 00, 00, 39, 75, ...] .text ntoskrnl.exe!RtlIpv4StringToAddressExA + 1B 8054073E 17 Bytes [00, 39, 75, 14, 0F, 84, 4A, ...] {ADD [ECX], BH; JNZ 0x18; JZ 0x154; PUSH DWORD [EBP+0x10]; LEA EAX, [EBP+0x10]; PUSH EAX} .text ntoskrnl.exe!RtlIpv4StringToAddressExA + 2D 80540750 17 Bytes [75, 0C, FF, 75, 08, E8, B5, ...] .text ntoskrnl.exe!RtlIpv4StringToAddressExA + 3F 80540762 12 Bytes [8B, 7D, 10, 8A, 07, 3C, 3A, ...] .text ntoskrnl.exe!RtlIpv4StringToAddressExA + 4C 8054076F 16 Bytes [47, 80, 3F, 30, C6, 45, 13, ...] .text ... .text ntoskrnl.exe!RtlIpv6StringToAddressW + 28 805408EB 61 Bytes [00, 8B, 45, F0, 2B, C2, 0F, ...] .text ntoskrnl.exe!RtlIpv6StringToAddressW + 67 8054092A 6 Bytes [00, 56, E8, 47, 83, FC] .text ntoskrnl.exe!RtlIpv6StringToAddressW + 6E 80540931 111 Bytes [85, C0, 59, 59, 74, 16, FF, ...] .text ntoskrnl.exe!RtlIpv6StringToAddressW + DE 805409A1 18 Bytes [80, 7D, 0B, 00, 0F, 85, 35, ...] .text ntoskrnl.exe!RtlIpv6StringToAddressW + F1 805409B4 9 Bytes [00, 83, 7D, FC, 06, 0F, 87, ...] .text ... .text ntoskrnl.exe!RtlIpv6StringToAddressExW + 1 80540BC7 2 Bytes [FF, 55] .text ntoskrnl.exe!RtlIpv6StringToAddressExW + 4 80540BCA 37 Bytes [EC, 83, EC, 10, 8B, 45, 08, ...] .text ntoskrnl.exe!RtlIpv6StringToAddressExW + 2A 80540BF0 61 Bytes [39, 5D, 14, 0F, 84, 1F, 02, ...] .text ntoskrnl.exe!RtlIpv6StringToAddressExW + 69 80540C2F 26 Bytes [00, 47, 47, 33, F6, 66, 8B, ...] .text ntoskrnl.exe!RtlIpv6StringToAddressExW + 84 80540C4A 25 Bytes [85, C0, 59, 59, 0F, 84, C4, ...] .text ... .text ntoskrnl.exe!RtlIpv4StringToAddressExW + 13 80540E4A 16 Bytes [39, 5D, 10, 0F, 84, 3D, 01, ...] .text ntoskrnl.exe!RtlIpv4StringToAddressExW + 25 80540E5C 41 Bytes [FF, 75, 10, 8D, 45, 10, 50, ...] .text ntoskrnl.exe!RtlIpv4StringToAddressExW + 4F 80540E86 14 Bytes [47, 47, 66, 83, 3F, 30, C6, ...] .text ntoskrnl.exe!RtlIpv4StringToAddressExW + 5E 80540E95 58 Bytes [00, 00, 75, 21, 47, 47, 66, ...] .text ntoskrnl.exe!RtlIpv4StringToAddressExW + 9A 80540ED1 36 Bytes [47, 47, 66, 81, FE, 80, 00, ...] .text ... .text ntoskrnl.exe!RtlLargeIntegerDivide + 1 80540FBC 24 Bytes [FF, 55, 8B, EC, 53, 8B, 5D, ...] .text ntoskrnl.exe!RtlLargeIntegerDivide + 1A 80540FD5 4 Bytes CALL 8054241A \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlLargeIntegerDivide + 1F 80540FDA 11 Bytes [00, 8B, 55, 0C, 8B, 45, 08, ...] {ADD [EBX+0x458b0c55], CL; OR BH, AL; INC EBP; OR AL, 0x40} .text ntoskrnl.exe!RtlLargeIntegerDivide + 2B 80540FE6 8 Bytes [00, 00, 8B, CE, C1, E9, 1F, ...] .text ntoskrnl.exe!RtlLargeIntegerDivide + 34 80540FEF 100 Bytes [0B, F9, 8B, CA, C1, E9, 1F, ...] .text ntoskrnl.exe!RtlRandomEx + 9 80541054 1 Byte [80] .text ntoskrnl.exe!RtlRandomEx + 9 80541054 85 Bytes [80, 83, E0, 7F, 53, 8D, 0C, ...] .text ntoskrnl.exe!RtlRandomEx + 60 805410AB 40 Bytes [90, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!RtlTimeToSecondsSince1980 + 17 805410D4 14 Bytes CALL 804DB605 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlTimeToSecondsSince1980 + 26 805410E3 20 Bytes [2B, C1, 8B, 0D, 6C, 9C, 52, ...] .text ntoskrnl.exe!RtlTimeToSecondsSince1980 + 3B 805410F8 44 Bytes [B0, 01, 5D, C2, 08, 00, CC, ...] .text ntoskrnl.exe!RtlSecondsSince1980ToTime + 1D 80541125 49 Bytes CALL 804DB69B \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlTimeToSecondsSince1970 + 10 80541157 87 Bytes [FF, 35, 70, 9C, 52, 80, FF, ...] .text ntoskrnl.exe!RtlTimeToSecondsSince1970 + 68 805411AF 86 Bytes [C8, 83, E1, 0F, 8D, 4C, 8E, ...] .text ntoskrnl.exe!RtlTimeToSecondsSince1970 + BF 80541206 6 Bytes [45, 14, 85, C0, 74, 02] .text ntoskrnl.exe!RtlTimeToSecondsSince1970 + C6 8054120D 100 Bytes [10, B0, 01, EB, EC, CC, CC, ...] .text ntoskrnl.exe!RtlTimeToSecondsSince1970 + 12B 80541272 85 Bytes [00, 5D, C2, 0C, 00, 90, CC, ...] .text ... .text ntoskrnl.exe!RtlTraceDatabaseEnumerate + 7 8054136E 12 Bytes CALL 805412EE \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!RtlTraceDatabaseEnumerate + 14 8054137B 164 Bytes [08, 33, DB, 3B, CB, 75, 0C, ...] .text ntoskrnl.exe!RtlTraceDatabaseCreate + 2C 80541420 126 Bytes [00, 00, 8B, 4D, 10, 83, C9, ...] .text ntoskrnl.exe!RtlTraceDatabaseCreate + AB 8054149F 36 Bytes [10, 00, 00, 8B, 4E, 40, C1, ...] .text ntoskrnl.exe!RtlTraceDatabaseCreate + D0 805414C4 66 Bytes [10, 00, 00, 89, 43, 14, 89, ...] .text ntoskrnl.exe!RtlTraceDatabaseDestroy + 23 80541508 155 Bytes [00, FF, 73, 08, 56, E8, 71, ...] .text ntoskrnl.exe!RtlTraceDatabaseValidate + 26 805415A4 114 Bytes [D0, 8B, 01, EB, 03, 8B, 40, ...] .text ntoskrnl.exe!RtlTraceDatabaseFind + 4A 80541617 185 Bytes [0C, 50, FF, 75, 10, 53, 57, ...] .text ntoskrnl.exe!RtlTraceDatabaseFind + 104 805416D1 22 Bytes [59, 59, EB, 8C, 03, CE, 89, ...] .text ntoskrnl.exe!RtlTraceDatabaseFind + 11B 805416E8 11 Bytes [00, 00, 8D, 46, 20, 89, 46, ...] .text ntoskrnl.exe!RtlTraceDatabaseFind + 127 805416F4 128 Bytes [83, 66, 10, 00, 8B, C3, C1, ...] .text ntoskrnl.exe!RtlTraceDatabaseFind + 1A8 80541775 72 Bytes [6F, 20, 73, 61, 76, 65, 20, ...] .text ntoskrnl.exe!RtlTraceDatabaseUnlock + 2 805417BE 5 Bytes [55, 8B, EC, 5D, E9] .text ntoskrnl.exe!RtlTraceDatabaseUnlock + 8 805417C4 25 Bytes [FB, FF, FF, CC, CC, CC, CC, ...] .text ntoskrnl.exe!RtlTraceDatabaseAdd + E 805417DF 9 Bytes [FF, 75, 14, FF, 75, 10, FF, ...] {PUSH DWORD [EBP+0x14]; PUSH DWORD [EBP+0x10]; PUSH DWORD [EBP+0xc]} .text ntoskrnl.exe!RtlTraceDatabaseAdd + 18 805417E9 5 Bytes [75, 08, E8, 18, FE] .text ntoskrnl.exe!RtlTraceDatabaseAdd + 1E 805417EF 67 Bytes [FF, FF, 75, 08, 8A, D8, E8, ...] .text ntoskrnl.exe!RtlTraceDatabaseAdd + 62 80541833 68 Bytes [00, 68, 45, 64, 62, 67, 50, ...] .text ntoskrnl.exe!RtlTraceDatabaseAdd + A8 80541879 9 Bytes [00, 53, 56, 57, 8B, 1D, C0, ...] .text ... .text ntoskrnl.exe!VfFailDeviceNode + 1B 80543074 199 Bytes [45, FC, 50, FF, 75, 20, FF, ...] .text ntoskrnl.exe!VfFailDriver + 62 8054313D 4 Bytes [90, 90, 90, 8B] .text ntoskrnl.exe!VfFailDriver + 67 80543142 3 Bytes [55, 8B, EC] {PUSH EBP; MOV EBP, ESP} .text ntoskrnl.exe!VfFailDriver + 6B 80543146 48 Bytes [55, 08, 8D, 42, 4C, 89, 45, ...] .text ntoskrnl.exe!VfFailDriver + 9C 80543177 122 Bytes [90, 90, 90, 90, 8B, FF, 55, ...] .text ntoskrnl.exe!VfFailDriver + 117 805431F2 128 Bytes [EB, 0A, 8B, 51, 0C, 3B, 55, ...] .text ... .text ntoskrnl.exe!WmiGetClock + 3F 805449F7 90 Bytes [F0, EB, 07, 8B, CF, E8, 5C, ...] .text ntoskrnl.exe!WmiGetClock + 9A 80544A52 51 Bytes [EB, 06, FF, 15, A4, 15, 55, ...] .text ntoskrnl.exe!WmiGetClock + CE 80544A86 96 Bytes [88, 55, E4, 8B, F9, 89, 7D, ...] .text ntoskrnl.exe!WmiGetClock + 12F 80544AE7 31 Bytes [0B, 00, 75, 07, C7, 45, D8, ...] .text ntoskrnl.exe!WmiGetClock + 14F 80544B07 12 Bytes [00, 06, 00, 75, 09, C7, 45, ...] {ADD [ESI], AL; ADD [EBP+0x9], DH; MOV DWORD [EBP-0x24], 0xc0000001} .text ... .text ntoskrnl.exe!WmiTraceMessageVa + 3C 805450D5 89 Bytes [8D, 04, 95, 00, 16, 56, 80, ...] .text ntoskrnl.exe!WmiTraceMessageVa + 97 80545130 51 Bytes [D8, 04, 8D, 44, 47, 02, 8B, ...] .text ntoskrnl.exe!WmiTraceMessageVa + CB 80545164 54 Bytes [EB, 02, 33, C9, 89, 4D, C8, ...] .text ntoskrnl.exe!WmiTraceMessageVa + 102 8054519B 5 Bytes [C0, E9, C3, 01, 00] {SHR CL, 0xc3; ADD [EAX], EAX} .text ntoskrnl.exe!WmiTraceMessageVa + 108 805451A1 3 Bytes [8D, 81, BC] .text ... .text ntoskrnl.exe!NtTraceEvent + 64 8054541C 5 Bytes [89, 7D, E4, B8, 01] .text ntoskrnl.exe!NtTraceEvent + 6A 80545422 21 Bytes [00, 00, 8B, 4D, E4, 0F, C1, ...] .text ntoskrnl.exe!NtTraceEvent + 80 80545438 63 Bytes [17, 56, 80, 74, 05, 33, C0, ...] .text ntoskrnl.exe!NtTraceEvent + C1 80545479 15 Bytes [FF, 8B, 4D, DC, 0F, C1, 01, ...] .text ntoskrnl.exe!NtTraceEvent + D1 80545489 4 Bytes [C0, 8D, 04, 9D] .text ... .text ntoskrnl.exe!IoWMIDeviceObjectToInstanceName + 91 805455FC 31 Bytes [83, 66, 18, 00, 8B, C8, C1, ...] .text ntoskrnl.exe!IoWMIDeviceObjectToInstanceName + B1 8054561C 40 Bytes [03, 00, 85, C0, 7D, 03, 89, ...] .text ntoskrnl.exe!IoWMIDeviceObjectToInstanceName + DA 80545645 63 Bytes CALL 8054AF04 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoWMIDeviceObjectToInstanceName + 11A 80545685 40 Bytes CALL 805455DE \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!IoWMIDeviceObjectToInstanceName + 143 805456AE 124 Bytes [F4, 6A, 10, 8D, 45, F0, 50, ...] .text ... .text ntoskrnl.exe!ExGetSharedWaiterCount + 1 80545754 99 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...] .text ntoskrnl.exe!ExGetSharedWaiterCount + 65 805457B8 7 Bytes [88, 45, 0B, B8, 08, 31, 56] .text ntoskrnl.exe!ExGetSharedWaiterCount + 6D 805457C0 51 Bytes [EB, 10, 3B, F7, 72, 07, 8D, ...] .text ntoskrnl.exe!ExGetSharedWaiterCount + A1 805457F4 35 Bytes [FC, FF, 83, C4, 0C, E8, 16, ...] .text ntoskrnl.exe!ExGetSharedWaiterCount + C5 80545818 78 Bytes [29, 20, 63, 6F, 6E, 74, 61, ...] .text ... .text ntoskrnl.exe!ExQueryPoolBlockSize 80545A8D 11 Bytes [8B, FF, 55, 8B, EC, F6, 05, ...] .text ntoskrnl.exe!ExQueryPoolBlockSize + C 80545A99 31 Bytes [56, 8B, 75, 08, 74, 18, 56, ...] .text ntoskrnl.exe!ExQueryPoolBlockSize + 2C 80545AB9 22 Bytes [C6, FF, 0F, 75, 0D, 8B, 45, ...] .text ntoskrnl.exe!ExQueryPoolBlockSize + 43 80545AD0 146 Bytes [66, 8B, 46, FA, 33, C9, 25, ...] .text ntoskrnl.exe!ExQueryPoolBlockSize + D6 80545B63 52 Bytes [75, 3E, BB, FF, 01, 00, 00, ...] .text ... .text ntoskrnl.exe!ExAllocatePoolWithQuota + 2 805462ED 74 Bytes [55, 8B, EC, 68, 4E, 6F, 6E, ...] .text ntoskrnl.exe!ExUnregisterCallback + 1E 80546338 7 Bytes [FF, D7, 8B, 1D, 98, 75, 4D] .text ntoskrnl.exe!ExUnregisterCallback + 26 80546340 14 Bytes [EB, 25, 8B, 4D, 08, C6, 46, ...] .text ntoskrnl.exe!ExUnregisterCallback + 35 8054634F 39 Bytes [00, FF, D3, 33, C0, 50, 50, ...] .text ntoskrnl.exe!ExUnregisterCallback + 5D 80546377 56 Bytes [79, 04, 8B, 4D, FC, 83, C1, ...] .text ntoskrnl.exe!ExUnregisterCallback + 96 805463B0 21 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!ExDeleteNPagedLookasideList + 2 805463C6 32 Bytes [55, 8B, EC, 56, 57, FF, 15, ...] .text ntoskrnl.exe!ExDeleteNPagedLookasideList + 23 805463E7 53 Bytes [C7, 46, 28, AB, 63, 54, 80, ...] .text ntoskrnl.exe!ExExtendZone + 4 8054641D 26 Bytes [EC, 8B, 4D, 0C, F6, C1, 07, ...] .text ntoskrnl.exe!ExExtendZone + 1F 80546438 87 Bytes [50, 04, 89, 11, 56, 8B, D3, ...] .text ntoskrnl.exe!ExInterlockedExtendZone + D 80546490 8 Bytes [FF, 75, 10, 8A, D8, FF, 75, ...] {PUSH DWORD [EBP+0x10]; MOV BL, AL; PUSH DWORD [EBP+0xc]} .text ntoskrnl.exe!ExInterlockedExtendZone + 16 80546499 80 Bytes CALL 80546417 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!ExInterlockedExtendZone + 67 805464EA 30 Bytes [B8, 01, 00, 00, C0, E9, D4, ...] .text ntoskrnl.exe!ExInterlockedExtendZone + 86 80546509 29 Bytes [89, 75, E0, 21, 55, FC, 8B, ...] .text ntoskrnl.exe!ExInterlockedExtendZone + A4 80546527 110 Bytes [04, 8B, 4B, 5C, 89, 48, 08, ...] .text ... .text ntoskrnl.exe!ExGetCurrentProcessorCpuUsage + 10 80546728 6 Bytes [00, 03, 88, A8, 04, 00] .text ntoskrnl.exe!ExGetCurrentProcessorCpuUsage + 18 80546730 1 Byte [40] .text ntoskrnl.exe!ExGetCurrentProcessorCpuUsage + 18 80546730 14 Bytes [40, 0C, 8B, 80, 44, 01, 00, ...] .text ntoskrnl.exe!ExGetCurrentProcessorCpuUsage + 27 8054673F 16 Bytes CALL 804D9AA2 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!ExGetCurrentProcessorCpuUsage + 38 80546750 33 Bytes [08, 5D, C2, 04, 00, CC, CC, ...] .text ntoskrnl.exe!ExGetCurrentProcessorCounts + 14 80546773 9 Bytes [8B, 55, 08, 89, 0A, 8B, 88, ...] .text ntoskrnl.exe!ExGetCurrentProcessorCounts + 1E 8054677D 98 Bytes [00, 03, 88, A8, 04, 00, 00, ...] .text ntoskrnl.exe!ExGetCurrentProcessorCounts + 81 805467E0 4 Bytes [B9, 50, 1C, 56] .text ntoskrnl.exe!ExGetCurrentProcessorCounts + 86 805467E5 115 Bytes [0F, C1, 01, 40, 83, F8, 01, ...] .text ntoskrnl.exe!ExGetCurrentProcessorCounts + FA 80546859 71 Bytes [00, 00, 7C, DD, 5F, 5E, 5B, ...] .text ntoskrnl.exe!_purecall + 19 805468A1 465 Bytes [EC, 8B, 45, 08, 66, A9, 80, ...] .text ntoskrnl.exe!XIPDispatch + 174 80546A73 127 Bytes [C2, 57, EB, 03, 80, C2, 30, ...] .text ntoskrnl.exe!_itoa + 51 80546AF3 59 Bytes [83, FA, 09, 76, 05, 83, C2, ...] .text ntoskrnl.exe!_itoa + 8D 80546B2F 37 Bytes [90, 90, 90, 8B, FF, 55, 8B, ...] .text ntoskrnl.exe!_itow + 23 80546B55 38 Bytes [FF, FF, 8B, 45, 0C, 5D, C3, ...] .text ntoskrnl.exe!_strlwr + 2 80546B7C 63 Bytes [55, 8B, EC, 8B, 45, 08, 80, ...] .text ntoskrnl.exe!_strlwr + 46 80546BC0 99 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!_vsnwprintf + 40 80546C24 6 Bytes [FF, 45, E0, EB, 0D, 8D] .text ntoskrnl.exe!_vsnwprintf + 47 80546C2B 107 Bytes CALL 8050D86F \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!_wcslwr + 2D 80546C97 39 Bytes [75, E1, 5D, C3, 90, CC, CC, ...] .text ntoskrnl.exe!_wcsnset + 13 80546CBF 8 Bytes [4D, 10, 66, 39, 11, 74, 0E, ...] {DEC EBP; ADC [ESI+0x39], AH; ADC [ESI+ECX+0x66], ESI} .text ntoskrnl.exe!_wcsnset + 1C 80546CC8 14 Bytes [75, 0C, 66, 89, 31, 41, 41, ...] {JNZ 0xe; MOV [ECX], SI; INC ECX; INC ECX; CMP [EBP+0x10], EDX; JNZ 0xfffffffffffffff6; POP ESI; POP EBP} .text ntoskrnl.exe!_wcsnset + 2B 80546CD7 30 Bytes [90, CC, CC, CC, CC, CC, 90, ...] .text ntoskrnl.exe!_wcsrev + 14 80546CF6 62 Bytes JMP F425A7FF .text ntoskrnl.exe!_wcsrev + 53 80546D35 14 Bytes [FF, 55, 8B, EC, 56, 8B, 75, ...] {CALL [EBP-0x75]; IN AL, DX ; PUSH ESI; MOV ESI, [EBP+0x8]; TEST ESI, ESI; JNZ 0x15; XOR EAX, EAX} .text ntoskrnl.exe!_wcsrev + 62 80546D44 11 Bytes JMP 80546DE0 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) .text ntoskrnl.exe!_wcsrev + 6E 80546D50 44 Bytes [01, 0F, B6, 06, 7E, 0C, 6A, ...] .text ntoskrnl.exe!_wcsrev + 9B 80546D7D 53 Bytes [FF, 2D, 8B, DF, 74, 05, 83, ...] .text ... .text ntoskrnl.exe!islower + 1E 80546E82 6 Bytes [08, 8B, 0D, 70, 1A, 55] {OR [EBX+0x551a700d], CL} .text ntoskrnl.exe!islower + 25 80546E89 93 Bytes [0F, B6, 04, 41, 83, E0, 02, ...] .text ntoskrnl.exe!isxdigit + 12 80546EE8 8 Bytes [00, FF, 75, 08, E8, 3B, 07, ...] .text ntoskrnl.exe!isxdigit + 1B 80546EF1 78 Bytes [59, 59, 5D, C3, 8B, 45, 08, ...] .text ntoskrnl.exe!isspace + 2D 80546F40 7 Bytes [C3, 90, CC, CC, CC, CC, CC] {RET ; NOP ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 } .text ntoskrnl.exe!isspace + 35 80546F48 93 Bytes [90, 90, 90, 90, 8B, FF, 55, ...] .text ntoskrnl.exe!mbstowcs 80546FA6 65 Bytes [8B, FF, 55, 8B, EC, 56, 57, ...] .text ntoskrnl.exe!mbstowcs + 42 80546FE8 3 Bytes [2A, 00, 00] .text ntoskrnl.exe!mbstowcs + 46 80546FEC 5 Bytes [83, C8, FF, EB, 22] {OR EAX, -0x1; JMP 0x27} .text ntoskrnl.exe!mbstowcs + 4C 80546FF2 5 Bytes [45, 08, D1, E8, 89] .text ntoskrnl.exe!mbstowcs + 53 80546FF9 5 Bytes [66, 83, 7C, 47, FE] .text ... .text ntoskrnl.exe!rand + C 8054709E 3 Bytes [C3, 9E, 26] .text ntoskrnl.exe!rand + 10 805470A2 21 Bytes [A3, 10, 1A, 55, 80, 33, C0, ...] .text ntoskrnl.exe!rand + 26 805470B8 171 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!tolower + 4 80547164 12 Bytes [EC, 83, 3D, 78, 1A, 55, 80, ...] {IN AL, DX ; CMP DWORD [0x80551a78], 0x1; PUSH ESI; MOV ESI, [EBP+0x8]} .text ntoskrnl.exe!tolower + 11 80547171 7 Bytes [0C, 6A, 01, 56, E8, B2, 04] {OR AL, 0x6a; ADD [ESI-0x18], EDX; MOV DL, 0x4} .text ntoskrnl.exe!tolower + 19 80547179 9 Bytes [00, 59, 59, EB, 0C, A1, 70, ...] .text ntoskrnl.exe!tolower + 23 80547183 55 Bytes [0F, B6, 04, 70, 83, E0, 01, ...] .text ntoskrnl.exe!towlower + 16 805471BB 90 Bytes [59, 74, 03, 83, C0, 20, 5D, ...] .text ntoskrnl.exe!wcscspn + 12 80547216 13 Bytes [5D, 0C, 33, FF, 66, 8B, 3B, ...] .text ntoskrnl.exe!wcscspn + 20 80547224 59 Bytes [66, 8B, 30, 8B, CF, 66, 3B, ...] .text ntoskrnl.exe!wcscspn + 5C 80547260 201 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!wcstombs + 5A 8054732A 15 Bytes [85, C0, 7C, 06, 8B, 45, F8, ...] .text ntoskrnl.exe!wcstombs + 6A 8054733A 17 Bytes [2A, 00, 00, 00, 83, C8, FF, ...] {SUB AL, [EAX]; ADD [EAX], AL; OR EAX, -0x1; MOV ECX, [EBP-0x4]; CALL 0xfffffffffff9d5b7; LEAVE ; RET } .text ntoskrnl.exe!wcstombs + 7C 8054734C 243 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntoskrnl.exe!wcstombs + 170 80547440 79 Bytes [74, 0F, 66, 3D, 58, 00, 74, ...] .text ntoskrnl.exe!wcstombs + 1C0 80547490 82 Bytes [F8, FF, 59, 75, 32, 66, 83, ...] .text ... PAGE ntoskrnl.exe!ExWindowStationObjectType + 1240 80563180 5 Bytes [00, 00, 00, 00, 49] {ADD [EAX], AL; ADD [EAX], AL; DEC ECX} PAGE ntoskrnl.exe!ExWindowStationObjectType + 1246 80563186 7 Bytes [6E, 00, 74, 00, 65, 00, 72] PAGE ntoskrnl.exe!ExWindowStationObjectType + 124E 8056318E 7 Bytes [6E, 00, 61, 00, 6C, 00, 00] {OUTSB ; ADD [ECX+0x0], AH; INSB ; ADD [EAX], AL} PAGE ntoskrnl.exe!ExWindowStationObjectType + 1257 80563197 6 Bytes [00, 49, 00, 73, 00, 61] {ADD [ECX+0x0], CL; JAE 0x5; POPA } PAGE ntoskrnl.exe!ExWindowStationObjectType + 125F 8056319F 12 Bytes [00, 45, 00, 69, 00, 73, 00, ...] PAGE ... PAGE ntoskrnl.exe!RtlEqualUnicodeString + 28 805633C5 22 Bytes [7D, 10, 00, 8B, D0, 89, 55, ...] PAGE ntoskrnl.exe!RtlEqualUnicodeString + 3F 805633DC 26 Bytes [66, 8B, 16, 33, C9, 66, 8B, ...] PAGE ntoskrnl.exe!RtlEqualUnicodeString + 5A 805633F7 6 Bytes [3B, 75, 0C, 72, E0, B0] PAGE ntoskrnl.exe!RtlEqualUnicodeString + 61 805633FE 57 Bytes [5F, 5E, 5B, 5D, C2, 0C, 00, ...] PAGE ntoskrnl.exe!RtlEqualUnicodeString + 9B 80563438 41 Bytes [00, 8B, 78, 04, 8A, 4D, 10, ...] PAGE ... PAGE ntoskrnl.exe!PsReferencePrimaryToken + CF 80563A0A 8 Bytes [74, 03, 89, 43, 0C, 8B, 45, ...] {JZ 0x5; MOV [EBX+0xc], EAX; MOV EAX, [EBP+0x18]} PAGE ntoskrnl.exe!PsReferencePrimaryToken + D8 80563A13 2 Bytes [43, 10] PAGE ntoskrnl.exe!PsReferencePrimaryToken + DB 80563A16 52 Bytes [43, 18, 8D, 43, 34, 53, 89, ...] PAGE ntoskrnl.exe!SeCreateAccessState + A 80563A4B 72 Bytes [00, 8B, C8, 64, A1, 24, 01, ...] PAGE ntoskrnl.exe!SeReleaseSubjectContext + 22 80563A94 68 Bytes [5E, 5D, C2, 04, 00, 90, 90, ...] PAGE ntoskrnl.exe!SeDeleteAccessState + 3C 80563ADA 3 Bytes [8B, FF, 55] {MOV EDI, EDI; PUSH EBP} PAGE ntoskrnl.exe!SeDeleteAccessState + 40 80563ADE 2 Bytes [EC, 53] {IN AL, DX ; PUSH EBX} PAGE ntoskrnl.exe!SeDeleteAccessState + 43 80563AE1 104 Bytes [5D, 08, 83, C3, 02, 83, 7D, ...] PAGE ntoskrnl.exe!SeDeleteAccessState + AC 80563B4A 31 Bytes [8B, 7D, 10, 33, D2, 89, 57, ...] PAGE ntoskrnl.exe!SeDeleteAccessState + CC 80563B6A 111 Bytes [00, 8B, 4D, 0C, A1, 34, F5, ...] PAGE ... PAGE ntoskrnl.exe!SeAccessCheck + C 805641D4 25 Bytes [84, D1, E1, 00, 00, 39, 5D, ...] PAGE ntoskrnl.exe!SeAccessCheck + 26 805641EE 24 Bytes [57, 8B, 7D, 14, 3B, FB, 0F, ...] PAGE ntoskrnl.exe!SeAccessCheck + 3F 80564207 70 Bytes [06, 02, 74, 34, 8B, 06, 3B, ...] PAGE ntoskrnl.exe!SeAccessCheck + 86 8056424E 49 Bytes [75, 2C, FF, 75, 1C, FF, 75, ...] PAGE ntoskrnl.exe!SeAccessCheck + B8 80564280 3 Bytes [84, 5F, 23] {TEST [EDI+0x23], BL} PAGE ... PAGE ntoskrnl.exe!SeLockSubjectContext + 2 8056429F 14 Bytes [55, 8B, EC, 56, 64, A1, 24, ...] PAGE ntoskrnl.exe!SeLockSubjectContext + 11 805642AE 62 Bytes [00, 8B, 75, 08, 8B, 46, 08, ...] PAGE ntoskrnl.exe!SeUnlockSubjectContext + 1B 805642ED 6 Bytes [FF, 80, D4, 00, 00, 00] {INC DWORD [EAX+0xd4]} PAGE ntoskrnl.exe!SeUnlockSubjectContext + 22 805642F4 35 Bytes [35, 54, 76, 4D, 80, 0F, 84, ...] PAGE ntoskrnl.exe!SeUnlockSubjectContext + 46 80564318 35 Bytes [EC, 51, 83, 65, FC, 00, 80, ...] PAGE ntoskrnl.exe!SeUnlockSubjectContext + 6A 8056433C 85 Bytes [00, FF, 88, D4, 00, 00, 00, ...] PAGE ntoskrnl.exe!SeUnlockSubjectContext + C0 80564392 61 Bytes [00, FF, 80, D4, 00, 00, 00, ...] PAGE ... PAGE ntoskrnl.exe!ObReferenceObjectByHandle + 10 80564478 58 Bytes [8B, 7D, 18, 33, DB, 39, 5D, ...] PAGE ntoskrnl.exe!ObReferenceObjectByHandle + 4B 805644B3 92 Bytes [17, 8B, 45, 10, 83, E2, F8, ...] PAGE ntoskrnl.exe!ObReferenceObjectByHandle + A8 80564510 4 Bytes [85, 2D, F2, 08] PAGE ntoskrnl.exe!ObReferenceObjectByHandle + AD 80564515 15 Bytes [80, 3D, 50, 34, 55, 80, 00, ...] PAGE ntoskrnl.exe!ObReferenceObjectByHandle + BD 80564525 7 Bytes [00, 00, 8B, 4D, FC, 0F, C1] PAGE ... PAGE ntoskrnl.exe!ObInsertObject + 31 805648D4 31 Bytes [B6, C0, 8B, F3, 2B, F0, 0F, ...] PAGE ntoskrnl.exe!ObInsertObject + 51 805648F4 111 Bytes [45, DC, 40, 89, 45, B4, 8B, ...] PAGE ntoskrnl.exe!ObInsertObject + C1 80564964 112 Bytes [B8, 50, 8D, 85, 3C, FF, FF, ...] PAGE ntoskrnl.exe!ObInsertObject + 132 805649D5 13 Bytes [F6, D0, 25, 01, FF, FF, FF, ...] {NOT AL; AND EAX, 0xffffff01; PUSH EAX; PUSH DWORD [EBP-0x2c]; PUSH DWORD [EDI]} PAGE ntoskrnl.exe!ObInsertObject + 140 805649E3 50 Bytes [75, DC, FF, 77, 04, E8, 45, ...] PAGE ... PAGE ntoskrnl.exe!NtCreateSection + 33 80564B4E 29 Bytes [F7, C2, 00, 00, 00, 08, 74, ...] PAGE ntoskrnl.exe!NtCreateSection + 51 80564B6C 14 Bytes [F6, 45, 18, 01, 0F, 85, 9D, ...] PAGE ntoskrnl.exe!NtCreateSection + 61 80564B7C 7 Bytes [33, DB, 38, 98, 40, 01, 00] PAGE ntoskrnl.exe!NtCreateSection + 69 80564B84 127 Bytes [0F, 84, 8B, B8, 01, 00, 89, ...] PAGE ntoskrnl.exe!NtCreateSection + E9 80564C04 202 Bytes [3B, C3, 0F, 85, 55, F3, 00, ...] PAGE ... PAGE ntoskrnl.exe!ObCreateObject + 18 80564DE6 13 Bytes [FF, 46, 0C, 8B, CE, E8, FF, ...] PAGE ntoskrnl.exe!ObCreateObject + 26 80564DF4 22 Bytes [0F, 84, A1, 41, 01, 00, 8B, ...] PAGE ntoskrnl.exe!ObCreateObject + 3D 80564E0B 52 Bytes CALL 80563C13 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ObCreateObject + 72 80564E40 81 Bytes [00, 00, 89, 47, 14, 8D, 45, ...] PAGE ntoskrnl.exe!ObCreateObject + C4 80564E92 62 Bytes [68, 4F, 62, 4E, 6D, 53, 6A, ...] PAGE ... PAGE ntoskrnl.exe!SeOpenObjectAuditAlarm + A 805653DA 7 Bytes [DB, 38, 5D, 24, C6, 45, FF] PAGE ntoskrnl.exe!SeOpenObjectAuditAlarm + 12 805653E2 25 Bytes [C6, 45, FE, 00, 89, 5D, F0, ...] PAGE ntoskrnl.exe!SeOpenObjectAuditAlarm + 2C 805653FC 92 Bytes [00, 00, 56, 8B, 75, 18, 8B, ...] PAGE ntoskrnl.exe!SeOpenObjectAuditAlarm + 89 80565459 31 Bytes [33, DB, 80, 7D, 20, 01, 75, ...] PAGE ntoskrnl.exe!SeOpenObjectAuditAlarm + A9 80565479 60 Bytes [00, 0F, 85, C1, C6, 09, 00, ...] PAGE ntoskrnl.exe!ObGetObjectSecurity + 20 805654B6 33 Bytes [1E, A7, 56, 80, 0F, 85, 34, ...] PAGE ntoskrnl.exe!ObGetObjectSecurity + 42 805654D8 10 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] {NOP ; NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP} PAGE ntoskrnl.exe!ObCheckObjectAccess + 6 805654E3 19 Bytes [EC, 10, 8B, 45, 08, 56, 57, ...] {IN AL, DX ; ADC [EBX+0x57560845], CL; MOV EDI, [EAX-0x10]; LEA ECX, [EBP-0x10]; PUSH ECX; LEA ECX, [EBP-0x4]; XOR ESI, ESI} PAGE ntoskrnl.exe!ObCheckObjectAccess + 1A 805654F7 44 Bytes [50, 89, 75, F4, 89, 75, FC, ...] PAGE ntoskrnl.exe!ObCheckObjectAccess + 48 80565525 17 Bytes [75, 18, 8D, 45, F4, 50, FF, ...] {JNZ 0x1a; LEA EAX, [EBP-0xc]; PUSH EAX; PUSH DWORD [EBP+0x14]; LEA EAX, [EDI+0x68]; PUSH EAX; LEA EAX, [EBP-0x8]; PUSH EAX} PAGE ntoskrnl.exe!ObCheckObjectAccess + 5A 80565537 176 Bytes [76, 14, FF, 76, 10, 6A, 01, ...] PAGE ntoskrnl.exe!ObReleaseObjectSecurity + 41 805655E9 4 Bytes [8D, 47, 01, 89] PAGE ntoskrnl.exe!ObReleaseObjectSecurity + 46 805655EE 15 Bytes [F8, 8B, 45, FC, 8B, 4D, F4, ...] {CLC ; MOV EAX, [EBP-0x4]; MOV ECX, [EBP-0xc]; MOV EDX, [EBP-0x8]; CMPXCHG [ECX], EDX; CMP EAX, EDI} PAGE ntoskrnl.exe!ObReleaseObjectSecurity + 57 805655FF 3 Bytes [42, E5, 08] {INC EDX; IN EAX, 0x8} PAGE ntoskrnl.exe!ObReleaseObjectSecurity + 5B 80565603 2 Bytes [F6, 46] PAGE ntoskrnl.exe!ObReleaseObjectSecurity + 5E 80565606 74 Bytes [80, 0F, 85, ED, E5, 08, 00, ...] PAGE ... PAGE ntoskrnl.exe!ObDereferenceSecurityDescriptor + 51 805656EB 87 Bytes [F6, 40, 0F, 10, 0F, 85, F2, ...] PAGE ntoskrnl.exe!ObDereferenceSecurityDescriptor + A9 80565743 33 Bytes [8D, 45, E0, 50, 53, 53, 8D, ...] PAGE ntoskrnl.exe!ObDereferenceSecurityDescriptor + CB 80565765 9 Bytes [8B, 4D, 08, 3B, C8, 0F, 85, ...] PAGE ntoskrnl.exe!ObDereferenceSecurityDescriptor + D5 8056576F 28 Bytes [00, 64, A1, 24, 01, 00, 00, ...] PAGE ntoskrnl.exe!ObDereferenceSecurityDescriptor + F2 8056578C 32 Bytes [40, 08, 6A, 01, 8D, 84, 07, ...] PAGE ... PAGE ntoskrnl.exe!NtWaitForSingleObject + 62 80565A6D 16 Bytes CALL 80564466 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtWaitForSingleObject + 73 80565A7E 69 Bytes [41, F0, 8B, 40, 48, 3B, C3, ...] PAGE ntoskrnl.exe!NtWaitForSingleObject + B9 80565AC4 36 Bytes [10, 5C, 56, 80, 0C, 5D, 56, ...] PAGE ntoskrnl.exe!NtWaitForSingleObject + DE 80565AE9 56 Bytes [A8, 0F, 74, 3A, 8B, 7E, 1C, ...] PAGE ntoskrnl.exe!NtWaitForSingleObject + 117 80565B22 58 Bytes [5F, 8B, E5, 5D, C3, 33, C0, ...] PAGE ... PAGE ntoskrnl.exe!ProbeForWrite + 2 80565F85 84 Bytes [55, 8B, EC, 8B, 45, 0C, 85, ...] PAGE ntoskrnl.exe!ProbeForWrite + 57 80565FDA 71 Bytes [EB, ED, 90, 90, 90, 90, 90, ...] PAGE ntoskrnl.exe!ZwDelayExecution + 41 80566022 173 Bytes [03, 89, 45, D8, 8B, 43, 04, ...] PAGE ntoskrnl.exe!ZwReleaseMutant + 84 805660D0 18 Bytes CALL 804E2ACF \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwReleaseMutant + 97 805660E3 57 Bytes JMP 80565223 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwReleaseMutant + D1 8056611D 44 Bytes [FF, 90, 90, 90, 90, 90, 8B, ...] PAGE ntoskrnl.exe!ZwReleaseMutant + FE 8056614A 28 Bytes [0F, 87, 7C, 9A, 08, 00, 8B, ...] PAGE ntoskrnl.exe!ZwReleaseMutant + 11B 80566167 9 Bytes [0C, 03, F8, 81, E3, 00, 00, ...] {OR AL, 0x3; CLC ; AND EBX, 0x8000000} PAGE ... PAGE ntoskrnl.exe!ZwWaitForMultipleObjects + 5 805662B6 160 Bytes [68, A8, 53, 4E, 80, E8, D2, ...] PAGE ntoskrnl.exe!ZwWaitForMultipleObjects + A7 80566358 7 Bytes [F8, 89, 7D, A8, FF, 8F, D4] PAGE ntoskrnl.exe!ZwWaitForMultipleObjects + AF 80566360 22 Bytes [00, 00, C6, 45, E7, 01, 8B, ...] PAGE ntoskrnl.exe!ZwWaitForMultipleObjects + C6 80566377 19 Bytes [00, 00, 80, 23, D1, 3B, D1, ...] PAGE ntoskrnl.exe!ZwWaitForMultipleObjects + DA 8056638B 34 Bytes [00, 00, 89, 4D, C8, FF, 75, ...] PAGE ... PAGE ntoskrnl.exe!RtlAreAllAccessesGranted + 7D 80566675 80 Bytes [C6, 5E, 5B, 5F, C9, C2, 08, ...] PAGE ntoskrnl.exe!KeUserModeCallback + 1E 805666C7 23 Bytes [75, 10, 89, 75, CC, 2B, DE, ...] PAGE ntoskrnl.exe!KeUserModeCallback + 36 805666DF 1 Byte [FF] PAGE ntoskrnl.exe!KeUserModeCallback + 36 805666DF 3 Bytes [FF, 8B, CE] PAGE ntoskrnl.exe!KeUserModeCallback + 3A 805666E3 128 Bytes [75, 0C, 8B, FB, 8B, C1, C1, ...] PAGE ntoskrnl.exe!KeUserModeCallback + BB 80566764 1 Byte [F7] PAGE ... PAGE ntoskrnl.exe!ZwQueryDefaultLocale + 2B 80566799 5 Bytes [11, A1, 34, F5, 55] PAGE ntoskrnl.exe!ZwQueryDefaultLocale + 31 8056679F 10 Bytes [3B, F0, 0F, 83, 9C, 0A, 0A, ...] {CMP ESI, EAX; JAE 0xa0aa4; MOV EAX, [ESI]} PAGE ntoskrnl.exe!ZwQueryDefaultLocale + 3C 805667AA 8 Bytes [06, 38, 4D, 08, 0F, 84, 5B, ...] PAGE ntoskrnl.exe!ZwQueryDefaultLocale + 45 805667B3 3 Bytes CALL 805667CD \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwQueryDefaultLocale + 49 805667B7 7 Bytes [00, 00, 89, 06, 83, 4D, FC] PAGE ... PAGE ntoskrnl.exe!RtlUpcaseUnicodeChar + 1D 8056681D 84 Bytes CALL 8518C542 PAGE ntoskrnl.exe!RtlUpcaseUnicodeChar + 72 80566872 9 Bytes [64, A1, 24, 01, 00, 00, FF, ...] PAGE ntoskrnl.exe!RtlUpcaseUnicodeChar + 7C 8056687C 23 Bytes [00, 00, 5E, 75, 0B, 8D, 48, ...] PAGE ntoskrnl.exe!RtlUpcaseUnicodeString + 2 80566894 18 Bytes [55, 8B, EC, 80, 7D, 10, 00, ...] {PUSH EBP; MOV EBP, ESP; CMP BYTE [EBP+0x10], 0x0; PUSH ESI; MOV ESI, [EBP+0xc]; MOV AX, [ESI]; PUSH EDI; MOV EDI, [EBP+0x8]} PAGE ntoskrnl.exe!RtlUpcaseUnicodeString + 15 805668A7 4 Bytes [85, C1, 6E, 09] PAGE ntoskrnl.exe!RtlUpcaseUnicodeString + 1A 805668AC 199 Bytes [66, 3B, 47, 02, 0F, 87, DA, ...] PAGE ntoskrnl.exe!RtlUpcaseUnicodeString + E2 80566974 3 Bytes [B8, 01, 00] PAGE ntoskrnl.exe!RtlUpcaseUnicodeString + E6 80566978 23 Bytes [00, 8B, 4D, FC, 0F, C1, 01, ...] PAGE ... PAGE ntoskrnl.exe!ZwRemoveIoCompletion + C 80566ABE 33 Bytes [33, F6, 89, 75, FC, 89, 75, ...] PAGE ntoskrnl.exe!ZwRemoveIoCompletion + 2E 80566AE0 24 Bytes [A1, 34, F5, 55, 80, 8B, 4D, ...] PAGE ntoskrnl.exe!ZwRemoveIoCompletion + 47 80566AF9 26 Bytes [8B, 4D, 0C, 3B, C8, 0F, 83, ...] PAGE ntoskrnl.exe!ZwRemoveIoCompletion + 62 80566B14 4 Bytes [83, 40, E1, 07] {ADD DWORD [EAX-0x1f], 0x7} PAGE ntoskrnl.exe!ZwRemoveIoCompletion + 67 80566B19 128 Bytes [8B, 08, 89, 08, 8B, 48, 04, ...] PAGE ... PAGE ntoskrnl.exe!ZwClearEvent + 1 80566C12 72 Bytes [FF, 55, 8B, EC, 51, 56, 64, ...] PAGE ntoskrnl.exe!ZwClearEvent + 4A 80566C5B 18 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] {NOP ; NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH ESI; CALL 0x4f; MOV ESI, 0x80560aa0} PAGE ntoskrnl.exe!ZwClearEvent + 5D 80566C6E 26 Bytes [CE, FF, 15, 60, 76, 4D, 80, ...] PAGE ntoskrnl.exe!ZwClearEvent + 78 80566C89 80 Bytes [FF, 35, 60, CF, 68, 80, 68, ...] PAGE ntoskrnl.exe!ZwClearEvent + C9 80566CDA 12 Bytes [00, 06, 0F, 85, EC, 4A, 09, ...] PAGE ... PAGE ntoskrnl.exe!NtQueryInformationThread + 4D 80566D53 1 Byte [04] PAGE ntoskrnl.exe!NtQueryInformationThread + 4D 80566D53 49 Bytes [04, 59, 8B, 45, 0C, 83, F8, ...] PAGE ntoskrnl.exe!NtQueryInformationThread + 7F 80566D85 31 Bytes [75, E4, FF, 35, DC, 0C, 56, ...] PAGE ntoskrnl.exe!NtQueryInformationThread + 9F 80566DA5 35 Bytes [33, C0, 50, 53, 50, 8B, 75, ...] PAGE ntoskrnl.exe!NtQueryInformationThread + C3 80566DC9 52 Bytes CALL 804D9929 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!RtlAddAtomToAtomTable + 35 80566FD2 48 Bytes [00, 66, 39, 3E, 0F, 84, 97, ...] PAGE ntoskrnl.exe!RtlAddAtomToAtomTable + 66 80567003 73 Bytes [0F, 84, 7B, 52, 09, 00, 33, ...] PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + C 8056704D 42 Bytes [64, A1, 24, 01, 00, 00, 8A, ...] PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + 37 80567078 38 Bytes [F6, C3, 03, 0F, 85, B6, 12, ...] PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + 5E 8056709F 37 Bytes [9E, 12, 0A, 00, A8, 03, 0F, ...] PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + 84 805670C5 53 Bytes [45, 0C, 85, C0, 74, 0B, 8B, ...] PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + BA 805670FB 28 Bytes [75, 08, 51, FF, 70, 78, FF, ...] PAGE ... PAGE ntoskrnl.exe!NtClose + B6 8056768F 90 Bytes [4D, E4, 0F, C1, 01, 01, 45, ...] PAGE ntoskrnl.exe!NtClose + 111 805676EA 128 Bytes [00, 01, 00, 3B, D6, 89, 4D, ...] PAGE ntoskrnl.exe!NtClose + 192 8056776B 23 Bytes CALL 805643BE \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtClose + 1AA 80567783 37 Bytes [00, 00, 8D, 5C, 83, 0C, 8B, ...] PAGE ntoskrnl.exe!NtClose + 1D0 805677A9 18 Bytes [C7, 0F, 85, 9E, EE, 09, 00, ...] PAGE ... PAGE ntoskrnl.exe!SeTokenIsRestricted + 3D 80567A6A 39 Bytes [00, F6, 46, 03, F0, 0F, 85, ...] PAGE ntoskrnl.exe!SeTokenIsRestricted + 65 80567A92 5 Bytes [0F, 85, CE, C3, 08] PAGE ntoskrnl.exe!SeTokenIsRestricted + 6B 80567A98 3 Bytes JMP 8056464A \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!SeTokenIsRestricted + 70 80567A9D 22 Bytes [F6, 40, 04, 10, 0F, 85, DF, ...] PAGE ntoskrnl.exe!SeTokenIsRestricted + 87 80567AB4 54 Bytes JMP 805F41EF \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!RtlCreateSecurityDescriptor + 2C 80567AEB 36 Bytes [90, 90, 8B, FF, 55, 8B, EC, ...] PAGE ntoskrnl.exe!RtlMapGenericMask + 23 80567B10 5 Bytes [00, 8B, 10, F7, C2] PAGE ntoskrnl.exe!RtlMapGenericMask + 29 80567B16 23 Bytes [00, 00, 20, 0F, 85, 9F, 09, ...] PAGE ntoskrnl.exe!RtlMapGenericMask + 41 80567B2E 56 Bytes [80, 60, 03, 0F, 5D, C2, 08, ...] PAGE ntoskrnl.exe!RtlCopySid + 1C 80567B67 9 Bytes [50, 51, FF, 75, 0C, E8, 09, ...] PAGE ntoskrnl.exe!RtlCopySid + 26 80567B71 22 Bytes [83, C4, 0C, 33, C0, 5D, C2, ...] PAGE ntoskrnl.exe!ObOpenObjectByName 80567B88 60 Bytes [8B, FF, 55, 8B, EC, 83, EC, ...] PAGE ntoskrnl.exe!ObOpenObjectByName + 3D 80567BC5 56 Bytes [8D, 7B, 74, 57, 8D, 45, EC, ...] PAGE ntoskrnl.exe!ObOpenObjectByName + 76 80567BFE 44 Bytes [00, 00, 50, 53, 89, 5D, 14, ...] PAGE ntoskrnl.exe!ObOpenObjectByName + A3 80567C2B 8 Bytes [85, C0, 89, 45, 08, 0F, 8C, ...] PAGE ntoskrnl.exe!ObOpenObjectByName + AC 80567C34 9 Bytes [00, 00, 8D, 45, FC, 50, 8D, ...] PAGE ... PAGE ntoskrnl.exe!ZwOpenKey + 34 80568509 109 Bytes [80, 65, 0D, FC, 80, 3D, 24, ...] PAGE ntoskrnl.exe!ZwOpenKey + A2 80568577 415 Bytes [52, 04, 89, 55, AC, 89, 4D, ...] PAGE ntoskrnl.exe!ZwOpenKey + 242 80568717 71 Bytes [89, 50, 04, 89, 02, A3, 5C, ...] PAGE ntoskrnl.exe!ZwOpenKey + 28A 8056875F 18 Bytes CALL 80567DB0 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwOpenKey + 29D 80568772 9 Bytes [90, 90, 90, 90, 90, 68, 04, ...] PAGE ntoskrnl.exe!NtAllocateVirtualMemory + 5 8056877C 18 Bytes [68, 00, 99, 4E, 80, E8, 0C, ...] PAGE ntoskrnl.exe!NtAllocateVirtualMemory + 18 8056878F 14 Bytes [0F, 87, 24, 6B, 08, 00, 8B, ...] PAGE ntoskrnl.exe!NtAllocateVirtualMemory + 27 8056879E 34 Bytes [0F, 85, 30, 6B, 08, 00, F7, ...] PAGE ntoskrnl.exe!NtAllocateVirtualMemory + 4A 805687C1 65 Bytes [20, 00, 0F, 85, 1A, 40, 07, ...] PAGE ntoskrnl.exe!NtAllocateVirtualMemory + 8C 80568803 10 Bytes [00, 88, 85, 3C, FF, FF, FF, ...] PAGE ... PAGE ntoskrnl.exe!NtFreeVirtualMemory + 4 80568FC8 25 Bytes [00, 68, 48, 9E, 4E, 80, E8, ...] PAGE ntoskrnl.exe!NtFreeVirtualMemory + 1E 80568FE2 161 Bytes [B8, 00, C0, 00, 00, 23, C8, ...] PAGE ntoskrnl.exe!NtFreeVirtualMemory + C0 80569084 30 Bytes [FF, 0F, 85, A7, 8D, 08, 00, ...] PAGE ntoskrnl.exe!NtFreeVirtualMemory + DF 805690A3 27 Bytes [02, 00, 00, 20, 0F, 85, CD, ...] PAGE ntoskrnl.exe!NtFreeVirtualMemory + FB 805690BF 53 Bytes [89, 7D, D0, C1, 6D, D0, 0C, ...] PAGE ... PAGE ntoskrnl.exe!MmSecureVirtualMemory + A 80569743 33 Bytes [FF, 75, 0C, FF, 75, 08, E8, ...] PAGE ntoskrnl.exe!PsSetProcessPriorityByClass + F 80569766 3 Bytes [54, 02, 00] {PUSH ESP; ADD AL, [EAX]} PAGE ntoskrnl.exe!PsSetProcessPriorityByClass + 13 8056976A 5 Bytes [0F, B6, C8, 8B, 0C] PAGE ntoskrnl.exe!PsSetProcessPriorityByClass + 19 80569770 23 Bytes [B8, 97, 56, 80, 74, 7B, 33, ...] PAGE ntoskrnl.exe!PsSetProcessPriorityByClass + 31 80569788 69 Bytes [00, 85, C0, 0F, 85, 05, B2, ...] PAGE ntoskrnl.exe!PsSetProcessPriorityByClass + 78 805697CF 27 Bytes [00, 0A, 00, 00, 00, 90, 90, ...] PAGE ... PAGE ntoskrnl.exe!RtlMultiByteToUnicodeN + 1 80569806 21 Bytes [FF, 55, 8B, EC, 53, 56, 57, ...] PAGE ntoskrnl.exe!RtlMultiByteToUnicodeN + 18 8056981D 35 Bytes [18, 3B, FB, 72, 56, 8B, 45, ...] PAGE ntoskrnl.exe!RtlMultiByteToUnicodeN + 3C 80569841 47 Bytes [04, 78, 03, D7, 5F, 83, FE, ...] PAGE ntoskrnl.exe!RtlMultiByteToUnicodeN + 6C 80569871 73 Bytes [8D, 0C, 1B, 89, 08, EB, B1, ...] PAGE ntoskrnl.exe!RtlMultiByteToUnicodeN + B6 805698BB 25 Bytes [04, 43, 66, 89, 01, 42, 41, ...] PAGE ... PAGE ntoskrnl.exe!NtSetEvent + 12 80569CE0 5 Bytes [8A, 80, 40, 01, 00] PAGE ntoskrnl.exe!NtSetEvent + 18 80569CE6 42 Bytes [88, 45, E4, 33, DB, 89, 5D, ...] PAGE ntoskrnl.exe!NtSetEvent + 43 80569D11 29 Bytes CALL 80564466 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtSetEvent + 61 80569D2F 37 Bytes CALL 804E3F15 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtSetEvent + 87 80569D55 35 Bytes [C2, 08, 00, 90, 90, 90, 90, ...] PAGE ... PAGE ntoskrnl.exe!CcPreparePinWrite + 4A 8056A111 27 Bytes [45, CC, 50, FF, 75, 08, E8, ...] PAGE ntoskrnl.exe!CcPreparePinWrite + 67 8056A12E 24 Bytes [C8, 1B, 45, D0, 33, DB, 3B, ...] PAGE ntoskrnl.exe!CcPreparePinWrite + 80 8056A147 139 Bytes [8D, 45, E0, 3B, F0, 75, 08, ...] PAGE ntoskrnl.exe!CcUnpinDataForThread + 1 8056A1D3 56 Bytes [FF, 55, 8B, EC, 53, 8B, 5D, ...] PAGE ntoskrnl.exe!CcUnpinDataForThread + 3A 8056A20C 10 Bytes [90, 90, 90, 90, 6A, 78, 68, ...] PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 7 8056A217 47 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 37 8056A247 4 Bytes [84, 9D, 2A, 04] PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3C 8056A24C 14 Bytes [89, 5D, FC, 8B, 4D, 0C, 3B, ...] PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 4B 8056A25B 146 Bytes [3B, C8, 0F, 83, AC, 49, 08, ...] PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + DE 8056A2EE 13 Bytes [53, 8D, 45, BC, 50, FF, 75, ...] PAGE ... PAGE ntoskrnl.exe!ZwReplyWaitReceivePort + 8 8056A705 2 Bytes [75, 14] {JNZ 0x16} PAGE ntoskrnl.exe!ZwReplyWaitReceivePort + B 8056A708 11 Bytes [75, 10, FF, 75, 0C, FF, 75, ...] PAGE ntoskrnl.exe!ZwReplyWaitReceivePort + 17 8056A714 11 Bytes [FF, 5D, C2, 10, 00, 90, 90, ...] PAGE ntoskrnl.exe!ZwReplyWaitReceivePort + 23 8056A720 15 Bytes [55, 8B, EC, 8B, 45, 0C, 33, ...] PAGE ntoskrnl.exe!ZwReplyWaitReceivePort + 33 8056A730 17 Bytes [48, 0F, 84, 15, A7, 03, 00, ...] {DEC EAX; JZ 0x3a71c; DEC EAX; JZ 0x3e; DEC EAX; JNZ 0x982a1} PAGE ... PAGE ntoskrnl.exe!ExReleaseRundownProtection + 6C 8056A859 20 Bytes [B1, 11, 3B, C6, 75, DC, 5F, ...] PAGE ntoskrnl.exe!ExReleaseRundownProtection + 83 8056A870 3 Bytes [90, 90, 8B] PAGE ntoskrnl.exe!ExReleaseRundownProtection + 87 8056A874 9 Bytes [55, 8B, EC, 51, 8B, 15, 0C, ...] PAGE ntoskrnl.exe!ExReleaseRundownProtection + 91 8056A87E 3 Bytes [8B, CA, E8] PAGE ntoskrnl.exe!ExReleaseRundownProtection + 95 8056A882 29 Bytes [EB, 10, 00, 85, C0, 0F, 85, ...] PAGE ... PAGE ntoskrnl.exe!ObCloseHandle + 42 8056A944 28 Bytes JMP 8057E3D1 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ObCloseHandle + 5F 8056A961 11 Bytes [8B, 5D, 0C, 8B, 53, 50, 81, ...] PAGE ntoskrnl.exe!ObCloseHandle + 6B 8056A96D 183 Bytes [8B, 3A, 8D, 73, 10, 89, 3E, ...] PAGE ntoskrnl.exe!ObCloseHandle + 123 8056AA25 41 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] PAGE ntoskrnl.exe!FsRtlOplockIsFastIoPossible + 25 8056AA4F 8 Bytes [85, A0, 8C, 08, 00, 81, 75, ...] {TEST [EAX-0x7efff774], ESP; JNZ 0x10} PAGE ntoskrnl.exe!FsRtlOplockIsFastIoPossible + 2E 8056AA58 22 Bytes [00, 00, 80, A1, B8, 02, 56, ...] PAGE ntoskrnl.exe!FsRtlOplockIsFastIoPossible + 45 8056AA6F 35 Bytes [83, 7D, 08, FE, 0F, 84, 04, ...] PAGE ntoskrnl.exe!FsRtlOplockIsFastIoPossible + 69 8056AA93 39 Bytes JMP 8DFFFFCA PAGE ntoskrnl.exe!FsRtlOplockIsFastIoPossible + 91 8056AABB 13 Bytes [0F, 84, 0C, 8F, FF, FF, FF, ...] {JZ 0xffffffffffff8f12; PUSH DWORD [EBP+0x1c]; LEA EAX, [EBP+0x18]; PUSH EAX} PAGE ... PAGE ntoskrnl.exe!SeTokenType + 7 8056AB9E 1 Byte [08] PAGE ntoskrnl.exe!SeTokenType + 7 8056AB9E 16 Bytes [08, 8B, 80, 80, 00, 00, 00, ...] {OR [EBX+0x8080], CL; ADD [EBP-0x3e], BL; ADD AL, 0x0; NOP ; NOP ; NOP ; OUT 0x3, AL} PAGE ntoskrnl.exe!SeTokenType + 18 8056ABAF 47 Bytes [00, 00, 00, 00, 00, 3B, DF, ...] PAGE ntoskrnl.exe!SeTokenType + 48 8056ABDF 34 Bytes [B6, ED, 08, 00, 8B, CB, 2B, ...] PAGE ntoskrnl.exe!SeTokenType + 6B 8056AC02 153 Bytes [8B, 45, 08, 83, C0, 0C, 89, ...] PAGE ... PAGE ntoskrnl.exe!SePrivilegeCheck + 50 8056AE6E 101 Bytes [CE, 33, FF, FF, 15, 60, 76, ...] PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 38 8056AED4 37 Bytes [33, C0, 40, EB, F6, 90, 90, ...] PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 5E 8056AEFA 28 Bytes [00, F6, 43, 2D, 08, 0F, 85, ...] PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 7C 8056AF18 47 Bytes [8D, 45, E4, 89, 45, E8, 89, ...] PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + AC 8056AF48 7 Bytes [8B, 46, 60, 83, E8, 24, C6] PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + B4 8056AF50 22 Bytes [02, 89, 58, 18, 8D, 45, EC, ...] PAGE ... PAGE ntoskrnl.exe!NtCreateEvent + 50 8056B5A3 26 Bytes [45, D4, 50, 53, 53, 6A, 10, ...] PAGE ntoskrnl.exe!NtCreateEvent + 6B 8056B5BE 24 Bytes [FF, 89, 45, DC, 3B, C3, 7C, ...] PAGE ntoskrnl.exe!NtCreateEvent + 84 8056B5D7 44 Bytes [41, 04, 8D, 41, 08, 89, 40, ...] PAGE ntoskrnl.exe!NtCreateEvent + B1 8056B604 27 Bytes [8B, 45, E4, 89, 06, 83, 4D, ...] PAGE ntoskrnl.exe!NtCreateEvent + CD 8056B620 58 Bytes JMP 8056B591 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!CcMapData + 2F 8056B65B 70 Bytes [86, 40, 02, 00, 00, 0F, B6, ...] PAGE ntoskrnl.exe!CcMapData + 76 8056B6A2 13 Bytes [8D, 45, DC, 50, 8D, 45, E0, ...] {LEA EAX, [EBP-0x24]; PUSH EAX; LEA EAX, [EBP-0x20]; PUSH EAX; PUSH DWORD [ECX+0x4]; PUSH DWORD [ECX]} PAGE ntoskrnl.exe!CcMapData + 84 8056B6B0 7 Bytes CALL 804ED700 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!CcMapData + 8C 8056B6B8 2 Bytes [4D, 1C] PAGE ntoskrnl.exe!CcMapData + 8F 8056B6BB 68 Bytes [01, F6, 45, 14, 10, 75, 3F, ...] PAGE ntoskrnl.exe!CcUnpinData + 2C 8056B700 53 Bytes [00, C7, 05, A8, C4, 54, 80, ...] PAGE ntoskrnl.exe!CcUnpinData + 64 8056B738 47 Bytes [8B, 4D, 1C, 8B, 09, 8B, 55, ...] PAGE ntoskrnl.exe!CcUnpinData + 94 8056B768 20 Bytes CALL 804E2CD0 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!CcUnpinData + A9 8056B77D 21 Bytes JMP 8056B68C \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!CcUnpinData + BF 8056B793 32 Bytes [0F, 84, 97, 1A, 06, 00, B9, ...] PAGE ... PAGE ntoskrnl.exe!RtlInitializeBitMap + 1D 8056B81A 2 Bytes [FF, 55] PAGE ntoskrnl.exe!RtlInitializeBitMap + 20 8056B81D 15 Bytes [EC, 8B, 45, 0C, 8B, C8, C1, ...] PAGE ntoskrnl.exe!RtlInitializeBitMap + 30 8056B82D 130 Bytes [00, F7, D9, 56, 8B, 75, 08, ...] PAGE ntoskrnl.exe!RtlInitializeBitMap + B3 8056B8B0 23 Bytes [75, DC, FF, 75, 08, E8, 99, ...] PAGE ntoskrnl.exe!RtlInitializeBitMap + CB 8056B8C8 54 Bytes [0F, 84, FE, 10, 00, 00, 6A, ...] PAGE ... PAGE ntoskrnl.exe!ZwQueryValueKey + 25 8056B9CD 5 Bytes [0F, 85, B9, DE, 09] PAGE ntoskrnl.exe!ZwQueryValueKey + 2B 8056B9D3 35 Bytes [8B, 7D, 10, 3B, FE, 74, 18, ...] PAGE ntoskrnl.exe!ZwQueryValueKey + 4F 8056B9F7 11 Bytes [00, 8A, 98, 40, 01, 00, 00, ...] PAGE ntoskrnl.exe!ZwQueryValueKey + 5B 8056BA03 13 Bytes [57, 8D, 45, D0, 50, FF, 75, ...] PAGE ntoskrnl.exe!ZwQueryValueKey + 69 8056BA11 98 Bytes [6A, 01, FF, 75, 08, E8, 4D, ...] PAGE ... PAGE ntoskrnl.exe!SeQuerySecurityDescriptorInfo + 49 8056BC3A 5 Bytes [00, 74, 0A, 3B, CB] {ADD [EDX+ECX+0x3b], DH; RETF } PAGE ntoskrnl.exe!SeQuerySecurityDescriptorInfo + 50 8056BC41 3 Bytes [14, 6D, 09] PAGE ntoskrnl.exe!SeQuerySecurityDescriptorInfo + 54 8056BC45 45 Bytes [03, C8, 89, 4D, B8, 8B, 48, ...] PAGE ntoskrnl.exe!SeQuerySecurityDescriptorInfo + 82 8056BC73 4 Bytes [84, CE, EF, 06] {TEST DH, CL; OUT DX, EAX; PUSH ES} PAGE ntoskrnl.exe!SeQuerySecurityDescriptorInfo + 87 8056BC78 66 Bytes [03, C8, 8B, F9, 89, 7D, C4, ...] PAGE ... PAGE ntoskrnl.exe!NtOpenThreadTokenEx + 26 8056C317 213 Bytes [8A, 80, 40, 01, 00, 00, 88, ...] PAGE ntoskrnl.exe!NtOpenThreadToken + 6A 8056C3ED 91 Bytes [FF, FF, 84, C0, 74, 15, 83, ...] PAGE ntoskrnl.exe!NtOpenThreadToken + C6 8056C449 55 Bytes [80, 7D, 3C, 00, 0F, 85, 57, ...] PAGE ntoskrnl.exe!ObOpenObjectByPointer + 4 8056C481 72 Bytes [EC, 81, EC, 94, 00, 00, 00, ...] PAGE ntoskrnl.exe!ObOpenObjectByPointer + 4D 8056C4CA 111 Bytes [FF, 3B, C7, 0F, 8C, A7, 75, ...] PAGE ntoskrnl.exe!NtQueryInformationProcess + 5 8056C53C 4 Bytes [68, 40, 16, 4F] PAGE ntoskrnl.exe!NtQueryInformationProcess + A 8056C541 14 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtQueryInformationProcess + 19 8056C550 23 Bytes [00, 00, 88, 45, E4, 84, C0, ...] PAGE ntoskrnl.exe!NtQueryInformationProcess + 31 8056C568 18 Bytes CALL 80565F80 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtQueryInformationProcess + 44 8056C57B 56 Bytes [83, 4D, FC, FF, 6A, 04, 5A, ...] PAGE ... PAGE ntoskrnl.exe!NtSetInformationProcess + 1D 8056C625 88 Bytes [88, 45, E4, 84, C0, 8B, 45, ...] PAGE ntoskrnl.exe!NtSetInformationProcess + 76 8056C67E 16 Bytes [0F, 87, 80, 9F, 06, 00, 83, ...] {JA 0x69f86; OR DWORD [EBP-0x4], -0x1; MOV EAX, [EBP+0xc]; PUSH 0x4; POP ECX} PAGE ntoskrnl.exe!NtSetInformationProcess + 87 8056C68F 54 Bytes [CA, FF, 83, F8, 11, 0F, 8F, ...] PAGE ntoskrnl.exe!NtSetInformationProcess + BE 8056C6C6 59 Bytes [00, 00, 8B, 1F, 89, 9D, F0, ...] PAGE ntoskrnl.exe!NtSetInformationProcess + FB 8056C703 10 Bytes [F6, C3, 04, 0F, 85, 5B, C5, ...] PAGE ... PAGE ntoskrnl.exe!RtlCompareUnicodeString + 4 8056C91E 122 Bytes [EC, 83, EC, 0C, 8B, 45, 08, ...] PAGE ntoskrnl.exe!RtlCompareUnicodeString + 7F 8056C999 80 Bytes [55, 8B, EC, 8B, 45, 0C, 8B, ...] PAGE ntoskrnl.exe!RtlCompareUnicodeString + D0 8056C9EA 74 Bytes JMP 8056B8DF \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!RtlCompareUnicodeString + 11C 8056CA36 202 Bytes [34, 70, 8B, F9, C1, EF, 04, ...] PAGE ntoskrnl.exe!NtOpenProcessTokenEx + C 8056CB01 10 Bytes [64, A1, 24, 01, 00, 00, 8A, ...] PAGE ntoskrnl.exe!NtOpenProcessTokenEx + 17 8056CB0C 45 Bytes [00, 88, 45, D8, F7, 45, 10, ...] PAGE ntoskrnl.exe!NtOpenProcessTokenEx + 45 8056CB3A 15 Bytes [8B, 07, 89, 07, 83, 4D, FC, ...] {MOV EAX, [EDI]; MOV [EDI], EAX; OR DWORD [EBP-0x4], -0x1; MOV [EBP+0x10], EBX; LEA EAX, [EBP-0x1c]; PUSH EAX} PAGE ntoskrnl.exe!NtOpenProcessTokenEx + 56 8056CB4B 38 Bytes CALL 8056CB9D \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtOpenProcessTokenEx + 7D 8056CB72 60 Bytes CALL 804D918C \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!ZwQueryVirtualMemory + A 8056CBFD 30 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwQueryVirtualMemory + 29 8056CC1C 15 Bytes [83, 7D, 18, 1C, 0F, 82, 28, ...] PAGE ntoskrnl.exe!ZwQueryVirtualMemory + 39 8056CC2C 7 Bytes [89, 45, BC, 8A, 80, 40, 01] PAGE ntoskrnl.exe!ZwQueryVirtualMemory + 41 8056CC34 17 Bytes [00, 88, 45, B8, 84, C0, 0F, ...] {ADD [EAX-0x3f7b47bb], CL; JZ 0x33555; MOV [EBP-0x4], ESI; PUSH 0x4} PAGE ntoskrnl.exe!ZwQueryVirtualMemory + 53 8056CC46 111 Bytes [75, 18, 8B, 7D, 14, 57, E8, ...] PAGE ... PAGE ntoskrnl.exe!NtQueryInformationToken + 2D 8056DED8 37 Bytes [75, 14, 8B, 7D, 10, 57, E8, ...] PAGE ntoskrnl.exe!NtQueryInformationToken + 53 8056DEFE 58 Bytes [48, 6A, 10, 5E, 3B, C6, 0F, ...] PAGE ntoskrnl.exe!NtQueryInformationToken + 8E 8056DF39 33 Bytes [88, D4, 00, 00, 00, 8B, 75, ...] PAGE ntoskrnl.exe!NtQueryInformationToken + B0 8056DF5B 16 Bytes [00, 00, 89, 5D, FC, 8B, 4D, ...] PAGE ntoskrnl.exe!NtQueryInformationToken + C1 8056DF6C 152 Bytes [0F, 82, 68, 69, 01, 00, C7, ...] PAGE ... PAGE ntoskrnl.exe!ZwCreateKey + 29 8056F08C 42 Bytes [0F, 85, D6, AD, 09, 00, 80, ...] PAGE ntoskrnl.exe!ZwCreateKey + 54 8056F0B7 13 Bytes [5D, A8, 89, 5D, AC, 3C, 01, ...] {POP EBP; TEST AL, 0x89; POP EBP; LODSB ; CMP AL, 0x1; JNZ 0x113f7} PAGE ntoskrnl.exe!ZwCreateKey + 62 8056F0C5 39 Bytes [55, 18, A1, 34, F5, 55, 80, ...] PAGE ntoskrnl.exe!ZwCreateKey + 8A 8056F0ED 3 Bytes [85, D3, AA] {TEST EBX, EDX; STOSB } PAGE ntoskrnl.exe!ZwCreateKey + 8F 8056F0F2 116 Bytes [8B, 7D, 08, 3B, F8, 0F, 83, ...] PAGE ... PAGE ntoskrnl.exe!ZwQueryKey + C 8056F47F 54 Bytes [33, FF, 89, 7D, E0, 39, 3D, ...] PAGE ntoskrnl.exe!ZwQueryKey + 43 8056F4B6 30 Bytes [88, 5D, DC, 83, FE, 03, 0F, ...] PAGE ntoskrnl.exe!ZwQueryKey + 62 8056F4D5 6 Bytes [75, 08, E8, 8C, 4F, FF] PAGE ntoskrnl.exe!ZwQueryKey + 69 8056F4DC 145 Bytes [8B, 75, CC, 89, 75, D8, 89, ...] PAGE ntoskrnl.exe!ZwQueryKey + FB 8056F56E 14 Bytes [33, FF, 39, 3D, F4, DF, 68, ...] {XOR EDI, EDI; CMP [0x8068dff4], EDI; JNZ 0x9b9c1} PAGE ... PAGE ntoskrnl.exe!ZwEnumerateKey + F 8056F779 41 Bytes [75, E0, 39, 35, F4, DF, 68, ...] PAGE ntoskrnl.exe!ZwEnumerateKey + 3A 8056F7A4 34 Bytes [88, 5D, D0, 56, 8D, 45, DC, ...] PAGE ntoskrnl.exe!ZwEnumerateKey + 5D 8056F7C7 60 Bytes [7D, DC, 39, 35, F4, DF, 68, ...] PAGE ntoskrnl.exe!ZwEnumerateKey + 9A 8056F804 82 Bytes [89, 06, 83, 4D, FC, FF, 33, ...] PAGE ntoskrnl.exe!ZwEnumerateKey + ED 8056F857 91 Bytes [C2, 18, 00, BE, 1A, 00, 00, ...] PAGE ... PAGE ntoskrnl.exe!SeFreePrivileges + 7 8056F9D2 21 Bytes CALL 8054AF04 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!SeCaptureSecurityDescriptor + 5 8056F9E8 72 Bytes [68, 00, 1E, 4F, 80, E8, A0, ...] PAGE ntoskrnl.exe!SeCaptureSecurityDescriptor + 4E 8056FA31 27 Bytes [00, 6A, 05, 59, 8B, F3, 8D, ...] PAGE ntoskrnl.exe!SeCaptureSecurityDescriptor + 6A 8056FA4D 30 Bytes [85, D2, 22, 09, 00, 83, 4D, ...] PAGE ntoskrnl.exe!SeCaptureSecurityDescriptor + 89 8056FA6C 2 Bytes [4B, 02] PAGE ntoskrnl.exe!SeCaptureSecurityDescriptor + 8C 8056FA6F 19 Bytes [D1, 33, F6, 8B, 43, 04, 81, ...] PAGE ... PAGE ntoskrnl.exe!RtlAnsiCharToUnicodeChar + 12 8056FEBF 35 Bytes [06, 57, 6A, 20, 5F, 89, 7D, ...] PAGE ntoskrnl.exe!RtlAnsiCharToUnicodeChar + 36 8056FEE3 11 Bytes [85, C0, 0F, 8C, 7A, D8, 08, ...] PAGE ntoskrnl.exe!RtlAnsiCharToUnicodeChar + 42 8056FEEF 14 Bytes [45, FC, 5F, 5E, 5B, C9, C2, ...] {INC EBP; CLD ; POP EDI; POP ESI; POP EBX; LEAVE ; RET 0x4; PUSH EDI; LEA EAX, [EBP-0x38]; PUSH EAX} PAGE ntoskrnl.exe!RtlAnsiCharToUnicodeChar + 51 8056FEFE 15 Bytes CALL EAD767E2 PAGE ntoskrnl.exe!RtlAnsiCharToUnicodeChar + 61 8056FF0E 180 Bytes [FF, FF, 8B, 75, C8, 89, 75, ...] PAGE ... PAGE ntoskrnl.exe!SeImpersonateClientEx + 16 8057004B 9 Bytes [0C, 85, C0, 75, 06, 64, A1, ...] PAGE ntoskrnl.exe!SeImpersonateClientEx + 20 80570055 35 Bytes [00, FF, 71, 04, FF, 75, 08, ...] PAGE ntoskrnl.exe!SeImpersonateClientEx + 44 80570079 168 Bytes [EC, 83, EC, 10, 53, 56, 57, ...] PAGE ntoskrnl.exe!RtlLengthRequiredSid + 4F 80570122 4 Bytes [84, F1, F4, 06] {TEST CL, DH; HLT ; PUSH ES} PAGE ntoskrnl.exe!RtlLengthRequiredSid + 54 80570127 129 Bytes [80, 7D, 10, 00, 8B, 5D, 08, ...] PAGE ntoskrnl.exe!SeCreateClientSecurity + 42 805701A9 9 Bytes [00, 80, 7E, 08, 00, 0F, 84, ...] PAGE ntoskrnl.exe!SeCreateClientSecurity + 4C 805701B3 59 Bytes [00, 5F, 5E, 8B, C3, 5B, C9, ...] PAGE ntoskrnl.exe!SeCreateClientSecurity + 88 805701EF 98 Bytes [84, C0, 0F, 84, BD, 1C, 09, ...] PAGE ntoskrnl.exe!SeCreateClientSecurity + EB 80570252 120 Bytes [FF, 80, 7D, 0C, 00, 0F, 84, ...] PAGE ntoskrnl.exe!SeCreateClientSecurity + 164 805702CB 122 Bytes [76, 02, 00, C7, 45, FC, 04, ...] PAGE ... PAGE ntoskrnl.exe!ZwAccessCheck + D 805706FC 25 Bytes [20, FF, 75, 1C, FF, 75, 18, ...] PAGE ntoskrnl.exe!ZwAccessCheck + 27 80570716 4 Bytes [FF, 5D, C2, 20] PAGE ntoskrnl.exe!ZwAccessCheck + 2C 8057071B 14 Bytes [90, 90, 90, 90, 90, 68, 48, ...] PAGE ntoskrnl.exe!ZwAccessCheck + 3B 8057072A 27 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwAccessCheck + 57 80570746 51 Bytes [8B, F8, 39, 45, 18, 77, 03, ...] PAGE ... PAGE ntoskrnl.exe!SeSetAccessStateGenericMapping + 2 80571140 34 Bytes [55, 8B, EC, 8B, 45, 08, 56, ...] PAGE ntoskrnl.exe!SeSetAccessStateGenericMapping + 26 80571164 57 Bytes [8B, 71, 04, 3B, 35, 9C, 3D, ...] PAGE ntoskrnl.exe!SeSetAccessStateGenericMapping + 60 8057119E 22 Bytes [0F, B7, D0, 89, 4D, E0, 8B, ...] PAGE ntoskrnl.exe!SeSetAccessStateGenericMapping + 77 805711B5 11 Bytes CALL 8056ACCE \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!SeSetAccessStateGenericMapping + 84 805711C2 9 Bytes [90, 90, 90, 90, 90, B8, D0, ...] PAGE ntoskrnl.exe!IoGetFileObjectGenericMapping + 5 805711CC 7 Bytes [C3, 90, 90, 90, 89, 00, 12] PAGE ntoskrnl.exe!IoGetFileObjectGenericMapping + D 805711D4 3 Bytes [16, 01, 12] {PUSH SS; ADD [EDX], EDX} PAGE ntoskrnl.exe!IoGetFileObjectGenericMapping + 11 805711D8 7 Bytes [A0, 00, 12, 00, FF, 01, 1F] {MOV AL, [0xff001200]; ADD [EDI], EBX} PAGE ntoskrnl.exe!IoGetFileObjectGenericMapping + 19 805711E0 6 Bytes [90, 90, 90, 90, 90, 8B] PAGE ntoskrnl.exe!FsRtlAreNamesEqual + 2 805711E7 18 Bytes [55, 8B, EC, 83, EC, 10, 8B, ...] {PUSH EBP; MOV EBP, ESP; SUB ESP, 0x10; MOV EAX, [EBP+0x8]; MOV CX, [EAX]; PUSH ESI; MOV ESI, [EBP+0xc]; XOR DL, DL} PAGE ntoskrnl.exe!FsRtlAreNamesEqual + 15 805711FA 45 Bytes [3B, 0E, 0F, 85, C5, B6, FF, ...] PAGE ntoskrnl.exe!FsRtlAreNamesEqual + 43 80571228 3 Bytes [83, 65, 10] PAGE ntoskrnl.exe!FsRtlAreNamesEqual + 47 8057122C 1 Byte [85] PAGE ntoskrnl.exe!FsRtlAreNamesEqual + 47 8057122C 95 Bytes [85, FF, 76, 27, 8B, 76, 04, ...] PAGE ntoskrnl.exe!FsRtlCurrentBatchOplock + 27 8057128C 3 Bytes JMP 80570F1B \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!FsRtlCurrentBatchOplock + 2B 80571290 15 Bytes [FF, 83, 7E, 10, 00, 0F, 84, ...] {INC DWORD [EBX+0xf00107e]; TEST [ESI-0x16ffffe5], DL; MOVSB ; SBB EAX, [EAX]} PAGE ntoskrnl.exe!FsRtlCurrentBatchOplock + 3B 805712A0 19 Bytes JMP 80572E6E \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!FsRtlCurrentBatchOplock + 4F 805712B4 23 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!FsRtlCurrentBatchOplock + 68 805712CD 51 Bytes [85, 75, 3C, 0F, 85, 6E, 0F, ...] PAGE ... PAGE ntoskrnl.exe!IoCreateFile + 15 8057150C 14 Bytes [F6, C3, 01, 0F, 85, 7C, 34, ...] {TEST BL, 0x1; JNZ 0x73485; PUSH ESI; PUSH ESI; PUSH DWORD [EBP+0x3c]} PAGE ntoskrnl.exe!IoCreateFile + 24 8057151B 11 Bytes [75, 38, FF, 75, 34, FF, 75, ...] {JNZ 0x3a; PUSH DWORD [EBP+0x34]; PUSH DWORD [EBP+0x30]; PUSH DWORD [EBP+0x2c]} PAGE ntoskrnl.exe!IoCreateFile + 30 80571527 11 Bytes [75, 28, FF, 75, 24, FF, 75, ...] {JNZ 0x2a; PUSH DWORD [EBP+0x24]; PUSH DWORD [EBP+0x20]; PUSH DWORD [EBP+0x1c]} PAGE ntoskrnl.exe!IoCreateFile + 3C 80571533 11 Bytes [75, 18, FF, 75, 14, FF, 75, ...] {JNZ 0x1a; PUSH DWORD [EBP+0x14]; PUSH DWORD [EBP+0x10]; PUSH DWORD [EBP+0xc]} PAGE ntoskrnl.exe!IoCreateFile + 48 8057153F 20 Bytes CALL 805712AB \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!NtOpenFile + 1A 80571601 2 Bytes [75, 10] {JNZ 0x12} PAGE ntoskrnl.exe!NtOpenFile + 1D 80571604 8 Bytes [75, 0C, FF, 75, 08, E8, E9, ...] PAGE ntoskrnl.exe!NtOpenFile + 27 8057160E 11 Bytes [5D, C2, 18, 00, F6, C1, 40, ...] PAGE ntoskrnl.exe!NtOpenFile + 34 8057161B 22 Bytes [F7, C1, CC, 0E, 5F, FF, 0F, ...] PAGE ntoskrnl.exe!NtOpenFile + 4B 80571632 36 Bytes [01, 0F, 84, 23, FD, FF, FF, ...] PAGE ntoskrnl.exe!NtCreateFile + B 80571657 11 Bytes [75, 30, FF, 75, 2C, FF, 75, ...] {JNZ 0x32; PUSH DWORD [EBP+0x2c]; PUSH DWORD [EBP+0x28]; PUSH DWORD [EBP+0x24]} PAGE ntoskrnl.exe!NtCreateFile + 17 80571663 11 Bytes [75, 20, FF, 75, 1C, FF, 75, ...] {JNZ 0x22; PUSH DWORD [EBP+0x1c]; PUSH DWORD [EBP+0x18]; PUSH DWORD [EBP+0x14]} PAGE ntoskrnl.exe!NtCreateFile + 23 8057166F 11 Bytes [75, 10, FF, 75, 0C, FF, 75, ...] PAGE ntoskrnl.exe!NtCreateFile + 30 8057167C 3 Bytes [5D, C2, 2C] PAGE ntoskrnl.exe!NtCreateFile + 34 80571680 10 Bytes [8B, 71, 04, 0B, F2, 89, 30, ...] PAGE ... PAGE ntoskrnl.exe!IoRemoveShareAccess + 11 805716D0 11 Bytes [00, 32, D2, 38, 50, 26, 0F, ...] PAGE ntoskrnl.exe!IoRemoveShareAccess + 1D 805716DC 53 Bytes [8B, 4D, 0C, FF, 09, 38, 50, ...] PAGE ntoskrnl.exe!IoRemoveShareAccess + 53 80571712 10 Bytes [49, 14, EB, EE, 90, 90, 90, ...] PAGE ntoskrnl.exe!IoSetShareAccess + 2 8057171D 55 Bytes [55, 8B, EC, 51, 8B, 4D, 08, ...] PAGE ntoskrnl.exe!IoSetShareAccess + 3A 80571755 8 Bytes [00, 84, D2, 0F, 84, A4, 0E, ...] PAGE ntoskrnl.exe!IoSetShareAccess + 43 8057175E 105 Bytes [8B, 4D, 0C, 8A, D1, 22, D3, ...] PAGE ntoskrnl.exe!IoSetShareAccess + AD 805717C8 16 Bytes [00, 00, 8B, 45, 08, 85, C0, ...] PAGE ntoskrnl.exe!IoSetShareAccess + BE 805717D9 2 Bytes [48, 02] PAGE ... PAGE ntoskrnl.exe!NtQueryVolumeInformationFile + 4B 805718DA 47 Bytes [0F, 82, AB, 47, 07, 00, 89, ...] PAGE ntoskrnl.exe!NtQueryVolumeInformationFile + 7B 8057190A 24 Bytes [83, 4D, FC, FF, 8B, 04, B5, ...] PAGE ntoskrnl.exe!NtQueryVolumeInformationFile + 94 80571923 123 Bytes CALL 80564464 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtQueryVolumeInformationFile + 110 8057199F 123 Bytes [01, 17, 00, 00, C7, 45, FC, ...] PAGE ntoskrnl.exe!NtQueryVolumeInformationFile + 18C 80571A1B 16 Bytes [00, 90, 90, 90, 90, 00, 00, ...] {ADD [EAX+0x909090], DL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL} PAGE ... PAGE ntoskrnl.exe!NtReadFile + 7 80571B37 4 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtReadFile + C 80571B3C 40 Bytes [33, F6, 89, 75, E0, 89, 75, ...] PAGE ntoskrnl.exe!NtReadFile + 35 80571B65 14 Bytes [35, D8, 83, 55, 80, 6A, 01, ...] PAGE ntoskrnl.exe!NtReadFile + 44 80571B74 6 Bytes [3B, C6, 0F, 8C, 68, 01] PAGE ntoskrnl.exe!NtReadFile + 4B 80571B7B 5 Bytes [00, 8B, 5D, D0, 53] PAGE ... PAGE ntoskrnl.exe!FsRtlIncrementCcFastReadWait + D4 80571DC5 18 Bytes CALL 804EF16B \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!FsRtlIncrementCcFastReadWait + E8 80571DD9 50 Bytes [FF, 8B, 45, D0, 8B, 40, 08, ...] PAGE ntoskrnl.exe!FsRtlIncrementCcFastReadWait + 11B 80571E0C 32 Bytes [4A, 14, 51, FF, 77, 3C, 56, ...] PAGE ntoskrnl.exe!FsRtlIncrementCcFastReadWait + 13C 80571E2D 14 Bytes [04, 01, 00, 00, 0F, 84, B7, ...] PAGE ntoskrnl.exe!FsRtlIncrementCcFastReadWait + 14B 80571E3C 70 Bytes [74, 0A, 6A, 00, FF, 73, 34, ...] PAGE ... PAGE ntoskrnl.exe!ZwQueryAttributesFile + 6C 80571F37 10 Bytes [F3, AB, 66, C7, 85, E4, FE, ...] PAGE ntoskrnl.exe!ZwQueryAttributesFile + 77 80571F42 15 Bytes [66, C7, 85, E6, FE, FF, FF, ...] PAGE ntoskrnl.exe!ZwQueryAttributesFile + 87 80571F52 17 Bytes [07, 00, C7, 85, 18, FF, FF, ...] PAGE ntoskrnl.exe!ZwQueryAttributesFile + 99 80571F64 45 Bytes [00, 40, 20, 00, 89, 9D, 1C, ...] PAGE ntoskrnl.exe!ZwQueryAttributesFile + C9 80571F94 21 Bytes CALL 804E8F21 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!IoCheckShareAccess 80571FE3 3 Bytes [8B, FF, 55] {MOV EDI, EDI; PUSH EBP} PAGE ntoskrnl.exe!IoCheckShareAccess + 4 80571FE7 2 Bytes [EC, 51] {IN AL, DX ; PUSH ECX} PAGE ntoskrnl.exe!IoCheckShareAccess + 7 80571FEA 20 Bytes [45, 08, 8B, 4D, 10, A8, 21, ...] PAGE ntoskrnl.exe!IoCheckShareAccess + 1C 80571FFF 24 Bytes [84, DB, 56, 57, 88, 59, 26, ...] PAGE ntoskrnl.exe!IoCheckShareAccess + 36 80572019 353 Bytes [45, 0C, 8A, D0, 80, E2, 01, ...] PAGE ntoskrnl.exe!FsRtlDoesNameContainWildCards + 50 8057217B 61 Bytes [32, C0, EB, F7, 83, C0, FE, ...] PAGE ntoskrnl.exe!FsRtlDoesNameContainWildCards + 8E 805721B9 5 Bytes [30, 0F, 84, 28, F2] PAGE ntoskrnl.exe!FsRtlDoesNameContainWildCards + 94 805721BF 63 Bytes [FF, 68, 49, 6F, 45, 61, FF, ...] PAGE ntoskrnl.exe!FsRtlDoesNameContainWildCards + D4 805721FF 58 Bytes [8B, F0, 85, F6, 0F, 8C, F7, ...] PAGE ntoskrnl.exe!FsRtlDoesNameContainWildCards + 10F 8057223A 17 Bytes [8B, 4D, 28, 33, D2, E9, 34, ...] PAGE ... PAGE ntoskrnl.exe!RtlFreeAnsiString + 7 80572415 38 Bytes [7D, 08, 8B, 47, 04, 85, C0, ...] PAGE ntoskrnl.exe!RtlFreeAnsiString + 2E 8057243C 84 Bytes [8D, 45, E0, 50, 57, E8, 1D, ...] PAGE ntoskrnl.exe!RtlFreeAnsiString + 83 80572491 2 Bytes [75, 20] {JNZ 0x22} PAGE ntoskrnl.exe!RtlFreeAnsiString + 86 80572494 355 Bytes [75, 1C, FF, 75, 18, FF, 75, ...] PAGE ntoskrnl.exe!IoCreateStreamFileObjectLite + E6 805725F8 129 Bytes [82, 1C, 04, F7, FF, E9, C2, ...] PAGE ntoskrnl.exe!IoCreateStreamFileObjectLite + 168 8057267A 21 Bytes [1B, 00, 00, 66, 83, FB, 7A, ...] PAGE ntoskrnl.exe!IoCreateStreamFileObjectLite + 17E 80572690 31 Bytes [FF, C6, 47, 02, 01, E9, F6, ...] PAGE ntoskrnl.exe!IoCreateStreamFileObjectLite + 19E 805726B0 82 Bytes [00, 33, DB, 8B, 4D, 0C, E9, ...] PAGE ntoskrnl.exe!IoCreateStreamFileObjectLite + 1F1 80572703 19 Bytes [39, 45, FC, 0F, 84, 8B, 03, ...] PAGE ... PAGE ntoskrnl.exe!FsRtlTeardownPerStreamContexts + 37 8057276F 22 Bytes [C2, 04, 00, 90, 90, 90, 90, ...] PAGE ntoskrnl.exe!FsRtlTeardownPerStreamContexts + 4E 80572786 48 Bytes [C3, 80, 7D, FE, 00, 0F, 85, ...] PAGE ntoskrnl.exe!FsRtlTeardownPerStreamContexts + 7F 805727B7 3 Bytes [83, 7E, 1C] PAGE ntoskrnl.exe!FsRtlTeardownPerStreamContexts + 83 805727BB 22 Bytes [0F, 85, 74, 77, FF, FF, E9, ...] PAGE ntoskrnl.exe!FsRtlTeardownPerStreamContexts + 9A 805727D2 21 Bytes [89, 45, E0, 8B, 30, 89, 75, ...] PAGE ... PAGE ntoskrnl.exe!FsRtlReleaseFile + F 80572BCE 1 Byte [53] PAGE ntoskrnl.exe!FsRtlReleaseFile + F 80572BCE 22 Bytes [53, 56, 57, FF, 75, 08, 8D, ...] PAGE ntoskrnl.exe!FsRtlReleaseFile + 26 80572BE5 31 Bytes CALL 804E8B22 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!FsRtlReleaseFile + 46 80572C05 26 Bytes [70, 18, 33, C9, 3B, F1, 0F, ...] PAGE ntoskrnl.exe!FsRtlReleaseFile + 61 80572C20 19 Bytes [CC, FE, FF, FF, 57, FF, 75, ...] PAGE ... PAGE ntoskrnl.exe!NtQueryInformationFile + 22 80572D34 81 Bytes [CC, 8B, 75, 18, 84, C0, 0F, ...] PAGE ntoskrnl.exe!NtQueryInformationFile + 75 80572D87 1 Byte [10] PAGE ntoskrnl.exe!NtQueryInformationFile + 75 80572D87 4 Bytes CALL 80565F82 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtQueryInformationFile + 7C 80572D8E 111 Bytes [4D, FC, FF, 8B, 04, B5, 10, ...] PAGE ntoskrnl.exe!NtQueryInformationFile + EC 80572DFE 4 Bytes [85, FC, 11, 00] {TEST ESP, EDI; ADC [EAX], EAX} PAGE ... PAGE ntoskrnl.exe!CcCopyRead + 1F 80573152 25 Bytes [89, 7D, E0, 8B, 83, 40, 02, ...] PAGE ntoskrnl.exe!CcCopyRead + 39 8057316C 2 Bytes [50, 14] PAGE ntoskrnl.exe!CcCopyRead + 3C 8057316F 13 Bytes [52, 04, 89, 55, C8, 8B, 70, ...] PAGE ntoskrnl.exe!CcCopyRead + 4A 8057317D 46 Bytes [02, 0F, 85, 5A, 8D, 03, 00, ...] PAGE ntoskrnl.exe!CcCopyRead + 79 805731AC 53 Bytes [8D, 45, B8, 50, 8D, 45, C0, ...] PAGE ... PAGE ntoskrnl.exe!ZwUnmapViewOfSection + 6 8057378F 12 Bytes [56, 64, A1, 24, 01, 00, 00, ...] PAGE ntoskrnl.exe!ZwUnmapViewOfSection + 13 8057379C 15 Bytes [3C, 01, 8B, 75, 0C, 88, 45, ...] PAGE ntoskrnl.exe!ZwUnmapViewOfSection + 23 805737AC 7 Bytes [0F, 87, 0E, E6, 07, 00, 6A] PAGE ntoskrnl.exe!ZwUnmapViewOfSection + 2B 805737B4 4 Bytes [8D, 45, 0C, 50] {LEA EAX, [EBP+0xc]; PUSH EAX} PAGE ntoskrnl.exe!ZwUnmapViewOfSection + 30 805737B9 2 Bytes [75, FC] {JNZ 0xfffffffffffffffe} PAGE ... PAGE ntoskrnl.exe!MmMapViewOfSection + A 80573B0B 17 Bytes [20, 8B, 08, 83, 65, FC, 00, ...] PAGE ntoskrnl.exe!MmMapViewOfSection + 1C 80573B1D 33 Bytes [20, 00, 00, 7C, 0F, 0F, 8F, ...] PAGE ntoskrnl.exe!MmMapViewOfSection + 3E 80573B3F 139 Bytes [B8, 00, 02, 00, 00, 85, 46, ...] PAGE ntoskrnl.exe!MmMapViewOfSection + CA 80573BCB 24 Bytes [75, 08, FF, 75, 24, 56, FF, ...] PAGE ntoskrnl.exe!MmMapViewOfSection + E4 80573BE5 124 Bytes [0C, FF, 15, 64, 76, 4D, 80, ...] PAGE ntoskrnl.exe!NtMapViewOfSection + 5E 80573C62 72 Bytes CALL 09D79176 PAGE ntoskrnl.exe!NtMapViewOfSection + A7 80573CAB 27 Bytes [71, DE, 07, 00, 8B, 06, 89, ...] PAGE ntoskrnl.exe!NtMapViewOfSection + C3 80573CC7 2 Bytes [0F, 89] PAGE ntoskrnl.exe!NtMapViewOfSection + C6 80573CCA 17 Bytes [E4, 8B, 3E, 89, 7D, E0, 83, ...] PAGE ntoskrnl.exe!NtMapViewOfSection + D8 80573CDC 92 Bytes [00, FF, FF, 3B, CA, 0F, 87, ...] PAGE ... PAGE ntoskrnl.exe!FsRtlGetFileSize + 1 80573F7E 8 Bytes [FF, 55, 8B, EC, 83, EC, 30, ...] {CALL [EBP-0x75]; IN AL, DX ; SUB ESP, 0x30; PUSH EBX} PAGE ntoskrnl.exe!FsRtlGetFileSize + A 80573F87 4 Bytes [5D, 08, 56, 57] {POP EBP; OR [ESI+0x57], DL} PAGE ntoskrnl.exe!FsRtlGetFileSize + F 80573F8C 69 Bytes CALL 804E8B26 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!FsRtlGetFileSize + 55 80573FD2 39 Bytes [8B, 4D, D8, 8B, 45, 0C, 89, ...] PAGE ntoskrnl.exe!FsRtlGetFileSize + 7D 80573FFA 18 Bytes JMP 80572DD3 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!IoUpdateShareAccess + 27 80574186 88 Bytes [00, 0F, B6, 51, 26, 01, 50, ...] PAGE ntoskrnl.exe!IoUpdateShareAccess + 80 805741DF 15 Bytes [DC, 0F, 84, 5D, 93, 00, 00, ...] PAGE ntoskrnl.exe!IoUpdateShareAccess + 90 805741EF 17 Bytes CALL 805744D5 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!IoUpdateShareAccess + A2 80574201 43 Bytes [00, 39, 78, 44, 0F, 85, FF, ...] PAGE ntoskrnl.exe!IoUpdateShareAccess + CE 8057422D 4 Bytes JMP 80000802 PAGE ... PAGE ntoskrnl.exe!NtDuplicateObject + 1D 805743DB 53 Bytes [88, 45, E0, 8B, 75, 14, 3B, ...] PAGE ntoskrnl.exe!NtDuplicateObject + 53 80574411 90 Bytes [6A, 40, FF, 75, 08, E8, 4D, ...] PAGE ntoskrnl.exe!NtDuplicateObject + AE 8057446C 29 Bytes CALL 805741B8 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtDuplicateObject + CD 8057448B 60 Bytes CALL 804D918E \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtDuplicateObject + 10A 805744C8 2 Bytes CALL 8056A7EE \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!SeSinglePrivilegeCheck + 2E 80574562 17 Bytes [45, F0, 50, 8D, 45, DC, 50, ...] PAGE ntoskrnl.exe!SeSinglePrivilegeCheck + 40 80574574 19 Bytes [0C, 74, 12, FF, 75, 0C, 8D, ...] PAGE ntoskrnl.exe!SeSinglePrivilegeCheck + 54 80574588 9 Bytes [00, 8D, 45, F0, 50, E8, E0, ...] PAGE ntoskrnl.exe!SeSinglePrivilegeCheck + 5E 80574592 141 Bytes [8A, 45, 0C, C9, C2, 0C, 00, ...] PAGE ntoskrnl.exe!NtOpenProcess + 82 80574620 36 Bytes [3B, C8, 0F, 83, E5, 36, 08, ...] PAGE ntoskrnl.exe!NtOpenProcess + A7 80574645 61 Bytes [A1, D8, 0C, 56, 80, 83, C0, ...] PAGE ntoskrnl.exe!NtOpenProcess + E5 80574683 4 Bytes [85, 53, D1, 00] PAGE ntoskrnl.exe!NtOpenProcess + EA 80574688 13 Bytes [80, 7D, E6, 00, 0F, 85, C0, ...] PAGE ntoskrnl.exe!NtOpenProcess + F8 80574696 161 Bytes [0F, 84, FE, F4, 02, 00, 89, ...] PAGE ntoskrnl.exe!PsLookupProcessByProcessId + 13 80574738 52 Bytes [8E, D4, 00, 00, 00, FF, 35, ...] PAGE ntoskrnl.exe!PsLookupProcessByProcessId + 48 8057476D 133 Bytes [84, C0, 74, 09, 8B, 45, 0C, ...] PAGE ntoskrnl.exe!PsLookupProcessByProcessId + CE 805747F3 16 Bytes [E0, 83, F8, FF, 0F, 84, 57, ...] {LOOPNZ 0xffffffffffffff85; CLC ; DEC DWORD [EDI]; TEST [EDI-0x1c], DL; POP ES; ADD [EBP-0x7e00e084], CL; IRET } PAGE ntoskrnl.exe!PsLookupProcessByProcessId + E2 80574807 61 Bytes [89, 7D, A8, 81, E3, 00, F0, ...] PAGE ntoskrnl.exe!PsLookupProcessByProcessId + 120 80574845 9 Bytes CALL 80568C83 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!ZwProtectVirtualMemory + 7 80574954 26 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwProtectVirtualMemory + 22 8057496F 19 Bytes [64, A1, 24, 01, 00, 00, 8B, ...] PAGE ntoskrnl.exe!ZwProtectVirtualMemory + 36 80574983 103 Bytes [D4, 84, C0, 0F, 84, 38, C0, ...] PAGE ntoskrnl.exe!ZwProtectVirtualMemory + 9E 805749EB 112 Bytes [82, 01, E5, 07, 00, 85, D2, ...] PAGE ntoskrnl.exe!ZwProtectVirtualMemory + 10F 80574A5C 48 Bytes [74, 33, A1, 34, F5, 55, 80, ...] PAGE ... PAGE ntoskrnl.exe!NtQueryDirectoryFile + 25 80574DD2 11 Bytes [75, 24, FF, 75, 20, FF, 75, ...] {JNZ 0x26; PUSH DWORD [EBP+0x20]; PUSH DWORD [EBP+0x1c]; PUSH DWORD [EBP+0x18]} PAGE ntoskrnl.exe!NtQueryDirectoryFile + 31 80574DDE 42 Bytes [75, 14, FF, 75, 10, FF, 75, ...] PAGE ntoskrnl.exe!NtQueryDirectoryFile + 5D 80574E0A 80 Bytes [5D, C2, 2C, 00, 90, 90, 90, ...] PAGE ntoskrnl.exe!FsRtlIsNameInExpression + 48 80574E5B 2 Bytes [C2, 10] PAGE ntoskrnl.exe!FsRtlIsNameInExpression + 4B 80574E5E 61 Bytes [90, 90, 90, 90, 90, 39, 5D, ...] PAGE ntoskrnl.exe!FsRtlIsNameInExpression + 89 80574E9C 26 Bytes [FF, FF, C6, 45, BB, 00, 0F, ...] PAGE ntoskrnl.exe!FsRtlIsNameInExpression + A4 80574EB7 19 Bytes [02, 0F, 85, 9D, 01, 00, 00, ...] PAGE ntoskrnl.exe!FsRtlIsNameInExpression + B8 80574ECB 31 Bytes [B0, 01, 8B, 4D, FC, 5F, 5E, ...] PAGE ... PAGE ntoskrnl.exe!ZwCreateSemaphore + 25 805750FD 1 Byte [89] PAGE ntoskrnl.exe!ZwCreateSemaphore + 25 805750FD 3 Bytes [89, 5D, FC] {MOV [EBP-0x4], EBX} PAGE ntoskrnl.exe!ZwCreateSemaphore + 29 80575101 39 Bytes [75, 08, A1, 34, F5, 55, 80, ...] PAGE ntoskrnl.exe!ZwCreateSemaphore + 51 80575129 24 Bytes [7D, 18, 7F, 78, 8D, 45, DC, ...] PAGE ntoskrnl.exe!ZwCreateSemaphore + 6A 80575142 58 Bytes CALL 80564DCB \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!ZwSetValueKey + 26 8057554D 10 Bytes [0F, 85, 6B, 45, 09, 00, 64, ...] PAGE ntoskrnl.exe!ZwSetValueKey + 31 80575558 14 Bytes [00, 8A, 98, 40, 01, 00, 00, ...] PAGE ntoskrnl.exe!ZwSetValueKey + 40 80575567 3 Bytes [FF, 75, D4] {PUSH DWORD [EBP-0x2c]} PAGE ntoskrnl.exe!ZwSetValueKey + 44 8057556B 4 Bytes CALL EAD7BE4F PAGE ntoskrnl.exe!ZwSetValueKey + 49 80575570 41 Bytes [6A, 02, FF, 75, 08, E8, EE, ...] PAGE ... PAGE ntoskrnl.exe!RtlFreeHeap + 23 80575CD3 3 Bytes [C7, 79, 08] PAGE ntoskrnl.exe!RtlFreeHeap + 29 80575CD9 5 Bytes [0C, 0B, 4E, 10, F7] {OR AL, 0xb; DEC ESI; ADC BH, DH} PAGE ntoskrnl.exe!RtlFreeHeap + 2F 80575CDF 266 Bytes [60, 0F, 01, 3C, 0F, 85, BC, ...] PAGE ntoskrnl.exe!RtlFreeHeap + 13A 80575DEA 64 Bytes [8B, 56, 0C, 8D, 4E, 08, 8B, ...] PAGE ntoskrnl.exe!RtlFreeHeap + 17B 80575E2B 14 Bytes [30, 10, 8A, 46, 05, A8, 04, ...] PAGE ... PAGE ntoskrnl.exe!RtlAllocateHeap + 5 80575F25 55 Bytes [68, E0, 75, 4E, 80, E8, 63, ...] PAGE ntoskrnl.exe!RtlAllocateHeap + 3D 80575F5D 4 Bytes JMP 85000876 PAGE ntoskrnl.exe!RtlAllocateHeap + 42 80575F62 43 Bytes [85, C9, 0F, 84, FC, 73, 08, ...] PAGE ntoskrnl.exe!RtlAllocateHeap + 6E 80575F8E 4 Bytes [83, 0E, 38, 00] PAGE ntoskrnl.exe!RtlAllocateHeap + 73 80575F93 66 Bytes [8D, 84, FE, 78, 01, 00, 00, ...] PAGE ... PAGE ntoskrnl.exe!NtAddAtom + 4 80576420 35 Bytes [00, 68, 48, 1D, 4F, 80, E8, ...] PAGE ntoskrnl.exe!NtAddAtom + 28 80576444 4 Bytes CALL 80578A54 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtAddAtom + 2E 8057644A 57 Bytes [89, 85, 4C, FF, FF, FF, 85, ...] PAGE ntoskrnl.exe!NtAddAtom + 69 80576485 15 Bytes [84, C0, 0F, 84, A9, 00, 00, ...] PAGE ntoskrnl.exe!NtAddAtom + 79 80576495 70 Bytes [A1, 34, F5, 55, 80, 3B, F0, ...] PAGE ... PAGE ntoskrnl.exe!ZwOpenSection + 7 805766D3 9 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwOpenSection + 12 805766DE 4 Bytes [8A, 80, 40, 01] PAGE ntoskrnl.exe!ZwOpenSection + 18 805766E4 23 Bytes [88, 45, DC, 33, C9, 3A, C1, ...] PAGE ntoskrnl.exe!ZwOpenSection + 30 805766FC 6 Bytes [3B, F0, 0F, 83, 18, 95] PAGE ntoskrnl.exe!ZwOpenSection + 37 80576703 26 Bytes [00, 8B, 06, 89, 06, 83, 4D, ...] PAGE ... PAGE ntoskrnl.exe!ZwFlushInstructionCache + 7 805769B2 9 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwFlushInstructionCache + 11 805769BC 63 Bytes [00, 8A, 80, 40, 01, 00, 00, ...] PAGE ntoskrnl.exe!ZwFlushInstructionCache + 51 805769FC 35 Bytes [83, 4D, FC, FF, 89, 5D, E4, ...] PAGE ntoskrnl.exe!ZwFlushInstructionCache + 75 80576A20 18 Bytes [00, 83, 4D, FC, FF, 39, 5D, ...] PAGE ntoskrnl.exe!ZwFlushInstructionCache + 88 80576A33 4 Bytes [33, C0, E8, 98] PAGE ... PAGE ntoskrnl.exe!CcSetLogHandleForFile + 17 80576AD1 12 Bytes [8B, 4D, 10, 89, 88, A4, 00, ...] PAGE ntoskrnl.exe!CcSetLogHandleForFile + 24 80576ADE 25 Bytes [6A, 1C, 5B, 3B, F3, 0F, 85, ...] PAGE ntoskrnl.exe!CcSetLogHandleForFile + 3E 80576AF8 34 Bytes [6A, 40, FF, 75, 08, E8, 66, ...] PAGE ntoskrnl.exe!CcSetLogHandleForFile + 61 80576B1B 8 Bytes [C7, 85, 60, FF, FF, FF, 03, ...] PAGE ntoskrnl.exe!CcSetLogHandleForFile + 6A 80576B24 14 Bytes [00, 8B, 46, 20, 89, 85, 64, ...] PAGE ... PAGE ntoskrnl.exe!ZwSetIoCompletion + 85 80576D97 296 Bytes [8B, 7D, 08, 83, 7F, 08, 02, ...] PAGE ntoskrnl.exe!NtSetInformationThread + 63 80576EC0 42 Bytes [8D, 04, 1E, 3B, C6, 0F, 82, ...] PAGE ntoskrnl.exe!NtSetInformationThread + 8E 80576EEB 5 Bytes [0F, 84, 78, 50, 00] PAGE ntoskrnl.exe!NtSetInformationThread + 94 80576EF1 16 Bytes [8B, C1, 2B, C7, 0F, 84, 25, ...] PAGE ntoskrnl.exe!NtSetInformationThread + A5 80576F02 13 Bytes [48, 0F, 84, 13, E0, 01, 00, ...] PAGE ntoskrnl.exe!NtSetInformationThread + B3 80576F10 13 Bytes [83, FB, 04, 0F, 85, F1, 14, ...] PAGE ... PAGE ntoskrnl.exe!PsAssignImpersonationToken + 7 80576F74 15 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!PsAssignImpersonationToken + 17 80576F84 11 Bytes [89, 45, D4, 39, 5D, 0C, 0F, ...] PAGE ntoskrnl.exe!PsAssignImpersonationToken + 23 80576F90 7 Bytes [8B, 7D, 08, 57, E8, 70, 00] PAGE ntoskrnl.exe!PsAssignImpersonationToken + 2B 80576F98 13 Bytes [00, 89, 5D, E0, 39, 5D, E0, ...] PAGE ntoskrnl.exe!PsAssignImpersonationToken + 39 80576FA6 19 Bytes [00, 8B, 77, 20, 3B, F3, 74, ...] PAGE ... PAGE ntoskrnl.exe!PsRevertThreadToSelf + 11 8057701A 6 Bytes [F6, 03, 08, 0F, 84, 84] PAGE ntoskrnl.exe!PsRevertThreadToSelf + 1A 80577023 5 Bytes [56, 64, A1, 24, 01] PAGE ntoskrnl.exe!PsRevertThreadToSelf + 21 8057702A 5 Bytes [8B, F0, FF, 8E, D4] PAGE ntoskrnl.exe!PsRevertThreadToSelf + 29 80577032 4 Bytes [8D, 87, 38, 02] PAGE ntoskrnl.exe!PsRevertThreadToSelf + 2F 80577038 7 Bytes [89, 45, FC, 89, 45, 08, B8] PAGE ... PAGE ntoskrnl.exe!PsImpersonateClient + 12 805770C8 24 Bytes [33, C0, 39, 45, 0C, 56, 57, ...] PAGE ntoskrnl.exe!PsImpersonateClient + 2B 805770E1 4 Bytes [8D, BB, 0C, 02] PAGE ntoskrnl.exe!PsImpersonateClient + 31 805770E7 8 Bytes [8B, 37, 3B, F0, 0F, 84, F7, ...] PAGE ntoskrnl.exe!PsImpersonateClient + 3B 805770F1 32 Bytes CALL 80563938 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!PsImpersonateClient + 5C 80577112 1 Byte [00] PAGE ... PAGE ntoskrnl.exe!MmUnmapViewOfSection + 16 80577270 15 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] PAGE ntoskrnl.exe!ZwSetEventBoostPriority + B 80577280 5 Bytes [00, 00, 8A, 80, 40] PAGE ntoskrnl.exe!ZwSetEventBoostPriority + 11 80577286 105 Bytes [00, 00, 6A, 00, 88, 45, FC, ...] PAGE ntoskrnl.exe!ZwSetEventBoostPriority + 7B 805772F0 9 Bytes [00, 00, FF, 88, D4, 00, 00, ...] PAGE ntoskrnl.exe!ZwSetEventBoostPriority + 85 805772FA 33 Bytes [BB, 4C, 43, 55, 80, 53, E8, ...] PAGE ntoskrnl.exe!ZwSetEventBoostPriority + A7 8057731C 12 Bytes [00, 8B, 51, 04, 3B, 56, 08, ...] PAGE ... PAGE ntoskrnl.exe!SeTokenImpersonationLevel + D 805777BA 27 Bytes [00, 5D, C2, 04, 00, 68, 50, ...] PAGE ntoskrnl.exe!SeTokenImpersonationLevel + 29 805777D6 5 Bytes [00, E9, 5B, 6E, 00] PAGE ntoskrnl.exe!SeTokenImpersonationLevel + 2F 805777DC 45 Bytes [8D, 45, D8, 50, FF, 75, B4, ...] PAGE ntoskrnl.exe!SeTokenImpersonationLevel + 5D 8057780A 1 Byte [00] PAGE ntoskrnl.exe!SeTokenImpersonationLevel + 5D 8057780A 9 Bytes [00, 00, 3B, F8, 0F, 82, 61, ...] PAGE ... PAGE ntoskrnl.exe!SeAssignSecurity + 14 80577E8A 85 Bytes [00, FF, 75, 1C, FF, 75, 18, ...] PAGE ntoskrnl.exe!SeAssignSecurity + 6A 80577EE0 8 Bytes [00, 8B, 45, 48, 8B, 55, 10, ...] PAGE ntoskrnl.exe!SeAssignSecurity + 73 80577EE9 14 Bytes [4C, 88, 18, 8A, 45, 18, F6, ...] PAGE ntoskrnl.exe!SeAssignSecurity + 82 80577EF8 17 Bytes [83, E2, 08, 89, 01, 89, 55, ...] PAGE ntoskrnl.exe!SeAssignSecurity + 94 80577F0A 17 Bytes [23, D7, 89, 55, 44, 0F, 85, ...] PAGE ... PAGE ntoskrnl.exe!RtlValidSid + 7 80577F86 45 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!RtlValidSid + 35 80577FB4 125 Bytes [83, 4D, FC, FF, 32, C0, EB, ...] PAGE ntoskrnl.exe!RtlLengthSecurityDescriptor + 1E 80578032 55 Bytes [74, 06, 85, D2, 74, 17, 03, ...] PAGE ntoskrnl.exe!RtlLengthSecurityDescriptor + 58 8057806C 26 Bytes [83, E2, FC, 03, C2, F6, C3, ...] PAGE ntoskrnl.exe!RtlLengthSecurityDescriptor + 73 80578087 68 Bytes [0C, 0F, B7, 52, 02, 83, C2, ...] PAGE ntoskrnl.exe!RtlCreateAcl + 24 805780CC 24 Bytes [77, 20, 8B, 45, 08, 88, 10, ...] PAGE ntoskrnl.exe!RtlCreateAcl + 3D 805780E5 11 Bytes [89, 50, 06, 33, C0, 5D, C2, ...] PAGE ntoskrnl.exe!RtlCreateAcl + 4A 805780F2 60 Bytes [C0, EB, F5, 90, 90, 90, 90, ...] PAGE ntoskrnl.exe!SeReleaseSecurityDescriptor + 35 8057812F 34 Bytes [85, C0, 0F, 84, 54, C7, FE, ...] PAGE ntoskrnl.exe!SeReleaseSecurityDescriptor + 58 80578152 2 Bytes [78, 7C] {JS 0x7e} PAGE ntoskrnl.exe!SeReleaseSecurityDescriptor + 5B 80578155 5 Bytes [0F, 84, 5F, 02, 00] PAGE ntoskrnl.exe!SeReleaseSecurityDescriptor + 61 8057815B 36 Bytes JMP 80578373 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!SeReleaseSecurityDescriptor + 86 80578180 7 Bytes [57, 6A, 08, 8D, 45, 08, 50] {PUSH EDI; PUSH 0x8; LEA EAX, [EBP+0x8]; PUSH EAX} PAGE ... PAGE ntoskrnl.exe!ObLogSecurityDescriptor + 13 805781C8 6 Bytes [33, D2, B9, 01, 01, 00] PAGE ntoskrnl.exe!ObLogSecurityDescriptor + 1A 805781CF 8 Bytes [89, 45, F4, F7, F1, 83, 65, ...] PAGE ntoskrnl.exe!ObLogSecurityDescriptor + 23 805781D8 24 Bytes [8D, 1C, 52, 8D, 1C, 9D, 60, ...] PAGE ntoskrnl.exe!ObLogSecurityDescriptor + 3C 805781F1 2 Bytes [00, 00] {ADD [EAX], AL} PAGE ntoskrnl.exe!ObLogSecurityDescriptor + 3F 805781F4 132 Bytes [33, 83, E6, FC, 8D, 46, 04, ...] PAGE ... PAGE ntoskrnl.exe!ObAssignSecurity + 40 80578351 33 Bytes [FF, 75, FC, 6A, 00, 6A, 03, ...] PAGE ntoskrnl.exe!ObAssignSecurity + 62 80578373 28 Bytes [85, F6, 0F, 85, 82, BB, 00, ...] PAGE ntoskrnl.exe!ObAssignSecurity + 7F 80578390 12 Bytes [89, 45, 10, 0F, 85, 05, BA, ...] PAGE ntoskrnl.exe!ObAssignSecurity + 8C 8057839D 28 Bytes [7C, 25, 33, C0, 8A, 47, 0C, ...] PAGE ntoskrnl.exe!ObAssignSecurity + A9 805783BA 182 Bytes [83, 7D, 10, 00, 0F, 8D, 85, ...] PAGE ... PAGE ntoskrnl.exe!PsLookupProcessThreadByCid + 2 805784D1 13 Bytes [55, 8B, EC, 53, 56, 57, 33, ...] PAGE ntoskrnl.exe!PsLookupProcessThreadByCid + 10 805784DF 19 Bytes [8B, F0, FF, 8E, D4, 00, 00, ...] PAGE ntoskrnl.exe!PsLookupProcessThreadByCid + 24 805784F3 446 Bytes CALL 8056661E \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtRequestWaitReplyPort + A3 805786B2 39 Bytes [0F, 85, 56, 9C, 00, 00, 83, ...] PAGE ntoskrnl.exe!NtRequestWaitReplyPort + CB 805786DA 55 Bytes [80, 8D, 78, FF, FF, FF, 01, ...] PAGE ntoskrnl.exe!NtRequestWaitReplyPort + 103 80578712 3 Bytes CALL 80564469 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtRequestWaitReplyPort + 107 80578716 12 Bytes [3B, C7, 0F, 8C, 91, 02, 00, ...] PAGE ntoskrnl.exe!NtRequestWaitReplyPort + 114 80578723 127 Bytes [FF, FF, 8B, 4D, E0, 0F, B7, ...] PAGE ... PAGE ntoskrnl.exe!RtlLookupAtomInAtomTable 805789BC 131 Bytes [6A, 18, 68, D0, 75, 4E, 80, ...] PAGE ntoskrnl.exe!RtlLookupAtomInAtomTable + 84 80578A40 70 Bytes CALL 805669E2 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!PsLookupThreadByThreadId + 2 80578A87 27 Bytes [55, 8B, EC, 53, 56, 64, A1, ...] PAGE ntoskrnl.exe!PsLookupThreadByThreadId + 1E 80578AA3 30 Bytes CALL 8056661E \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!PsLookupThreadByThreadId + 3F 80578AC4 28 Bytes CALL 804EA4A5 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!PsLookupThreadByThreadId + 5C 80578AE1 10 Bytes CALL 80564562 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!PsLookupThreadByThreadId + 68 80578AED 4 Bytes [0F, 84, 0A, 8D] PAGE ... PAGE ntoskrnl.exe!FsRtlInitializeOplock + D 80578C1D 80 Bytes [00, FF, 88, D4, 00, 00, 00, ...] PAGE ntoskrnl.exe!RtlDeleteAtomFromAtomTable + 1D 80578C6E 18 Bytes [33, DB, 89, 5D, FC, C7, 45, ...] PAGE ntoskrnl.exe!RtlDeleteAtomFromAtomTable + 30 80578C81 16 Bytes [C0, 0F, 82, A9, 22, 01, 00, ...] PAGE ntoskrnl.exe!RtlDeleteAtomFromAtomTable + 41 80578C92 67 Bytes [E3, DD, FE, FF, 89, 45, E0, ...] PAGE ntoskrnl.exe!RtlDeleteAtomFromAtomTable + 86 80578CD7 34 Bytes [90, 90, 90, 8B, FF, 55, 8B, ...] PAGE ntoskrnl.exe!RtlDeleteAtomFromAtomTable + A9 80578CFA 75 Bytes [71, 0C, 3B, C6, 8B, 51, 08, ...] PAGE ... PAGE ntoskrnl.exe!ZwCreateMutant + F 80578E82 255 Bytes [5D, FC, 64, A1, 24, 01, 00, ...] PAGE ntoskrnl.exe!ZwOpenMutant + 61 80578F82 1 Byte [00] PAGE ntoskrnl.exe!ZwOpenMutant + 61 80578F82 134 Bytes [00, 00, 8B, 45, E4, 89, 06, ...] PAGE ntoskrnl.exe!ZwOpenMutant + E8 80579009 92 Bytes [41, 04, FF, 41, 14, 66, 3B, ...] PAGE ntoskrnl.exe!ZwOpenMutant + 145 80579066 185 Bytes [83, 3D, 33, 08, 00, 85, C0, ...] PAGE ntoskrnl.exe!RtlQueryAtomInAtomTable + 1B 80579120 71 Bytes [75, 10, 8B, 7D, 14, 8B, 4D, ...] PAGE ntoskrnl.exe!RtlQueryAtomInAtomTable + 63 80579168 372 Bytes [4D, 0C, 66, 39, 48, 06, 0F, ...] PAGE ntoskrnl.exe!RtlQueryAtomInAtomTable + 1D8 805792DD 5 Bytes [0F, 8C, 87, CB, 06] PAGE ntoskrnl.exe!RtlQueryAtomInAtomTable + 1DE 805792E3 67 Bytes JMP 80583284 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!RtlQueryAtomInAtomTable + 222 80579327 339 Bytes [C1, FF, FF, 2B, 4D, CC, 83, ...] PAGE ntoskrnl.exe!ZwReleaseSemaphore + 18 8057947B 48 Bytes [88, 45, D8, 8B, 7D, 10, 33, ...] PAGE ntoskrnl.exe!ZwReleaseSemaphore + 49 805794AC 40 Bytes [53, 8D, 45, DC, 50, FF, 75, ...] PAGE ntoskrnl.exe!ZwReleaseSemaphore + 72 805794D5 271 Bytes [53, FF, 75, 0C, FF, 35, E4, ...] PAGE ntoskrnl.exe!ZwReleaseSemaphore + 182 805795E5 44 Bytes [66, 39, 75, C4, 0F, 86, 22, ...] PAGE ntoskrnl.exe!ZwReleaseSemaphore + 1AF 80579612 424 Bytes [68, 43, 6D, 56, 6E, 0F, B7, ...] PAGE ntoskrnl.exe!ZwFlushBuffersFile + 7 805797BB 18 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwFlushBuffersFile + 1A 805797CE 82 Bytes [00, 88, 45, E3, 33, F6, 84, ...] PAGE ntoskrnl.exe!ZwFlushBuffersFile + 6D 80579821 107 Bytes [00, 68, 49, 6F, 20, 20, 6A, ...] PAGE ntoskrnl.exe!ZwFlushBuffersFile + D9 8057988D 15 Bytes [5E, 2C, 8D, 45, B4, C7, 46, ...] {POP ESI; SUB AL, 0x8d; INC EBP; MOV AH, 0xc7; INC ESI; OR [EAX+EAX], AL; ADD [EAX], AL; MOV [ESI+0x28], EAX} PAGE ntoskrnl.exe!ZwFlushBuffersFile + E9 8057989D 36 Bytes [4E, 30, 8B, 46, 60, 83, E8, ...] PAGE ... PAGE ntoskrnl.exe!ZwAlertThread + D 80579999 75 Bytes [80, 40, 01, 00, 00, 6A, 00, ...] PAGE ntoskrnl.exe!ZwAlertThread + 5A 805799E6 167 Bytes [33, C0, 50, 50, 50, 50, 8D, ...] PAGE ntoskrnl.exe!ZwAlertThread + 102 80579A8E 32 Bytes [00, C6, 45, C8, 00, E9, 60, ...] PAGE ntoskrnl.exe!ZwAlertThread + 123 80579AAF 19 Bytes [10, 89, 55, 90, 8B, 50, 04, ...] PAGE ntoskrnl.exe!ZwAlertThread + 137 80579AC3 12 Bytes [8C, CC, 06, 00, A1, 34, F5, ...] PAGE ... PAGE ntoskrnl.exe!ProbeForRead + 6 80579B0E 22 Bytes [4D, 0C, 85, C9, 74, 1F, 8B, ...] PAGE ntoskrnl.exe!ProbeForRead + 1D 80579B25 17 Bytes [03, C8, 3B, C8, 72, 0C, 3B, ...] PAGE ntoskrnl.exe!ProbeForRead + 2F 80579B37 144 Bytes CALL 806467A0 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwAccessCheckAndAuditAlarm + 57 80579BC8 22 Bytes [0F, 85, 2B, 03, 09, 00, 0F, ...] PAGE ntoskrnl.exe!ZwAccessCheckAndAuditAlarm + 6E 80579BDF 18 Bytes [3B, C8, 0F, 87, 21, 03, 09, ...] {CMP ECX, EAX; JA 0x90329; JMP 0xffffffffffff5513; NOP ; NOP ; NOP ; NOP ; NOP } PAGE ntoskrnl.exe!SeValidSecurityDescriptor + 1 80579BF2 15 Bytes [FF, 55, 8B, EC, 57, 8B, 7D, ...] PAGE ntoskrnl.exe!SeValidSecurityDescriptor + 11 80579C02 177 Bytes [00, 56, 8B, 75, 0C, 80, 3E, ...] PAGE ntoskrnl.exe!SeValidSecurityDescriptor + C3 80579CB4 48 Bytes [0F, B6, C0, 8D, 04, 85, 08, ...] PAGE ntoskrnl.exe!SeValidSecurityDescriptor + F4 80579CE5 65 Bytes [8B, CF, 2B, C8, 83, F9, 08, ...] PAGE ntoskrnl.exe!SeValidSecurityDescriptor + 136 80579D27 28 Bytes [FF, 55, 8B, EC, 83, EC, 0C, ...] PAGE ... PAGE ntoskrnl.exe!NtSetInformationFile 80579E7E 102 Bytes [68, 88, 00, 00, 00, 68, D8, ...] PAGE ntoskrnl.exe!NtSetInformationFile + 67 80579EE5 4 Bytes [83, BF, BD, 06] PAGE ntoskrnl.exe!NtSetInformationFile + 6C 80579EEA 84 Bytes [8B, 01, 89, 01, 8B, 41, 04, ...] PAGE ntoskrnl.exe!NtSetInformationFile + C2 80579F40 8 Bytes [CC, FF, 35, D8, 83, 55, 80, ...] {INT 3 ; PUSH DWORD [0x805583d8]; PUSH EAX} PAGE ntoskrnl.exe!NtSetInformationFile + CB 80579F49 147 Bytes CALL 80564466 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!NtWriteFile + 95 8057A1BA 5 Bytes [3B, 05, 34, F5, 55] PAGE ntoskrnl.exe!NtWriteFile + 9B 8057A1C0 75 Bytes [0F, 87, 6D, 1D, 06, 00, 8B, ...] PAGE ntoskrnl.exe!NtWriteFile + E8 8057A20D 128 Bytes [45, D4, 8B, 40, 08, 8B, 58, ...] PAGE ntoskrnl.exe!NtWriteFile + 169 8057A28E 53 Bytes [75, 1C, FF, 75, CC, 33, FF, ...] PAGE ntoskrnl.exe!NtWriteFile + 19F 8057A2C4 25 Bytes [4D, 84, 8B, 45, 18, 89, 08, ...] PAGE ... PAGE ntoskrnl.exe!CcPinMappedData + CB 8057A5E5 79 Bytes CALL 8057A60E \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!CcPinMappedData + 11B 8057A635 63 Bytes [0B, 83, 66, 20, 00, 8B, CE, ...] PAGE ntoskrnl.exe!CcPinMappedData + 15B 8057A675 3 Bytes [4B, 14, 66] {DEC EBX; ADC AL, 0x66} PAGE ntoskrnl.exe!CcPinMappedData + 15F 8057A679 26 Bytes [31, 66, 8B, 08, 66, 3B, CE, ...] PAGE ntoskrnl.exe!CcPinMappedData + 17A 8057A694 14 Bytes [00, 8B, 45, C0, 8B, 18, 89, ...] {ADD [EBX+0x188bc045], CL; MOV [EBP-0x40], EBX; MOV ESI, [EBP+0x8]; JMP 0xffffffffffffffae} PAGE ntoskrnl.exe!FsRtlNotifyFilterReportChange 8057A6A7 145 Bytes [6A, 5C, 68, 38, 60, 4F, 80, ...] PAGE ntoskrnl.exe!CcPinRead + 3F 8057A739 163 Bytes [8B, 4D, 08, 8B, 49, 14, 8B, ...] PAGE ntoskrnl.exe!CcPinRead + E3 8057A7DD 30 Bytes [54, 6C, 55, 80, 80, 7D, E7, ...] PAGE ntoskrnl.exe!CcPinRead + 102 8057A7FC 13 Bytes [89, 45, F8, C6, 45, FE, 01, ...] {MOV [EBP-0x8], EAX; MOV BYTE [EBP-0x2], 0x1; MOV EAX, FS:[0x124]} PAGE ntoskrnl.exe!CcPinRead + 110 8057A80A 69 Bytes [0D, D4, 0C, 56, 80, 39, 48, ...] PAGE ntoskrnl.exe!CcPinRead + 156 8057A850 2 Bytes [45, 08] PAGE ... PAGE ntoskrnl.exe!CcFastCopyRead + 18 8057AAC3 75 Bytes [8B, D8, 89, 5D, A8, 33, FF, ...] PAGE ntoskrnl.exe!CcFastCopyRead + 64 8057AB0F 123 Bytes [FF, 05, 08, 6C, 55, 80, 8D, ...] PAGE ntoskrnl.exe!CcFastCopyRead + E0 8057AB8B 20 Bytes [FF, 0F, 00, 00, C1, E8, 0C, ...] PAGE ntoskrnl.exe!CcFastCopyRead + F5 8057ABA0 38 Bytes [00, C6, 83, 54, 02, 00, 00, ...] PAGE ntoskrnl.exe!CcFastCopyRead + 11C 8057ABC7 64 Bytes JMP 0BFD9ECE PAGE ... PAGE ntoskrnl.exe!SePrivilegeObjectAuditAlarm + 9 8057B0DC 29 Bytes [74, 21, FF, 75, 18, 8B, 45, ...] PAGE ntoskrnl.exe!SePrivilegeObjectAuditAlarm + 27 8057B0FA 3 Bytes CALL 8057B18D \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!SePrivilegeObjectAuditAlarm + 2C 8057B0FF 45 Bytes [5D, C2, 18, 00, 90, 90, 90, ...] PAGE ntoskrnl.exe!SeAppendPrivileges + 25 8057B12D 7 Bytes [56, 6A, 2C, 52, E8, 0E, 00] PAGE ntoskrnl.exe!SeAppendPrivileges + 2E 8057B136 8 Bytes [33, C0, 5F, 5E, 5B, C9, C2, ...] PAGE ntoskrnl.exe!SeAppendPrivileges + 37 8057B13F 13 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] PAGE ntoskrnl.exe!SeAppendPrivileges + 45 8057B14D 73 Bytes [85, F6, 57, 0F, 84, 9E, 5A, ...] PAGE ntoskrnl.exe!SeAppendPrivileges + 90 8057B198 287 Bytes [80, 7D, 24, 00, 53, 0F, 94, ...] PAGE ntoskrnl.exe!IoCreateFileSpecifyDeviceObjectHint + 96 8057B2B8 110 Bytes CALL 8057B2C7 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!IoCreateFileSpecifyDeviceObjectHint + 105 8057B327 18 Bytes [00, C6, 03, 01, C6, 43, 02, ...] {ADD DH, AL; ADD EAX, [ECX]; MOV BYTE [EBX+0x2], 0x4; AND DWORD [EBX+0x4], 0x0; LEA EAX, [EBX+0x8]; MOV [EAX+0x4], EAX} PAGE ntoskrnl.exe!IoCreateFileSpecifyDeviceObjectHint + 118 8057B33A 63 Bytes [00, C6, 45, E6, 00, E9, E0, ...] PAGE ntoskrnl.exe!ZwQueryFullAttributesFile + 31 8057B37A 20 Bytes [74, 2E, 83, 65, FC, 00, 89, ...] PAGE ntoskrnl.exe!ZwQueryFullAttributesFile + 46 8057B38F 66 Bytes [70, 97, 06, 00, F6, C3, 03, ...] PAGE ntoskrnl.exe!ZwQueryFullAttributesFile + 89 8057B3D2 11 Bytes [33, FF, 47, 89, BD, 14, FF, ...] PAGE ntoskrnl.exe!ZwQueryFullAttributesFile + 95 8057B3DE 42 Bytes [FF, FF, FF, 00, 40, 20, 00, ...] PAGE ntoskrnl.exe!ZwQueryFullAttributesFile + C0 8057B409 16 Bytes [FF, FF, 00, 74, 79, 8D, 85, ...] PAGE ... PAGE ntoskrnl.exe!ZwQuerySection 8057B825 40 Bytes [6A, 1C, 68, F0, B9, 4F, 80, ...] PAGE ntoskrnl.exe!ZwQuerySection + 29 8057B84E 46 Bytes [FF, 75, 14, 8B, 7D, 10, 57, ...] PAGE ntoskrnl.exe!ZwQuerySection + 59 8057B87E 1 Byte [F6] PAGE ntoskrnl.exe!ZwQuerySection + 59 8057B87E 5 Bytes [F6, 0F, 84, D3, D6] PAGE ntoskrnl.exe!ZwQuerySection + 60 8057B885 110 Bytes [83, 7D, 14, 30, 0F, 82, EC, ...] PAGE ... PAGE ntoskrnl.exe!ZwReadVirtualMemory + 7 8057BFD8 31 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwReadVirtualMemory + 27 8057BFF8 39 Bytes [00, 8B, 45, 0C, 8D, 14, 06, ...] PAGE ntoskrnl.exe!ZwReadVirtualMemory + 4F 8057C020 99 Bytes [00, 00, 3B, C8, 0F, 87, 8E, ...] PAGE ntoskrnl.exe!ZwReadVirtualMemory + B3 8057C084 114 Bytes [75, 0C, FF, 75, DC, E8, 0A, ...] PAGE ntoskrnl.exe!SeQueryAuthenticationIdToken + 2E 8057C0F7 16 Bytes CALL 804DBBCE \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!SeQueryAuthenticationIdToken + 3F 8057C108 15 Bytes [00, 00, 5E, 75, 0B, 8D, 48, ...] PAGE ntoskrnl.exe!SeQueryAuthenticationIdToken + 4F 8057C118 5 Bytes [33, C0, 5D, C2, 08] PAGE ntoskrnl.exe!SeQueryAuthenticationIdToken + 55 8057C11E 44 Bytes [90, 90, 90, 90, 90, 6A, 1C, ...] PAGE ntoskrnl.exe!ZwWriteVirtualMemory + 28 8057C14B 13 Bytes [8B, 45, 0C, 8D, 14, 06, 3B, ...] PAGE ntoskrnl.exe!ZwWriteVirtualMemory + 36 8057C159 114 Bytes [8B, 45, 10, 8D, 0C, 06, 3B, ...] PAGE ntoskrnl.exe!ZwWriteVirtualMemory + A9 8057C1CC 17 Bytes [45, E4, 8B, 4D, DC, E8, BA, ...] PAGE ntoskrnl.exe!ZwWriteVirtualMemory + BB 8057C1DE 10 Bytes CALL 804E2ACF \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwWriteVirtualMemory + C6 8057C1E9 1 Byte [8D] PAGE ... PAGE ntoskrnl.exe!ZwImpersonateThread + 7 8057C341 64 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwImpersonateThread + 48 8057C382 7 Bytes [3B, D8, 0F, 83, 15, F6, 07] PAGE ntoskrnl.exe!ZwImpersonateThread + 50 8057C38A 2 Bytes [8B, F3] {MOV ESI, EBX} PAGE ntoskrnl.exe!ZwImpersonateThread + 53 8057C38D 10 Bytes [7D, 84, A5, A5, A5, 83, 4D, ...] PAGE ntoskrnl.exe!ZwImpersonateThread + 5E 8057C398 46 Bytes [8D, 45, A4, 50, FF, 75, 9C, ...] PAGE ... PAGE ntoskrnl.exe!NtQuerySystemInformation 8057CC27 42 Bytes [68, 10, 02, 00, 00, 68, F0, ...] PAGE ntoskrnl.exe!NtQuerySystemInformation + 2B 8057CC52 3 Bytes [00, 88, 45] PAGE ntoskrnl.exe!NtQuerySystemInformation + 2F 8057CC56 48 Bytes [8B, 5D, 0C, 8B, 7D, 10, 84, ...] PAGE ntoskrnl.exe!NtQuerySystemInformation + 60 8057CC87 25 Bytes [8B, 45, 08, 83, F8, 47, 0F, ...] PAGE ntoskrnl.exe!NtQuerySystemInformation + 7A 8057CCA1 44 Bytes [83, FF, 2C, 0F, 85, CB, F8, ...] PAGE ... PAGE ntoskrnl.exe!ZwReplyPort + 7 8057D0F8 7 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwReplyPort + F 8057D100 11 Bytes [01, 00, 00, 89, 45, D8, 64, ...] PAGE ntoskrnl.exe!ZwReplyPort + 1B 8057D10C 4 Bytes [8A, 80, 40, 01] PAGE ntoskrnl.exe!ZwReplyPort + 20 8057D111 31 Bytes [00, 88, 45, DC, 33, DB, 3A, ...] PAGE ntoskrnl.exe!ZwReplyPort + 40 8057D131 10 Bytes [8B, 75, 0C, 3B, F0, 0F, 83, ...] PAGE ... PAGE ntoskrnl.exe!NtDuplicateToken + 3E 8057D435 14 Bytes [A1, 34, F5, 55, 80, 8B, 4D, ...] PAGE ntoskrnl.exe!NtDuplicateToken + 4E 8057D445 73 Bytes [8B, 01, 89, 01, 83, 4D, FC, ...] PAGE ntoskrnl.exe!NtDuplicateToken + 98 8057D48F 23 Bytes [8B, 45, 0C, 3B, C3, 0F, 84, ...] PAGE ntoskrnl.exe!NtDuplicateToken + B0 8057D4A7 1 Byte [06] PAGE ntoskrnl.exe!NtDuplicateToken + B0 8057D4A7 139 Bytes [06, 00, 8B, 4D, B0, 8B, 86, ...] PAGE ... PAGE ntoskrnl.exe!RtlUnicodeToMultiByteN + 1A 8057D5C1 10 Bytes [8B, 55, 0C, 3B, F2, 0F, 82, ...] PAGE ntoskrnl.exe!RtlUnicodeToMultiByteN + 25 8057D5CC 20 Bytes [8B, 45, 10, 85, C0, 74, 02, ...] PAGE ntoskrnl.exe!RtlUnicodeToMultiByteN + 3A 8057D5E1 310 Bytes [8B, FA, 83, E7, 0F, 03, CF, ...] PAGE ntoskrnl.exe!RtlUnicodeToMultiByteN + 171 8057D718 19 Bytes [6C, D6, 57, 80, 62, D6, 57, ...] PAGE ntoskrnl.exe!RtlUnicodeToMultiByteN + 185 8057D72C 81 Bytes [3A, D6, 57, 80, 30, D6, 57, ...] PAGE ntoskrnl.exe!RtlUnicodeStringToAnsiString + 2E 8057D77E 38 Bytes [38, 5D, 10, 56, 8B, 75, 08, ...] PAGE ntoskrnl.exe!RtlUnicodeStringToAnsiString + 55 8057D7A5 80 Bytes [8D, 45, 0C, 50, 0F, B7, 06, ...] PAGE ntoskrnl.exe!RtlUnicodeStringToAnsiString + A6 8057D7F6 8 Bytes [00, 89, 45, A0, 8A, 80, 40, ...] PAGE ntoskrnl.exe!RtlUnicodeStringToAnsiString + B0 8057D800 67 Bytes [88, 45, D8, 84, C0, 74, 44, ...] PAGE ntoskrnl.exe!RtlUnicodeStringToAnsiString + F4 8057D844 39 Bytes [89, 5D, 24, 83, 4D, FC, FF, ...] PAGE ... PAGE ntoskrnl.exe!NtFsControlFile + 6 8057DA13 236 Bytes [00, FF, 75, 2C, FF, 75, 28, ...] PAGE ntoskrnl.exe!NtFsControlFile + F3 8057DB00 62 Bytes [6A, 02, FF, 75, 0C, E8, 5E, ...] PAGE ntoskrnl.exe!NtFsControlFile + 132 8057DB3F 47 Bytes [00, 8B, 33, 83, E6, FE, 8D, ...] PAGE ntoskrnl.exe!NtFsControlFile + 162 8057DB6F 17 Bytes [0F, 85, 4E, 7A, 07, 00, FF, ...] PAGE ntoskrnl.exe!NtFsControlFile + 176 8057DB83 9 Bytes [85, C0, 89, 45, F8, 0F, 84, ...] PAGE ... PAGE ntoskrnl.exe!RtlFindUnicodePrefix + 28 8057DE79 5 Bytes [0F, 8E, 9E, A6, 01] PAGE ntoskrnl.exe!RtlFindUnicodePrefix + 2E 8057DE7F 9 Bytes [8D, 5E, 0C, 85, DB, 0F, 84, ...] PAGE ntoskrnl.exe!RtlFindUnicodePrefix + 39 8057DE8A 68 Bytes [6A, 00, FF, 75, 0C, 8D, 7B, ...] PAGE ntoskrnl.exe!RtlFindUnicodePrefix + 7F 8057DED0 162 Bytes [00, 8B, 75, 08, 89, 75, 08, ...] PAGE ntoskrnl.exe!RtlFindUnicodePrefix + 122 8057DF73 30 Bytes JMP 8057DED7 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!PsCreateSystemThread + 15 8057DF92 28 Bytes [33, C9, FF, 75, 20, FF, 75, ...] PAGE ntoskrnl.exe!PsCreateSystemThread + 33 8057DFB0 15 Bytes [5D, C2, 1C, 00, 90, 90, 90, ...] PAGE ntoskrnl.exe!PsCreateSystemThread + 43 8057DFC0 22 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!PsCreateSystemThread + 5B 8057DFD8 5 Bytes [8B, F0, 83, 65, FC] PAGE ntoskrnl.exe!PsCreateSystemThread + 61 8057DFDE 4 Bytes [F6, 86, 48, 02] PAGE ... PAGE ntoskrnl.exe!SeQuerySessionIdToken + B 8057E0E7 4 Bytes [00, FF, 88, D4] {ADD BH, BH; MOV AH, DL} PAGE ntoskrnl.exe!SeQuerySessionIdToken + 10 8057E0EC 42 Bytes [00, 00, 8B, 75, 08, 6A, 01, ...] PAGE ntoskrnl.exe!SeQuerySessionIdToken + 3B 8057E117 6 Bytes [5E, 0F, 84, 0D, 08, 06] PAGE ntoskrnl.exe!SeQuerySessionIdToken + 42 8057E11E 34 Bytes [33, C0, 5D, C2, 08, 00, 90, ...] PAGE ntoskrnl.exe!PsTerminateSystemThread + 18 8057E141 7 Bytes [FF, 75, 08, 50, E8, 7B, 03] PAGE ntoskrnl.exe!PsTerminateSystemThread + 21 8057E14A 20 Bytes [5D, C2, 04, 00, 90, 90, 90, ...] PAGE ntoskrnl.exe!PsTerminateSystemThread + 36 8057E15F 29 Bytes [0F, 85, CF, 93, 07, 00, 5E, ...] PAGE ntoskrnl.exe!ExWaitForRundownProtectionRelease + E 8057E17D 8 Bytes [00, 00, 00, 8B, 4D, F8, BA, ...] {ADD [EAX], AL; ADD [EBX+0x1baf84d], CL} PAGE ntoskrnl.exe!ExWaitForRundownProtectionRelease + 18 8057E187 25 Bytes [00, 0F, B1, 11, 33, DB, 3B, ...] PAGE ntoskrnl.exe!ExWaitForRundownProtectionRelease + 32 8057E1A1 1 Byte [80] PAGE ntoskrnl.exe!ExWaitForRundownProtectionRelease + 36 8057E1A5 4 Bytes [68, D0, 9C, 4F] PAGE ntoskrnl.exe!ExWaitForRundownProtectionRelease + 3B 8057E1AA 9 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!LpcRequestPort + 2 8057E645 68 Bytes [55, 8B, EC, 51, 53, 56, 33, ...] PAGE ntoskrnl.exe!LpcRequestPort + 47 8057E68A 18 Bytes [00, 00, 0F, 84, 0F, FB, 06, ...] {ADD [EAX], AL; JZ 0x6fb17; CMP [EDI+0x6], BX; JNZ 0x6fb2f} PAGE ntoskrnl.exe!LpcRequestPort + 5A 8057E69D 10 Bytes [4D, 08, 0F, BF, 47, 02, 0F, ...] PAGE ntoskrnl.exe!LpcRequestPort + 65 8057E6A8 20 Bytes [00, 00, 3B, C1, 0F, 87, 20, ...] PAGE ntoskrnl.exe!LpcRequestPort + 7A 8057E6BD 4 Bytes [68, 80, 31, 55] PAGE ... PAGE ntoskrnl.exe!ZwTerminateThread + 17 8057E993 20 Bytes [84, 2E, 01, 00, 00, 83, 7D, ...] PAGE ntoskrnl.exe!ZwTerminateThread + 2C 8057E9A8 1 Byte [6A] PAGE ntoskrnl.exe!ZwTerminateThread + 2C 8057E9A8 203 Bytes [6A, 00, 88, 45, FC, 8D, 45, ...] PAGE ntoskrnl.exe!ZwTerminateThread + F8 8057EA74 58 Bytes [01, 0F, 94, C3, 8B, C3, C7, ...] PAGE ntoskrnl.exe!ZwTerminateThread + 133 8057EAAF 2 Bytes [80, 00] PAGE ... PAGE ntoskrnl.exe!ObSetHandleAttributes + 31 8057EB1B 13 Bytes [64, A1, 24, 01, 00, 00, 8B, ...] PAGE ntoskrnl.exe!ObSetHandleAttributes + 40 8057EB2A 43 Bytes [8B, F9, 8D, 45, 10, 50, 68, ...] PAGE ntoskrnl.exe!ObSetHandleAttributes + 6C 8057EB56 43 Bytes [C6, 5E, 5B, C9, C2, 0C, 00, ...] PAGE ntoskrnl.exe!ObSetHandleAttributes + 98 8057EB82 8 Bytes [0F, 84, E5, FD, FF, FF, 09, ...] PAGE ntoskrnl.exe!ObSetHandleAttributes + A1 8057EB8B 123 Bytes [B0, 01, 5D, C2, 08, 00, 90, ...] PAGE ... PAGE ntoskrnl.exe!PsSetThreadWin32Thread + 48 8057EC7B 20 Bytes [84, 1F, 9B, 07, 00, 39, 1D, ...] PAGE ntoskrnl.exe!PsSetThreadWin32Thread + 5D 8057EC90 11 Bytes [00, 00, 80, 9B, 55, 80, 0F, ...] {ADD [EAX], AL; SBB BYTE [EBX-0x7af07fab], 0x17; WAIT ; POP ES} PAGE ntoskrnl.exe!PsSetThreadWin32Thread + 6A 8057EC9D 52 Bytes [46, 44, 89, 45, E0, 38, 9E, ...] PAGE ntoskrnl.exe!PsSetThreadWin32Thread + 9F 8057ECD2 20 Bytes [D0, FF, FF, 50, 57, E8, C2, ...] PAGE ntoskrnl.exe!PsSetThreadWin32Thread + B4 8057ECE7 6 Bytes [53, 57, E8, 9B, B8, F6] PAGE ... PAGE ntoskrnl.exe!ZwCreateThread + 7 8057F269 24 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwCreateThread + 20 8057F282 22 Bytes [0F, 84, CE, 19, 04, 00, A1, ...] PAGE ntoskrnl.exe!ZwCreateThread + 37 8057F299 54 Bytes [01, 89, 01, 8B, 5D, 18, 85, ...] PAGE ntoskrnl.exe!ZwCreateThread + 6E 8057F2D0 9 Bytes [F6, 45, 1C, 03, 0F, 85, BD, ...] PAGE ntoskrnl.exe!ZwCreateThread + 78 8057F2DA 28 Bytes [A1, 34, F5, 55, 80, 39, 45, ...] PAGE ... PAGE ntoskrnl.exe!ZwTestAlert + 88 8057F444 5 Bytes [0F, 85, 47, F9, FF] PAGE ntoskrnl.exe!ZwTestAlert + 8E 8057F44A 24 Bytes JMP 805F9A23 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwTestAlert + A7 8057F463 31 Bytes CALL 8057F7B8 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwTestAlert + C7 8057F483 55 Bytes [8E, 24, 02, 00, 00, 8B, 80, ...] PAGE ntoskrnl.exe!ZwTestAlert + FF 8057F4BB 19 Bytes [8B, 7E, 04, C1, E7, 0C, 53, ...] PAGE ... PAGE ntoskrnl.exe!ZwResumeThread + 1F 8057F8F4 4 Bytes [00, 88, 45, E0] PAGE ntoskrnl.exe!ZwResumeThread + 24 8057F8F9 83 Bytes [75, 0C, 3A, C3, 74, 15, 3B, ...] PAGE ntoskrnl.exe!ZwResumeThread + 78 8057F94D 76 Bytes [00, 00, 3B, F3, 74, 05, 8B, ...] PAGE ntoskrnl.exe!ZwResumeThread + C5 8057F99A 9 Bytes [FF, 8B, 4D, 0C, 85, C9, 74, ...] PAGE ntoskrnl.exe!ZwResumeThread + CF 8057F9A4 49 Bytes [33, C0, 5D, C2, 08, 00, 90, ...] PAGE ntoskrnl.exe!ZwRegisterThreadTerminatePort + 27 8057F9D6 33 Bytes [6A, 00, FF, 75, 08, E8, 88, ...] PAGE ntoskrnl.exe!ZwRegisterThreadTerminatePort + 49 8057F9F8 12 Bytes [84, BF, AC, 07, 00, 89, 48, ...] PAGE ntoskrnl.exe!ZwRegisterThreadTerminatePort + 57 8057FA06 29 Bytes [8B, 11, 89, 10, 89, 01, 33, ...] PAGE ntoskrnl.exe!ZwRegisterThreadTerminatePort + 75 8057FA24 46 Bytes [07, 85, C0, 0F, 84, 88, 1D, ...] PAGE ntoskrnl.exe!ZwRegisterThreadTerminatePort + A5 8057FA54 101 Bytes [31, 07, 83, C7, 04, 89, 7D, ...] PAGE ... PAGE ntoskrnl.exe!NtDeviceIoControlFile + 50 8057FC20 17 Bytes [C9, 74, 1D, 33, C0, 40, 89, ...] PAGE ntoskrnl.exe!NtDeviceIoControlFile + 62 8057FC32 26 Bytes [83, 7D, D4, 02, 0F, 84, 6C, ...] PAGE ntoskrnl.exe!NtDeviceIoControlFile + 7D 8057FC4D 38 Bytes [57, 8D, 45, 90, 50, FF, 75, ...] PAGE ntoskrnl.exe!NtDeviceIoControlFile + A4 8057FC74 105 Bytes [00, 00, 8B, 45, 18, 8B, 4D, ...] PAGE ntoskrnl.exe!NtDeviceIoControlFile + 10E 8057FCDE 5 Bytes [0F, 87, E6, 7A, 05] PAGE ... PAGE ntoskrnl.exe!RtlIntegerToChar + 37 8057FF68 50 Bytes [48, 48, 0F, 85, AB, EB, 07, ...] PAGE ntoskrnl.exe!RtlIntegerToChar + 6A 8057FF9B 16 Bytes [88, 0E, 85, C0, 75, E6, 8D, ...] {MOV [ESI], CL; TEST EAX, EAX; JNZ 0xffffffffffffffec; LEA EAX, [EBP-0x20]; SUB EAX, ESI; MOV EDX, [EBP+0x10]; TEST EDX, EDX} PAGE ntoskrnl.exe!RtlIntegerToChar + 7B 8057FFAC 114 Bytes [8C, A1, EB, 07, 00, 3B, C2, ...] PAGE ntoskrnl.exe!RtlAnsiStringToUnicodeString + 2 8058001F 21 Bytes [55, 8B, EC, 53, 33, DB, 38, ...] PAGE ntoskrnl.exe!RtlAnsiStringToUnicodeString + 18 80580035 5 Bytes [0F, B7, 07, 8D, 44] PAGE ntoskrnl.exe!RtlAnsiStringToUnicodeString + 1E 8058003B 11 Bytes [02, 3D, FF, FF, 00, 00, 0F, ...] PAGE ntoskrnl.exe!RtlAnsiStringToUnicodeString + 2A 80580047 4 Bytes [38, 5D, 10, 56] {CMP [EBP+0x10], BL; PUSH ESI} PAGE ntoskrnl.exe!RtlAnsiStringToUnicodeString + 2F 8058004C 88 Bytes [75, 08, 8D, 48, FE, 66, 89, ...] PAGE ntoskrnl.exe!RtlIntegerToUnicodeString + 6 805800A5 21 Bytes [EC, 1C, A1, 20, 1A, 55, 80, ...] PAGE ntoskrnl.exe!RtlIntegerToUnicodeString + 1C 805800BB 2 Bytes [0C, FF] {OR AL, 0xff} PAGE ntoskrnl.exe!RtlIntegerToUnicodeString + 1F 805800BE 124 Bytes CALL 8057FF30 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!RtlIntegerToUnicodeString + 9C 8058013B 48 Bytes [00, 8D, 5F, 24, 8B, 45, 0C, ...] PAGE ntoskrnl.exe!RtlIntegerToUnicodeString + CD 8058016C 36 Bytes [8D, 4D, E4, 51, 8D, 4D, D8, ...] PAGE ... PAGE ntoskrnl.exe!ZwEnumerateValueKey + 1D 8058021B 85 Bytes [39, 75, 10, 0F, 85, C2, 00, ...] PAGE ntoskrnl.exe!ZwEnumerateValueKey + 73 80580271 55 Bytes [6A, 04, FF, 75, 18, FF, 75, ...] PAGE ntoskrnl.exe!ZwEnumerateValueKey + AB 805802A9 35 Bytes [39, 5D, E4, 7C, 18, 56, FF, ...] PAGE ntoskrnl.exe!ZwEnumerateValueKey + CF 805802CD 91 Bytes [33, F6, 39, 35, F4, DF, 68, ...] PAGE ntoskrnl.exe!ZwOpenEvent + 23 80580329 15 Bytes [83, 65, FC, 00, 8B, 75, 08, ...] PAGE ntoskrnl.exe!ZwOpenEvent + 33 80580339 3 Bytes [B4, 67, 08] PAGE ntoskrnl.exe!ZwOpenEvent + 37 8058033D 19 Bytes [8B, 06, 89, 06, 83, 4D, FC, ...] {MOV EAX, [ESI]; MOV [ESI], EAX; OR DWORD [EBP-0x4], -0x1; LEA EAX, [EBP-0x1c]; PUSH EAX; PUSH 0x0; PUSH DWORD [EBP+0xc]; PUSH 0x0} PAGE ntoskrnl.exe!ZwOpenEvent + 4B 80580351 129 Bytes [75, DC, FF, 35, C0, 1E, 56, ...] PAGE ntoskrnl.exe!ZwOpenEvent + CD 805803D3 9 Bytes JMP 80571BF1 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!ZwSetInformationObject + 7 80580435 4 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwSetInformationObject + C 8058043A 4 Bytes [C7, 45, DC, 03] PAGE ntoskrnl.exe!ZwSetInformationObject + 12 80580440 31 Bytes [C0, 83, 7D, 0C, 04, 0F, 85, ...] PAGE ntoskrnl.exe!ZwSetInformationObject + 33 80580461 6 Bytes [88, 45, E0, 83, 65, FC] PAGE ntoskrnl.exe!ZwSetInformationObject + 3A 80580468 29 Bytes [8B, 75, 10, 84, C0, 74, 17, ...] PAGE ... PAGE ntoskrnl.exe!ZwQueryInstallUILanguage + 20 80580529 14 Bytes [88, 45, E7, 8B, 4D, 08, 3A, ...] PAGE ntoskrnl.exe!ZwQueryInstallUILanguage + 2F 80580538 26 Bytes [3B, C8, 0F, 83, FA, 6E, 08, ...] PAGE ntoskrnl.exe!ZwQueryInstallUILanguage + 4A 80580553 68 Bytes CALL 804E2AD0 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwCompleteConnectPort + 36 80580598 8 Bytes [45, F8, 89, 5D, FC, 0F, 8C, ...] PAGE ntoskrnl.exe!ZwCompleteConnectPort + 3F 805805A1 1 Byte [00] PAGE ntoskrnl.exe!ZwCompleteConnectPort + 3F 805805A1 20 Bytes [00, 00, 8B, 83, 90, 00, 00, ...] PAGE ntoskrnl.exe!ZwCompleteConnectPort + 54 805805B6 57 Bytes [BF, 40, A5, 55, 80, 8B, CF, ...] PAGE ntoskrnl.exe!ZwCompleteConnectPort + 8E 805805F0 26 Bytes [03, 85, C0, 74, 25, 8D, 48, ...] PAGE ... PAGE ntoskrnl.exe!ZwQueueApcThread + 49 80580A49 24 Bytes [57, 68, 50, 73, 61, 70, 6A, ...] PAGE ntoskrnl.exe!ZwQueueApcThread + 62 80580A62 44 Bytes [FF, 75, 10, 6A, 01, FF, 75, ...] PAGE ntoskrnl.exe!ZwQueueApcThread + 8F 80580A8F 24 Bytes CALL 804D918C \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwQueueApcThread + A8 80580AA8 90 Bytes [85, 2D, 28, FF, FF, B8, 00, ...] PAGE ntoskrnl.exe!ZwQueueApcThread + 103 80580B03 4 Bytes [89, 7D, F0, B8] PAGE ... PAGE ntoskrnl.exe!ZwAccessCheckByType + 37 80580B93 17 Bytes CALL 805807A1 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwAccessCheckByType + 49 80580BA5 38 Bytes [6A, 01, 57, 57, FF, 75, DC, ...] PAGE ntoskrnl.exe!ZwAccessCheckByType + 70 80580BCC 42 Bytes CALL 8056AB16 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwAccessCheckByType + 9D 80580BF9 56 Bytes [89, 4D, DC, 7F, 21, 39, 4D, ...] PAGE ntoskrnl.exe!ZwAccessCheckByType + D7 80580C33 12 Bytes [8B, 4D, 08, F6, 41, 2E, 10, ...] PAGE ... PAGE ntoskrnl.exe!ExfReleasePushLock + 20 80580CBB 1 Byte [FF] PAGE ntoskrnl.exe!ExfReleasePushLock + 20 80580CBB 13 Bytes [FF, 8B, F2, 33, C9, 80, 7A, ...] {DEC DWORD [EBX-0x7f36cc0e]; JP 0x20; ADD [EDI], CL; TEST [EBX+0x1], EDI} PAGE ntoskrnl.exe!ExfReleasePushLock + 2F 80580CCA 11 Bytes [41, 8B, 42, 10, 85, C0, 0F, ...] PAGE ntoskrnl.exe!ExfReleasePushLock + 3B 80580CD6 12 Bytes [85, C0, 8B, D0, 75, E4, 85, ...] PAGE ntoskrnl.exe!ExfReleasePushLock + 48 80580CE3 74 Bytes [00, 8A, 46, 18, 03, C9, 83, ...] PAGE ... PAGE ntoskrnl.exe!ExfAcquirePushLockShared + 39 80580D97 17 Bytes [75, EC, 0F, 85, E5, 00, 00, ...] {JNZ 0xffffffffffffffee; JNZ 0xed; MOV [EBP-0x18], ESI; LEA EAX, [EBP-0x27]; MOV [EBP-0x4], EAX} PAGE ntoskrnl.exe!ExfAcquirePushLockShared + 4B 80580DA9 1 Byte [45] PAGE ntoskrnl.exe!ExfAcquirePushLockShared + 4B 80580DA9 5 Bytes [45, F8, 8B, 4D, F4] {INC EBP; CLC ; MOV ECX, [EBP-0xc]} PAGE ntoskrnl.exe!ExfAcquirePushLockShared + 51 80580DAF 1 Byte [55] PAGE ntoskrnl.exe!ExfAcquirePushLockShared + 51 80580DAF 35 Bytes [55, FC, 0F, B1, 11, 3B, C3, ...] PAGE ntoskrnl.exe!ExfAcquirePushLockExclusive + 1 80580DD3 26 Bytes [FF, 55, 8B, EC, 83, EC, 28, ...] PAGE ntoskrnl.exe!ExfAcquirePushLockExclusive + 1C 80580DEE 38 Bytes [F6, C3, 01, 8D, 45, E0, C6, ...] PAGE ntoskrnl.exe!ExfAcquirePushLockExclusive + 43 80580E15 11 Bytes CALL 0E4453A3 PAGE ntoskrnl.exe!ExfAcquirePushLockExclusive + 4F 80580E21 18 Bytes [45, F8, 8B, 4D, F4, 8B, 55, ...] PAGE ntoskrnl.exe!ExfAcquirePushLockExclusive + 62 80580E34 82 Bytes [56, 56, 56, 56, 8D, 45, D8, ...] PAGE ... PAGE ntoskrnl.exe!ZwCreateNamedPipeFile + 14 80580F21 26 Bytes [84, 8F, 00, 00, 00, C6, 45, ...] PAGE ntoskrnl.exe!ZwCreateNamedPipeFile + 2F 80580F3C 16 Bytes [89, 5D, FC, F6, C1, 03, 0F, ...] PAGE ntoskrnl.exe!ZwCreateNamedPipeFile + 40 80580F4D 7 Bytes [3B, C8, 0F, 83, E1, 41, 06] PAGE ntoskrnl.exe!ZwCreateNamedPipeFile + 48 80580F55 14 Bytes [8B, 01, 89, 45, D4, 8B, 41, ...] PAGE ntoskrnl.exe!ZwCreateNamedPipeFile + 57 80580F64 144 Bytes [8B, 45, 24, 89, 45, BC, 8B, ...] PAGE ... PAGE ntoskrnl.exe!RtlNtStatusToDosError + 7 80581767 26 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!RtlNtStatusToDosError + 22 80581782 4 Bytes [00, 83, 4D, FC] PAGE ntoskrnl.exe!RtlNtStatusToDosError + 28 80581788 11 Bytes CALL 804FFF2B \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!RtlNtStatusToDosError + 34 80581794 43 Bytes [C2, 04, 00, 8B, 45, 14, 85, ...] PAGE ntoskrnl.exe!RtlNtStatusToDosError + 60 805817C0 8 Bytes JMP 0B581FB8 PAGE ... PAGE ntoskrnl.exe!RtlAddAccessAllowedAce + 7 80581913 59 Bytes [FF, 75, 14, FF, 75, 10, 6A, ...] PAGE ntoskrnl.exe!PsDisableImpersonation + 20 8058194F 6 Bytes [56, 64, A1, 24, 01, 00] PAGE ntoskrnl.exe!PsDisableImpersonation + 27 80581956 5 Bytes [8B, F0, FF, 8E, D4] PAGE ntoskrnl.exe!PsDisableImpersonation + 2F 8058195E 112 Bytes [8D, 87, 38, 02, 00, 00, 89, ...] PAGE ntoskrnl.exe!PsDisableImpersonation + A0 805819CF 14 Bytes [00, 00, 0F, B1, 11, 83, F8, ...] {ADD [EAX], AL; CMPXCHG [ECX], EDX; CMP EAX, 0x2; JNZ 0x77da0} PAGE ntoskrnl.exe!PsDisableImpersonation + AF 805819DE 41 Bytes [86, D4, 00, 00, 00, 75, 0B, ...] PAGE ntoskrnl.exe!RtlSetDaclSecurityDescriptor + 2 80581A08 92 Bytes [55, 8B, EC, 8B, 45, 08, 80, ...] PAGE ntoskrnl.exe!PsRestoreImpersonation + 4 80581A65 140 Bytes [EC, 56, 8B, 75, 0C, FF, 76, ...] PAGE ntoskrnl.exe!PsRestoreImpersonation + 91 80581AF2 8 Bytes [F8, 85, FF, 0F, 84, 67, E4, ...] PAGE ntoskrnl.exe!PsRestoreImpersonation + 9A 80581AFB 34 Bytes [6A, 02, FF, 75, FC, 57, E8, ...] PAGE ntoskrnl.exe!PsRestoreImpersonation + BD 80581B1E 1 Byte [FD] PAGE ntoskrnl.exe!PsRestoreImpersonation + C0 80581B21 5 Bytes [FF, 35, FC, D7, 68] PAGE ... PAGE ntoskrnl.exe!ZwImpersonateClientOfPort + 7 80581B71 23 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwImpersonateClientOfPort + 20 80581B8A 3 Bytes [8A, 80, 40] PAGE ntoskrnl.exe!ZwImpersonateClientOfPort + 26 80581B90 88 Bytes [88, 45, 8C, 33, FF, 84, C0, ...] PAGE ntoskrnl.exe!ZwImpersonateClientOfPort + 7F 80581BE9 6 Bytes [8B, 5D, A0, 8B, 83, 90] PAGE ntoskrnl.exe!ZwImpersonateClientOfPort + 86 80581BF0 34 Bytes [00, 00, 83, E0, 0F, 3C, 03, ...] PAGE ... PAGE ntoskrnl.exe!RtlAreAnyAccessesGranted + 2 80581F53 12 Bytes [55, 8B, EC, 8B, 45, 08, 85, ...] {PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0x8]; TEST [EBP+0xc], EAX; SETNZ AL} PAGE ntoskrnl.exe!RtlAreAnyAccessesGranted + F 80581F60 14 Bytes [C2, 08, 00, 8B, 43, 14, 8B, ...] PAGE ntoskrnl.exe!RtlAreAnyAccessesGranted + 1E 80581F6F 13 Bytes [FF, 07, 00, 33, C8, 89, 4B, ...] PAGE ntoskrnl.exe!RtlAreAnyAccessesGranted + 2C 80581F7D 100 Bytes [8D, 8E, F0, 00, 00, 00, FF, ...] PAGE ntoskrnl.exe!RtlUnicodeToMultiByteSize + 26 80581FE2 29 Bytes [C7, 45, E4, 18, 00, 00, C0, ...] PAGE ntoskrnl.exe!RtlUnicodeToMultiByteSize + 44 80582000 5 Bytes [C7, 45, 0C, 03, 00] PAGE ntoskrnl.exe!RtlUnicodeToMultiByteSize + 4A 80582006 6 Bytes JMP 8057E691 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!RtlUnicodeToMultiByteSize + 54 80582010 104 Bytes [90, 6A, 40, 68, F8, 1E, 4F, ...] PAGE ntoskrnl.exe!RtlUnicodeToMultiByteSize + BD 80582079 98 Bytes [0D, 34, F5, 55, 80, 3B, C1, ...] PAGE ... PAGE ntoskrnl.exe!ZwReadRequestData + 52 80582214 65 Bytes [00, 85, C0, 0F, 84, E2, C6, ...] PAGE ntoskrnl.exe!ZwReadRequestData + 94 80582256 33 Bytes [00, A3, 60, A5, 55, 80, E9, ...] PAGE ntoskrnl.exe!ZwReadRequestData + B6 80582278 6 Bytes [0F, 84, 9F, CB, 06, 00] {JZ 0x6cba5} PAGE ntoskrnl.exe!ZwReadRequestData + BD 8058227F 1 Byte [45] PAGE ntoskrnl.exe!ZwReadRequestData + C0 80582282 36 Bytes [88, 90, 00, 00, 00, 80, E1, ...] PAGE ... PAGE ntoskrnl.exe!ZwWriteRequestData + 22 805823D0 27 Bytes [64, A1, 24, 01, 00, 00, 8D, ...] PAGE ntoskrnl.exe!ZwWriteRequestData + 3E 805823EC 15 Bytes [FF, 75, 18, FF, 70, 44, E9, ...] PAGE ntoskrnl.exe!ZwWriteRequestData + 4E 805823FC 43 Bytes JMP 8058204F \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwCompareTokens + 18 80582428 7 Bytes [89, 75, E0, 64, A1, 24, 01] PAGE ntoskrnl.exe!ZwCompareTokens + 20 80582430 107 Bytes [00, 8A, 80, 40, 01, 00, 00, ...] PAGE ntoskrnl.exe!ZwCompareTokens + 8C 8058249C 31 Bytes CALL 80564464 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwCompareTokens + AC 805824BC 3 Bytes [FF, 88, D4] PAGE ntoskrnl.exe!ZwCompareTokens + B0 805824C0 23 Bytes [00, 00, 6A, 01, FF, 77, 30, ...] PAGE ... PAGE ntoskrnl.exe!ZwNotifyChangeKey + 1 805829DE 16 Bytes [FF, 55, 8B, EC, FF, 75, 2C, ...] {CALL [EBP-0x75]; IN AL, DX ; PUSH DWORD [EBP+0x2c]; PUSH DWORD [EBP+0x28]; PUSH DWORD [EBP+0x24]; PUSH DWORD [EBP+0x20]} PAGE ntoskrnl.exe!ZwNotifyChangeKey + 12 805829EF 25 Bytes [75, 1C, FF, 75, 18, FF, 75, ...] PAGE ntoskrnl.exe!ZwNotifyChangeKey + 2C 80582A09 115 Bytes [5D, C2, 28, 00, 90, 90, 90, ...] PAGE ntoskrnl.exe!ZwNotifyChangeKey + A0 80582A7D 36 Bytes CALL 804E72C0 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwNotifyChangeKey + C5 80582AA2 21 Bytes [90, 90, 90, 90, 6A, 7C, 68, ...] PAGE ntoskrnl.exe!ZwNotifyChangeMultipleKeys + 12 80582AB8 80 Bytes [5D, E0, 33, FF, 47, 89, 7D, ...] PAGE ntoskrnl.exe!ZwNotifyChangeMultipleKeys + 63 80582B09 7 Bytes [89, 5D, FC, 6A, 04, 6A, 08] {MOV [EBP-0x4], EBX; PUSH 0x4; PUSH 0x8} PAGE ntoskrnl.exe!ZwNotifyChangeMultipleKeys + 6B 80582B11 44 Bytes CALL 80565F80 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwNotifyChangeMultipleKeys + 98 80582B3E 1 Byte [00] PAGE ntoskrnl.exe!ZwNotifyChangeMultipleKeys + 98 80582B3E 13 Bytes [00, 00, 8B, 45, 24, 83, E0, ...] PAGE ... PAGE ntoskrnl.exe!NtNotifyChangeDirectoryFile + 3A 80582CCE 22 Bytes [B5, 2B, 06, 00, 8B, 07, 89, ...] PAGE ntoskrnl.exe!NtNotifyChangeDirectoryFile + 51 80582CE5 30 Bytes CALL 80565F7F \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtNotifyChangeDirectoryFile + 70 80582D04 61 Bytes [86, 2B, 06, 00, 56, 8D, 45, ...] PAGE ntoskrnl.exe!NtNotifyChangeDirectoryFile + AE 80582D42 41 Bytes [35, C0, 1E, 56, 80, 6A, 02, ...] PAGE ntoskrnl.exe!NtNotifyChangeDirectoryFile + D8 80582D6C 28 Bytes [C6, 45, D4, 00, 89, 73, 60, ...] PAGE ... PAGE ntoskrnl.exe!FsRtlNotifyFilterChangeDirectory + 7 80582E2A 42 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!FsRtlNotifyFilterChangeDirectory + 32 80582E55 37 Bytes [8B, 5D, 24, 85, DB, 0F, 84, ...] PAGE ntoskrnl.exe!FsRtlNotifyFilterChangeDirectory + 58 80582E7B 3 Bytes [FF, 75, 10] {PUSH DWORD [EBP+0x10]} PAGE ntoskrnl.exe!FsRtlNotifyFilterChangeDirectory + 5C 80582E7F 6 Bytes [75, 0C, E8, CA, 68, FF] PAGE ntoskrnl.exe!FsRtlNotifyFilterChangeDirectory + 63 80582E86 57 Bytes [8B, F0, 89, 75, E4, 33, D2, ...] PAGE ... PAGE ntoskrnl.exe!ObCheckCreateObjectAccess + DC 80583DEC 39 Bytes [8B, 55, 08, 8D, 0C, 8A, 53, ...] PAGE ntoskrnl.exe!ObCheckCreateObjectAccess + 104 80583E14 92 Bytes JMP 805838EE \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ObCheckCreateObjectAccess + 161 80583E71 23 Bytes [B1, 11, 3B, C7, 0F, 85, E6, ...] PAGE ntoskrnl.exe!ObCheckCreateObjectAccess + 179 80583E89 110 Bytes [80, D4, 00, 00, 00, 0F, 84, ...] PAGE ntoskrnl.exe!ObCheckCreateObjectAccess + 1E8 80583EF8 60 Bytes JMP 805783EC \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!NtLockFile + 1 80584302 179 Bytes [64, 68, C0, D9, 4F, 80, E8, ...] PAGE ntoskrnl.exe!NtLockFile + B5 805843B6 68 Bytes [45, A0, 8B, 5D, DC, 39, 7B, ...] PAGE ntoskrnl.exe!NtLockFile + FA 805843FB 33 Bytes [75, 2C, FF, 75, 28, FF, 75, ...] PAGE ntoskrnl.exe!NtLockFile + 11C 8058441D 52 Bytes [45, FC, 01, 00, 00, 00, 8B, ...] PAGE ntoskrnl.exe!NtLockFile + 151 80584452 79 Bytes CALL 804E2AD0 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtUnlockFile + 41 805844A2 59 Bytes [00, 84, DB, 0F, 84, 65, 0F, ...] PAGE ntoskrnl.exe!NtUnlockFile + 7D 805844DE 49 Bytes [A1, 34, F5, 55, 80, 3B, D8, ...] PAGE ntoskrnl.exe!NtUnlockFile + AF 80584510 143 Bytes [43, 04, 89, 45, B0, 83, 4D, ...] PAGE ntoskrnl.exe!NtUnlockFile + 13F 805845A0 39 Bytes JMP 80571BE8 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtUnlockFile + 167 805845C8 25 Bytes [66, 89, 70, 2C, EB, 7D, 0F, ...] PAGE ... PAGE ntoskrnl.exe!RtlMultiByteToUnicodeSize + 1D 805847E0 23 Bytes [33, C0, 5D, C2, 0C, 00, 83, ...] PAGE ntoskrnl.exe!RtlMultiByteToUnicodeSize + 35 805847F8 8 Bytes [FF, FF, 89, 55, FC, 6A, 00, ...] PAGE ntoskrnl.exe!RtlMultiByteToUnicodeSize + 3E 80584801 206 Bytes [6C, FF, FF, FF, 50, FF, 75, ...] PAGE ntoskrnl.exe!RtlMultiByteToUnicodeSize + 10D 805848D0 22 Bytes [75, F8, 56, FF, D0, E9, 29, ...] PAGE ntoskrnl.exe!RtlMultiByteToUnicodeSize + 124 805848E7 38 Bytes JMP 80576955 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!RtlGetDefaultCodePage + 13 80584C56 54 Bytes [45, 0C, 66, 8B, 0D, 74, D1, ...] PAGE ntoskrnl.exe!RtlGetDefaultCodePage + 4A 80584C8D 123 Bytes JMP 80582D06 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!RtlGetDefaultCodePage + C6 80584D09 18 Bytes [8B, 45, 9C, 8B, 75, AC, E9, ...] PAGE ntoskrnl.exe!RtlGetDefaultCodePage + D9 80584D1C 31 Bytes [F6, 43, 02, 10, 0F, 85, FD, ...] PAGE ntoskrnl.exe!RtlGetDefaultCodePage + F9 80584D3C 133 Bytes [00, 8B, D8, 53, 56, 89, 5D, ...] PAGE ... PAGE ntoskrnl.exe!ZwSecureConnectPort + F 80585D8C 37 Bytes [64, A1, 24, 01, 00, 00, 89, ...] PAGE ntoskrnl.exe!ZwSecureConnectPort + 35 80585DB2 33 Bytes [5D, FC, 8B, 4D, 08, A1, 34, ...] PAGE ntoskrnl.exe!ZwSecureConnectPort + 57 80585DD4 42 Bytes [3B, D0, 8B, F0, 73, 02, 8B, ...] PAGE ntoskrnl.exe!ZwSecureConnectPort + 82 80585DFF 18 Bytes [F6, C2, 03, 0F, 85, F5, 86, ...] PAGE ntoskrnl.exe!ZwSecureConnectPort + 95 80585E12 43 Bytes [8B, 5D, 1C, 33, F6, 3B, DE, ...] PAGE ... PAGE ntoskrnl.exe!ObReferenceObjectByName + F6 8058647A 67 Bytes [84, C0, 74, 05, 8B, 45, FC, ...] PAGE ntoskrnl.exe!ObReferenceObjectByName + 13A 805864BE 25 Bytes [74, 22, 56, 8B, 75, 10, 3B, ...] PAGE ntoskrnl.exe!ObReferenceObjectByName + 154 805864D8 116 Bytes [84, C0, 0F, 85, C4, B7, 07, ...] PAGE ntoskrnl.exe!ObReferenceObjectByName + 1C9 8058654D 27 Bytes [75, 14, 83, C3, 68, 53, 8B, ...] PAGE ntoskrnl.exe!ObReferenceObjectByName + 1E5 80586569 31 Bytes [84, C0, 88, 45, 18, 74, 0B, ...] PAGE ... PAGE ntoskrnl.exe!ZwAcceptConnectPort + 1B 805866AC 3 Bytes [88, 45, 90] {MOV [EBP-0x70], AL} PAGE ntoskrnl.exe!ZwAcceptConnectPort + 1F 805866B0 80 Bytes [C0, 0F, 84, 00, C0, 02, 00, ...] PAGE ntoskrnl.exe!ZwAcceptConnectPort + 71 80586702 97 Bytes [DB, 74, 34, 3B, D8, 0F, 83, ...] PAGE ntoskrnl.exe!ZwAcceptConnectPort + D3 80586764 10 Bytes [64, A1, 24, 01, 00, 00, A3, ...] PAGE ntoskrnl.exe!ZwAcceptConnectPort + DE 8058676F 8 Bytes [8B, 55, E4, 8B, 8A, 08, 02, ...] PAGE ... PAGE ntoskrnl.exe!ZwQueryDefaultUILanguage + 1C 80586F75 1 Byte [40] PAGE ntoskrnl.exe!ZwQueryDefaultUILanguage + 1F 80586F78 52 Bytes [00, 88, 45, E7, 8B, 75, 08, ...] PAGE ntoskrnl.exe!ZwQueryDefaultUILanguage + 54 80586FAD 1 Byte [66] PAGE ntoskrnl.exe!ZwQueryDefaultUILanguage + 54 80586FAD 36 Bytes [66, 89, 06, 83, 4D, FC, FF, ...] PAGE ntoskrnl.exe!ZwQueryDefaultUILanguage + 79 80586FD2 15 Bytes [67, 00, 75, 00, 61, 00, 67, ...] {ADD [DI+0x0], DH; POPA ; ADD [EDI+0x0], AH; ADD GS:[ECX+0x0], CL; ADD FS:[EAX], AL} PAGE ... PAGE ntoskrnl.exe!RtlIntegerToUnicode + C 80587133 44 Bytes [A1, 20, 1A, 55, 80, 89, 45, ...] PAGE ntoskrnl.exe!RtlIntegerToUnicode + 39 80587160 31 Bytes [0F, 85, 02, 92, 01, 00, 33, ...] PAGE ntoskrnl.exe!RtlIntegerToUnicode + 59 80587180 18 Bytes [0F, 85, 2E, 91, 01, 00, 33, ...] PAGE ntoskrnl.exe!RtlIntegerToUnicode + 6C 80587193 1 Byte [58] PAGE ntoskrnl.exe!RtlIntegerToUnicode + 6C 80587193 124 Bytes [58, 80, 66, 89, 0E, 85, C0, ...] PAGE ... PAGE ntoskrnl.exe!RtlConvertSidToUnicodeString + B 8058726C 60 Bytes [A1, 20, 1A, 55, 80, 56, 8B, ...] PAGE ntoskrnl.exe!RtlConvertSidToUnicodeString + 48 805872A9 297 Bytes [8A, 46, 02, 84, C0, 59, 59, ...] PAGE ntoskrnl.exe!RtlConvertSidToUnicodeString + 172 805873D3 40 Bytes [5D, 18, 8B, 7D, 10, E9, 1E, ...] PAGE ntoskrnl.exe!RtlConvertSidToUnicodeString + 19C 805873FD 40 Bytes [33, DB, 3B, C3, 6A, 18, 5F, ...] PAGE ntoskrnl.exe!RtlConvertSidToUnicodeString + 1C5 80587426 41 Bytes [00, 89, 5D, EC, 89, 5D, F0, ...] PAGE ... PAGE ntoskrnl.exe!RtlFormatCurrentUserKeyPath + 18 8058746D 78 Bytes [A8, 50, BB, 00, 02, 00, 00, ...] PAGE ntoskrnl.exe!RtlFormatCurrentUserKeyPath + 67 805874BC 20 Bytes [FF, 75, A8, 8B, D8, E8, CF, ...] PAGE ntoskrnl.exe!RtlFormatCurrentUserKeyPath + 7C 805874D1 28 Bytes CALL 80587217 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!RtlFormatCurrentUserKeyPath + 99 805874EE 20 Bytes CALL BBD8CC16 PAGE ntoskrnl.exe!RtlFormatCurrentUserKeyPath + AE 80587503 80 Bytes CALL 804FA580 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!ZwQuerySymbolicLinkObject + 25 805875A2 10 Bytes [89, 75, FC, 8B, 5D, 0C, F6, ...] PAGE ntoskrnl.exe!ZwQuerySymbolicLinkObject + 30 805875AD 31 Bytes [77, F4, 06, 00, A1, 34, F5, ...] PAGE ntoskrnl.exe!ZwQuerySymbolicLinkObject + 50 805875CD 79 Bytes [3B, C1, 0F, 83, 74, F4, 06, ...] PAGE ntoskrnl.exe!ZwQuerySymbolicLinkObject + A1 8058761E 71 Bytes CALL 80564464 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwQuerySymbolicLinkObject + E9 80587666 24 Bytes [0F, 84, A6, 10, 00, 00, 66, ...] PAGE ... PAGE ntoskrnl.exe!ZwOpenSymbolicLinkObject + 5B 80587767 28 Bytes [45, D8, C7, 45, FC, 01, 00, ...] PAGE ntoskrnl.exe!ZwOpenSymbolicLinkObject + 78 80587784 30 Bytes [8D, 85, 50, FF, FF, FF, 50, ...] PAGE ntoskrnl.exe!ZwOpenSymbolicLinkObject + 97 805877A3 69 Bytes [8D, 85, 1C, FF, FF, FF, 50, ...] PAGE ntoskrnl.exe!ZwOpenSymbolicLinkObject + DD 805877E9 75 Bytes [C7, 45, 90, 01, 00, 00, 00, ...] PAGE ntoskrnl.exe!ZwOpenSymbolicLinkObject + 12A 80587836 16 Bytes JMP 80574A25 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwOpenDirectoryObject + 7 80587847 10 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwOpenDirectoryObject + 12 80587852 29 Bytes [8A, 80, 40, 01, 00, 00, 88, ...] PAGE ntoskrnl.exe!ZwOpenDirectoryObject + 30 80587870 2 Bytes [3B, F0] {CMP ESI, EAX} PAGE ntoskrnl.exe!ZwOpenDirectoryObject + 33 80587873 30 Bytes [83, 7B, CF, 06, 00, 8B, 06, ...] PAGE ntoskrnl.exe!ZwOpenDirectoryObject + 52 80587892 16 Bytes CALL 80567B85 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!ZwQueryEvent + C 805878C9 25 Bytes [33, FF, 39, 7D, 0C, 0F, 85, ...] PAGE ntoskrnl.exe!ZwQueryEvent + 26 805878E3 44 Bytes [00, 8A, 80, 40, 01, 00, 00, ...] PAGE ntoskrnl.exe!ZwQueryEvent + 53 80587910 82 Bytes [83, 4D, FC, FF, 57, 8D, 45, ...] PAGE ntoskrnl.exe!RtlRandom + 1C 80587963 87 Bytes [FF, FF, 7F, 33, D2, 8B, DF, ...] PAGE ntoskrnl.exe!RtlRandom + 74 805879BB 7 Bytes [8D, 45, 84, 50, FF, 75, E4] {LEA EAX, [EBP-0x7c]; PUSH EAX; PUSH DWORD [EBP-0x1c]} PAGE ntoskrnl.exe!RtlRandom + 7C 805879C3 8 Bytes [35, D8, 0C, 56, 80, 68, 00, ...] PAGE ntoskrnl.exe!RtlRandom + 85 805879CC 28 Bytes CALL 80564464 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!RtlRandom + A2 805879E9 3 Bytes CALL 80569758 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!IoQueryFileInformation + 4D 80587C63 89 Bytes [8B, D8, 89, 5D, CC, 85, DB, ...] PAGE ntoskrnl.exe!IoQueryFileInformation + A7 80587CBD 5 Bytes [00, 8B, F3, 8B, F8] PAGE ntoskrnl.exe!IoQueryFileInformation + AD 80587CC3 142 Bytes JMP 0BFE6FCA PAGE ntoskrnl.exe!IoQueryFileInformation + 13C 80587D52 4 Bytes [0F, 85, 6C, 11] PAGE ntoskrnl.exe!IoQueryFileInformation + 142 80587D58 12 Bytes [8B, 4D, E0, 83, C1, FC, 89, ...] {MOV ECX, [EBP-0x20]; ADD ECX, -0x4; MOV [EBP-0x24], ECX; MOV EAX, [EBP-0x2c]} PAGE ... PAGE ntoskrnl.exe!ZwQueryObject + A 80587E1A 35 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwQueryObject + 2E 80587E3E 51 Bytes [89, 75, FC, 8B, 7D, 10, 83, ...] PAGE ntoskrnl.exe!ZwQueryObject + 62 80587E72 8 Bytes [8D, 45, D0, 50, 8D, 45, A8, ...] {LEA EAX, [EBP-0x30]; PUSH EAX; LEA EAX, [EBP-0x58]; PUSH EAX} PAGE ntoskrnl.exe!ZwQueryObject + 6B 80587E7B 2 Bytes [B5, 78] {MOV CH, 0x78} PAGE ntoskrnl.exe!ZwQueryObject + 6E 80587E7E 15 Bytes [FF, FF, 56, 56, FF, 75, 08, ...] PAGE ... PAGE ntoskrnl.exe!ObQueryNameString + 1E 8058836F 189 Bytes [C6, 45, DE, 01, C6, 45, DF, ...] PAGE ntoskrnl.exe!ObQueryNameString + DC 8058842D 5 Bytes [75, D8, 0F, B7, 7B] PAGE ntoskrnl.exe!ObQueryNameString + E2 80588433 164 Bytes [47, 47, 89, 7D, CC, 8D, 43, ...] PAGE ntoskrnl.exe!PsSetProcessWin32Process + 29 805884D9 5 Bytes [8B, 4D, 08, BA, 02] PAGE ntoskrnl.exe!PsSetProcessWin32Process + 2F 805884DF 14 Bytes [00, 00, 0F, B1, 11, 85, C0, ...] PAGE ntoskrnl.exe!PsSetProcessWin32Process + 3F 805884EF 2 Bytes [85, C9] {TEST ECX, ECX} PAGE ntoskrnl.exe!PsSetProcessWin32Process + 42 805884F2 17 Bytes [84, C1, 24, 00, 00, F6, 87, ...] {TEST CL, AL; AND AL, 0x0; ADD DH, DH; XCHG [EAX+0x2], ECX; ADD [EAX], AL; OR [EDI], CL; TEST ECX, ECX; AND AL, 0x0} PAGE ntoskrnl.exe!PsSetProcessWin32Process + 54 80588504 49 Bytes [8D, 87, 30, 01, 00, 00, 83, ...] PAGE ... PAGE ntoskrnl.exe!ZwCreateProcessEx + 37 8058860A 38 Bytes [83, 4D, FC, FF, 39, 55, 14, ...] PAGE ntoskrnl.exe!ZwCreateProcessEx + 5E 80588631 153 Bytes CALL 804E2ACE \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwCreateProcessEx + F9 805886CC 15 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] PAGE ntoskrnl.exe!ZwCreateProcessEx + 109 805886DC 7 Bytes [8B, CE, FF, 15, 60, 76, 4D] PAGE ntoskrnl.exe!ZwCreateProcessEx + 111 805886E4 142 Bytes [8B, 45, 0C, 85, C0, 0F, 84, ...] PAGE ... PAGE ntoskrnl.exe!IoDeleteController + A2 80589017 33 Bytes [84, C0, 0F, 84, 42, 12, 07, ...] PAGE ntoskrnl.exe!IoDeleteController + C4 80589039 3 Bytes CALL 804D915C \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!IoDeleteController + C8 8058903D 4 Bytes [F5, FF, 33, F6] PAGE ntoskrnl.exe!IoDeleteController + CD 80589042 137 Bytes CALL 8056A7EC \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!PsSetProcessWindowStation + 15 805890CC 94 Bytes CALL 804D9190 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!PsSetProcessWindowStation + 74 8058912B 119 Bytes [00, 8B, F8, 85, FF, 0F, 84, ...] PAGE ntoskrnl.exe!PsSetProcessWindowStation + EE 805891A5 40 Bytes [00, 8B, 4D, 08, 87, 01, 33, ...] PAGE ntoskrnl.exe!PsSetProcessWindowStation + 117 805891CE 92 Bytes [FF, 55, 8B, EC, 56, 8B, 4D, ...] PAGE ntoskrnl.exe!PsSetProcessWindowStation + 174 8058922B 104 Bytes [0F, B6, 05, 80, 19, 55, 80, ...] PAGE ... PAGE ntoskrnl.exe!ZwQueryInformationJobObject + 5C 80589718 37 Bytes [85, 20, FF, FF, FF, 84, C0, ...] PAGE ntoskrnl.exe!ZwQueryInformationJobObject + 82 8058973E 12 Bytes [83, 4D, FC, FF, 39, 5D, 08, ...] PAGE ntoskrnl.exe!ZwQueryInformationJobObject + 8F 8058974B 51 Bytes [8B, 46, 44, 8B, 80, 34, 01, ...] PAGE ntoskrnl.exe!ZwQueryInformationJobObject + C4 80589780 14 Bytes [04, 00, 00, 00, 08, 00, 00, ...] {ADD AL, 0x0; ADD [EAX], AL; OR [EAX], AL; ADD [EAX], AL; PUSHA ; ADD [EAX], AL; ADD [EAX+0x0], DH} PAGE ntoskrnl.exe!ZwQueryInformationJobObject + D4 80589790 6 Bytes [04, 00, 00, 00, 00, 00] {ADD AL, 0x0; ADD [EAX], AL; ADD [EAX], AL} PAGE ... PAGE ntoskrnl.exe!SeTokenIsWriteRestricted + C 8058A032 39 Bytes CALL 8239233F PAGE ntoskrnl.exe!ZwOpenKeyedEvent + 18 8058A05B 1 Byte [88] PAGE ntoskrnl.exe!ZwOpenKeyedEvent + 18 8058A05B 23 Bytes [88, 45, E0, 33, F6, 89, 75, ...] PAGE ntoskrnl.exe!ZwOpenKeyedEvent + 30 8058A073 36 Bytes [A1, 34, F5, 55, 80, 3B, D8, ...] PAGE ntoskrnl.exe!ZwOpenKeyedEvent + 55 8058A098 18 Bytes CALL 80567B85 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwOpenKeyedEvent + 68 8058A0AB 13 Bytes [8B, 4D, E4, 89, 0B, 83, 4D, ...] PAGE ... PAGE ntoskrnl.exe!ZwTerminateProcess + 10 8058AE2E 125 Bytes [00, 83, 7D, 08, 00, 8B, F8, ...] PAGE ntoskrnl.exe!ZwTerminateProcess + 8E 8058AEAC 7 Bytes [6A, 00, 53, C7, 45, 08, 22] PAGE ntoskrnl.exe!ZwTerminateProcess + 96 8058AEB4 58 Bytes CALL 8057BE43 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwTerminateProcess + D2 8058AEF0 3 Bytes [80, 7D, FF] PAGE ntoskrnl.exe!ZwTerminateProcess + D6 8058AEF4 23 Bytes CALL 804D918C \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!ExRundownCompleted + 9F 8058B029 68 Bytes [00, 8D, 8F, C8, 00, 00, 00, ...] PAGE ntoskrnl.exe!ExRundownCompleted + E4 8058B06E 30 Bytes CALL 80504343 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ExRundownCompleted + 103 8058B08D 96 Bytes [55, 8B, EC, 56, 8B, 75, 0C, ...] PAGE ntoskrnl.exe!ExRundownCompleted + 164 8058B0EE 47 Bytes [83, C6, 08, FF, 4D, FC, 75, ...] PAGE ntoskrnl.exe!ExRundownCompleted + 194 8058B11E 22 Bytes [0F, B1, 11, 3B, C3, 75, 0A, ...] PAGE ... PAGE ntoskrnl.exe!RtlInsertUnicodePrefix + 29 8058B53F 38 Bytes [89, 57, 08, 8B, 59, 04, 89, ...] PAGE ntoskrnl.exe!RtlInsertUnicodePrefix + 50 8058B566 67 Bytes [FF, 83, F8, 02, 0F, 84, 22, ...] PAGE ntoskrnl.exe!RtlInsertUnicodePrefix + 94 8058B5AA 4 Bytes CALL 804EA220 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!RtlInsertUnicodePrefix + 99 8058B5AF 29 Bytes CALL 81201BC0 PAGE ntoskrnl.exe!RtlInsertUnicodePrefix + B7 8058B5CD 63 Bytes [41, 10, 85, C0, 0F, 84, 8C, ...] PAGE ntoskrnl.exe!RtlRemoveUnicodePrefix + 10 8058B60D 21 Bytes [BF, 08, 81, F9, 01, 08, 00, ...] PAGE ntoskrnl.exe!RtlRemoveUnicodePrefix + 26 8058B623 16 Bytes [8F, 74, 07, 07, 00, 8B, 50, ...] PAGE ntoskrnl.exe!RtlRemoveUnicodePrefix + 37 8058B634 11 Bytes [83, C0, 0C, 8B, F0, 8B, 0E, ...] {ADD EAX, 0xc; MOV ESI, EAX; MOV ECX, [ESI]; CMP ECX, ESI; JZ 0xf} PAGE ntoskrnl.exe!RtlRemoveUnicodePrefix + 43 8058B640 12 Bytes [F1, EB, F6, 50, 83, C6, F4, ...] {INT1 ; JMP 0xfffffffffffffff9; PUSH EAX; ADD ESI, -0xc; CALL 0xfffffffffff5ec31} PAGE ntoskrnl.exe!RtlRemoveUnicodePrefix + 50 8058B64D 104 Bytes [C0, 0F, 84, 7E, FC, 04, 00, ...] PAGE ... PAGE ntoskrnl.exe!ZwQueryTimerResolution + 16 8058B9FC 68 Bytes [00, 00, 33, DB, 3A, C3, 0F, ...] PAGE ntoskrnl.exe!ZwQueryTimerResolution + 5B 8058BA41 20 Bytes [BC, 07, 00, 8B, 10, 89, 10, ...] PAGE ntoskrnl.exe!ZwQueryTimerResolution + 70 8058BA56 74 Bytes [89, 11, 8B, 0D, FC, 9A, 55, ...] PAGE ntoskrnl.exe!ZwQueryTimerResolution + BB 8058BAA1 4 Bytes [F6, 43, 10, 01] {TEST BYTE [EBX+0x10], 0x1} PAGE ntoskrnl.exe!ZwQueryTimerResolution + C1 8058BAA7 3 Bytes [33, 3A, 08] PAGE ... PAGE ntoskrnl.exe!SeQueryInformationToken + 28 8058C7C0 8 Bytes [8B, 75, 08, 6A, 01, FF, 76, ...] {MOV ESI, [EBP+0x8]; PUSH 0x1; PUSH DWORD [ESI+0x30]} PAGE ntoskrnl.exe!SeQueryInformationToken + 31 8058C7C9 3 Bytes CALL 804D9536 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!SeQueryInformationToken + 35 8058C7CD 28 Bytes [8B, 46, 68, 8B, 00, 0F, B6, ...] PAGE ntoskrnl.exe!SeQueryInformationToken + 52 8058C7EA 30 Bytes [8B, F8, 85, FF, 0F, 84, 31, ...] PAGE ntoskrnl.exe!SeQueryInformationToken + 72 8058C80A 2 Bytes [4E, 30] PAGE ... PAGE ntoskrnl.exe!ZwQueryDirectoryObject + 64 8058D5C1 74 Bytes [8B, CE, 33, C0, 8B, FB, 8B, ...] PAGE ntoskrnl.exe!ZwQueryDirectoryObject + AF 8058D60C 116 Bytes [88, D4, 00, 00, 00, 8D, B9, ...] PAGE ntoskrnl.exe!ZwQueryDirectoryObject + 124 8058D681 76 Bytes [45, DC, 39, 45, E0, 74, 5A, ...] PAGE ntoskrnl.exe!ZwQueryDirectoryObject + 171 8058D6CE 18 Bytes [0F, 85, 73, C0, 00, 00, 8B, ...] PAGE ntoskrnl.exe!ZwQueryDirectoryObject + 184 8058D6E1 17 Bytes [FF, 8B, 77, 04, 83, EE, 18, ...] PAGE ... PAGE ntoskrnl.exe!MmPrefetchPages + 2B 8058E888 19 Bytes [3B, FE, 53, 89, 75, FC, 89, ...] {CMP EDI, ESI; PUSH EBX; MOV [EBP-0x4], ESI; MOV [EBP-0x8], ESI; JBE 0x3c; MOV EBX, [EBP+0xc]; MOV ESI, EAX; SUB EBX, EAX; PUSH ESI} PAGE ntoskrnl.exe!MmPrefetchPages + 3F 8058E89C 17 Bytes CALL 8058E4C2 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!MmPrefetchPages + 51 8058E8AE 5 Bytes [0F, 85, 2F, 43, 00] PAGE ntoskrnl.exe!MmPrefetchPages + 57 8058E8B4 15 Bytes [83, C6, 04, 4F, 75, E0, 83, ...] PAGE ntoskrnl.exe!MmPrefetchPages + 67 8058E8C4 2 Bytes [6A, 00] {PUSH 0x0} PAGE ... PAGE ntoskrnl.exe!SeDeassignSecurity + 1 8058F8BE 71 Bytes [FF, 55, 8B, EC, 56, 8B, 75, ...] PAGE ntoskrnl.exe!SeDeassignSecurity + 49 8058F906 37 Bytes [32, C0, 5F, 5E, 5B, C9, C2, ...] PAGE ntoskrnl.exe!RtlInitializeSid + 18 8058F92C 19 Bytes [57, 88, 48, 01, C6, 00, 01, ...] PAGE ntoskrnl.exe!RtlInitializeSid + 2C 8058F940 96 Bytes [00, 90, 90, 90, 90, 90, 8B, ...] PAGE ntoskrnl.exe!FsRtlFindInTunnelCache + 7 8058F9A1 14 Bytes CALL 804E2A92 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!FsRtlFindInTunnelCache + 16 8058F9B0 26 Bytes [00, 0F, 84, A9, 31, 05, 00, ...] PAGE ntoskrnl.exe!FsRtlFindInTunnelCache + 32 8058F9CC 8 Bytes [45, D8, 50, 56, E8, 51, A3, ...] PAGE ntoskrnl.exe!FsRtlFindInTunnelCache + 3B 8058F9D5 108 Bytes [8B, 76, 20, 85, F6, 74, 5A, ...] PAGE ntoskrnl.exe!FsRtlFindInTunnelCache + A8 8058FA42 15 Bytes [00, 38, 5D, FF, 0F, 85, 8E, ...] {ADD [EAX], BH; POP EBP; DEC DWORD [EDI]; TEST [ESI+0x32000006], ECX; SHR CL, 0xa6; PUSH ES} PAGE ... PAGE ntoskrnl.exe!FsRtlAddToTunnelCache + 2 8058FC82 122 Bytes [55, 8B, EC, 83, EC, 14, 83, ...] PAGE ntoskrnl.exe!FsRtlAddToTunnelCache + 7E 8058FCFE 26 Bytes [FF, 75, F4, 8B, 06, FF, 75, ...] PAGE ntoskrnl.exe!FsRtlAddToTunnelCache + 99 8058FD19 7 Bytes [FF, 0F, 8D, 4D, FE, FF, FF] PAGE ntoskrnl.exe!FsRtlAddToTunnelCache + A1 8058FD21 110 Bytes [75, F8, 83, C6, 08, EB, CD, ...] PAGE ntoskrnl.exe!ObQueryObjectAuditingByHandle + 30 8058FD90 22 Bytes CALL 8056661A \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ObQueryObjectAuditingByHandle + 47 8058FDA7 14 Bytes [8B, 45, 0C, C0, EB, 02, 80, ...] {MOV EAX, [EBP+0xc]; SHR BL, 0x2; AND BL, 0x1; MOV [EAX], BL; XOR EDI, EDI; POP EBX} PAGE ntoskrnl.exe!ObQueryObjectAuditingByHandle + 56 8058FDB6 73 Bytes [86, D4, 00, 00, 00, 0F, 84, ...] PAGE ntoskrnl.exe!ObQueryObjectAuditingByHandle + A0 8058FE00 97 Bytes JMP 0BFEF107 PAGE ntoskrnl.exe!RtlHashUnicodeString + 3F 8058FE62 3 Bytes [16, 46, 46] {PUSH SS; INC ESI; INC ESI} PAGE ntoskrnl.exe!RtlHashUnicodeString + 43 8058FE66 161 Bytes [83, FA, 61, 0F, B7, CA, 72, ...] PAGE ntoskrnl.exe!RtlUnicodeToOemN + 5A 8058FF08 242 Bytes [0F, B7, 58, 06, 8A, 1C, 33, ...] PAGE ntoskrnl.exe!RtlUnicodeToOemN + 14D 8058FFFB 110 Bytes [6C, FF, 58, 80, 62, FF, 58, ...] PAGE ntoskrnl.exe!FsRtlIsFatDbcsLegal + 32 8059006A 39 Bytes [38, 5D, 14, 0F, 85, FE, 33, ...] PAGE ntoskrnl.exe!FsRtlIsFatDbcsLegal + 5A 80590092 44 Bytes [FF, 8A, 04, 31, 3C, 80, 0F, ...] PAGE ntoskrnl.exe!FsRtlIsFatDbcsLegal + 87 805900BF 50 Bytes [55, 18, 0F, 84, 85, F9, FF, ...] PAGE ntoskrnl.exe!FsRtlIsFatDbcsLegal + BA 805900F2 44 Bytes [84, 55, F9, FF, FF, B0, 01, ...] PAGE ntoskrnl.exe!FsRtlIsFatDbcsLegal + E7 8059011F 64 Bytes [80, 7C, 31, FF, 20, 0F, 84, ...] PAGE ntoskrnl.exe!RtlUnicodeStringToCountedOemString + 2C 80590161 44 Bytes [00, 00, 0F, 87, DF, D8, 06, ...] PAGE ntoskrnl.exe!RtlUnicodeStringToCountedOemString + 59 8059018E 30 Bytes [50, 0F, B7, 06, 50, FF, 76, ...] PAGE ntoskrnl.exe!RtlUnicodeStringToCountedOemString + 78 805901AD 13 Bytes [C0, 0F, 84, C8, D8, 06, 00, ...] PAGE ntoskrnl.exe!RtlUnicodeStringToCountedOemString + 86 805901BB 9 Bytes [00, 33, C0, 5E, 5F, 5B, 5D, ...] PAGE ntoskrnl.exe!RtlUnicodeStringToCountedOemString + 90 805901C5 42 Bytes [0F, B7, D7, 8B, C2, C1, E8, ...] PAGE ... PAGE ntoskrnl.exe!RtlGenerate8dot3Name + 13 8059022D 7 Bytes [5D, 10, 56, 89, 45, FC, 8B] PAGE ntoskrnl.exe!RtlGenerate8dot3Name + 1B 80590235 2 Bytes [14, 57] {ADC AL, 0x57} PAGE ntoskrnl.exe!RtlGenerate8dot3Name + 1E 80590238 3 Bytes [7D, 08, 89] PAGE ntoskrnl.exe!RtlGenerate8dot3Name + 22 8059023C 27 Bytes [E0, 89, 45, D4, C6, 45, DF, ...] PAGE ntoskrnl.exe!RtlGenerate8dot3Name + 3F 80590259 10 Bytes [43, 20, 83, 7B, 20, 04, 0F, ...] PAGE ... PAGE ntoskrnl.exe!NtAllocateLocallyUniqueId + C 8059056A 64 Bytes [83, 65, FC, 00, 64, A1, 24, ...] PAGE ntoskrnl.exe!NtAllocateLocallyUniqueId + 4D 805905AB 32 Bytes CALL 804E342A \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtAllocateLocallyUniqueId + 6E 805905CC 21 Bytes [6A, 34, 5F, 68, 56, 61, 64, ...] PAGE ntoskrnl.exe!NtAllocateLocallyUniqueId + 84 805905E2 33 Bytes CALL 804DB7D5 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!NtAllocateLocallyUniqueId + A6 80590604 23 Bytes [F8, 85, FF, 0F, 84, 38, 13, ...] PAGE ... PAGE ntoskrnl.exe!FsRtlNotifyCleanup + 16 805906C0 21 Bytes [00, 8B, F0, 8B, 7D, 08, 3B, ...] PAGE ntoskrnl.exe!FsRtlNotifyCleanup + 2C 805906D6 54 Bytes [47, 24, 89, 5D, FC, FF, 75, ...] PAGE ntoskrnl.exe!FsRtlNotifyCleanup + 63 8059070D 32 Bytes [8D, 46, 18, 89, 45, D8, 8B, ...] PAGE ntoskrnl.exe!FsRtlNotifyCleanup + 84 8059072E 18 Bytes [8B, 4D, E0, 0F, C1, 01, 39, ...] PAGE ntoskrnl.exe!FsRtlNotifyCleanup + 97 80590741 56 Bytes [39, 5E, 14, 74, 06, 8B, 46, ...] PAGE ... PAGE ntoskrnl.exe!ExUuidCreate + 20 8059091B 62 Bytes [15, A8, DD, 68, 80, 8B, 3D, ...] PAGE ntoskrnl.exe!ExUuidCreate + 60 8059095B 35 Bytes [4D, F4, 99, 2B, C8, 1B, FA, ...] PAGE ntoskrnl.exe!ExUuidCreate + 84 8059097F 144 Bytes [00, 0F, 84, 58, 73, 07, 00, ...] PAGE ntoskrnl.exe!ExUuidCreate + 115 80590A10 126 Bytes [0F, 85, 4F, F8, FF, FF, 80, ...] PAGE ntoskrnl.exe!ExUuidCreate + 194 80590A8F 93 Bytes [B7, 04, 41, 8B, DA, C1, EB, ...] PAGE ... PAGE ntoskrnl.exe!RtlQueryRegistryValues + D 805919E6 33 Bytes [8D, 45, F0, 50, 33, FF, 57, ...] PAGE ntoskrnl.exe!RtlQueryRegistryValues + 31 80591A0A 31 Bytes [40, 8D, 45, DC, 0F, 84, 30, ...] PAGE ntoskrnl.exe!RtlQueryRegistryValues + 51 80591A2A 5 Bytes [00, 00, E8, CA, 01] PAGE ntoskrnl.exe!RtlQueryRegistryValues + 57 80591A30 64 Bytes [00, 8B, F0, 3B, F7, 0F, 84, ...] PAGE ntoskrnl.exe!RtlQueryRegistryValues + 98 80591A71 31 Bytes [47, 08, 0F, 85, 72, A3, 01, ...] PAGE ... PAGE ntoskrnl.exe!IoGetDeviceProperty + D 80592066 44 Bytes [8B, 55, 08, 53, 8B, 5D, 14, ...] PAGE ntoskrnl.exe!IoGetDeviceProperty + 3A 80592093 37 Bytes [F6, 46, 7E, 02, 0F, 85, B7, ...] PAGE ntoskrnl.exe!IoGetDeviceProperty + 60 805920B9 69 Bytes [75, 10, 57, 53, FF, 75, E8, ...] PAGE ntoskrnl.exe!IoGetDeviceProperty + A6 805920FF 91 Bytes [6A, 00, 8D, 45, FC, 50, E8, ...] PAGE ntoskrnl.exe!IoGetDeviceProperty + 103 8059215C 3 Bytes [8B, FF, 55] {MOV EDI, EDI; PUSH EBP} PAGE ... PAGE ntoskrnl.exe!ZwCreatePort + 2E 805926C7 25 Bytes [C0, B8, 01, 00, 00, 00, 8B, ...] PAGE ntoskrnl.exe!ZwCreatePort + 48 805926E1 55 Bytes [B0, 01, 84, C0, 0F, 84, 24, ...] PAGE ntoskrnl.exe!ZwCreatePort + 80 80592719 7 Bytes [50, 8A, 45, D8, 88, 47, 20] {PUSH EAX; MOV AL, [EBP-0x28]; MOV [EDI+0x20], AL} PAGE ntoskrnl.exe!ZwCreatePort + 88 80592721 94 Bytes [45, E0, 89, 47, 2C, 89, 77, ...] PAGE ntoskrnl.exe!ZwCreatePort + E7 80592780 3 Bytes CALL 804E72C5 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ... PAGE ntoskrnl.exe!ZwFlushKey + 39 8059495E 1 Byte [57] PAGE ntoskrnl.exe!ZwFlushKey + 39 8059495E 49 Bytes CALL 80564464 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwFlushKey + 6B 80594990 86 Bytes [46, 04, FF, 70, 14, FF, 70, ...] PAGE ntoskrnl.exe!ZwFlushKey + C2 805949E7 3 Bytes [45, 15, 01] PAGE ntoskrnl.exe!ZwFlushKey + C6 805949EB 4 Bytes [85, 71, E3, 05] PAGE ... PAGE ntoskrnl.exe!LdrAccessResource + C 80595354 11 Bytes [45, C0, 83, F8, 07, 0F, 87, ...] {INC EBP; ROL BYTE [EBX-0x78f0f808], 0x1d; ADD DWORD [EBX], 0x0} PAGE ntoskrnl.exe!LdrAccessResource + 18 80595360 15 Bytes [24, 85, 19, 55, 59, 80, 80, ...] PAGE ntoskrnl.exe!LdrAccessResource + 28 80595370 5 Bytes [66, A1, 28, CF, 68] PAGE ntoskrnl.exe!LdrAccessResource + 2E 80595376 41 Bytes [66, 89, 45, E0, 66, 39, 7D, ...] PAGE ntoskrnl.exe!LdrAccessResource + 58 805953A0 1 Byte [90] PAGE ... PAGE ntoskrnl.exe!RtlFindMessage + 2A 80595606 131 Bytes CALL 805951D7 \WINDOWS\system32\ntoskrnl.exe (NT-Kernel und -System/Microsoft Corporation) PAGE ntoskrnl.exe!ZwPrivilegeObjectAuditAlarm + 1A 8059568A 88 Bytes [8A, 80, 40, 01, 00, 00, 88, ...] PAGE ntoskrnl.exe!ZwPrivilegeObjectAuditAlarm + 73 805956E3 3 Bytes [00, 84, C0] PAGE ntoskrnl.exe!ZwPrivilegeObjectAuditAlarm + 77 805956E7 4 Bytes [84, 21, BA, 06] PAGE ntoskrnl.exe!ZwPrivilegeObjectAuditAlarm + 7C 805956EC 79 Bytes [89, 5D, FC, 8D, 45, E0, 50, ...] PAGE ntoskrnl.exe!ZwPrivilegeObjectAuditAlarm + CC 8059573C 40 Bytes [00, 00, 89, 7D, C4, 85, FF, ...] PAGE ... PAGE ntoskrnl.exe!NtAllocateUuids + 10 80595811 26 Bytes [64, A1, 24, 01, 00, 00, 89, ...] PAGE ntoskrnl.exe!NtAllocateUuids + 2B 8059582C 88 Bytes [00, 00, 89, 5D, C8, A1, 34, ...] PAGE ntoskrnl.exe!NtAllocateUuids + 84 80595885 70 Bytes [A8, 03, 0F, 85, 8E, 23, 07, ...] PAGE ntoskrnl.exe!NtAllocateUuids + CB 805958CC 52 Bytes [8D, 45, E0, 50, 8D, 45, D8, ...] PAGE ntoskrnl.exe!NtAllocateUuids + 100 80595901 11 Bytes [0F, 85, 53, 23, 07, 00, C7, ...] PAGE ... PAGE ntoskrnl.exe!ZwSetTimerResolution + 3B 80595C0A 49 Bytes [64, A1, 24, 01, 00, 00, 8B, ...] PAGE ntoskrnl.exe!ZwSetTimerResolution + 6D 80595C3C 67 Bytes [D0, 23, D1, F0, 0F, B1, 17, ...] PAGE ntoskrnl.exe!ZwSetTimerResolution + B1 80595C80 111 Bytes [00, 80, B8, 40, 01, 00, 00, ...] PAGE ntoskrnl.exe!ZwSetTimerResolution + 121 80595CF0 8 Bytes [C1, 75, 06, FF, 05, 7C, DD, ...] PAGE ntoskrnl.exe!ZwSetTimerResolution + 12A 80595CF9 153 Bytes [8B, 7D, 08, A1, C0, 9B, 55, ...] PAGE ... PAGE ntoskrnl.exe!ZwPlugPlayControl + 71 80595E5D 58 Bytes [00, 53, 8B, 5D, FC, 6A, 01, ...] PAGE ntoskrnl.exe!ZwPlugPlayControl + AC 80595E98 74 Bytes [53, 6A, 04, 57, FF, 75, 10, ...] PAGE ntoskrnl.exe!ZwPlugPlayControl + F7 80595EE3 2 Bytes [5D, 10] PAGE ntoskrnl.exe!ZwPlugPlayControl + FA 80595EE6 1 Byte [DE] PAGE ntoskrnl.exe!ZwPlugPlayControl + FA 80595EE6 135 Bytes [DE, 0F, 84, E2, 98, 04, 00, ...] PAGE ... ? spyn.sys Das System kann die angegebene Datei nicht finden. ! .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF315A000, 0x1C5D38, 0xE8000020] .text USBPORT.SYS!DllUnload F105B62C 5 Bytes JMP 86CF0348 .text akxgepid.SYS F100B386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...] .text akxgepid.SYS F100B3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text akxgepid.SYS F100B3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH} .text akxgepid.SYS F100B3C9 1 Byte [30] .text akxgepid.SYS F100B3C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL} .text ... pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xA9679F00, 0x24000, 0x48000000] ---- User code sections - GMER 1.0.15 ---- ? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[568] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch; ? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[568] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; .text C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[568] USER32.dll!VRipOutput + FFFA5010 77D12A78 4 Bytes [70, 11, 32, 6D] ? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[904] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch; ? C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[904] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; .text C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[904] USER32.dll!VRipOutput + FFFA5010 77D12A78 4 Bytes [70, 11, 32, 6D] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86F6A2D8 IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F761EC4C] spyn.sys IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F761ECA0] spyn.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F75EE042] spyn.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F75EE13E] spyn.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F75EE0C0] spyn.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F75EE800] spyn.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F75EE6D6] spyn.sys IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRequest] [F7B2354E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7B2320E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7B23256] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7B2352C] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7B234FE] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7B234FE] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRequest] [F7B2354E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7B23256] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7B2320E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7B2352C] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRequest] [F7B2354E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7B2352C] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7B234FE] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7B23256] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7B2320E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86CF0448 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!RtlInitUnicodeString] 00021083 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!swprintf] 01B05E00 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeSetEvent] 5DE58B5B IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 7E8366C3 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 0F740028 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 89320C8D IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!MmFreeMappingAddress] 0002288B IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 46B70F00 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 66D00328 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!MmUnmapIoSpace] 002A7E83 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 0C8D1574 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IofCompleteRequest] 248B8932 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 0F000002 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IofCallDriver] 832A46B7 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!MmAllocateMappingAddress] E08303C0 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 66D003FC IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoConnectInterrupt] 002C7E83 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoDetachDevice] 0C8D1E74 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeWaitForSingleObject] 208B8932 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeInitializeEvent] 8A000002 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 83880846 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!RtlInitAnsiString] 000001C0 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 2C4EB70F IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoQueueWorkItem] 8303C183 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!MmMapIoSpace] D103FCE1 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 2E7E8366 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoReportDetectedDevice] 8D1C7400 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoReportResourceForDetection] 83893204 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 00000218 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!NlsMbCodePageTag] 2E4EB70F IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!PoRequestPowerIrp] 021C8B89 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] B70F0000 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] E0C12E46 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!sprintf] 03D00304 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 0CB389F2 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!ObfDereferenceObject] 80000002 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 0975013E IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 1B42E853 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!ZwClose] C4830000 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] B05E5F04 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] E58B5B01 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] CCCCC35D IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!PoStartNextPowerIrp] CCCCCCCC IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!PoCallDriver] 53EC8B55 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoCreateDevice] 08758B56 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 0214BE83 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 57000000 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!ZwOpenKey] 45C60674 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 1EEB010B IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoStartTimer] 020C868B IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeInitializeTimer] C0850000 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoInitializeTimer] 808A1074 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeInitializeDpc] 00000804 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeInitializeSpinLock] A03CF024 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoInitializeIrp] 0B45950F IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!ZwCreateKey] 45C604EB IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 458A000B IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 88C0840B IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!ZwSetValueKey] 840F0946 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeInsertQueueDpc] 000000C1 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 14B30E8B IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoStartPacket] 1C8286C6 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 88010000 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 001C859E IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoFreeMdl] A19E8800 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!MmUnlockPages] C600001C IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 001C8686 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 86C60100 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 00001CA2 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 70518B01 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeSynchronizeExecution] 8D52006A IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoStartNextPacket] 001C8886 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeBugCheckEx] 55E85000 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 8B000023 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeSetTimer] 70518B0E IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeCancelTimer] 8D52016A IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!_allmul] 001CA486 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!MmProbeAndLockPages] 41E85000 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!_except_handler3] 8B000023 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!PoSetPowerState] 18C4830E IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 1C8D9E88 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 9E880000 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!_aulldiv] 00001CA9 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!strstr] 0E798366 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!_strupr] 74AAB000 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeQuerySystemTime] 8186C636 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 1A00001C IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!KeTickCount] 1C8386C6 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] C6020000 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoDeleteDevice] 001C8E86 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 86C60200 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00001CAA IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoAllocateIrp] 959E8802 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoAllocateMdl] 8800001C IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 001CB19E IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!MmLockPagableDataSection] 96868800 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 8800001C IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 001CB286 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!ExFreePoolWithTag] C61AEB00 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoFreeIrp] 001C8186 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!IoFreeWorkItem] 86C61200 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!InitSafeBootMode] 00001C83 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!RtlCompareMemory] 8E868801 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 8800001C IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!memmove] 001CAA86 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[ntoskrnl.exe!MmHighestUserAddress] 80968B00 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[HAL.dll!KfAcquireSpinLock] 0C8D1C46 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[HAL.dll!READ_PORT_UCHAR] B08B8932 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[HAL.dll!KeGetCurrentIrql] 89000001 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[HAL.dll!KfRaiseIrql] 0001BC83 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[HAL.dll!KfLowerIrql] 24468B00 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[HAL.dll!HalGetInterruptVector] 89820C8D IAT \SystemRoot\System32\Drivers\akxgepid.SYS[HAL.dll!HalTranslateBusAddress] D18BF84D IAT \SystemRoot\System32\Drivers\akxgepid.SYS[HAL.dll!KeStallExecutionProcessor] 860F1639 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[HAL.dll!KfReleaseSpinLock] 000000BD IAT \SystemRoot\System32\Drivers\akxgepid.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0208B389 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[HAL.dll!READ_PORT_USHORT] 83660000 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 7400067E IAT \SystemRoot\System32\Drivers\akxgepid.SYS[HAL.dll!WRITE_PORT_UCHAR] 89D60320 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[WMILIB.SYS!WmiSystemControl] 8D168B00 IAT \SystemRoot\System32\Drivers\akxgepid.SYS[WMILIB.SYS!WmiCompleteRequest] F0003284 IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F75FDE9C] spyn.sys IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7B234FE] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7B2320E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRequest] [F7B2354E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7B23256] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7B2352C] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7B2320E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRequest] [F7B2354E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7B234FE] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7B23256] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F6F65CC0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7B2352C] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7B234FE] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7B23256] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7B2320E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRequest] [F7B2354E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\arp1394.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F7B2320E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F7B23256] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRequest] [F7B2354E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F7B2352C] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F7B234FE] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\USBSTOR.SYS[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\HIDCLASS.SYS[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\usbccgp.sys[NTOSKRNL.EXE!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\mouhid.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\point32.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F6F65CC0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F7B234FE] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7B2352C] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRequest] [F7B2354E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F7B2320E] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F7B23256] PDDSLHND.sys (ProDyne DSL Handler/ProDyne) IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\Drivers\Udfs.SYS[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\Drivers\ParVdm.SYS[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) IAT \SystemRoot\system32\drivers\kmixer.sys[ntoskrnl.exe!IoCreateDevice] [F6F65B70] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 86FD01F8 Device \FileSystem\Udfs \UdfsCdRom 8605A500 Device \FileSystem\Udfs \UdfsDisk 8605A500 AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) Device \Driver\NetBT \Device\NetBT_Tcpip_{5094C683-1C85-4735-B611-430DC8FE67D9} 86C7D500 Device \Driver\usbohci \Device\USBPDO-0 86C37500 Device \Driver\PCI_PNP3360 \Device\00000051 spyn.sys Device \Driver\PCI_PNP3360 \Device\00000051 spyn.sys Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F681F8 Device \Driver\dmio \Device\DmControl\DmConfig 86F681F8 Device \Driver\dmio \Device\DmControl\DmPnP 86F681F8 Device \Driver\dmio \Device\DmControl\DmInfo 86F681F8 Device \Driver\usbohci \Device\USBPDO-1 86C37500 Device \Driver\NetBT \Device\NetBT_Tcpip_{FA4A76BC-7D38-4792-8C9C-3BDD26C3A608} 86C7D500 Device \Driver\usbohci \Device\USBPDO-2 86C37500 Device \Driver\usbstor \Device\00000060 86C66500 Device \Driver\usbehci \Device\USBPDO-3 86B5B500 Device \Driver\usbstor \Device\00000061 86C66500 AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) Device \Driver\usbstor \Device\00000062 86C66500 Device \Driver\Ftdisk \Device\HarddiskVolume1 86FD21F8 Device \Driver\Cdrom \Device\CdRom0 86C65500 Device \Driver\Cdrom \Device\CdRom1 86C65500 Device \Driver\atapi \Device\Ide\IdePort0 86FD11F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 86FD11F8 Device \Driver\atapi \Device\Ide\IdePort1 86FD11F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 86FD11F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 86FD11F8 Device \Driver\Cdrom \Device\CdRom2 86C65500 Device \Driver\Cdrom \Device\CdRom3 86C65500 Device \Driver\usbstor \Device\00000068 86C66500 Device \Driver\NetBT \Device\NetBt_Wins_Export 86C7D500 Device \Driver\usbstor \Device\0000005c 86C66500 AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) Device \Driver\usbstor \Device\0000005e 86C66500 Device \Driver\usbstor \Device\0000005f 86C66500 Device \Driver\sptd \Device\2277903792 spyn.sys Device \Driver\usbohci \Device\USBFDO-0 86C37500 Device \Driver\usbohci \Device\USBFDO-1 86C37500 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86C63500 Device \Driver\usbohci \Device\USBFDO-2 86C37500 Device \FileSystem\MRxSmb \Device\LanmanRedirector 86C63500 Device \Driver\usbehci \Device\USBFDO-3 86B5B500 Device \Driver\NetBT \Device\NetBT_Tcpip_{F5E6229E-D95B-4E46-A2EF-B9ED59C37A1A} 86C7D500 Device \Driver\Ftdisk \Device\FtControl 86FD21F8 Device \Driver\akxgepid \Device\Scsi\akxgepid1Port2Path0Target0Lun0 86D67500 Device \Driver\akxgepid \Device\Scsi\akxgepid1 86D67500 Device \FileSystem\Cdfs \Cdfs 86C67500 ---- Services - GMER 1.0.15 ---- Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] gdndzogr <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\gdndzogr@DisplayName Universal System Reg HKLM\SYSTEM\CurrentControlSet\Services\gdndzogr@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\Services\gdndzogr@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\gdndzogr@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\gdndzogr@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\CurrentControlSet\Services\gdndzogr@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\gdndzogr@Description Erm?glicht Windows-basierten Programmen, Internet-basierte Dateien zu erstellen, darauf zuzugreifen und sie zu ver?ndern. Wenn dieser Dienst beendet wird, werden diese Funktionen nicht mehr zur Verf?gung stehen. Wenn dieser Dienst deaktiviert wird, werden alle von diesem Dienst explizit abh?ngigen Dienste nicht gestartet werden k?nnen. Reg HKLM\SYSTEM\CurrentControlSet\Services\gdndzogr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\Services\gdndzogr\Parameters@ServiceDll C:\WINDOWS\system32\xmbfnzfx.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6C 0x83 0x43 0x22 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x67 0x38 0x68 0xE4 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB0 0x55 0xF4 0x77 ... Reg HKLM\SYSTEM\ControlSet002\Services\gdndzogr@DisplayName Universal System Reg HKLM\SYSTEM\ControlSet002\Services\gdndzogr@Type 32 Reg HKLM\SYSTEM\ControlSet002\Services\gdndzogr@Start 2 Reg HKLM\SYSTEM\ControlSet002\Services\gdndzogr@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet002\Services\gdndzogr@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\ControlSet002\Services\gdndzogr@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\Services\gdndzogr@Description Erm?glicht Windows-basierten Programmen, Internet-basierte Dateien zu erstellen, darauf zuzugreifen und sie zu ver?ndern. Wenn dieser Dienst beendet wird, werden diese Funktionen nicht mehr zur Verf?gung stehen. Wenn dieser Dienst deaktiviert wird, werden alle von diesem Dienst explizit abh?ngigen Dienste nicht gestartet werden k?nnen. Reg HKLM\SYSTEM\ControlSet002\Services\gdndzogr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\gdndzogr\Parameters@ServiceDll C:\WINDOWS\system32\xmbfnzfx.dll Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6C 0x83 0x43 0x22 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x67 0x38 0x68 0xE4 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB0 0x55 0xF4 0x77 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000 ---- EOF - GMER 1.0.15 ----