[求助]内核驱动中哪个底层函数是申请R3进程内存的，哪位大神路过帮忙解答一下呀，谢谢了~！-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (8)
天涯何处雪币： 44 活跃值： (186) 能力值： ( LV2，RANK：10 ) 在线值：发帖 39 回帖 335 粉丝 1 关注私信	天涯何处 2 楼自己给自己顶一个先 2016-4-24 11:48 0
轩辕之风雪币： 2291 活跃值： (933) 能力值： ( LV8，RANK：130 ) 在线值：发帖 34 回帖 322 粉丝 67 关注私信	轩辕之风 1 3 楼 ZwAllocateVirtualMemory The ZwAllocateVirtualMemory routine reserves, commits, or both, a region of pages within the user-mode virtual address space of a specified process. NTSTATUS ZwAllocateVirtualMemory( __in HANDLE ProcessHandle, __inout PVOID *BaseAddress, __in ULONG_PTR ZeroBits, __inout PSIZE_T RegionSize, __in ULONG AllocationType, __in ULONG Protect ); 2016-4-24 11:50 0
天涯何处雪币： 44 活跃值： (186) 能力值： ( LV2，RANK：10 ) 在线值：发帖 39 回帖 335 粉丝 1 关注私信	天涯何处 4 楼为什么我用这个函数总是 BaseAddress返回地址是0呀 2016-4-24 13:36 0
天涯何处雪币： 44 活跃值： (186) 能力值： ( LV2，RANK：10 ) 在线值：发帖 39 回帖 335 粉丝 1 关注私信	天涯何处 5 楼这个函数哪里是申请内存的CALL？？？大神过来指点一下呀 nt!NtAllocateVirtualMemory: 84095e0f 68c0000000 push 0C0h 84095e14 688891ea83 push offset nt!NtBuildGUID+0xf044 (83ea9188) 84095e19 e8ea46e2ff call nt!strchr+0x118 (83eba508) 84095e1e 33f6 xor esi,esi 84095e20 397510 cmp dword ptr [ebp+10h],esi 84095e23 7410 je nt!NtAllocateVirtualMemory+0x26 (84095e35) nt!NtAllocateVirtualMemory+0x16: 84095e25 837d1015 cmp dword ptr [ebp+10h],15h 84095e29 760a jbe nt!NtAllocateVirtualMemory+0x26 (84095e35) nt!NtAllocateVirtualMemory+0x1c: 84095e2b b8f10000c0 mov eax,0C00000F1h 84095e30 e9c7150000 jmp nt!NtAllocateVirtualMemory+0x15ed (840973fc) nt!NtAllocateVirtualMemory+0x26: 84095e35 8975e0 mov dword ptr [ebp-20h],esi 84095e38 648b1d24010000 mov ebx,dword ptr fs:[124h] 84095e3f 8b4350 mov eax,dword ptr [ebx+50h] 84095e42 8945b8 mov dword ptr [ebp-48h],eax 84095e45 8b4d18 mov ecx,dword ptr [ebp+18h] 84095e48 8bc1 mov eax,ecx 84095e4a 83e07f and eax,7Fh 84095e4d 8945dc mov dword ptr [ebp-24h],eax 84095e50 0fb7156829fb83 movzx edx,word ptr [nt!KeLoaderBlock+0x14 (83fb2968)] 84095e57 3bc2 cmp eax,edx 84095e59 760a jbe nt!NtAllocateVirtualMemory+0x56 (84095e65) nt!NtAllocateVirtualMemory+0x4c: 84095e5b b8f30000c0 mov eax,0C00000F3h 84095e60 e997150000 jmp nt!NtAllocateVirtualMemory+0x15ed (840973fc) nt!NtAllocateVirtualMemory+0x56: 84095e65 83e180 and ecx,0FFFFFF80h 84095e68 894d18 mov dword ptr [ebp+18h],ecx 84095e6b f7c1ffcf07df test ecx,0DF07CFFFh 84095e71 75e8 jne nt!NtAllocateVirtualMemory+0x4c (84095e5b) nt!NtAllocateVirtualMemory+0x64: 84095e73 f7c100300800 test ecx,83000h 84095e79 74e0 je nt!NtAllocateVirtualMemory+0x4c (84095e5b) nt!NtAllocateVirtualMemory+0x6c: 84095e7b f7c10000e820 test ecx,20E80000h 84095e81 7429 je nt!NtAllocateVirtualMemory+0x9d (84095eac) nt!NtAllocateVirtualMemory+0x74: 84095e83 b800000800 mov eax,80000h 84095e88 85c8 test eax,ecx 84095e8a 7404 je nt!NtAllocateVirtualMemory+0x81 (84095e90) nt!NtAllocateVirtualMemory+0x7d: 84095e8c 3bc8 cmp ecx,eax 84095e8e 75cb jne nt!NtAllocateVirtualMemory+0x4c (84095e5b) nt!NtAllocateVirtualMemory+0x81: 84095e90 f7c100000020 test ecx,20000000h 84095e96 0f8490000000 je nt!NtAllocateVirtualMemory+0x11d (84095f2c) nt!NtAllocateVirtualMemory+0x8d: 84095e9c f7c100100000 test ecx,1000h 84095ea2 74b7 je nt!NtAllocateVirtualMemory+0x4c (84095e5b) nt!NtAllocateVirtualMemory+0x95: 84095ea4 f7c10000e800 test ecx,0E80000h 84095eaa 75af jne nt!NtAllocateVirtualMemory+0x4c (84095e5b) nt!NtAllocateVirtualMemory+0x9d: 84095eac ff751c push dword ptr [ebp+1Ch] 84095eaf e85714dfff call nt!KeCheckProcessorAffinityEx+0xc09 (83e8730b) 84095eb4 8945ac mov dword ptr [ebp-54h],eax 84095eb7 83f8ff cmp eax,0FFFFFFFFh 84095eba 0f848d000000 je nt!NtAllocateVirtualMemory+0x13e (84095f4d) nt!NtAllocateVirtualMemory+0xb1: 84095ec0 8a833a010000 mov al,byte ptr [ebx+13Ah] 84095ec6 8845b4 mov byte ptr [ebp-4Ch],al 84095ec9 8975fc mov dword ptr [ebp-4],esi 84095ecc 84c0 test al,al 84095ece 7425 je nt!NtAllocateVirtualMemory+0xe6 (84095ef5) nt!NtAllocateVirtualMemory+0xc1: 84095ed0 8b450c mov eax,dword ptr [ebp+0Ch] 84095ed3 8b0d1c27fb83 mov ecx,dword ptr [nt!MmUserProbeAddress (83fb271c)] 84095ed9 3bc1 cmp eax,ecx 84095edb 7202 jb nt!NtAllocateVirtualMemory+0xd0 (84095edf) nt!NtAllocateVirtualMemory+0xce: 84095edd 8bc1 mov eax,ecx nt!NtAllocateVirtualMemory+0xd0: 84095edf 8b08 mov ecx,dword ptr [eax] 84095ee1 8908 mov dword ptr [eax],ecx 84095ee3 8b4d14 mov ecx,dword ptr [ebp+14h] 84095ee6 a11c27fb83 mov eax,dword ptr [nt!MmUserProbeAddress (83fb271c)] 84095eeb 3bc8 cmp ecx,eax 84095eed 7202 jb nt!NtAllocateVirtualMemory+0xe2 (84095ef1) nt!NtAllocateVirtualMemory+0xe0: 84095eef 8bc8 mov ecx,eax nt!NtAllocateVirtualMemory+0xe2: 84095ef1 8b01 mov eax,dword ptr [ecx] 84095ef3 8901 mov dword ptr [ecx],eax nt!NtAllocateVirtualMemory+0xe6: 84095ef5 8b450c mov eax,dword ptr [ebp+0Ch] 84095ef8 8b30 mov esi,dword ptr [eax] 84095efa 8975b0 mov dword ptr [ebp-50h],esi 84095efd 8b4514 mov eax,dword ptr [ebp+14h] 84095f00 8b38 mov edi,dword ptr [eax] 84095f02 897dbc mov dword ptr [ebp-44h],edi 84095f05 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh 84095f0c 897d88 mov dword ptr [ebp-78h],edi 84095f0f a11427fb83 mov eax,dword ptr [nt!MmHighestUserAddress (83fb2714)] 84095f14 8d880000ffff lea ecx,[eax-10000h] 84095f1a 3bf1 cmp esi,ecx 84095f1c 0f8692000000 jbe nt!NtAllocateVirtualMemory+0x1a5 (84095fb4) nt!NtAllocateVirtualMemory+0x113: 84095f22 b8f00000c0 mov eax,0C00000F0h 84095f27 e9d0140000 jmp nt!NtAllocateVirtualMemory+0x15ed (840973fc) nt!NtAllocateVirtualMemory+0x11d: 84095f2c f7c100008000 test ecx,800000h 84095f32 7423 je nt!NtAllocateVirtualMemory+0x148 (84095f57) nt!NtAllocateVirtualMemory+0x125: 84095f34 f7c100006000 test ecx,600000h 84095f3a 0f851bffffff jne nt!NtAllocateVirtualMemory+0x4c (84095e5b) nt!NtAllocateVirtualMemory+0x131: 84095f40 f7451cf9f9ffff test dword ptr [ebp+1Ch],0FFFFF9F9h 84095f47 0f845fffffff je nt!NtAllocateVirtualMemory+0x9d (84095eac) nt!NtAllocateVirtualMemory+0x13e: 84095f4d b8450000c0 mov eax,0C0000045h 84095f52 e9a5140000 jmp nt!NtAllocateVirtualMemory+0x15ed (840973fc) nt!NtAllocateVirtualMemory+0x148: 84095f57 f7c100002000 test ecx,200000h 84095f5d 741d je nt!NtAllocateVirtualMemory+0x16d (84095f7c) nt!NtAllocateVirtualMemory+0x150: 84095f5f f7c100004000 test ecx,400000h 84095f65 0f85f0feffff jne nt!NtAllocateVirtualMemory+0x4c (84095e5b) nt!NtAllocateVirtualMemory+0x15c: 84095f6b f7c100200000 test ecx,2000h 84095f71 0f8535ffffff jne nt!NtAllocateVirtualMemory+0x9d (84095eac) nt!NtAllocateVirtualMemory+0x168: 84095f77 e9dffeffff jmp nt!NtAllocateVirtualMemory+0x4c (84095e5b) nt!NtAllocateVirtualMemory+0x16d: 84095f7c f7c100004000 test ecx,400000h 84095f82 0f8424ffffff je nt!NtAllocateVirtualMemory+0x9d (84095eac) nt!NtAllocateVirtualMemory+0x179: 84095f88 f7c100200000 test ecx,2000h 84095f8e 0f84c7feffff je nt!NtAllocateVirtualMemory+0x4c (84095e5b) nt!NtAllocateVirtualMemory+0x185: 84095f94 f7c1ffdfafff test ecx,0FFAFDFFFh 84095f9a 0f85bbfeffff jne nt!NtAllocateVirtualMemory+0x4c (84095e5b) nt!NtAllocateVirtualMemory+0x191: 84095fa0 837d1c04 cmp dword ptr [ebp+1Ch],4 84095fa4 0f8402ffffff je nt!NtAllocateVirtualMemory+0x9d (84095eac) nt!NtAllocateVirtualMemory+0x19b: 84095faa b8f40000c0 mov eax,0C00000F4h 84095faf e948140000 jmp nt!NtAllocateVirtualMemory+0x15ed (840973fc) nt!NtAllocateVirtualMemory+0x1a5: 84095fb4 2bc6 sub eax,esi 84095fb6 2dffff0000 sub eax,0FFFFh 84095fbb 3bc7 cmp eax,edi 84095fbd 730a jae nt!NtAllocateVirtualMemory+0x1ba (84095fc9) nt!NtAllocateVirtualMemory+0x1b0: 84095fbf b8f20000c0 mov eax,0C00000F2h 84095fc4 e933140000 jmp nt!NtAllocateVirtualMemory+0x15ed (840973fc) nt!NtAllocateVirtualMemory+0x1ba: 84095fc9 85ff test edi,edi 84095fcb 74f2 je nt!NtAllocateVirtualMemory+0x1b0 (84095fbf) nt!NtAllocateVirtualMemory+0x1be: 84095fcd 837d08ff cmp dword ptr [ebp+8],0FFFFFFFFh 84095fd1 7508 jne nt!NtAllocateVirtualMemory+0x1cc (84095fdb) nt!NtAllocateVirtualMemory+0x1c4: 84095fd3 8b45b8 mov eax,dword ptr [ebp-48h] 84095fd6 8945e4 mov dword ptr [ebp-1Ch],eax 84095fd9 eb27 jmp nt!NtAllocateVirtualMemory+0x1f3 (84096002) nt!NtAllocateVirtualMemory+0x1cc: 84095fdb 6a00 push 0 84095fdd 8d458c lea eax,[ebp-74h] 84095fe0 50 push eax 84095fe1 ff75b4 push dword ptr [ebp-4Ch] 84095fe4 ff352c20fb83 push dword ptr [nt!PsProcessType (83fb202c)] 84095fea 6a08 push 8 84095fec ff7508 push dword ptr [ebp+8] 84095fef e81181fdff call nt!ObReferenceObjectByHandle (8406e105) 84095ff4 8b4d8c mov ecx,dword ptr [ebp-74h] 84095ff7 894de4 mov dword ptr [ebp-1Ch],ecx 84095ffa 85c0 test eax,eax 84095ffc 0f8cfa130000 jl nt!NtAllocateVirtualMemory+0x15ed (840973fc) nt!NtAllocateVirtualMemory+0x1f3: 84096002 8b4518 mov eax,dword ptr [ebp+18h] 84096005 2500000020 and eax,20000000h 8409600a 8945d0 mov dword ptr [ebp-30h],eax 8409600d 7424 je nt!NtAllocateVirtualMemory+0x224 (84096033) nt!NtAllocateVirtualMemory+0x200: 8409600f ff75b4 push dword ptr [ebp-4Ch] 84096012 ff3514361b84 push dword ptr [nt!SeSystemDefaultDacl+0x1c (841b3614)] 84096018 ff3510361b84 push dword ptr [nt!SeSystemDefaultDacl+0x18 (841b3610)] 8409601e e89b92ffff call nt!SeSinglePrivilegeCheck (8408f2be) 84096023 84c0 test al,al 84096025 750c jne nt!NtAllocateVirtualMemory+0x224 (84096033) nt!NtAllocateVirtualMemory+0x218: 84096027 c74510610000c0 mov dword ptr [ebp+10h],0C0000061h 8409602e e983130000 jmp nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0x224: 84096033 8b45b8 mov eax,dword ptr [ebp-48h] 84096036 3b45e4 cmp eax,dword ptr [ebp-1Ch] 84096039 7416 je nt!NtAllocateVirtualMemory+0x242 (84096051) nt!NtAllocateVirtualMemory+0x22c: 8409603b 8d8558ffffff lea eax,[ebp-0A8h] 84096041 50 push eax 84096042 ff75e4 push dword ptr [ebp-1Ch] 84096045 e8cd85e4ff call nt!KeStackAttachProcess (83ede617) ring0获取指定进程的PEB 8409604a c745e001000000 mov dword ptr [ebp-20h],1 nt!NtAllocateVirtualMemory+0x242: 84096051 8365c000 and dword ptr [ebp-40h],0 84096055 85f6 test esi,esi 84096057 0f84430d0000 je nt!NtAllocateVirtualMemory+0xf91 (84096da0) nt!NtAllocateVirtualMemory+0x24e: 8409605d f7451800200000 test dword ptr [ebp+18h],2000h 84096064 0f85360d0000 jne nt!NtAllocateVirtualMemory+0xf91 (84096da0) nt!NtAllocateVirtualMemory+0x25b: 8409606a 817d1800000800 cmp dword ptr [ebp+18h],80000h 84096071 7528 jne nt!NtAllocateVirtualMemory+0x28c (8409609b) nt!NtAllocateVirtualMemory+0x264: 84096073 03fe add edi,esi 84096075 b900f0ffff mov ecx,0FFFFF000h 8409607a 23f9 and edi,ecx 8409607c 4f dec edi 8409607d 897db4 mov dword ptr [ebp-4Ch],edi 84096080 8d86ff0f0000 lea eax,[esi+0FFFh] 84096086 23c1 and eax,ecx 84096088 8945d8 mov dword ptr [ebp-28h],eax 8409608b 3bc7 cmp eax,edi 8409608d 7622 jbe nt!NtAllocateVirtualMemory+0x2a2 (840960b1) nt!NtAllocateVirtualMemory+0x280: 8409608f c74510180000c0 mov dword ptr [ebp+10h],0C0000018h 84096096 e91b130000 jmp nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0x28c: 8409609b 8d7c37ff lea edi,[edi+esi-1] 8409609f 81cfff0f0000 or edi,0FFFh 840960a5 897db4 mov dword ptr [ebp-4Ch],edi 840960a8 81e600f0ffff and esi,0FFFFF000h 840960ae 8975d8 mov dword ptr [ebp-28h],esi nt!NtAllocateVirtualMemory+0x2a2: 840960b1 8bc7 mov eax,edi 840960b3 8b4dd8 mov ecx,dword ptr [ebp-28h] 840960b6 2bc1 sub eax,ecx 840960b8 40 inc eax 840960b9 8945bc mov dword ptr [ebp-44h],eax 840960bc 894dd4 mov dword ptr [ebp-2Ch],ecx 840960bf c16dd40c shr dword ptr [ebp-2Ch],0Ch 840960c3 897ddc mov dword ptr [ebp-24h],edi 840960c6 c16ddc0c shr dword ptr [ebp-24h],0Ch 840960ca c1e909 shr ecx,9 840960cd bef8ff7f00 mov esi,7FFFF8h 840960d2 23ce and ecx,esi 840960d4 ba00000040 mov edx,40000000h 840960d9 2bca sub ecx,edx 840960db 8bc7 mov eax,edi 840960dd c1e809 shr eax,9 840960e0 23c6 and eax,esi 840960e2 2bc2 sub eax,edx 840960e4 2bc1 sub eax,ecx 840960e6 c1f803 sar eax,3 840960e9 40 inc eax 840960ea 8945c0 mov dword ptr [ebp-40h],eax 840960ed 8365c400 and dword ptr [ebp-3Ch],0 840960f1 8b45e0 mov eax,dword ptr [ebp-20h] 840960f4 d1e8 shr eax,1 840960f6 83e001 and eax,1 840960f9 8945cc mov dword ptr [ebp-34h],eax 840960fc 7530 jne nt!NtAllocateVirtualMemory+0x31f (8409612e) nt!NtAllocateVirtualMemory+0x2ef: 840960fe 66ff8b86000000 dec word ptr [ebx+86h] 84096105 8b4de4 mov ecx,dword ptr [ebp-1Ch] 84096108 81c100010000 add ecx,100h 8409610e 894dd0 mov dword ptr [ebp-30h],ecx 84096111 6a11 push 11h 84096113 5a pop edx 84096114 8bf1 mov esi,ecx 84096116 33c0 xor eax,eax 84096118 f00fb116 lock cmpxchg dword ptr [esi],edx 8409611c 85c0 test eax,eax 8409611e 7405 je nt!NtAllocateVirtualMemory+0x316 (84096125) nt!NtAllocateVirtualMemory+0x311: 84096120 e8aba8e5ff call nt!ExfAcquirePushLockShared (83ef09d0) nt!NtAllocateVirtualMemory+0x316: 84096125 808b8902000004 or byte ptr [ebx+289h],4 8409612c eb28 jmp nt!NtAllocateVirtualMemory+0x347 (84096156) nt!NtAllocateVirtualMemory+0x31f: 8409612e 66ff8b86000000 dec word ptr [ebx+86h] 84096135 8b4de4 mov ecx,dword ptr [ebp-1Ch] 84096138 81c100010000 add ecx,100h 8409613e 894dd0 mov dword ptr [ebp-30h],ecx 84096141 8bc1 mov eax,ecx 84096143 f00fba2800 lock bts dword ptr [eax],0 84096148 7305 jae nt!NtAllocateVirtualMemory+0x340 (8409614f) nt!NtAllocateVirtualMemory+0x33b: 8409614a e8e435e5ff call nt!ExfAcquirePushLockExclusive (83ee9733) nt!NtAllocateVirtualMemory+0x340: 8409614f 808b8902000002 or byte ptr [ebx+289h],2 nt!NtAllocateVirtualMemory+0x347: 84096156 8b45e4 mov eax,dword ptr [ebp-1Ch] 84096159 f6807002000020 test byte ptr [eax+270h],20h 84096160 740c je nt!NtAllocateVirtualMemory+0x35f (8409616e) nt!NtAllocateVirtualMemory+0x353: 84096162 c745100a0100c0 mov dword ptr [ebp+10h],0C000010Ah 84096169 e9d20b0000 jmp nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0x35f: 8409616e 8b45e4 mov eax,dword ptr [ebp-1Ch] 84096171 0578020000 add eax,278h 84096176 ff75dc push dword ptr [ebp-24h] 84096179 ff75d4 push dword ptr [ebp-2Ch] 8409617c e8463de7ff call nt!PsIsSystemProcess+0x93 (83f09ec7) 84096181 8bf0 mov esi,eax 84096183 8975c8 mov dword ptr [ebp-38h],esi 84096186 85f6 test esi,esi 84096188 0f84ab0b0000 je nt!NtAllocateVirtualMemory+0xf2a (84096d39) nt!NtAllocateVirtualMemory+0x37f: 8409618e 8b4e14 mov ecx,dword ptr [esi+14h] 84096191 c1e914 shr ecx,14h 84096194 83e107 and ecx,7 84096197 894d10 mov dword ptr [ebp+10h],ecx 8409619a 33c0 xor eax,eax 8409619c 40 inc eax 8409619d d3e0 shl eax,cl 8409619f a855 test al,55h 840961a1 0f84920b0000 je nt!NtAllocateVirtualMemory+0xf2a (84096d39) nt!NtAllocateVirtualMemory+0x398: 840961a7 8b460c mov eax,dword ptr [esi+0Ch] 840961aa 89459c mov dword ptr [ebp-64h],eax 840961ad 3945d4 cmp dword ptr [ebp-2Ch],eax 840961b0 0f82830b0000 jb nt!NtAllocateVirtualMemory+0xf2a (84096d39) nt!NtAllocateVirtualMemory+0x3a7: 840961b6 8b45dc mov eax,dword ptr [ebp-24h] 840961b9 3b4610 cmp eax,dword ptr [esi+10h] 840961bc 0f87770b0000 ja nt!NtAllocateVirtualMemory+0xf2a (84096d39) nt!NtAllocateVirtualMemory+0x3b3: 840961c2 8b5614 mov edx,dword ptr [esi+14h] 840961c5 b8ffff0700 mov eax,7FFFFh 840961ca 23d0 and edx,eax 840961cc 3bd0 cmp edx,eax 840961ce 0f84650b0000 je nt!NtAllocateVirtualMemory+0xf2a (84096d39) nt!NtAllocateVirtualMemory+0x3c5: 840961d4 83f906 cmp ecx,6 840961d7 7542 jne nt!NtAllocateVirtualMemory+0x40c (8409621b) nt!NtAllocateVirtualMemory+0x3ca: 840961d9 81651cfff9ffff and dword ptr [ebp+1Ch],0FFFFF9FFh 840961e0 8b4e14 mov ecx,dword ptr [esi+14h] 840961e3 8bc1 mov eax,ecx 840961e5 c1e81b shr eax,1Bh 840961e8 83e003 and eax,3 840961eb 83f803 cmp eax,3 840961ee 7511 jne nt!NtAllocateVirtualMemory+0x3f2 (84096201) nt!NtAllocateVirtualMemory+0x3e1: 840961f0 f7c100000007 test ecx,7000000h 840961f6 7409 je nt!NtAllocateVirtualMemory+0x3f2 (84096201) nt!NtAllocateVirtualMemory+0x3e9: 840961f8 814d1c00040000 or dword ptr [ebp+1Ch],400h 840961ff eb0c jmp nt!NtAllocateVirtualMemory+0x3fe (8409620d) nt!NtAllocateVirtualMemory+0x3f2: 84096201 83f801 cmp eax,1 84096204 7507 jne nt!NtAllocateVirtualMemory+0x3fe (8409620d) nt!NtAllocateVirtualMemory+0x3f7: 84096206 814d1c00020000 or dword ptr [ebp+1Ch],200h nt!NtAllocateVirtualMemory+0x3fe: 8409620d ff751c push dword ptr [ebp+1Ch] 84096210 e8f610dfff call nt!KeCheckProcessorAffinityEx+0xc09 (83e8730b) 84096215 8945ac mov dword ptr [ebp-54h],eax 84096218 8b4d10 mov ecx,dword ptr [ebp+10h] nt!NtAllocateVirtualMemory+0x40c: 8409621b b800000800 mov eax,80000h 84096220 394518 cmp dword ptr [ebp+18h],eax 84096223 0f8581000000 jne nt!NtAllocateVirtualMemory+0x49b (840962aa) nt!NtAllocateVirtualMemory+0x41a: 84096229 ff75e4 push dword ptr [ebp-1Ch] 8409622c 56 push esi 8409622d 8bc7 mov eax,edi 8409622f 8b4dd8 mov ecx,dword ptr [ebp-28h] 84096232 e8a9040d00 call nt!IoUnregisterShutdownNotification+0xc10 (841666e0) 84096237 894510 mov dword ptr [ebp+10h],eax 8409623a 8b4dd0 mov ecx,dword ptr [ebp-30h] 8409623d 837dcc00 cmp dword ptr [ebp-34h],0 84096241 751e jne nt!NtAllocateVirtualMemory+0x452 (84096261) nt!NtAllocateVirtualMemory+0x434: 84096243 33d2 xor edx,edx 84096245 8bf1 mov esi,ecx 84096247 6a11 push 11h 84096249 58 pop eax 8409624a f00fb116 lock cmpxchg dword ptr [esi],edx 8409624e 83f811 cmp eax,11h 84096251 7405 je nt!NtAllocateVirtualMemory+0x449 (84096258) nt!NtAllocateVirtualMemory+0x444: 84096253 e84002e5ff call nt!ExfReleasePushLockShared (83ee6498) nt!NtAllocateVirtualMemory+0x449: 84096258 80a389020000fb and byte ptr [ebx+289h],0FBh 8409625f eb1d jmp nt!NtAllocateVirtualMemory+0x46f (8409627e) nt!NtAllocateVirtualMemory+0x452: 84096261 83c8ff or eax,0FFFFFFFFh 84096264 8bd1 mov edx,ecx 84096266 f00fc102 lock xadd dword ptr [edx],eax 8409626a a802 test al,2 8409626c 7409 je nt!NtAllocateVirtualMemory+0x468 (84096277) nt!NtAllocateVirtualMemory+0x45f: 8409626e a804 test al,4 84096270 7505 jne nt!NtAllocateVirtualMemory+0x468 (84096277) nt!NtAllocateVirtualMemory+0x463: 84096272 e89849e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0x468: 84096277 80a389020000fd and byte ptr [ebx+289h],0FDh nt!NtAllocateVirtualMemory+0x46f: 8409627e 66ff8386000000 inc word ptr [ebx+86h] 84096285 0fb78386000000 movzx eax,word ptr [ebx+86h] 8409628c 6685c0 test ax,ax 8409628f 0f85180a0000 jne nt!NtAllocateVirtualMemory+0xe9e (84096cad) nt!NtAllocateVirtualMemory+0x486: 84096295 83c340 add ebx,40h 84096298 391b cmp dword ptr [ebx],ebx 8409629a 0f840d0a0000 je nt!NtAllocateVirtualMemory+0xe9e (84096cad) nt!NtAllocateVirtualMemory+0x491: 840962a0 e845d6ddff call nt!KiCheckForKernelApcDelivery (83e738ea) 840962a5 e9030a0000 jmp nt!NtAllocateVirtualMemory+0xe9e (84096cad) nt!NtAllocateVirtualMemory+0x49b: 840962aa 8b5614 mov edx,dword ptr [esi+14h] 840962ad 85d2 test edx,edx 840962af 0f886e080000 js nt!NtAllocateVirtualMemory+0xd14 (84096b23) nt!NtAllocateVirtualMemory+0x4a6: 840962b5 f7451c00060000 test dword ptr [ebp+1Ch],600h 840962bc 740c je nt!NtAllocateVirtualMemory+0x4bb (840962ca) nt!NtAllocateVirtualMemory+0x4af: 840962be c74510450000c0 mov dword ptr [ebp+10h],0C0000045h 840962c5 e9760a0000 jmp nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0x4bb: 840962ca 85d0 test eax,edx 840962cc 741f je nt!NtAllocateVirtualMemory+0x4de (840962ed) nt!NtAllocateVirtualMemory+0x4bf: 840962ce ff75ac push dword ptr [ebp-54h] 840962d1 8b55bc mov edx,dword ptr [ebp-44h] 840962d4 8b75b0 mov esi,dword ptr [ebp-50h] 840962d7 8b4dc8 mov ecx,dword ptr [ebp-38h] 840962da e8c2780200 call nt!PsLookupThreadByThreadId+0x1cb4 (840bdba1) 840962df 894510 mov dword ptr [ebp+10h],eax 840962e2 85c0 test eax,eax 840962e4 0f8c560a0000 jl nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0x4db: 840962ea 8b75c8 mov esi,dword ptr [ebp-38h] nt!NtAllocateVirtualMemory+0x4de: 840962ed 8b4624 mov eax,dword ptr [esi+24h] 840962f0 8b00 mov eax,dword ptr [eax] 840962f2 8945b8 mov dword ptr [ebp-48h],eax 840962f5 83782400 cmp dword ptr [eax+24h],0 840962f9 0f847a020000 je nt!NtAllocateVirtualMemory+0x76a (84096579) nt!NtAllocateVirtualMemory+0x4f0: 840962ff 8b7620 mov esi,dword ptr [esi+20h] 84096302 f7c600000020 test esi,20000000h 84096308 750c jne nt!NtAllocateVirtualMemory+0x507 (84096316) nt!NtAllocateVirtualMemory+0x4fb: 8409630a c74510210000c0 mov dword ptr [ebp+10h],0C0000021h 84096311 e92a0a0000 jmp nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0x507: 84096316 8b4d9c mov ecx,dword ptr [ebp-64h] 84096319 c1e10c shl ecx,0Ch 8409631c 8bc7 mov eax,edi 8409631e 2bc1 sub eax,ecx 84096320 40 inc eax 84096321 99 cdq 84096322 8bc8 mov ecx,eax 84096324 8bfa mov edi,edx 84096326 8bc6 mov eax,esi 84096328 25ffffff00 and eax,0FFFFFFh 8409632d ba00000100 mov edx,10000h 84096332 f7e2 mul eax,edx 84096334 03c8 add ecx,eax 84096336 13fa adc edi,edx 84096338 898d74ffffff mov dword ptr [ebp-8Ch],ecx 8409633e 89bd78ffffff mov dword ptr [ebp-88h],edi 84096344 8b75b8 mov esi,dword ptr [ebp-48h] 84096347 56 push esi 84096348 e84fe0e7ff call nt!CcGetFileObjectFromSectionPtrsRef+0x2e2 (83f1439c) 8409634d 85c0 test eax,eax 8409634f 750c jne nt!NtAllocateVirtualMemory+0x54e (8409635d) nt!NtAllocateVirtualMemory+0x542: 84096351 c745109a0000c0 mov dword ptr [ebp+10h],0C000009Ah 84096358 e9e3090000 jmp nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0x54e: 8409635d 8b4dd0 mov ecx,dword ptr [ebp-30h] 84096360 837dcc00 cmp dword ptr [ebp-34h],0 84096364 751e jne nt!NtAllocateVirtualMemory+0x575 (84096384) nt!NtAllocateVirtualMemory+0x557: 84096366 33d2 xor edx,edx 84096368 8bf9 mov edi,ecx 8409636a 6a11 push 11h 8409636c 58 pop eax 8409636d f00fb117 lock cmpxchg dword ptr [edi],edx 84096371 83f811 cmp eax,11h 84096374 7405 je nt!NtAllocateVirtualMemory+0x56c (8409637b) nt!NtAllocateVirtualMemory+0x567: 84096376 e81d01e5ff call nt!ExfReleasePushLockShared (83ee6498) nt!NtAllocateVirtualMemory+0x56c: 8409637b 80a389020000fb and byte ptr [ebx+289h],0FBh 84096382 eb1d jmp nt!NtAllocateVirtualMemory+0x592 (840963a1) nt!NtAllocateVirtualMemory+0x575: 84096384 83c8ff or eax,0FFFFFFFFh 84096387 8bd1 mov edx,ecx 84096389 f00fc102 lock xadd dword ptr [edx],eax 8409638d a802 test al,2 8409638f 7409 je nt!NtAllocateVirtualMemory+0x58b (8409639a) nt!NtAllocateVirtualMemory+0x582: 84096391 a804 test al,4 84096393 7505 jne nt!NtAllocateVirtualMemory+0x58b (8409639a) nt!NtAllocateVirtualMemory+0x586: 84096395 e87548e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0x58b: 8409639a 80a389020000fd and byte ptr [ebx+289h],0FDh nt!NtAllocateVirtualMemory+0x592: 840963a1 66ff8386000000 inc word ptr [ebx+86h] 840963a8 0fb78386000000 movzx eax,word ptr [ebx+86h] 840963af 6685c0 test ax,ax 840963b2 750c jne nt!NtAllocateVirtualMemory+0x5b1 (840963c0) nt!NtAllocateVirtualMemory+0x5a5: 840963b4 8d4340 lea eax,[ebx+40h] 840963b7 3900 cmp dword ptr [eax],eax 840963b9 7405 je nt!NtAllocateVirtualMemory+0x5b1 (840963c0) nt!NtAllocateVirtualMemory+0x5ac: 840963bb e82ad5ddff call nt!KiCheckForKernelApcDelivery (83e738ea) nt!NtAllocateVirtualMemory+0x5b1: 840963c0 6a0a push 0Ah 840963c2 59 pop ecx 840963c3 33c0 xor eax,eax 840963c5 8dbd30ffffff lea edi,[ebp-0D0h] 840963cb f3ab rep stos dword ptr es:[edi] 840963cd 8b06 mov eax,dword ptr [esi] 840963cf 898544ffffff mov dword ptr [ebp-0BCh],eax 840963d5 8b461c mov eax,dword ptr [esi+1Ch] 840963d8 898550ffffff mov dword ptr [ebp-0B0h],eax 840963de 8b8554ffffff mov eax,dword ptr [ebp-0ACh] 840963e4 2504f0ffff and eax,0FFFFF004h 840963e9 83c804 or eax,4 840963ec 898554ffffff mov dword ptr [ebp-0ACh],eax 840963f2 6a00 push 0 840963f4 8d8574ffffff lea eax,[ebp-8Ch] 840963fa 50 push eax 840963fb 8d8530ffffff lea eax,[ebp-0D0h] 84096401 50 push eax 84096402 e805f5fcff call nt!ObCheckCreateObjectAccess+0x34e (8406590c) 84096407 894510 mov dword ptr [ebp+10h],eax 8409640a 85c0 test eax,eax 8409640c 0f8c5c010000 jl nt!NtAllocateVirtualMemory+0x75f (8409656e) nt!NtAllocateVirtualMemory+0x603: 84096412 66ff8b86000000 dec word ptr [ebx+86h] 84096419 8b7de4 mov edi,dword ptr [ebp-1Ch] 8409641c 8d8f00010000 lea ecx,[edi+100h] 84096422 837dcc00 cmp dword ptr [ebp-34h],0 84096426 7520 jne nt!NtAllocateVirtualMemory+0x639 (84096448) nt!NtAllocateVirtualMemory+0x619: 84096428 6a11 push 11h 8409642a 5a pop edx 8409642b 8bf1 mov esi,ecx 8409642d 33c0 xor eax,eax 8409642f f00fb116 lock cmpxchg dword ptr [esi],edx 84096433 85c0 test eax,eax 84096435 7405 je nt!NtAllocateVirtualMemory+0x62d (8409643c) nt!NtAllocateVirtualMemory+0x628: 84096437 e894a5e5ff call nt!ExfAcquirePushLockShared (83ef09d0) nt!NtAllocateVirtualMemory+0x62d: 8409643c 808b8902000004 or byte ptr [ebx+289h],4 84096443 8b75b8 mov esi,dword ptr [ebp-48h] 84096446 eb15 jmp nt!NtAllocateVirtualMemory+0x64e (8409645d) nt!NtAllocateVirtualMemory+0x639: 84096448 8bc1 mov eax,ecx 8409644a f00fba2800 lock bts dword ptr [eax],0 8409644f 7305 jae nt!NtAllocateVirtualMemory+0x647 (84096456) nt!NtAllocateVirtualMemory+0x642: 84096451 e8dd32e5ff call nt!ExfAcquirePushLockExclusive (83ee9733) nt!NtAllocateVirtualMemory+0x647: 84096456 808b8902000002 or byte ptr [ebx+289h],2 nt!NtAllocateVirtualMemory+0x64e: 8409645d 56 push esi 8409645e e8891bddff call nt!FsRtlOplockKeysEqual+0x3ff (83e67fec) 84096463 f6877002000020 test byte ptr [edi+270h],20h 8409646a 0f85d0080000 jne nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0x661: 84096470 ff75dc push dword ptr [ebp-24h] 84096473 ff75d4 push dword ptr [ebp-2Ch] 84096476 8b45e4 mov eax,dword ptr [ebp-1Ch] 84096479 0578020000 add eax,278h 8409647e e8443ae7ff call nt!PsIsSystemProcess+0x93 (83f09ec7) 84096483 8bf8 mov edi,eax 84096485 85ff test edi,edi 84096487 0f84b3080000 je nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0x67e: 8409648d 8b4f14 mov ecx,dword ptr [edi+14h] 84096490 8bd1 mov edx,ecx 84096492 b800000080 mov eax,80000000h 84096497 23d0 and edx,eax 84096499 3bd0 cmp edx,eax 8409649b 0f849f080000 je nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0x692: 840964a1 8b4724 mov eax,dword ptr [edi+24h] 840964a4 3b30 cmp esi,dword ptr [eax] 840964a6 0f8594080000 jne nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0x69d: 840964ac 8bd1 mov edx,ecx 840964ae b8ffff0700 mov eax,7FFFFh 840964b3 23d0 and edx,eax 840964b5 3bd0 cmp edx,eax 840964b7 0f8483080000 je nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0x6ae: 840964bd 8b45d4 mov eax,dword ptr [ebp-2Ch] 840964c0 3b470c cmp eax,dword ptr [edi+0Ch] 840964c3 0f8277080000 jb nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0x6ba: 840964c9 8b45dc mov eax,dword ptr [ebp-24h] 840964cc 3b4710 cmp eax,dword ptr [edi+10h] 840964cf 0f876b080000 ja nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0x6c6: 840964d5 f7c100000800 test ecx,80000h 840964db 7418 je nt!NtAllocateVirtualMemory+0x6e6 (840964f5) nt!NtAllocateVirtualMemory+0x6ce: 840964dd ff75ac push dword ptr [ebp-54h] 840964e0 8b55bc mov edx,dword ptr [ebp-44h] 840964e3 8b75b0 mov esi,dword ptr [ebp-50h] 840964e6 8bcf mov ecx,edi 840964e8 e8b4760200 call nt!PsLookupThreadByThreadId+0x1cb4 (840bdba1) 840964ed 85c0 test eax,eax 840964ef 0f8c4b080000 jl nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0x6e6: 840964f5 f7472000000020 test dword ptr [edi+20h],20000000h 840964fc 0f843e080000 je nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0x6f3: 84096502 837dcc00 cmp dword ptr [ebp-34h],0 84096506 7511 jne nt!NtAllocateVirtualMemory+0x70a (84096519) nt!NtAllocateVirtualMemory+0x6f9: 84096508 8d4f18 lea ecx,[edi+18h] 8409650b 8bc1 mov eax,ecx 8409650d f00fba2800 lock bts dword ptr [eax],0 84096512 7305 jae nt!NtAllocateVirtualMemory+0x70a (84096519) nt!NtAllocateVirtualMemory+0x705: 84096514 e81a32e5ff call nt!ExfAcquirePushLockExclusive (83ee9733) nt!NtAllocateVirtualMemory+0x70a: 84096519 8d857cffffff lea eax,[ebp-84h] 8409651f 50 push eax 84096520 6a01 push 1 84096522 8d4594 lea eax,[ebp-6Ch] 84096525 50 push eax 84096526 ff751c push dword ptr [ebp+1Ch] 84096529 ff75b4 push dword ptr [ebp-4Ch] 8409652c 57 push edi 8409652d 8b75e4 mov esi,dword ptr [ebp-1Ch] 84096530 56 push esi 84096531 8b4dd8 mov ecx,dword ptr [ebp-28h] 84096534 e82dece5ff call nt!IoSetThreadHardErrorMode+0x6e8 (83ef5166) 84096539 83c8ff or eax,0FFFFFFFFh 8409653c 837dcc00 cmp dword ptr [ebp-34h],0 84096540 7521 jne nt!NtAllocateVirtualMemory+0x754 (84096563) nt!NtAllocateVirtualMemory+0x733: 84096542 8d4f18 lea ecx,[edi+18h] 84096545 8bd1 mov edx,ecx 84096547 f00fc102 lock xadd dword ptr [edx],eax 8409654b a802 test al,2 8409654d 7409 je nt!NtAllocateVirtualMemory+0x749 (84096558) nt!NtAllocateVirtualMemory+0x740: 8409654f a804 test al,4 84096551 7505 jne nt!NtAllocateVirtualMemory+0x749 (84096558) nt!NtAllocateVirtualMemory+0x744: 84096553 e8b746e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0x749: 84096558 8d8e00010000 lea ecx,[esi+100h] 8409655e e9ec070000 jmp nt!NtAllocateVirtualMemory+0xf40 (84096d4f) nt!NtAllocateVirtualMemory+0x754: 84096563 8d8e00010000 lea ecx,[esi+100h] 84096569 e916080000 jmp nt!NtAllocateVirtualMemory+0xf75 (84096d84) nt!NtAllocateVirtualMemory+0x75f: 8409656e 56 push esi 8409656f e8781addff call nt!FsRtlOplockKeysEqual+0x3ff (83e67fec) 84096574 e93d0e0000 jmp nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0x76a: 84096579 ff75d4 push dword ptr [ebp-2Ch] 8409657c 8b4dc8 mov ecx,dword ptr [ebp-38h] 8409657f e801e0e6ff call nt!SeTokenIsRestricted+0x51 (83f04585) 84096584 8bf0 mov esi,eax 84096586 8975c0 mov dword ptr [ebp-40h],esi 84096589 ff75dc push dword ptr [ebp-24h] 8409658c 8b4dc8 mov ecx,dword ptr [ebp-38h] 8409658f e8f1dfe6ff call nt!SeTokenIsRestricted+0x51 (83f04585) 84096594 8945dc mov dword ptr [ebp-24h],eax 84096597 8975d4 mov dword ptr [ebp-2Ch],esi 8409659a 8bf8 mov edi,eax 8409659c 2bfe sub edi,esi 8409659e 83c708 add edi,8 840965a1 c1ff03 sar edi,3 840965a4 8b45ac mov eax,dword ptr [ebp-54h] 840965a7 83e005 and eax,5 840965aa 3c05 cmp al,5 840965ac 0f85cc010000 jne nt!NtAllocateVirtualMemory+0x96f (8409677e) nt!NtAllocateVirtualMemory+0x7a3: 840965b2 897dc4 mov dword ptr [ebp-3Ch],edi 840965b5 57 push edi 840965b6 8b45e4 mov eax,dword ptr [ebp-1Ch] 840965b9 e844dc0200 call nt!NtConnectPort+0x196e (840c4202) 840965be 894510 mov dword ptr [ebp+10h],eax 840965c1 33f6 xor esi,esi 840965c3 3bc6 cmp eax,esi 840965c5 7d6f jge nt!NtAllocateVirtualMemory+0x827 (84096636) nt!NtAllocateVirtualMemory+0x7b8: 840965c7 8b4dd0 mov ecx,dword ptr [ebp-30h] 840965ca 3975cc cmp dword ptr [ebp-34h],esi 840965cd 751e jne nt!NtAllocateVirtualMemory+0x7de (840965ed) nt!NtAllocateVirtualMemory+0x7c0: 840965cf 33d2 xor edx,edx 840965d1 8bf9 mov edi,ecx 840965d3 6a11 push 11h 840965d5 58 pop eax 840965d6 f00fb117 lock cmpxchg dword ptr [edi],edx 840965da 83f811 cmp eax,11h 840965dd 7405 je nt!NtAllocateVirtualMemory+0x7d5 (840965e4) nt!NtAllocateVirtualMemory+0x7d0: 840965df e8b4fee4ff call nt!ExfReleasePushLockShared (83ee6498) nt!NtAllocateVirtualMemory+0x7d5: 840965e4 80a389020000fb and byte ptr [ebx+289h],0FBh 840965eb eb1d jmp nt!NtAllocateVirtualMemory+0x7fb (8409660a) nt!NtAllocateVirtualMemory+0x7de: 840965ed 83c8ff or eax,0FFFFFFFFh 840965f0 8bd1 mov edx,ecx 840965f2 f00fc102 lock xadd dword ptr [edx],eax 840965f6 a802 test al,2 840965f8 7409 je nt!NtAllocateVirtualMemory+0x7f4 (84096603) nt!NtAllocateVirtualMemory+0x7eb: 840965fa a804 test al,4 840965fc 7505 jne nt!NtAllocateVirtualMemory+0x7f4 (84096603) nt!NtAllocateVirtualMemory+0x7ef: 840965fe e80c46e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0x7f4: 84096603 80a389020000fd and byte ptr [ebx+289h],0FDh nt!NtAllocateVirtualMemory+0x7fb: 8409660a 66ff8386000000 inc word ptr [ebx+86h] 84096611 0fb78386000000 movzx eax,word ptr [ebx+86h] 84096618 663bc6 cmp ax,si nt!NtAllocateVirtualMemory+0x80c: 8409661b 0f85950d0000 jne nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0x812: 84096621 8d4340 lea eax,[ebx+40h] 84096624 3900 cmp dword ptr [eax],eax 84096626 0f848a0d0000 je nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0x81d: 8409662c e8b9d2ddff call nt!KiCheckForKernelApcDelivery (83e738ea) 84096631 e9800d0000 jmp nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0x827: 84096636 57 push edi 84096637 8b55e4 mov edx,dword ptr [ebp-1Ch] 8409663a e88f10e7ff call nt!EtwProviderEnabled+0xd72 (83f076ce) 8409663f 85c0 test eax,eax 84096641 0f8588000000 jne nt!NtAllocateVirtualMemory+0x8c0 (840966cf) nt!NtAllocateVirtualMemory+0x838: 84096647 8b4dd0 mov ecx,dword ptr [ebp-30h] 8409664a 3975cc cmp dword ptr [ebp-34h],esi 8409664d 752f jne nt!NtAllocateVirtualMemory+0x86f (8409667e) nt!NtAllocateVirtualMemory+0x840: 8409664f 33d2 xor edx,edx 84096651 8bf1 mov esi,ecx 84096653 6a11 push 11h 84096655 58 pop eax 84096656 f00fb116 lock cmpxchg dword ptr [esi],edx 8409665a 83f811 cmp eax,11h 8409665d 7405 je nt!NtAllocateVirtualMemory+0x855 (84096664) nt!NtAllocateVirtualMemory+0x850: 8409665f e834fee4ff call nt!ExfReleasePushLockShared (83ee6498) nt!NtAllocateVirtualMemory+0x855: 84096664 80a389020000fb and byte ptr [ebx+289h],0FBh 8409666b 66ff8386000000 inc word ptr [ebx+86h] 84096672 0fb78386000000 movzx eax,word ptr [ebx+86h] 84096679 6685c0 test ax,ax 8409667c eb2e jmp nt!NtAllocateVirtualMemory+0x89d (840966ac) nt!NtAllocateVirtualMemory+0x86f: 8409667e 83c8ff or eax,0FFFFFFFFh 84096681 8bd1 mov edx,ecx 84096683 f00fc102 lock xadd dword ptr [edx],eax 84096687 a802 test al,2 84096689 7409 je nt!NtAllocateVirtualMemory+0x885 (84096694) nt!NtAllocateVirtualMemory+0x87c: 8409668b a804 test al,4 8409668d 7505 jne nt!NtAllocateVirtualMemory+0x885 (84096694) nt!NtAllocateVirtualMemory+0x880: 8409668f e87b45e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0x885: 84096694 80a389020000fd and byte ptr [ebx+289h],0FDh 8409669b 66ff8386000000 inc word ptr [ebx+86h] 840966a2 0fb78386000000 movzx eax,word ptr [ebx+86h] 840966a9 663bc6 cmp ax,si nt!NtAllocateVirtualMemory+0x89d: 840966ac 750c jne nt!NtAllocateVirtualMemory+0x8ab (840966ba) nt!NtAllocateVirtualMemory+0x89f: 840966ae 83c340 add ebx,40h 840966b1 391b cmp dword ptr [ebx],ebx 840966b3 7405 je nt!NtAllocateVirtualMemory+0x8ab (840966ba) nt!NtAllocateVirtualMemory+0x8a6: 840966b5 e830d2ddff call nt!KiCheckForKernelApcDelivery (83e738ea) nt!NtAllocateVirtualMemory+0x8ab: 840966ba 8b45e4 mov eax,dword ptr [ebp-1Ch] nt!NtAllocateVirtualMemory+0x8ae: 840966bd 57 push edi nt!NtAllocateVirtualMemory+0x8af: 840966be e809540200 call nt!SeQueryAuthenticationIdToken+0xe31 (840bbacc) nt!NtAllocateVirtualMemory+0x8b4: 840966c3 c745102d0100c0 mov dword ptr [ebp+10h],0C000012Dh 840966ca e9e70c0000 jmp nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0x8c0: 840966cf 8b45e4 mov eax,dword ptr [ebp-1Ch] 840966d2 f6806c02000010 test byte ptr [eax+26Ch],10h 840966d9 0f849f000000 je nt!NtAllocateVirtualMemory+0x96f (8409677e) nt!NtAllocateVirtualMemory+0x8d0: 840966df 57 push edi 840966e0 6a10 push 10h 840966e2 e866480300 call nt!ObGetObjectSecurity+0xa54 (840caf4d) 840966e7 84c0 test al,al 840966e9 0f858b000000 jne nt!NtAllocateVirtualMemory+0x96b (8409677a) nt!NtAllocateVirtualMemory+0x8e0: 840966ef 8b4dd0 mov ecx,dword ptr [ebp-30h] 840966f2 3975cc cmp dword ptr [ebp-34h],esi 840966f5 752f jne nt!NtAllocateVirtualMemory+0x917 (84096726) nt!NtAllocateVirtualMemory+0x8e8: 840966f7 33d2 xor edx,edx 840966f9 8bf1 mov esi,ecx 840966fb 6a11 push 11h 840966fd 58 pop eax 840966fe f00fb116 lock cmpxchg dword ptr [esi],edx 84096702 83f811 cmp eax,11h 84096705 7405 je nt!NtAllocateVirtualMemory+0x8fd (8409670c) nt!NtAllocateVirtualMemory+0x8f8: 84096707 e88cfde4ff call nt!ExfReleasePushLockShared (83ee6498) nt!NtAllocateVirtualMemory+0x8fd: 8409670c 80a389020000fb and byte ptr [ebx+289h],0FBh 84096713 66ff8386000000 inc word ptr [ebx+86h] 8409671a 0fb78386000000 movzx eax,word ptr [ebx+86h] 84096721 6685c0 test ax,ax 84096724 eb2e jmp nt!NtAllocateVirtualMemory+0x945 (84096754) nt!NtAllocateVirtualMemory+0x917: 84096726 83c8ff or eax,0FFFFFFFFh 84096729 8bd1 mov edx,ecx 8409672b f00fc102 lock xadd dword ptr [edx],eax 8409672f a802 test al,2 84096731 7409 je nt!NtAllocateVirtualMemory+0x92d (8409673c) nt!NtAllocateVirtualMemory+0x924: 84096733 a804 test al,4 84096735 7505 jne nt!NtAllocateVirtualMemory+0x92d (8409673c) nt!NtAllocateVirtualMemory+0x928: 84096737 e8d344e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0x92d: 8409673c 80a389020000fd and byte ptr [ebx+289h],0FDh 84096743 66ff8386000000 inc word ptr [ebx+86h] 8409674a 0fb78386000000 movzx eax,word ptr [ebx+86h] 84096751 663bc6 cmp ax,si nt!NtAllocateVirtualMemory+0x945: 84096754 750c jne nt!NtAllocateVirtualMemory+0x953 (84096762) nt!NtAllocateVirtualMemory+0x947: 84096756 83c340 add ebx,40h 84096759 391b cmp dword ptr [ebx],ebx 8409675b 7405 je nt!NtAllocateVirtualMemory+0x953 (84096762) nt!NtAllocateVirtualMemory+0x94e: 8409675d e888d1ddff call nt!KiCheckForKernelApcDelivery (83e738ea) nt!NtAllocateVirtualMemory+0x953: 84096762 8bc7 mov eax,edi 84096764 f7d8 neg eax 84096766 8bc8 mov ecx,eax 84096768 8b45e4 mov eax,dword ptr [ebp-1Ch] 8409676b 8d90d0000000 lea edx,[eax+0D0h] 84096771 f00fc10a lock xadd dword ptr [edx],ecx 84096775 e943ffffff jmp nt!NtAllocateVirtualMemory+0x8ae (840966bd) nt!NtAllocateVirtualMemory+0x96b: 8409677a 834de008 or dword ptr [ebp-20h],8 nt!NtAllocateVirtualMemory+0x96f: 8409677e 8b45b8 mov eax,dword ptr [ebp-48h] 84096781 8b30 mov esi,dword ptr [eax] 84096783 8b45c4 mov eax,dword ptr [ebp-3Ch] 84096786 8d0c38 lea ecx,[eax+edi] 84096789 e8f705dfff call nt!KeCheckProcessorAffinityEx+0x683 (83e86d85) 8409678e 8d4e1c lea ecx,[esi+1Ch] 84096791 83f801 cmp eax,1 84096794 8bc1 mov eax,ecx 84096796 7551 jne nt!NtAllocateVirtualMemory+0x9da (840967e9) nt!NtAllocateVirtualMemory+0x989: 84096798 f00fba2800 lock bts dword ptr [eax],0 8409679d 7305 jae nt!NtAllocateVirtualMemory+0x995 (840967a4) nt!NtAllocateVirtualMemory+0x990: 8409679f e88f2fe5ff call nt!ExfAcquirePushLockExclusive (83ee9733) nt!NtAllocateVirtualMemory+0x995: 840967a4 8b4608 mov eax,dword ptr [esi+8] 840967a7 c1e811 shr eax,11h 840967aa 83e01f and eax,1Fh 840967ad 83651000 and dword ptr [ebp+10h],0 840967b1 8b4d10 mov ecx,dword ptr [ebp+10h] 840967b4 0fa4c105 shld ecx,eax,5 840967b8 894d88 mov dword ptr [ebp-78h],ecx 840967bb c1e005 shl eax,5 840967be 83651000 and dword ptr [ebp+10h],0 840967c2 8b4dc0 mov ecx,dword ptr [ebp-40h] 840967c5 3b4ddc cmp ecx,dword ptr [ebp-24h] 840967c8 0f8744010000 ja nt!NtAllocateVirtualMemory+0xb03 (84096912) nt!NtAllocateVirtualMemory+0x9bf: 840967ce 8b55d4 mov edx,dword ptr [ebp-2Ch] nt!NtAllocateVirtualMemory+0x9c2: 840967d1 8b0a mov ecx,dword ptr [edx] 840967d3 0b4a04 or ecx,dword ptr [edx+4] 840967d6 0f8527010000 jne nt!NtAllocateVirtualMemory+0xaf4 (84096903) nt!NtAllocateVirtualMemory+0x9cd: 840967dc 8902 mov dword ptr [edx],eax 840967de 8b4d88 mov ecx,dword ptr [ebp-78h] 840967e1 894a04 mov dword ptr [edx+4],ecx 840967e4 e91d010000 jmp nt!NtAllocateVirtualMemory+0xaf7 (84096906) nt!NtAllocateVirtualMemory+0x9da: 840967e9 834de004 or dword ptr [ebp-20h],4 840967ed f00fba2800 lock bts dword ptr [eax],0 840967f2 7305 jae nt!NtAllocateVirtualMemory+0x9ea (840967f9) nt!NtAllocateVirtualMemory+0x9e5: 840967f4 e83a2fe5ff call nt!ExfAcquirePushLockExclusive (83ee9733) nt!NtAllocateVirtualMemory+0x9ea: 840967f9 8b55c0 mov edx,dword ptr [ebp-40h] 840967fc 3b55dc cmp edx,dword ptr [ebp-24h] 840967ff 7713 ja nt!NtAllocateVirtualMemory+0xa05 (84096814) nt!NtAllocateVirtualMemory+0x9f2: 84096801 8b4dd4 mov ecx,dword ptr [ebp-2Ch] nt!NtAllocateVirtualMemory+0x9f5: 84096804 8b01 mov eax,dword ptr [ecx] 84096806 0b4104 or eax,dword ptr [ecx+4] 84096809 7401 je nt!NtAllocateVirtualMemory+0x9fd (8409680c) nt!NtAllocateVirtualMemory+0x9fc: 8409680b 4f dec edi nt!NtAllocateVirtualMemory+0x9fd: 8409680c 83c108 add ecx,8 8409680f 3b4ddc cmp ecx,dword ptr [ebp-24h] 84096812 76f0 jbe nt!NtAllocateVirtualMemory+0x9f5 (84096804) nt!NtAllocateVirtualMemory+0xa05: 84096814 8955d4 mov dword ptr [ebp-2Ch],edx 84096817 8b45c4 mov eax,dword ptr [ebp-3Ch] 8409681a 8d0c38 lea ecx,[eax+edi] 8409681d 85c9 test ecx,ecx 8409681f 7522 jne nt!NtAllocateVirtualMemory+0xa34 (84096843) nt!NtAllocateVirtualMemory+0xa12: 84096821 8d4e1c lea ecx,[esi+1Ch] 84096824 83c8ff or eax,0FFFFFFFFh 84096827 8bd1 mov edx,ecx 84096829 f00fc102 lock xadd dword ptr [edx],eax 8409682d a802 test al,2 8409682f 7409 je nt!NtAllocateVirtualMemory+0xa2b (8409683a) nt!NtAllocateVirtualMemory+0xa22: 84096831 a804 test al,4 84096833 7505 jne nt!NtAllocateVirtualMemory+0xa2b (8409683a) nt!NtAllocateVirtualMemory+0xa26: 84096835 e8d543e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0xa2b: 8409683a 83651000 and dword ptr [ebp+10h],0 8409683e e951010000 jmp nt!NtAllocateVirtualMemory+0xb85 (84096994) nt!NtAllocateVirtualMemory+0xa34: 84096843 e83d05dfff call nt!KeCheckProcessorAffinityEx+0x683 (83e86d85) 84096848 85c0 test eax,eax 8409684a 0f8554ffffff jne nt!NtAllocateVirtualMemory+0x995 (840967a4) nt!NtAllocateVirtualMemory+0xa41: 84096850 8d4e1c lea ecx,[esi+1Ch] 84096853 83c8ff or eax,0FFFFFFFFh 84096856 8bd1 mov edx,ecx 84096858 f00fc102 lock xadd dword ptr [edx],eax 8409685c a802 test al,2 8409685e 7409 je nt!NtAllocateVirtualMemory+0xa5a (84096869) nt!NtAllocateVirtualMemory+0xa51: 84096860 a804 test al,4 84096862 7505 jne nt!NtAllocateVirtualMemory+0xa5a (84096869) nt!NtAllocateVirtualMemory+0xa55: 84096864 e8a643e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0xa5a: 84096869 8b75e4 mov esi,dword ptr [ebp-1Ch] 8409686c 8d8e00010000 lea ecx,[esi+100h] 84096872 f645e002 test byte ptr [ebp-20h],2 84096876 751e jne nt!NtAllocateVirtualMemory+0xa87 (84096896) nt!NtAllocateVirtualMemory+0xa69: 84096878 33d2 xor edx,edx 8409687a 8bf9 mov edi,ecx 8409687c 6a11 push 11h 8409687e 58 pop eax 8409687f f00fb117 lock cmpxchg dword ptr [edi],edx 84096883 83f811 cmp eax,11h 84096886 7405 je nt!NtAllocateVirtualMemory+0xa7e (8409688d) nt!NtAllocateVirtualMemory+0xa79: 84096888 e80bfce4ff call nt!ExfReleasePushLockShared (83ee6498) nt!NtAllocateVirtualMemory+0xa7e: 8409688d 80a389020000fb and byte ptr [ebx+289h],0FBh 84096894 eb1d jmp nt!NtAllocateVirtualMemory+0xaa4 (840968b3) nt!NtAllocateVirtualMemory+0xa87: 84096896 83c8ff or eax,0FFFFFFFFh 84096899 8bd1 mov edx,ecx 8409689b f00fc102 lock xadd dword ptr [edx],eax 8409689f a802 test al,2 840968a1 7409 je nt!NtAllocateVirtualMemory+0xa9d (840968ac) nt!NtAllocateVirtualMemory+0xa94: 840968a3 a804 test al,4 840968a5 7505 jne nt!NtAllocateVirtualMemory+0xa9d (840968ac) nt!NtAllocateVirtualMemory+0xa98: 840968a7 e86343e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0xa9d: 840968ac 80a389020000fd and byte ptr [ebx+289h],0FDh nt!NtAllocateVirtualMemory+0xaa4: 840968b3 8d8386000000 lea eax,[ebx+86h] 840968b9 66ff00 inc word ptr [eax] 840968bc 0fb700 movzx eax,word ptr [eax] 840968bf 6685c0 test ax,ax 840968c2 750c jne nt!NtAllocateVirtualMemory+0xac1 (840968d0) nt!NtAllocateVirtualMemory+0xab5: 840968c4 83c340 add ebx,40h 840968c7 391b cmp dword ptr [ebx],ebx 840968c9 7405 je nt!NtAllocateVirtualMemory+0xac1 (840968d0) nt!NtAllocateVirtualMemory+0xabc: 840968cb e81ad0ddff call nt!KiCheckForKernelApcDelivery (83e738ea) nt!NtAllocateVirtualMemory+0xac1: 840968d0 837dc400 cmp dword ptr [ebp-3Ch],0 840968d4 0f84e9fdffff je nt!NtAllocateVirtualMemory+0x8b4 (840966c3) nt!NtAllocateVirtualMemory+0xacb: 840968da 8b45c4 mov eax,dword ptr [ebp-3Ch] 840968dd f7d8 neg eax 840968df 8bc8 mov ecx,eax 840968e1 8d96d0000000 lea edx,[esi+0D0h] 840968e7 f00fc10a lock xadd dword ptr [edx],ecx 840968eb f645e008 test byte ptr [ebp-20h],8 840968ef 7408 je nt!NtAllocateVirtualMemory+0xaea (840968f9) nt!NtAllocateVirtualMemory+0xae2: 840968f1 50 push eax 840968f2 6a10 push 10h 840968f4 e854460300 call nt!ObGetObjectSecurity+0xa54 (840caf4d) nt!NtAllocateVirtualMemory+0xaea: 840968f9 ff75c4 push dword ptr [ebp-3Ch] 840968fc 8bc6 mov eax,esi 840968fe e9bbfdffff jmp nt!NtAllocateVirtualMemory+0x8af (840966be) nt!NtAllocateVirtualMemory+0xaf4: 84096903 ff4510 inc dword ptr [ebp+10h] nt!NtAllocateVirtualMemory+0xaf7: 84096906 83c208 add edx,8 84096909 3b55dc cmp edx,dword ptr [ebp-24h] 8409690c 0f86bffeffff jbe nt!NtAllocateVirtualMemory+0x9c2 (840967d1) nt!NtAllocateVirtualMemory+0xb03: 84096912 f645e004 test byte ptr [ebp-20h],4 84096916 7505 jne nt!NtAllocateVirtualMemory+0xb0e (8409691d) nt!NtAllocateVirtualMemory+0xb09: 84096918 2b7d10 sub edi,dword ptr [ebp+10h] 8409691b eb04 jmp nt!NtAllocateVirtualMemory+0xb12 (84096921) nt!NtAllocateVirtualMemory+0xb0e: 8409691d 83651000 and dword ptr [ebp+10h],0 nt!NtAllocateVirtualMemory+0xb12: 84096921 85ff test edi,edi 84096923 740c je nt!NtAllocateVirtualMemory+0xb22 (84096931) nt!NtAllocateVirtualMemory+0xb16: 84096925 017e0c add dword ptr [esi+0Ch],edi 84096928 b8a411f883 mov eax,offset nt!KeI386MachineType+0x14 (83f811a4) 8409692d f00fc138 lock xadd dword ptr [eax],edi nt!NtAllocateVirtualMemory+0xb22: 84096931 83c61c add esi,1Ch 84096934 83c8ff or eax,0FFFFFFFFh 84096937 8bce mov ecx,esi 84096939 f00fc101 lock xadd dword ptr [ecx],eax 8409693d a802 test al,2 8409693f 7409 je nt!NtAllocateVirtualMemory+0xb3b (8409694a) nt!NtAllocateVirtualMemory+0xb32: 84096941 a804 test al,4 84096943 7505 jne nt!NtAllocateVirtualMemory+0xb3b (8409694a) nt!NtAllocateVirtualMemory+0xb36: 84096945 e8c542e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0xb3b: 8409694a 837dc400 cmp dword ptr [ebp-3Ch],0 8409694e 7444 je nt!NtAllocateVirtualMemory+0xb85 (84096994) nt!NtAllocateVirtualMemory+0xb41: 84096950 8b4dc8 mov ecx,dword ptr [ebp-38h] 84096953 8d7118 lea esi,[ecx+18h] 84096956 8bc6 mov eax,esi 84096958 f00fba2800 lock bts dword ptr [eax],0 8409695d 730a jae nt!NtAllocateVirtualMemory+0xb5a (84096969) nt!NtAllocateVirtualMemory+0xb50: 8409695f 8bce mov ecx,esi 84096961 e8cd2de5ff call nt!ExfAcquirePushLockExclusive (83ee9733) 84096966 8b4dc8 mov ecx,dword ptr [ebp-38h] nt!NtAllocateVirtualMemory+0xb5a: 84096969 8b4114 mov eax,dword ptr [ecx+14h] 8409696c 8b55c4 mov edx,dword ptr [ebp-3Ch] 8409696f 03d0 add edx,eax 84096971 33d0 xor edx,eax 84096973 81e2ffff0700 and edx,7FFFFh 84096979 33d0 xor edx,eax 8409697b 895114 mov dword ptr [ecx+14h],edx 8409697e 83c8ff or eax,0FFFFFFFFh 84096981 8bce mov ecx,esi 84096983 f00fc101 lock xadd dword ptr [ecx],eax 84096987 a802 test al,2 84096989 7409 je nt!NtAllocateVirtualMemory+0xb85 (84096994) nt!NtAllocateVirtualMemory+0xb7c: 8409698b a804 test al,4 8409698d 7505 jne nt!NtAllocateVirtualMemory+0xb85 (84096994) nt!NtAllocateVirtualMemory+0xb80: 8409698f e87b42e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0xb85: 84096994 8b75c8 mov esi,dword ptr [ebp-38h] 84096997 83c618 add esi,18h 8409699a 8bc6 mov eax,esi 8409699c f00fba2800 lock bts dword ptr [eax],0 840969a1 7307 jae nt!NtAllocateVirtualMemory+0xb9b (840969aa) nt!NtAllocateVirtualMemory+0xb94: 840969a3 8bce mov ecx,esi 840969a5 e8892de5ff call nt!ExfAcquirePushLockExclusive (83ee9733) nt!NtAllocateVirtualMemory+0xb9b: 840969aa 8d857cffffff lea eax,[ebp-84h] 840969b0 50 push eax 840969b1 6a01 push 1 840969b3 8d4594 lea eax,[ebp-6Ch] 840969b6 50 push eax 840969b7 ff751c push dword ptr [ebp+1Ch] 840969ba ff75b4 push dword ptr [ebp-4Ch] 840969bd ff75c8 push dword ptr [ebp-38h] 840969c0 8b7de4 mov edi,dword ptr [ebp-1Ch] 840969c3 57 push edi 840969c4 8b4dd8 mov ecx,dword ptr [ebp-28h] 840969c7 e89ae7e5ff call nt!IoSetThreadHardErrorMode+0x6e8 (83ef5166) 840969cc 83c8ff or eax,0FFFFFFFFh 840969cf f645e002 test byte ptr [ebp-20h],2 840969d3 7537 jne nt!NtAllocateVirtualMemory+0xbfd (84096a0c) nt!NtAllocateVirtualMemory+0xbc6: 840969d5 8bce mov ecx,esi 840969d7 f00fc101 lock xadd dword ptr [ecx],eax 840969db a802 test al,2 840969dd 7409 je nt!NtAllocateVirtualMemory+0xbd9 (840969e8) nt!NtAllocateVirtualMemory+0xbd0: 840969df a804 test al,4 840969e1 7505 jne nt!NtAllocateVirtualMemory+0xbd9 (840969e8) nt!NtAllocateVirtualMemory+0xbd4: 840969e3 e82742e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0xbd9: 840969e8 8d8f00010000 lea ecx,[edi+100h] 840969ee 33d2 xor edx,edx 840969f0 8bf1 mov esi,ecx 840969f2 6a11 push 11h 840969f4 58 pop eax 840969f5 f00fb116 lock cmpxchg dword ptr [esi],edx 840969f9 83f811 cmp eax,11h 840969fc 7405 je nt!NtAllocateVirtualMemory+0xbf4 (84096a03) nt!NtAllocateVirtualMemory+0xbef: 840969fe e895fae4ff call nt!ExfReleasePushLockShared (83ee6498) nt!NtAllocateVirtualMemory+0xbf4: 84096a03 80a389020000fb and byte ptr [ebx+289h],0FBh 84096a0a eb20 jmp nt!NtAllocateVirtualMemory+0xc1d (84096a2c) nt!NtAllocateVirtualMemory+0xbfd: 84096a0c 8d8f00010000 lea ecx,[edi+100h] 84096a12 8bd1 mov edx,ecx 84096a14 f00fc102 lock xadd dword ptr [edx],eax 84096a18 a802 test al,2 84096a1a 7409 je nt!NtAllocateVirtualMemory+0xc16 (84096a25) nt!NtAllocateVirtualMemory+0xc0d: 84096a1c a804 test al,4 84096a1e 7505 jne nt!NtAllocateVirtualMemory+0xc16 (84096a25) nt!NtAllocateVirtualMemory+0xc11: 84096a20 e8ea41e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0xc16: 84096a25 80a389020000fd and byte ptr [ebx+289h],0FDh nt!NtAllocateVirtualMemory+0xc1d: 84096a2c 8d8386000000 lea eax,[ebx+86h] 84096a32 66ff00 inc word ptr [eax] 84096a35 0fb700 movzx eax,word ptr [eax] 84096a38 6685c0 test ax,ax 84096a3b 750c jne nt!NtAllocateVirtualMemory+0xc3a (84096a49) nt!NtAllocateVirtualMemory+0xc2e: 84096a3d 83c340 add ebx,40h 84096a40 391b cmp dword ptr [ebx],ebx 84096a42 7405 je nt!NtAllocateVirtualMemory+0xc3a (84096a49) nt!NtAllocateVirtualMemory+0xc35: 84096a44 e8a1ceddff call nt!KiCheckForKernelApcDelivery (83e738ea) nt!NtAllocateVirtualMemory+0xc3a: 84096a49 8b5510 mov edx,dword ptr [ebp+10h] 84096a4c 85d2 test edx,edx 84096a4e 7470 je nt!NtAllocateVirtualMemory+0xcb1 (84096ac0) nt!NtAllocateVirtualMemory+0xc41: 84096a50 64a120000000 mov eax,dword ptr fs:[00000020h] 84096a56 055c330000 add eax,335Ch 84096a5b 89451c mov dword ptr [ebp+1Ch],eax 84096a5e 8b08 mov ecx,dword ptr [eax] 84096a60 8d3c11 lea edi,[ecx+edx] 84096a63 be00010000 mov esi,100h 84096a68 3bfe cmp edi,esi 84096a6a 771c ja nt!NtAllocateVirtualMemory+0xc79 (84096a88) nt!NtAllocateVirtualMemory+0xc5d: 84096a6c eb03 jmp nt!NtAllocateVirtualMemory+0xc62 (84096a71) nt!NtAllocateVirtualMemory+0xc5f: 84096a6e 8b451c mov eax,dword ptr [ebp+1Ch] nt!NtAllocateVirtualMemory+0xc62: 84096a71 8d3c11 lea edi,[ecx+edx] 84096a74 8bd8 mov ebx,eax 84096a76 8bc1 mov eax,ecx 84096a78 f00fb13b lock cmpxchg dword ptr [ebx],edi 84096a7c 3bc1 cmp eax,ecx 84096a7e 7440 je nt!NtAllocateVirtualMemory+0xcb1 (84096ac0) nt!NtAllocateVirtualMemory+0xc71: 84096a80 8bc8 mov ecx,eax 84096a82 03c2 add eax,edx 84096a84 3bc6 cmp eax,esi 84096a86 76e6 jbe nt!NtAllocateVirtualMemory+0xc5f (84096a6e) nt!NtAllocateVirtualMemory+0xc79: 84096a88 8bc2 mov eax,edx 84096a8a f7d8 neg eax 84096a8c b95813f983 mov ecx,offset nt!TmEnlistmentObjectType+0x72ac (83f91358) 84096a91 f00fc101 lock xadd dword ptr [ecx],eax 84096a95 8b0d7413f983 mov ecx,dword ptr [nt!TmEnlistmentObjectType+0x72c8 (83f91374)] 84096a9b 3bc1 cmp eax,ecx 84096a9d 7208 jb nt!NtAllocateVirtualMemory+0xc98 (84096aa7) nt!NtAllocateVirtualMemory+0xc90: 84096a9f 8bf0 mov esi,eax 84096aa1 2bf2 sub esi,edx 84096aa3 3bf1 cmp esi,ecx 84096aa5 7212 jb nt!NtAllocateVirtualMemory+0xcaa (84096ab9) nt!NtAllocateVirtualMemory+0xc98: 84096aa7 8bf0 mov esi,eax 84096aa9 2bf2 sub esi,edx 84096aab 8b0d6013f983 mov ecx,dword ptr [nt!TmEnlistmentObjectType+0x72b4 (83f91360)] 84096ab1 3bf1 cmp esi,ecx 84096ab3 730b jae nt!NtAllocateVirtualMemory+0xcb1 (84096ac0) nt!NtAllocateVirtualMemory+0xca6: 84096ab5 3bc1 cmp eax,ecx 84096ab7 7207 jb nt!NtAllocateVirtualMemory+0xcb1 (84096ac0) nt!NtAllocateVirtualMemory+0xcaa: 84096ab9 6a00 push 0 84096abb e821f9dbff call nt!IoEnumerateDeviceObjectList+0x144 (83e563e1) nt!NtAllocateVirtualMemory+0xcb1: 84096ac0 f645e001 test byte ptr [ebp-20h],1 84096ac4 740c je nt!NtAllocateVirtualMemory+0xcc3 (84096ad2) nt!NtAllocateVirtualMemory+0xcb7: 84096ac6 8d8558ffffff lea eax,[ebp-0A8h] 84096acc 50 push eax 84096acd e87292e4ff call nt!KeUnstackDetachProcess (83edfd44) nt!NtAllocateVirtualMemory+0xcc3: 84096ad2 f70584f8f78300800000 test dword ptr [nt!KeTickCount+0x8404 (83f7f884)],8000h 84096adc 741a je nt!NtAllocateVirtualMemory+0xce9 (84096af8) nt!NtAllocateVirtualMemory+0xccf: 84096ade f7451800300000 test dword ptr [ebp+18h],3000h 84096ae5 7411 je nt!NtAllocateVirtualMemory+0xce9 (84096af8) nt!NtAllocateVirtualMemory+0xcd8: 84096ae7 ff7518 push dword ptr [ebp+18h] 84096aea ff75e4 push dword ptr [ebp-1Ch] 84096aed ff75bc push dword ptr [ebp-44h] 84096af0 8b45d8 mov eax,dword ptr [ebp-28h] 84096af3 e85345ecff call nt!EtwWriteString+0xa08 (83f5b04b) nt!NtAllocateVirtualMemory+0xce9: 84096af8 837d08ff cmp dword ptr [ebp+8],0FFFFFFFFh 84096afc 7408 je nt!NtAllocateVirtualMemory+0xcf7 (84096b06) nt!NtAllocateVirtualMemory+0xcef: 84096afe 8b4de4 mov ecx,dword ptr [ebp-1Ch] 84096b01 e8bdc3e1ff call nt!ObfDereferenceObject (83eb2ec3) nt!NtAllocateVirtualMemory+0xcf7: 84096b06 c745fc02000000 mov dword ptr [ebp-4],2 84096b0d 8b4514 mov eax,dword ptr [ebp+14h] 84096b10 8b4dbc mov ecx,dword ptr [ebp-44h] 84096b13 8908 mov dword ptr [eax],ecx 84096b15 e979080000 jmp nt!NtAllocateVirtualMemory+0x1584 (84097393) nt!NtAllocateVirtualMemory+0xd14: 84096b23 f6451c88 test byte ptr [ebp+1Ch],88h 84096b27 0f8591f7ffff jne nt!NtAllocateVirtualMemory+0x4af (840962be) nt!NtAllocateVirtualMemory+0xd1e: 84096b2d 83f906 cmp ecx,6 84096b30 750d jne nt!NtAllocateVirtualMemory+0xd30 (84096b3f) nt!NtAllocateVirtualMemory+0xd23: 84096b32 f7451cf9f9ffff test dword ptr [ebp+1Ch],0FFFFF9F9h 84096b39 0f857ff7ffff jne nt!NtAllocateVirtualMemory+0x4af (840962be) nt!NtAllocateVirtualMemory+0xd30: 84096b3f ff75c0 push dword ptr [ebp-40h] 84096b42 8b7de4 mov edi,dword ptr [ebp-1Ch] 84096b45 8bd7 mov edx,edi 84096b47 e8820be7ff call nt!EtwProviderEnabled+0xd72 (83f076ce) 84096b4c 85c0 test eax,eax 84096b4e 750c jne nt!NtAllocateVirtualMemory+0xd4d (84096b5c) nt!NtAllocateVirtualMemory+0xd41: 84096b50 c745102d0100c0 mov dword ptr [ebp+10h],0C000012Dh 84096b57 e9e4010000 jmp nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0xd4d: 84096b5c f6876c02000010 test byte ptr [edi+26Ch],10h 84096b63 7423 je nt!NtAllocateVirtualMemory+0xd79 (84096b88) nt!NtAllocateVirtualMemory+0xd56: 84096b65 ff75c0 push dword ptr [ebp-40h] 84096b68 6a10 push 10h 84096b6a e8de430300 call nt!ObGetObjectSecurity+0xa54 (840caf4d) 84096b6f 84c0 test al,al 84096b71 7511 jne nt!NtAllocateVirtualMemory+0xd75 (84096b84) nt!NtAllocateVirtualMemory+0xd64: 84096b73 8b45c0 mov eax,dword ptr [ebp-40h] 84096b76 f7d8 neg eax 84096b78 81c7d0000000 add edi,0D0h 84096b7e f00fc107 lock xadd dword ptr [edi],eax 84096b82 ebcc jmp nt!NtAllocateVirtualMemory+0xd41 (84096b50) nt!NtAllocateVirtualMemory+0xd75: 84096b84 834de008 or dword ptr [ebp-20h],8 nt!NtAllocateVirtualMemory+0xd79: 84096b88 ff75c0 push dword ptr [ebp-40h] 84096b8b 8bc7 mov eax,edi 84096b8d e870d60200 call nt!NtConnectPort+0x196e (840c4202) 84096b92 894510 mov dword ptr [ebp+10h],eax 84096b95 85c0 test eax,eax 84096b97 7d28 jge nt!NtAllocateVirtualMemory+0xdb2 (84096bc1) nt!NtAllocateVirtualMemory+0xd8a: 84096b99 8b45c0 mov eax,dword ptr [ebp-40h] 84096b9c f7d8 neg eax 84096b9e 8bc8 mov ecx,eax 84096ba0 81c7d0000000 add edi,0D0h 84096ba6 f00fc10f lock xadd dword ptr [edi],ecx 84096baa f645e008 test byte ptr [ebp-20h],8 84096bae 0f848c010000 je nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0xda5: 84096bb4 50 push eax 84096bb5 6a10 push 10h 84096bb7 e891430300 call nt!ObGetObjectSecurity+0xa54 (840caf4d) 84096bbc e97f010000 jmp nt!NtAllocateVirtualMemory+0xf31 (84096d40) nt!NtAllocateVirtualMemory+0xdb2: 84096bc1 8365a800 and dword ptr [ebp-58h],0 84096bc5 8d45a8 lea eax,[ebp-58h] 84096bc8 50 push eax 84096bc9 8d45a4 lea eax,[ebp-5Ch] 84096bcc 50 push eax 84096bcd ff751c push dword ptr [ebp+1Ch] 84096bd0 ff7588 push dword ptr [ebp-78h] 84096bd3 ff75b0 push dword ptr [ebp-50h] 84096bd6 56 push esi 84096bd7 e8ed45e3ff call nt!MmFreePagesFromMdl+0x22e (83ecb1c9) 84096bdc 894510 mov dword ptr [ebp+10h],eax 84096bdf 33d2 xor edx,edx 84096be1 8b4dd0 mov ecx,dword ptr [ebp-30h] 84096be4 8bf1 mov esi,ecx 84096be6 6a11 push 11h 84096be8 58 pop eax 84096be9 f00fb116 lock cmpxchg dword ptr [esi],edx 84096bed 83f811 cmp eax,11h 84096bf0 7405 je nt!NtAllocateVirtualMemory+0xde8 (84096bf7) nt!NtAllocateVirtualMemory+0xde3: 84096bf2 e8a1f8e4ff call nt!ExfReleasePushLockShared (83ee6498) nt!NtAllocateVirtualMemory+0xde8: 84096bf7 80a389020000fb and byte ptr [ebx+289h],0FBh 84096bfe 66ff8386000000 inc word ptr [ebx+86h] 84096c05 0fb78386000000 movzx eax,word ptr [ebx+86h] 84096c0c 6685c0 test ax,ax 84096c0f 750c jne nt!NtAllocateVirtualMemory+0xe0e (84096c1d) nt!NtAllocateVirtualMemory+0xe02: 84096c11 83c340 add ebx,40h 84096c14 391b cmp dword ptr [ebx],ebx 84096c16 7405 je nt!NtAllocateVirtualMemory+0xe0e (84096c1d) nt!NtAllocateVirtualMemory+0xe09: 84096c18 e8cdccddff call nt!KiCheckForKernelApcDelivery (83e738ea) nt!NtAllocateVirtualMemory+0xe0e: 84096c1d 837d1000 cmp dword ptr [ebp+10h],0 84096c21 7d32 jge nt!NtAllocateVirtualMemory+0xe46 (84096c55) nt!NtAllocateVirtualMemory+0xe14: 84096c23 ff75c0 push dword ptr [ebp-40h] 84096c26 8bc7 mov eax,edi 84096c28 e89f4e0200 call nt!SeQueryAuthenticationIdToken+0xe31 (840bbacc) 84096c2d 8b45c0 mov eax,dword ptr [ebp-40h] 84096c30 f7d8 neg eax 84096c32 8bc8 mov ecx,eax 84096c34 81c7d0000000 add edi,0D0h 84096c3a f00fc10f lock xadd dword ptr [edi],ecx 84096c3e f645e008 test byte ptr [ebp-20h],8 84096c42 0f846e070000 je nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0xe39: 84096c48 50 push eax 84096c49 6a10 push 10h 84096c4b e8fd420300 call nt!ObGetObjectSecurity+0xa54 (840caf4d) 84096c50 e961070000 jmp nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0xe46: 84096c55 8b5dc0 mov ebx,dword ptr [ebp-40h] 84096c58 2b5da4 sub ebx,dword ptr [ebp-5Ch] 84096c5b 7426 je nt!NtAllocateVirtualMemory+0xe74 (84096c83) nt!NtAllocateVirtualMemory+0xe4e: 84096c5d 53 push ebx 84096c5e 8bc7 mov eax,edi 84096c60 e8674e0200 call nt!SeQueryAuthenticationIdToken+0xe31 (840bbacc) 84096c65 8d87d0000000 lea eax,[edi+0D0h] 84096c6b 8bcb mov ecx,ebx 84096c6d f7d9 neg ecx 84096c6f 8bd1 mov edx,ecx 84096c71 f00fc110 lock xadd dword ptr [eax],edx 84096c75 f645e008 test byte ptr [ebp-20h],8 84096c79 7408 je nt!NtAllocateVirtualMemory+0xe74 (84096c83) nt!NtAllocateVirtualMemory+0xe6c: 84096c7b 51 push ecx 84096c7c 6a10 push 10h 84096c7e e8ca420300 call nt!ObGetObjectSecurity+0xa54 (840caf4d) nt!NtAllocateVirtualMemory+0xe74: 84096c83 837da801 cmp dword ptr [ebp-58h],1 84096c87 7524 jne nt!NtAllocateVirtualMemory+0xe9e (84096cad) nt!NtAllocateVirtualMemory+0xe7a: 84096c89 8b45d8 mov eax,dword ptr [ebp-28h] 84096c8c 8945a0 mov dword ptr [ebp-60h],eax 84096c8f 8b45bc mov eax,dword ptr [ebp-44h] 84096c92 894580 mov dword ptr [ebp-80h],eax 84096c95 8d8570ffffff lea eax,[ebp-90h] 84096c9b 50 push eax 84096c9c ff751c push dword ptr [ebp+1Ch] 84096c9f 8d4580 lea eax,[ebp-80h] 84096ca2 50 push eax 84096ca3 8d45a0 lea eax,[ebp-60h] 84096ca6 50 push eax 84096ca7 57 push edi 84096ca8 e8a02a0300 call nt!SeAppendPrivileges+0x455 (840c974d) nt!NtAllocateVirtualMemory+0xe9e: 84096cad f645e001 test byte ptr [ebp-20h],1 84096cb1 740c je nt!NtAllocateVirtualMemory+0xeb0 (84096cbf) nt!NtAllocateVirtualMemory+0xea4: 84096cb3 8d8558ffffff lea eax,[ebp-0A8h] 84096cb9 50 push eax 84096cba e88590e4ff call nt!KeUnstackDetachProcess (83edfd44) nt!NtAllocateVirtualMemory+0xeb0: 84096cbf f70584f8f78300800000 test dword ptr [nt!KeTickCount+0x8404 (83f7f884)],8000h 84096cc9 741a je nt!NtAllocateVirtualMemory+0xed6 (84096ce5) nt!NtAllocateVirtualMemory+0xebc: 84096ccb f7451800300000 test dword ptr [ebp+18h],3000h 84096cd2 7411 je nt!NtAllocateVirtualMemory+0xed6 (84096ce5) nt!NtAllocateVirtualMemory+0xec5: 84096cd4 ff7518 push dword ptr [ebp+18h] 84096cd7 ff75e4 push dword ptr [ebp-1Ch] 84096cda ff75bc push dword ptr [ebp-44h] 84096cdd 8b45d8 mov eax,dword ptr [ebp-28h] 84096ce0 e86643ecff call nt!EtwWriteString+0xa08 (83f5b04b) nt!NtAllocateVirtualMemory+0xed6: 84096ce5 837d08ff cmp dword ptr [ebp+8],0FFFFFFFFh 84096ce9 7408 je nt!NtAllocateVirtualMemory+0xee4 (84096cf3) nt!NtAllocateVirtualMemory+0xedc: 84096ceb 8b4de4 mov ecx,dword ptr [ebp-1Ch] 84096cee e8d0c1e1ff call nt!ObfDereferenceObject (83eb2ec3) nt!NtAllocateVirtualMemory+0xee4: 84096cf3 c745fc03000000 mov dword ptr [ebp-4],3 84096cfa 8b4514 mov eax,dword ptr [ebp+14h] 84096cfd 8b4dbc mov ecx,dword ptr [ebp-44h] 84096d00 8908 mov dword ptr [eax],ecx 84096d02 8b450c mov eax,dword ptr [ebp+0Ch] 84096d05 8b4dd8 mov ecx,dword ptr [ebp-28h] 84096d08 8908 mov dword ptr [eax],ecx 84096d0a c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh nt!NtAllocateVirtualMemory+0xf02: 84096d11 8b4510 mov eax,dword ptr [ebp+10h] 84096d14 e9e3060000 jmp nt!NtAllocateVirtualMemory+0x15ed (840973fc) nt!NtAllocateVirtualMemory+0xf2a: 84096d39 c74510180000c0 mov dword ptr [ebp+10h],0C0000018h nt!NtAllocateVirtualMemory+0xf31: 84096d40 8b4de4 mov ecx,dword ptr [ebp-1Ch] 84096d43 81c100010000 add ecx,100h 84096d49 f645e002 test byte ptr [ebp-20h],2 84096d4d 7532 jne nt!NtAllocateVirtualMemory+0xf72 (84096d81) nt!NtAllocateVirtualMemory+0xf40: 84096d4f 33d2 xor edx,edx 84096d51 8bf1 mov esi,ecx 84096d53 6a11 push 11h 84096d55 58 pop eax 84096d56 f00fb116 lock cmpxchg dword ptr [esi],edx 84096d5a 83f811 cmp eax,11h 84096d5d 7405 je nt!NtAllocateVirtualMemory+0xf55 (84096d64) nt!NtAllocateVirtualMemory+0xf50: 84096d5f e834f7e4ff call nt!ExfReleasePushLockShared (83ee6498) nt!NtAllocateVirtualMemory+0xf55: 84096d64 80a389020000fb and byte ptr [ebx+289h],0FBh nt!NtAllocateVirtualMemory+0xf5c: 84096d6b 66ff8386000000 inc word ptr [ebx+86h] 84096d72 0fb78386000000 movzx eax,word ptr [ebx+86h] 84096d79 6685c0 test ax,ax 84096d7c e99af8ffff jmp nt!NtAllocateVirtualMemory+0x80c (8409661b) nt!NtAllocateVirtualMemory+0xf72: 84096d81 83c8ff or eax,0FFFFFFFFh nt!NtAllocateVirtualMemory+0xf75: 84096d84 8bd1 mov edx,ecx 84096d86 f00fc102 lock xadd dword ptr [edx],eax 84096d8a a802 test al,2 84096d8c 7409 je nt!NtAllocateVirtualMemory+0xf88 (84096d97) nt!NtAllocateVirtualMemory+0xf7f: 84096d8e a804 test al,4 84096d90 7505 jne nt!NtAllocateVirtualMemory+0xf88 (84096d97) nt!NtAllocateVirtualMemory+0xf83: 84096d92 e8783ee7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0xf88: 84096d97 80a389020000fd and byte ptr [ebx+289h],0FDh 84096d9e ebcb jmp nt!NtAllocateVirtualMemory+0xf5c (84096d6b) nt!NtAllocateVirtualMemory+0xf91: 84096da0 f6451c88 test byte ptr [ebp+1Ch],88h 84096da4 0f8505060000 jne nt!NtAllocateVirtualMemory+0x15a0 (840973af) nt!NtAllocateVirtualMemory+0xf9b: 84096daa c745b800000100 mov dword ptr [ebp-48h],10000h 84096db1 85f6 test esi,esi 84096db3 0f85bc000000 jne nt!NtAllocateVirtualMemory+0x1066 (84096e75) nt!NtAllocateVirtualMemory+0xfaa: 84096db9 8d97ff0f0000 lea edx,[edi+0FFFh] 84096dbf 81e200f0ffff and edx,0FFFFF000h 84096dc5 8955bc mov dword ptr [ebp-44h],edx 84096dc8 a11427fb83 mov eax,dword ptr [nt!MmHighestUserAddress (83fb2714)] 84096dcd 050000ffff add eax,0FFFF0000h 84096dd2 8945c4 mov dword ptr [ebp-3Ch],eax 84096dd5 8b4d10 mov ecx,dword ptr [ebp+10h] 84096dd8 85c9 test ecx,ecx 84096dda 7424 je nt!NtAllocateVirtualMemory+0xff1 (84096e00) nt!NtAllocateVirtualMemory+0xfcd: 84096ddc 83c8ff or eax,0FFFFFFFFh 84096ddf d3e8 shr eax,cl 84096de1 8945c4 mov dword ptr [ebp-3Ch],eax 84096de4 8b0d1427fb83 mov ecx,dword ptr [nt!MmHighestUserAddress (83fb2714)] 84096dea 81c10000ffff add ecx,0FFFF0000h 84096df0 3bc1 cmp eax,ecx 84096df2 760c jbe nt!NtAllocateVirtualMemory+0xff1 (84096e00) nt!NtAllocateVirtualMemory+0xfe5: 84096df4 c74510f10000c0 mov dword ptr [ebp+10h],0C00000F1h 84096dfb e9b6050000 jmp nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0xff1: 84096e00 8b45e4 mov eax,dword ptr [ebp-1Ch] 84096e03 f7807002000000002000 test dword ptr [eax+270h],200000h 84096e0d 7407 je nt!NtAllocateVirtualMemory+0x1007 (84096e16) nt!NtAllocateVirtualMemory+0x1000: 84096e0f 814d1800001000 or dword ptr [ebp+18h],100000h nt!NtAllocateVirtualMemory+0x1007: 84096e16 8bc2 mov eax,edx 84096e18 25ff0f0000 and eax,0FFFh 84096e1d f7d8 neg eax 84096e1f 1bc0 sbb eax,eax 84096e21 f7d8 neg eax 84096e23 8bca mov ecx,edx 84096e25 c1e90c shr ecx,0Ch 84096e28 03c1 add eax,ecx 84096e2a 8945c8 mov dword ptr [ebp-38h],eax 84096e2d 33f6 xor esi,esi 84096e2f 8975d8 mov dword ptr [ebp-28h],esi 84096e32 8b4518 mov eax,dword ptr [ebp+18h] 84096e35 2500000020 and eax,20000000h 84096e3a 8945d0 mov dword ptr [ebp-30h],eax 84096e3d 0f848b000000 je nt!NtAllocateVirtualMemory+0x10bf (84096ece) nt!NtAllocateVirtualMemory+0x1034: 84096e43 f6054829fb8320 test byte ptr [nt!KeNumberProcessors+0xa2 (83fb2948)],20h 84096e4a 750c jne nt!NtAllocateVirtualMemory+0x1049 (84096e58) nt!NtAllocateVirtualMemory+0x103d: 84096e4c c74510bb0000c0 mov dword ptr [ebp+10h],0C00000BBh 84096e53 e95e050000 jmp nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0x1049: 84096e58 f7c2ffff1f00 test edx,1FFFFFh 84096e5e 740c je nt!NtAllocateVirtualMemory+0x105d (84096e6c) nt!NtAllocateVirtualMemory+0x1051: 84096e60 c74510f20000c0 mov dword ptr [ebp+10h],0C00000F2h 84096e67 e94a050000 jmp nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0x105d: 84096e6c c745b800002000 mov dword ptr [ebp-48h],200000h 84096e73 eb59 jmp nt!NtAllocateVirtualMemory+0x10bf (84096ece) nt!NtAllocateVirtualMemory+0x1066: 84096e75 8b45b0 mov eax,dword ptr [ebp-50h] 84096e78 8d7407ff lea esi,[edi+eax-1] 84096e7c baff0f0000 mov edx,0FFFh 84096e81 0bf2 or esi,edx 84096e83 837dd000 cmp dword ptr [ebp-30h],0 84096e87 7423 je nt!NtAllocateVirtualMemory+0x109d (84096eac) nt!NtAllocateVirtualMemory+0x107a: 84096e89 f6054829fb8320 test byte ptr [nt!KeNumberProcessors+0xa2 (83fb2948)],20h 84096e90 74ba je nt!NtAllocateVirtualMemory+0x103d (84096e4c) nt!NtAllocateVirtualMemory+0x1083: 84096e92 f7c7ffff1f00 test edi,1FFFFFh 84096e98 75c6 jne nt!NtAllocateVirtualMemory+0x1051 (84096e60) nt!NtAllocateVirtualMemory+0x108b: 84096e9a c745b800002000 mov dword ptr [ebp-48h],200000h 84096ea1 250000e0ff and eax,0FFE00000h 84096ea6 8d7407ff lea esi,[edi+eax-1] 84096eaa eb05 jmp nt!NtAllocateVirtualMemory+0x10a2 (84096eb1) nt!NtAllocateVirtualMemory+0x109d: 84096eac 250000ffff and eax,0FFFF0000h nt!NtAllocateVirtualMemory+0x10a2: 84096eb1 8945d8 mov dword ptr [ebp-28h],eax 84096eb4 8bce mov ecx,esi 84096eb6 2bc8 sub ecx,eax 84096eb8 8bc1 mov eax,ecx 84096eba 23c2 and eax,edx 84096ebc f7d8 neg eax 84096ebe 1bc0 sbb eax,eax 84096ec0 f7d8 neg eax 84096ec2 c1f90c sar ecx,0Ch 84096ec5 03c1 add eax,ecx 84096ec7 8945c8 mov dword ptr [ebp-38h],eax 84096eca 8365c400 and dword ptr [ebp-3Ch],0 nt!NtAllocateVirtualMemory+0x10bf: 84096ece 8365cc00 and dword ptr [ebp-34h],0 84096ed2 6856616453 push 53646156h 84096ed7 6a20 push 20h 84096ed9 6a00 push 0 84096edb e8cb2cedff call nt!ExAllocatePoolWithTag (83f69bab) 84096ee0 8bf8 mov edi,eax 84096ee2 85ff test edi,edi 84096ee4 750c jne nt!NtAllocateVirtualMemory+0x10e3 (84096ef2) nt!NtAllocateVirtualMemory+0x10d7: 84096ee6 c745109a0000c0 mov dword ptr [ebp+10h],0C000009Ah 84096eed e9c4040000 jmp nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0x10e3: 84096ef2 33c0 xor eax,eax 84096ef4 894718 mov dword ptr [edi+18h],eax 84096ef7 894714 mov dword ptr [edi+14h],eax 84096efa 8b4ddc mov ecx,dword ptr [ebp-24h] 84096efd 83e13f and ecx,3Fh 84096f00 894f1c mov dword ptr [edi+1Ch],ecx 84096f03 3945dc cmp dword ptr [ebp-24h],eax 84096f06 7411 je nt!NtAllocateVirtualMemory+0x110a (84096f19) nt!NtAllocateVirtualMemory+0x10f9: 84096f08 b800040000 mov eax,400h 84096f0d 8b4de4 mov ecx,dword ptr [ebp-1Ch] 84096f10 81c16c020000 add ecx,26Ch 84096f16 f00901 lock or dword ptr [ecx],eax nt!NtAllocateVirtualMemory+0x110a: 84096f19 8b5518 mov edx,dword ptr [ebp+18h] 84096f1c f7c200100000 test edx,1000h 84096f22 740c je nt!NtAllocateVirtualMemory+0x1121 (84096f30) nt!NtAllocateVirtualMemory+0x1115: 84096f24 8b4dc8 mov ecx,dword ptr [ebp-38h] 84096f27 814f1400008000 or dword ptr [edi+14h],800000h 84096f2e eb03 jmp nt!NtAllocateVirtualMemory+0x1124 (84096f33) nt!NtAllocateVirtualMemory+0x1121: 84096f30 8b4dc0 mov ecx,dword ptr [ebp-40h] nt!NtAllocateVirtualMemory+0x1124: 84096f33 8b45ac mov eax,dword ptr [ebp-54h] 84096f36 83e01f and eax,1Fh 84096f39 83c880 or eax,0FFFFFF80h 84096f3c c1e018 shl eax,18h 84096f3f 81e1ffff0700 and ecx,7FFFFh 84096f45 0bc1 or eax,ecx 84096f47 8b4f14 mov ecx,dword ptr [edi+14h] 84096f4a 81e10000f8e0 and ecx,0E0F80000h 84096f50 0bc1 or eax,ecx 84096f52 894714 mov dword ptr [edi+14h],eax 84096f55 33c0 xor eax,eax 84096f57 8945d4 mov dword ptr [ebp-2Ch],eax 84096f5a 89451c mov dword ptr [ebp+1Ch],eax 84096f5d 8945dc mov dword ptr [ebp-24h],eax 84096f60 8955b4 mov dword ptr [ebp-4Ch],edx 84096f63 8165b40000c020 and dword ptr [ebp-4Ch],20C00000h 84096f6a 0f84a1000000 je nt!NtAllocateVirtualMemory+0x1202 (84097011) nt!NtAllocateVirtualMemory+0x1161: 84096f70 f7c200004020 test edx,20400000h 84096f76 7425 je nt!NtAllocateVirtualMemory+0x118e (84096f9d) nt!NtAllocateVirtualMemory+0x1169: 84096f78 8b45e4 mov eax,dword ptr [ebp-1Ch] 84096f7b 83b8e801000000 cmp dword ptr [eax+1E8h],0 84096f82 751d jne nt!NtAllocateVirtualMemory+0x1192 (84096fa1) nt!NtAllocateVirtualMemory+0x1175: 84096f84 e8ca1a0800 call nt!MmCreateMirror+0x2712 (84118a53) 84096f89 8945dc mov dword ptr [ebp-24h],eax 84096f8c 85c0 test eax,eax 84096f8e 7511 jne nt!NtAllocateVirtualMemory+0x1192 (84096fa1) nt!NtAllocateVirtualMemory+0x1181: 84096f90 6a00 push 0 84096f92 57 push edi 84096f93 e86d20edff call nt!ExFreePoolWithTag (83f69005) 84096f98 e949ffffff jmp nt!NtAllocateVirtualMemory+0x10d7 (84096ee6) nt!NtAllocateVirtualMemory+0x118e: 84096f9d 834de020 or dword ptr [ebp-20h],20h nt!NtAllocateVirtualMemory+0x1192: 84096fa1 684d6d7076 push 76706D4Dh 84096fa6 6a24 push 24h 84096fa8 6a00 push 0 84096faa e8fc2bedff call nt!ExAllocatePoolWithTag (83f69bab) 84096faf 89451c mov dword ptr [ebp+1Ch],eax 84096fb2 85c0 test eax,eax 84096fb4 750e jne nt!NtAllocateVirtualMemory+0x11b5 (84096fc4) nt!NtAllocateVirtualMemory+0x11a7: 84096fb6 8b75dc mov esi,dword ptr [ebp-24h] 84096fb9 85f6 test esi,esi 84096fbb 74d3 je nt!NtAllocateVirtualMemory+0x1181 (84096f90) nt!NtAllocateVirtualMemory+0x11ae: 84096fbd e8021b0800 call nt!MmCreateMirror+0x2783 (84118ac4) 84096fc2 ebcc jmp nt!NtAllocateVirtualMemory+0x1181 (84096f90) nt!NtAllocateVirtualMemory+0x11b5: 84096fc4 8b4714 mov eax,dword ptr [edi+14h] 84096fc7 f7451800004000 test dword ptr [ebp+18h],400000h 84096fce 740c je nt!NtAllocateVirtualMemory+0x11cd (84096fdc) nt!NtAllocateVirtualMemory+0x11c1: 84096fd0 25ffffbfff and eax,0FFBFFFFFh 84096fd5 0d00003000 or eax,300000h 84096fda eb1c jmp nt!NtAllocateVirtualMemory+0x11e9 (84096ff8) nt!NtAllocateVirtualMemory+0x11cd: 84096fdc 837dd000 cmp dword ptr [ebp-30h],0 84096fe0 740c je nt!NtAllocateVirtualMemory+0x11df (84096fee) nt!NtAllocateVirtualMemory+0x11d3: 84096fe2 25ffffdfff and eax,0FFDFFFFFh 84096fe7 0d00005000 or eax,500000h 84096fec eb0a jmp nt!NtAllocateVirtualMemory+0x11e9 (84096ff8) nt!NtAllocateVirtualMemory+0x11df: 84096fee 25ffffefff and eax,0FFEFFFFFh 84096ff3 0d00006000 or eax,600000h nt!NtAllocateVirtualMemory+0x11e9: 84096ff8 894714 mov dword ptr [edi+14h],eax 84096ffb 8bc8 mov ecx,eax 84096ffd c1e914 shr ecx,14h 84097000 83e107 and ecx,7 84097003 8b451c mov eax,dword ptr [ebp+1Ch] 84097006 894818 mov dword ptr [eax+18h],ecx 84097009 897814 mov dword ptr [eax+14h],edi 8409700c e9dc000000 jmp nt!NtAllocateVirtualMemory+0x12de (840970ed) nt!NtAllocateVirtualMemory+0x1202: 84097011 f7c200002000 test edx,200000h 84097017 0f84d0000000 je nt!NtAllocateVirtualMemory+0x12de (840970ed) nt!NtAllocateVirtualMemory+0x120e: 8409701d 834de020 or dword ptr [ebp-20h],20h 84097021 f645c81f test byte ptr [ebp-38h],1Fh 84097025 6a00 push 0 84097027 58 pop eax 84097028 0f95c0 setne al 8409702b 8b4dc8 mov ecx,dword ptr [ebp-38h] 8409702e c1e905 shr ecx,5 84097031 03c1 add eax,ecx 84097033 8d048508000000 lea eax,[eax*4+8] 8409703a 8945cc mov dword ptr [ebp-34h],eax 8409703d 684d6d7777 push 77776D4Dh 84097042 50 push eax 84097043 6a00 push 0 84097045 e8612bedff call nt!ExAllocatePoolWithTag (83f69bab) 8409704a 8945d4 mov dword ptr [ebp-2Ch],eax 8409704d 85c0 test eax,eax 8409704f 0f843bffffff je nt!NtAllocateVirtualMemory+0x1181 (84096f90) nt!NtAllocateVirtualMemory+0x1246: 84097055 ff75cc push dword ptr [ebp-34h] 84097058 ff75e4 push dword ptr [ebp-1Ch] 8409705b e8ef2ee7ff call nt!PsChargeProcessNonPagedPoolQuota (83f09f4f) 84097060 894510 mov dword ptr [ebp+10h],eax 84097063 85c0 test eax,eax 84097065 7d17 jge nt!NtAllocateVirtualMemory+0x126f (8409707e) nt!NtAllocateVirtualMemory+0x1258: 84097067 6a00 push 0 84097069 57 push edi 8409706a e8961fedff call nt!ExFreePoolWithTag (83f69005) 8409706f 6a00 push 0 84097071 ff75d4 push dword ptr [ebp-2Ch] nt!NtAllocateVirtualMemory+0x1265: 84097074 e88c1fedff call nt!ExFreePoolWithTag (83f69005) 84097079 e938030000 jmp nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0x126f: 8409707e 684d6d5777 push 77576D4Dh 84097083 6a24 push 24h 84097085 6a00 push 0 84097087 e81f2bedff call nt!ExAllocatePoolWithTag (83f69bab) 8409708c 89451c mov dword ptr [ebp+1Ch],eax 8409708f 85c0 test eax,eax 84097091 7521 jne nt!NtAllocateVirtualMemory+0x12a5 (840970b4) nt!NtAllocateVirtualMemory+0x1284: 84097093 50 push eax 84097094 57 push edi 84097095 e86b1fedff call nt!ExFreePoolWithTag (83f69005) 8409709a 6a00 push 0 8409709c ff75d4 push dword ptr [ebp-2Ch] 8409709f e8611fedff call nt!ExFreePoolWithTag (83f69005) 840970a4 ff75cc push dword ptr [ebp-34h] 840970a7 ff75e4 push dword ptr [ebp-1Ch] 840970aa e8bf9ee6ff call nt!PsReturnProcessNonPagedPoolQuota (83f00f6e) 840970af e932feffff jmp nt!NtAllocateVirtualMemory+0x10d7 (84096ee6) nt!NtAllocateVirtualMemory+0x12a5: 840970b4 8b4dc8 mov ecx,dword ptr [ebp-38h] 840970b7 8b45d4 mov eax,dword ptr [ebp-2Ch] 840970ba 8908 mov dword ptr [eax],ecx 840970bc 8d4808 lea ecx,[eax+8] 840970bf 894804 mov dword ptr [eax+4],ecx 840970c2 50 push eax 840970c3 e892b9ddff call nt!RtlClearAllBits (83e72a5a) 840970c8 8b4d1c mov ecx,dword ptr [ebp+1Ch] 840970cb 897914 mov dword ptr [ecx+14h],edi 840970ce 8b45d4 mov eax,dword ptr [ebp-2Ch] 840970d1 89411c mov dword ptr [ecx+1Ch],eax 840970d4 8b4714 mov eax,dword ptr [edi+14h] 840970d7 25ffffcfff and eax,0FFCFFFFFh 840970dc 0d00004000 or eax,400000h 840970e1 894714 mov dword ptr [edi+14h],eax 840970e4 c1e814 shr eax,14h 840970e7 83e007 and eax,7 840970ea 894118 mov dword ptr [ecx+18h],eax nt!NtAllocateVirtualMemory+0x12de: 840970ed 66ff8b86000000 dec word ptr [ebx+86h] 840970f4 8b4de4 mov ecx,dword ptr [ebp-1Ch] 840970f7 81c100010000 add ecx,100h 840970fd 8bc1 mov eax,ecx 840970ff f00fba2800 lock bts dword ptr [eax],0 84097104 7305 jae nt!NtAllocateVirtualMemory+0x12fc (8409710b) nt!NtAllocateVirtualMemory+0x12f7: 84097106 e82826e5ff call nt!ExfAcquirePushLockExclusive (83ee9733) nt!NtAllocateVirtualMemory+0x12fc: 8409710b 808b8902000002 or byte ptr [ebx+289h],2 84097112 8b45e4 mov eax,dword ptr [ebp-1Ch] 84097115 f6807002000020 test byte ptr [eax+270h],20h 8409711c 741e je nt!NtAllocateVirtualMemory+0x132d (8409713c) nt!NtAllocateVirtualMemory+0x130f: 8409711e c745100a0100c0 mov dword ptr [ebp+10h],0C000010Ah 84097125 837ddc00 cmp dword ptr [ebp-24h],0 84097129 0f84f4000000 je nt!NtAllocateVirtualMemory+0x1414 (84097223) nt!NtAllocateVirtualMemory+0x1320: 8409712f 8b75dc mov esi,dword ptr [ebp-24h] 84097132 e88d190800 call nt!MmCreateMirror+0x2783 (84118ac4) 84097137 e9e7000000 jmp nt!NtAllocateVirtualMemory+0x1414 (84097223) nt!NtAllocateVirtualMemory+0x132d: 8409713c f645e020 test byte ptr [ebp-20h],20h 84097140 7422 je nt!NtAllocateVirtualMemory+0x1355 (84097164) nt!NtAllocateVirtualMemory+0x1333: 84097142 8b45e4 mov eax,dword ptr [ebp-1Ch] 84097145 83b81001000000 cmp dword ptr [eax+110h],0 8409714c 7516 jne nt!NtAllocateVirtualMemory+0x1355 (84097164) nt!NtAllocateVirtualMemory+0x133f: 8409714e 50 push eax 8409714f e8a57addff call nt!wcsicmp+0x160 (83e6ebf9) 84097154 85c0 test eax,eax 84097156 750c jne nt!NtAllocateVirtualMemory+0x1355 (84097164) nt!NtAllocateVirtualMemory+0x1349: 84097158 c745109a0000c0 mov dword ptr [ebp+10h],0C000009Ah 8409715f e9bf000000 jmp nt!NtAllocateVirtualMemory+0x1414 (84097223) nt!NtAllocateVirtualMemory+0x1355: 84097164 837ddc00 cmp dword ptr [ebp-24h],0 84097168 740b je nt!NtAllocateVirtualMemory+0x1366 (84097175) nt!NtAllocateVirtualMemory+0x135b: 8409716a 8b45dc mov eax,dword ptr [ebp-24h] 8409716d 8b4de4 mov ecx,dword ptr [ebp-1Ch] 84097170 e86a190800 call nt!MmCreateMirror+0x279e (84118adf) nt!NtAllocateVirtualMemory+0x1366: 84097175 837db000 cmp dword ptr [ebp-50h],0 84097179 7567 jne nt!NtAllocateVirtualMemory+0x13d3 (840971e2) nt!NtAllocateVirtualMemory+0x136c: 8409717b f7451800001000 test dword ptr [ebp+18h],100000h 84097182 741d je nt!NtAllocateVirtualMemory+0x1392 (840971a1) nt!NtAllocateVirtualMemory+0x1375: 84097184 8d45d8 lea eax,[ebp-28h] 84097187 50 push eax 84097188 8b45e4 mov eax,dword ptr [ebp-1Ch] 8409718b 0578020000 add eax,278h 84097190 50 push eax 84097191 ff75bc push dword ptr [ebp-44h] 84097194 8b45b8 mov eax,dword ptr [ebp-48h] 84097197 8b55c4 mov edx,dword ptr [ebp-3Ch] 8409719a e8348b0100 call nt!IoCreateStreamFileObjectLite+0x868 (840afcd3) 8409719f eb1c jmp nt!NtAllocateVirtualMemory+0x13ae (840971bd) nt!NtAllocateVirtualMemory+0x1392: 840971a1 837dd000 cmp dword ptr [ebp-30h],0 840971a5 7504 jne nt!NtAllocateVirtualMemory+0x139c (840971ab) nt!NtAllocateVirtualMemory+0x1398: 840971a7 834de040 or dword ptr [ebp-20h],40h nt!NtAllocateVirtualMemory+0x139c: 840971ab 8d45d8 lea eax,[ebp-28h] 840971ae 50 push eax 840971af ff75c4 push dword ptr [ebp-3Ch] 840971b2 ff75b8 push dword ptr [ebp-48h] 840971b5 ff75bc push dword ptr [ebp-44h] 840971b8 e8dd1b0300 call nt!FsRtlCurrentBatchOplock+0x685 (840c8d9a) nt!NtAllocateVirtualMemory+0x13ae: 840971bd 894510 mov dword ptr [ebp+10h],eax 840971c0 85c0 test eax,eax 840971c2 7c5f jl nt!NtAllocateVirtualMemory+0x1414 (84097223) nt!NtAllocateVirtualMemory+0x13b5: 840971c4 8b45bc mov eax,dword ptr [ebp-44h] 840971c7 8b4dd8 mov ecx,dword ptr [ebp-28h] 840971ca 8d7408ff lea esi,[eax+ecx-1] 840971ce 81ceff0f0000 or esi,0FFFh 840971d4 3b75c4 cmp esi,dword ptr [ebp-3Ch] 840971d7 7624 jbe nt!NtAllocateVirtualMemory+0x13ee (840971fd) nt!NtAllocateVirtualMemory+0x13ca: 840971d9 c74510170000c0 mov dword ptr [ebp+10h],0C0000017h 840971e0 eb41 jmp nt!NtAllocateVirtualMemory+0x1414 (84097223) nt!NtAllocateVirtualMemory+0x13d3: 840971e2 ff75e4 push dword ptr [ebp-1Ch] 840971e5 8bce mov ecx,esi 840971e7 8b55d8 mov edx,dword ptr [ebp-28h] 840971ea e86305e7ff call nt!EtwProviderEnabled+0xdf6 (83f07752) 840971ef 83f801 cmp eax,1 840971f2 7509 jne nt!NtAllocateVirtualMemory+0x13ee (840971fd) nt!NtAllocateVirtualMemory+0x13e5: 840971f4 c74510180000c0 mov dword ptr [ebp+10h],0C0000018h 840971fb eb26 jmp nt!NtAllocateVirtualMemory+0x1414 (84097223) nt!NtAllocateVirtualMemory+0x13ee: 840971fd 8b45d8 mov eax,dword ptr [ebp-28h] 84097200 c1e80c shr eax,0Ch 84097203 89470c mov dword ptr [edi+0Ch],eax 84097206 8bc6 mov eax,esi 84097208 c1e80c shr eax,0Ch 8409720b 894710 mov dword ptr [edi+10h],eax 8409720e ff75e4 push dword ptr [ebp-1Ch] 84097211 8bc7 mov eax,edi 84097213 e877da0100 call nt!NtSetInformationThread+0x14e5 (840b4c8f) 84097218 894510 mov dword ptr [ebp+10h],eax 8409721b 85c0 test eax,eax 8409721d 0f8d89000000 jge nt!NtAllocateVirtualMemory+0x149d (840972ac) nt!NtAllocateVirtualMemory+0x1414: 84097223 83c8ff or eax,0FFFFFFFFh 84097226 8b4de4 mov ecx,dword ptr [ebp-1Ch] 84097229 81c100010000 add ecx,100h 8409722f 8bd1 mov edx,ecx 84097231 f00fc102 lock xadd dword ptr [edx],eax 84097235 a802 test al,2 84097237 7409 je nt!NtAllocateVirtualMemory+0x1433 (84097242) nt!NtAllocateVirtualMemory+0x142a: 84097239 a804 test al,4 8409723b 7505 jne nt!NtAllocateVirtualMemory+0x1433 (84097242) nt!NtAllocateVirtualMemory+0x142e: 8409723d e8cd39e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0x1433: 84097242 80a389020000fd and byte ptr [ebx+289h],0FDh 84097249 66ff8386000000 inc word ptr [ebx+86h] 84097250 0fb78386000000 movzx eax,word ptr [ebx+86h] 84097257 33f6 xor esi,esi 84097259 663bc6 cmp ax,si 8409725c 750c jne nt!NtAllocateVirtualMemory+0x145b (8409726a) nt!NtAllocateVirtualMemory+0x144f: 8409725e 83c340 add ebx,40h 84097261 391b cmp dword ptr [ebx],ebx 84097263 7405 je nt!NtAllocateVirtualMemory+0x145b (8409726a) nt!NtAllocateVirtualMemory+0x1456: 84097265 e880c6ddff call nt!KiCheckForKernelApcDelivery (83e738ea) nt!NtAllocateVirtualMemory+0x145b: 8409726a 56 push esi 8409726b 57 push edi 8409726c e8941dedff call nt!ExFreePoolWithTag (83f69005) 84097271 3975b4 cmp dword ptr [ebp-4Ch],esi 84097274 7409 je nt!NtAllocateVirtualMemory+0x1470 (8409727f) nt!NtAllocateVirtualMemory+0x1467: 84097276 56 push esi 84097277 ff751c push dword ptr [ebp+1Ch] 8409727a e9f5fdffff jmp nt!NtAllocateVirtualMemory+0x1265 (84097074) nt!NtAllocateVirtualMemory+0x1470: 8409727f 3975cc cmp dword ptr [ebp-34h],esi 84097282 0f842e010000 je nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0x1479: 84097288 6a00 push 0 8409728a ff751c push dword ptr [ebp+1Ch] 8409728d e8731dedff call nt!ExFreePoolWithTag (83f69005) 84097292 6a00 push 0 84097294 ff75d4 push dword ptr [ebp-2Ch] 84097297 e8691dedff call nt!ExFreePoolWithTag (83f69005) 8409729c ff75cc push dword ptr [ebp-34h] 8409729f ff75e4 push dword ptr [ebp-1Ch] 840972a2 e8c79ce6ff call nt!PsReturnProcessNonPagedPoolQuota (83f00f6e) 840972a7 e90a010000 jmp nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0x149d: 840972ac ff751c push dword ptr [ebp+1Ch] 840972af ff7518 push dword ptr [ebp+18h] 840972b2 e87143e3ff call nt!MmFreePagesFromMdl+0x68d (83ecb628) 840972b7 894510 mov dword ptr [ebp+10h],eax 840972ba 85c0 test eax,eax 840972bc 0f8cf4000000 jl nt!NtAllocateVirtualMemory+0x15a7 (840973b6) nt!NtAllocateVirtualMemory+0x14b3: 840972c2 f645e040 test byte ptr [ebp-20h],40h 840972c6 740b je nt!NtAllocateVirtualMemory+0x14c4 (840972d3) nt!NtAllocateVirtualMemory+0x14b9: 840972c8 8b4710 mov eax,dword ptr [edi+10h] 840972cb 8b4f0c mov ecx,dword ptr [edi+0Ch] 840972ce e8bd5a0100 call nt!PsRevertThreadToSelf+0xb9 (840acd90) nt!NtAllocateVirtualMemory+0x14c4: 840972d3 2b75d8 sub esi,dword ptr [ebp-28h] 840972d6 46 inc esi 840972d7 8b7de4 mov edi,dword ptr [ebp-1Ch] 840972da 8d87e0000000 lea eax,[edi+0E0h] 840972e0 0130 add dword ptr [eax],esi 840972e2 8b10 mov edx,dword ptr [eax] 840972e4 8d8fdc000000 lea ecx,[edi+0DCh] 840972ea 3b11 cmp edx,dword ptr [ecx] 840972ec 7604 jbe nt!NtAllocateVirtualMemory+0x14e3 (840972f2) nt!NtAllocateVirtualMemory+0x14df: 840972ee 8bc2 mov eax,edx 840972f0 8901 mov dword ptr [ecx],eax nt!NtAllocateVirtualMemory+0x14e3: 840972f2 83c8ff or eax,0FFFFFFFFh 840972f5 8d8f00010000 lea ecx,[edi+100h] 840972fb 8bd1 mov edx,ecx 840972fd f00fc102 lock xadd dword ptr [edx],eax 84097301 a802 test al,2 84097303 7409 je nt!NtAllocateVirtualMemory+0x14ff (8409730e) nt!NtAllocateVirtualMemory+0x14f6: 84097305 a804 test al,4 84097307 7505 jne nt!NtAllocateVirtualMemory+0x14ff (8409730e) nt!NtAllocateVirtualMemory+0x14fa: 84097309 e80139e7ff call nt!ExfTryToWakePushLock (83f0ac0f) nt!NtAllocateVirtualMemory+0x14ff: 8409730e 80a389020000fd and byte ptr [ebx+289h],0FDh 84097315 66ff8386000000 inc word ptr [ebx+86h] 8409731c 0fb78386000000 movzx eax,word ptr [ebx+86h] 84097323 6685c0 test ax,ax 84097326 750c jne nt!NtAllocateVirtualMemory+0x1525 (84097334) nt!NtAllocateVirtualMemory+0x1519: 84097328 83c340 add ebx,40h 8409732b 391b cmp dword ptr [ebx],ebx 8409732d 7405 je nt!NtAllocateVirtualMemory+0x1525 (84097334) nt!NtAllocateVirtualMemory+0x1520: 8409732f e8b6c5ddff call nt!KiCheckForKernelApcDelivery (83e738ea) nt!NtAllocateVirtualMemory+0x1525: 84097334 f645e001 test byte ptr [ebp-20h],1 84097338 740c je nt!NtAllocateVirtualMemory+0x1537 (84097346) nt!NtAllocateVirtualMemory+0x152b: 8409733a 8d8558ffffff lea eax,[ebp-0A8h] 84097340 50 push eax 84097341 e8fe89e4ff call nt!KeUnstackDetachProcess (83edfd44) nt!NtAllocateVirtualMemory+0x1537: 84097346 f70584f8f78300800000 test dword ptr [nt!KeTickCount+0x8404 (83f7f884)],8000h 84097350 7428 je nt!NtAllocateVirtualMemory+0x156b (8409737a) nt!NtAllocateVirtualMemory+0x1543: 84097352 f7451800300000 test dword ptr [ebp+18h],3000h 84097359 741f je nt!NtAllocateVirtualMemory+0x156b (8409737a) nt!NtAllocateVirtualMemory+0x154c: 8409735b 8b45b0 mov eax,dword ptr [ebp-50h] 8409735e f7d8 neg eax 84097360 1bc0 sbb eax,eax 84097362 2500e0ffff and eax,0FFFFE000h 84097367 0500200000 add eax,2000h 8409736c 0b4518 or eax,dword ptr [ebp+18h] 8409736f 50 push eax 84097370 57 push edi 84097371 56 push esi 84097372 8b45d8 mov eax,dword ptr [ebp-28h] 84097375 e8d13cecff call nt!EtwWriteString+0xa08 (83f5b04b) nt!NtAllocateVirtualMemory+0x156b: 8409737a 837d08ff cmp dword ptr [ebp+8],0FFFFFFFFh 8409737e 7407 je nt!NtAllocateVirtualMemory+0x1578 (84097387) nt!NtAllocateVirtualMemory+0x1571: 84097380 8bcf mov ecx,edi 84097382 e83cbbe1ff call nt!ObfDereferenceObject (83eb2ec3) nt!NtAllocateVirtualMemory+0x1578: 84097387 c745fc01000000 mov dword ptr [ebp-4],1 8409738e 8b4514 mov eax,dword ptr [ebp+14h] 84097391 8930 mov dword ptr [eax],esi nt!NtAllocateVirtualMemory+0x1584: 84097393 8b450c mov eax,dword ptr [ebp+0Ch] 84097396 8b4dd8 mov ecx,dword ptr [ebp-28h] 84097399 8908 mov dword ptr [eax],ecx 8409739b eb07 jmp nt!NtAllocateVirtualMemory+0x1595 (840973a4) nt!NtAllocateVirtualMemory+0x1595: 840973a4 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh 840973ab 33c0 xor eax,eax 840973ad eb4d jmp nt!NtAllocateVirtualMemory+0x15ed (840973fc) nt!NtAllocateVirtualMemory+0x15a0: 840973af c74510450000c0 mov dword ptr [ebp+10h],0C0000045h nt!NtAllocateVirtualMemory+0x15a7: 840973b6 f645e001 test byte ptr [ebp-20h],1 840973ba 740c je nt!NtAllocateVirtualMemory+0x15b9 (840973c8) nt!NtAllocateVirtualMemory+0x15ad: 840973bc 8d8558ffffff lea eax,[ebp-0A8h] 840973c2 50 push eax 840973c3 e87c89e4ff call nt!KeUnstackDetachProcess (83edfd44) nt!NtAllocateVirtualMemory+0x15b9: 840973c8 837d08ff cmp dword ptr [ebp+8],0FFFFFFFFh 840973cc 0f843ff9ffff je nt!NtAllocateVirtualMemory+0xf02 (84096d11) nt!NtAllocateVirtualMemory+0x15c3: 840973d2 8b4de4 mov ecx,dword ptr [ebp-1Ch] 840973d5 e8e9bae1ff call nt!ObfDereferenceObject (83eb2ec3) 840973da e932f9ffff jmp nt!NtAllocateVirtualMemory+0xf02 (84096d11) nt!NtAllocateVirtualMemory+0x15ed: 840973fc e84c31e2ff call nt!strchr+0x15d (83eba54d) 84097401 c21800 ret 18h 2016-4-24 19:35 0
kman 雪币： 155 活跃值： (20) 能力值： ( LV2，RANK：10 ) 在线值：发帖 13 回帖 338 粉丝 2 关注私信	kman 6 楼楼主在浪费论坛资源上有下功夫。。申请进程内存是个比较复杂的过程，比如关于vad管理，到内核内存管理，是大量函数配合完成的。 2016-4-24 23:28 0
姜世离雪币： 220 活跃值： (37) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 25 粉丝 0 关注私信	姜世离 7 楼你可以用MmAllocatePagesForMdl申请，然后用MmMapLockedPagesSpecifyCache映射到用户层给它 2016-4-25 08:26 0
天涯何处雪币： 44 活跃值： (186) 能力值： ( LV2，RANK：10 ) 在线值：发帖 39 回帖 335 粉丝 1 关注私信	天涯何处 8 楼、谢谢楼上好主意，先谢谢楼上两位热心大牛百忙之中来回小弟的贴 2016-4-25 09:54 0
天涯何处雪币： 44 活跃值： (186) 能力值： ( LV2，RANK：10 ) 在线值：发帖 39 回帖 335 粉丝 1 关注私信	天涯何处 9 楼内在倒是映射到用户进程空间了，可还有一个小问题，如何开放给R3代码读写呀，现在R3下的代码只读不能写，可否让这块内存读写都可以呀？大神再麻烦一下你啦。 2016-4-25 18:37 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

天涯何处

雪币： 44

活跃值： (186)

能力值：

( LV2，RANK：10 )

在线值：

发帖

39

回帖

335

粉丝

1

关注

私信

天涯何处: 2 楼

自己给自己顶一个先

2016-4-24 11:48

0

轩辕之风

雪币： 2291

活跃值： (933)

能力值：

( LV8，RANK：130 )

在线值：

发帖

34

回帖

322

粉丝

67

关注

私信

轩辕之风 1: 3 楼

ZwAllocateVirtualMemory
The ZwAllocateVirtualMemory routine reserves, commits, or both, a region of pages within the user-mode virtual address space of a specified process.

NTSTATUS
  ZwAllocateVirtualMemory(
__in HANDLE  ProcessHandle,
__inout PVOID  *BaseAddress,
__in ULONG_PTR  ZeroBits,
__inout PSIZE_T  RegionSize,
__in ULONG  AllocationType,
__in ULONG  Protect
);

2016-4-24 11:50

0

天涯何处

雪币： 44

活跃值： (186)

能力值：

( LV2，RANK：10 )

在线值：

发帖

39

回帖

335

粉丝

1

关注

私信

天涯何处: 4 楼

为什么我用这个函数总是 BaseAddress返回地址是0呀

2016-4-24 13:36

0

天涯何处

雪币： 44

活跃值： (186)

能力值：

( LV2，RANK：10 )

在线值：

发帖

39

回帖

335

粉丝

1

关注

私信

天涯何处: 5 楼

这个函数哪里是申请内存的CALL？？？大神过来指点一下呀
nt!NtAllocateVirtualMemory:
84095e0f 68c0000000    push 0C0h
84095e14 688891ea83    push offset nt!NtBuildGUID+0xf044 (83ea9188)
84095e19 e8ea46e2ff    call nt!strchr+0x118 (83eba508)
84095e1e 33f6          xor    esi,esi
84095e20 397510       cmp    dword ptr [ebp+10h],esi
84095e23 7410          je    nt!NtAllocateVirtualMemory+0x26 (84095e35)

nt!NtAllocateVirtualMemory+0x16:
84095e25 837d1015       cmp    dword ptr [ebp+10h],15h
84095e29 760a          jbe    nt!NtAllocateVirtualMemory+0x26 (84095e35)

nt!NtAllocateVirtualMemory+0x1c:
84095e2b b8f10000c0    mov    eax,0C00000F1h
84095e30 e9c7150000    jmp    nt!NtAllocateVirtualMemory+0x15ed (840973fc)

nt!NtAllocateVirtualMemory+0x26:
84095e35 8975e0       mov    dword ptr [ebp-20h],esi
84095e38 648b1d24010000  mov    ebx,dword ptr fs:[124h]
84095e3f 8b4350       mov    eax,dword ptr [ebx+50h]
84095e42 8945b8       mov    dword ptr [ebp-48h],eax
84095e45 8b4d18       mov    ecx,dword ptr [ebp+18h]
84095e48 8bc1          mov    eax,ecx
84095e4a 83e07f       and    eax,7Fh
84095e4d 8945dc       mov    dword ptr [ebp-24h],eax
84095e50 0fb7156829fb83  movzx edx,word ptr [nt!KeLoaderBlock+0x14 (83fb2968)]
84095e57 3bc2          cmp    eax,edx
84095e59 760a          jbe    nt!NtAllocateVirtualMemory+0x56 (84095e65)

nt!NtAllocateVirtualMemory+0x4c:
84095e5b b8f30000c0    mov    eax,0C00000F3h
84095e60 e997150000    jmp    nt!NtAllocateVirtualMemory+0x15ed (840973fc)

nt!NtAllocateVirtualMemory+0x56:
84095e65 83e180       and    ecx,0FFFFFF80h
84095e68 894d18       mov    dword ptr [ebp+18h],ecx
84095e6b f7c1ffcf07df test ecx,0DF07CFFFh
84095e71 75e8          jne    nt!NtAllocateVirtualMemory+0x4c (84095e5b)

nt!NtAllocateVirtualMemory+0x64:
84095e73 f7c100300800 test ecx,83000h
84095e79 74e0          je    nt!NtAllocateVirtualMemory+0x4c (84095e5b)

nt!NtAllocateVirtualMemory+0x6c:
84095e7b f7c10000e820 test ecx,20E80000h
84095e81 7429          je    nt!NtAllocateVirtualMemory+0x9d (84095eac)

nt!NtAllocateVirtualMemory+0x74:
84095e83 b800000800    mov    eax,80000h
84095e88 85c8          test eax,ecx
84095e8a 7404          je    nt!NtAllocateVirtualMemory+0x81 (84095e90)

nt!NtAllocateVirtualMemory+0x7d:
84095e8c 3bc8          cmp    ecx,eax
84095e8e 75cb          jne    nt!NtAllocateVirtualMemory+0x4c (84095e5b)

nt!NtAllocateVirtualMemory+0x81:
84095e90 f7c100000020 test ecx,20000000h
84095e96 0f8490000000 je    nt!NtAllocateVirtualMemory+0x11d (84095f2c)

nt!NtAllocateVirtualMemory+0x8d:
84095e9c f7c100100000 test ecx,1000h
84095ea2 74b7          je    nt!NtAllocateVirtualMemory+0x4c (84095e5b)

nt!NtAllocateVirtualMemory+0x95:
84095ea4 f7c10000e800 test ecx,0E80000h
84095eaa 75af          jne    nt!NtAllocateVirtualMemory+0x4c (84095e5b)

nt!NtAllocateVirtualMemory+0x9d:
84095eac ff751c       push dword ptr [ebp+1Ch]
84095eaf e85714dfff    call nt!KeCheckProcessorAffinityEx+0xc09 (83e8730b)
84095eb4 8945ac       mov    dword ptr [ebp-54h],eax
84095eb7 83f8ff       cmp    eax,0FFFFFFFFh
84095eba 0f848d000000 je    nt!NtAllocateVirtualMemory+0x13e (84095f4d)

nt!NtAllocateVirtualMemory+0xb1:
84095ec0 8a833a010000 mov    al,byte ptr [ebx+13Ah]
84095ec6 8845b4       mov    byte ptr [ebp-4Ch],al
84095ec9 8975fc       mov    dword ptr [ebp-4],esi
84095ecc 84c0          test al,al
84095ece 7425          je    nt!NtAllocateVirtualMemory+0xe6 (84095ef5)

nt!NtAllocateVirtualMemory+0xc1:
84095ed0 8b450c       mov    eax,dword ptr [ebp+0Ch]
84095ed3 8b0d1c27fb83 mov    ecx,dword ptr [nt!MmUserProbeAddress (83fb271c)]
84095ed9 3bc1          cmp    eax,ecx
84095edb 7202          jb    nt!NtAllocateVirtualMemory+0xd0 (84095edf)

nt!NtAllocateVirtualMemory+0xce:
84095edd 8bc1          mov    eax,ecx

nt!NtAllocateVirtualMemory+0xd0:
84095edf 8b08          mov    ecx,dword ptr [eax]
84095ee1 8908          mov    dword ptr [eax],ecx
84095ee3 8b4d14       mov    ecx,dword ptr [ebp+14h]
84095ee6 a11c27fb83    mov    eax,dword ptr [nt!MmUserProbeAddress (83fb271c)]
84095eeb 3bc8          cmp    ecx,eax
84095eed 7202          jb    nt!NtAllocateVirtualMemory+0xe2 (84095ef1)

nt!NtAllocateVirtualMemory+0xe0:
84095eef 8bc8          mov    ecx,eax

nt!NtAllocateVirtualMemory+0xe2:
84095ef1 8b01          mov    eax,dword ptr [ecx]
84095ef3 8901          mov    dword ptr [ecx],eax

nt!NtAllocateVirtualMemory+0xe6:
84095ef5 8b450c       mov    eax,dword ptr [ebp+0Ch]
84095ef8 8b30          mov    esi,dword ptr [eax]
84095efa 8975b0       mov    dword ptr [ebp-50h],esi
84095efd 8b4514       mov    eax,dword ptr [ebp+14h]
84095f00 8b38          mov    edi,dword ptr [eax]
84095f02 897dbc       mov    dword ptr [ebp-44h],edi
84095f05 c745fcfeffffff  mov    dword ptr [ebp-4],0FFFFFFFEh
84095f0c 897d88       mov    dword ptr [ebp-78h],edi
84095f0f a11427fb83    mov    eax,dword ptr [nt!MmHighestUserAddress (83fb2714)]
84095f14 8d880000ffff lea    ecx,[eax-10000h]
84095f1a 3bf1          cmp    esi,ecx
84095f1c 0f8692000000 jbe    nt!NtAllocateVirtualMemory+0x1a5 (84095fb4)

nt!NtAllocateVirtualMemory+0x113:
84095f22 b8f00000c0    mov    eax,0C00000F0h
84095f27 e9d0140000    jmp    nt!NtAllocateVirtualMemory+0x15ed (840973fc)

nt!NtAllocateVirtualMemory+0x11d:
84095f2c f7c100008000 test ecx,800000h
84095f32 7423          je    nt!NtAllocateVirtualMemory+0x148 (84095f57)

nt!NtAllocateVirtualMemory+0x125:
84095f34 f7c100006000 test ecx,600000h
84095f3a 0f851bffffff jne    nt!NtAllocateVirtualMemory+0x4c (84095e5b)

nt!NtAllocateVirtualMemory+0x131:
84095f40 f7451cf9f9ffff  test dword ptr [ebp+1Ch],0FFFFF9F9h
84095f47 0f845fffffff je    nt!NtAllocateVirtualMemory+0x9d (84095eac)

nt!NtAllocateVirtualMemory+0x13e:
84095f4d b8450000c0    mov    eax,0C0000045h
84095f52 e9a5140000    jmp    nt!NtAllocateVirtualMemory+0x15ed (840973fc)

nt!NtAllocateVirtualMemory+0x148:
84095f57 f7c100002000 test ecx,200000h
84095f5d 741d          je    nt!NtAllocateVirtualMemory+0x16d (84095f7c)

nt!NtAllocateVirtualMemory+0x150:
84095f5f f7c100004000 test ecx,400000h
84095f65 0f85f0feffff jne    nt!NtAllocateVirtualMemory+0x4c (84095e5b)

nt!NtAllocateVirtualMemory+0x15c:
84095f6b f7c100200000 test ecx,2000h
84095f71 0f8535ffffff jne    nt!NtAllocateVirtualMemory+0x9d (84095eac)

nt!NtAllocateVirtualMemory+0x168:
84095f77 e9dffeffff    jmp    nt!NtAllocateVirtualMemory+0x4c (84095e5b)

nt!NtAllocateVirtualMemory+0x16d:
84095f7c f7c100004000 test ecx,400000h
84095f82 0f8424ffffff je    nt!NtAllocateVirtualMemory+0x9d (84095eac)

nt!NtAllocateVirtualMemory+0x179:
84095f88 f7c100200000 test ecx,2000h
84095f8e 0f84c7feffff je    nt!NtAllocateVirtualMemory+0x4c (84095e5b)

nt!NtAllocateVirtualMemory+0x185:
84095f94 f7c1ffdfafff test ecx,0FFAFDFFFh
84095f9a 0f85bbfeffff jne    nt!NtAllocateVirtualMemory+0x4c (84095e5b)

nt!NtAllocateVirtualMemory+0x191:
84095fa0 837d1c04       cmp    dword ptr [ebp+1Ch],4
84095fa4 0f8402ffffff je    nt!NtAllocateVirtualMemory+0x9d (84095eac)

nt!NtAllocateVirtualMemory+0x19b:
84095faa b8f40000c0    mov    eax,0C00000F4h
84095faf e948140000    jmp    nt!NtAllocateVirtualMemory+0x15ed (840973fc)

nt!NtAllocateVirtualMemory+0x1a5:
84095fb4 2bc6          sub    eax,esi
84095fb6 2dffff0000    sub    eax,0FFFFh
84095fbb 3bc7          cmp    eax,edi
84095fbd 730a          jae    nt!NtAllocateVirtualMemory+0x1ba (84095fc9)

nt!NtAllocateVirtualMemory+0x1b0:
84095fbf b8f20000c0    mov    eax,0C00000F2h
84095fc4 e933140000    jmp    nt!NtAllocateVirtualMemory+0x15ed (840973fc)

nt!NtAllocateVirtualMemory+0x1ba:
84095fc9 85ff          test edi,edi
84095fcb 74f2          je    nt!NtAllocateVirtualMemory+0x1b0 (84095fbf)

nt!NtAllocateVirtualMemory+0x1be:
84095fcd 837d08ff       cmp    dword ptr [ebp+8],0FFFFFFFFh
84095fd1 7508          jne    nt!NtAllocateVirtualMemory+0x1cc (84095fdb)

nt!NtAllocateVirtualMemory+0x1c4:
84095fd3 8b45b8       mov    eax,dword ptr [ebp-48h]
84095fd6 8945e4       mov    dword ptr [ebp-1Ch],eax
84095fd9 eb27          jmp    nt!NtAllocateVirtualMemory+0x1f3 (84096002)

nt!NtAllocateVirtualMemory+0x1cc:
84095fdb 6a00          push 0
84095fdd 8d458c       lea    eax,[ebp-74h]
84095fe0 50             push eax
84095fe1 ff75b4       push dword ptr [ebp-4Ch]
84095fe4 ff352c20fb83 push dword ptr [nt!PsProcessType (83fb202c)]
84095fea 6a08          push 8
84095fec ff7508       push dword ptr [ebp+8]
84095fef e81181fdff    call nt!ObReferenceObjectByHandle (8406e105)
84095ff4 8b4d8c       mov    ecx,dword ptr [ebp-74h]
84095ff7 894de4       mov    dword ptr [ebp-1Ch],ecx
84095ffa 85c0          test eax,eax
84095ffc 0f8cfa130000 jl    nt!NtAllocateVirtualMemory+0x15ed (840973fc)

nt!NtAllocateVirtualMemory+0x1f3:
84096002 8b4518       mov    eax,dword ptr [ebp+18h]
84096005 2500000020    and    eax,20000000h
8409600a 8945d0       mov    dword ptr [ebp-30h],eax
8409600d 7424          je    nt!NtAllocateVirtualMemory+0x224 (84096033)

nt!NtAllocateVirtualMemory+0x200:
8409600f ff75b4       push dword ptr [ebp-4Ch]
84096012 ff3514361b84 push dword ptr [nt!SeSystemDefaultDacl+0x1c (841b3614)]
84096018 ff3510361b84 push dword ptr [nt!SeSystemDefaultDacl+0x18 (841b3610)]
8409601e e89b92ffff    call nt!SeSinglePrivilegeCheck (8408f2be)
84096023 84c0          test al,al
84096025 750c          jne    nt!NtAllocateVirtualMemory+0x224 (84096033)

nt!NtAllocateVirtualMemory+0x218:
84096027 c74510610000c0  mov    dword ptr [ebp+10h],0C0000061h
8409602e e983130000    jmp    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0x224:
84096033 8b45b8       mov    eax,dword ptr [ebp-48h]
84096036 3b45e4       cmp    eax,dword ptr [ebp-1Ch]
84096039 7416          je    nt!NtAllocateVirtualMemory+0x242 (84096051)

nt!NtAllocateVirtualMemory+0x22c:
8409603b 8d8558ffffff lea    eax,[ebp-0A8h]
84096041 50             push eax
84096042 ff75e4       push dword ptr [ebp-1Ch]
84096045 e8cd85e4ff    call nt!KeStackAttachProcess (83ede617)          ring0获取指定进程的PEB
8409604a c745e001000000  mov    dword ptr [ebp-20h],1

nt!NtAllocateVirtualMemory+0x242:
84096051 8365c000       and    dword ptr [ebp-40h],0
84096055 85f6          test esi,esi
84096057 0f84430d0000 je    nt!NtAllocateVirtualMemory+0xf91 (84096da0)

nt!NtAllocateVirtualMemory+0x24e:
8409605d f7451800200000  test dword ptr [ebp+18h],2000h
84096064 0f85360d0000 jne    nt!NtAllocateVirtualMemory+0xf91 (84096da0)

nt!NtAllocateVirtualMemory+0x25b:
8409606a 817d1800000800  cmp    dword ptr [ebp+18h],80000h
84096071 7528          jne    nt!NtAllocateVirtualMemory+0x28c (8409609b)

nt!NtAllocateVirtualMemory+0x264:
84096073 03fe          add    edi,esi
84096075 b900f0ffff    mov    ecx,0FFFFF000h
8409607a 23f9          and    edi,ecx
8409607c 4f             dec    edi
8409607d 897db4       mov    dword ptr [ebp-4Ch],edi
84096080 8d86ff0f0000 lea    eax,[esi+0FFFh]
84096086 23c1          and    eax,ecx
84096088 8945d8       mov    dword ptr [ebp-28h],eax
8409608b 3bc7          cmp    eax,edi
8409608d 7622          jbe    nt!NtAllocateVirtualMemory+0x2a2 (840960b1)

nt!NtAllocateVirtualMemory+0x280:
8409608f c74510180000c0  mov    dword ptr [ebp+10h],0C0000018h
84096096 e91b130000    jmp    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0x28c:
8409609b 8d7c37ff       lea    edi,[edi+esi-1]
8409609f 81cfff0f0000 or    edi,0FFFh
840960a5 897db4       mov    dword ptr [ebp-4Ch],edi
840960a8 81e600f0ffff and    esi,0FFFFF000h
840960ae 8975d8       mov    dword ptr [ebp-28h],esi

nt!NtAllocateVirtualMemory+0x2a2:
840960b1 8bc7          mov    eax,edi
840960b3 8b4dd8       mov    ecx,dword ptr [ebp-28h]
840960b6 2bc1          sub    eax,ecx
840960b8 40             inc    eax
840960b9 8945bc       mov    dword ptr [ebp-44h],eax
840960bc 894dd4       mov    dword ptr [ebp-2Ch],ecx
840960bf c16dd40c       shr    dword ptr [ebp-2Ch],0Ch
840960c3 897ddc       mov    dword ptr [ebp-24h],edi
840960c6 c16ddc0c       shr    dword ptr [ebp-24h],0Ch
840960ca c1e909       shr    ecx,9
840960cd bef8ff7f00    mov    esi,7FFFF8h
840960d2 23ce          and    ecx,esi
840960d4 ba00000040    mov    edx,40000000h
840960d9 2bca          sub    ecx,edx
840960db 8bc7          mov    eax,edi
840960dd c1e809       shr    eax,9
840960e0 23c6          and    eax,esi
840960e2 2bc2          sub    eax,edx
840960e4 2bc1          sub    eax,ecx
840960e6 c1f803       sar    eax,3
840960e9 40             inc    eax
840960ea 8945c0       mov    dword ptr [ebp-40h],eax
840960ed 8365c400       and    dword ptr [ebp-3Ch],0
840960f1 8b45e0       mov    eax,dword ptr [ebp-20h]
840960f4 d1e8          shr    eax,1
840960f6 83e001       and    eax,1
840960f9 8945cc       mov    dword ptr [ebp-34h],eax
840960fc 7530          jne    nt!NtAllocateVirtualMemory+0x31f (8409612e)

nt!NtAllocateVirtualMemory+0x2ef:
840960fe 66ff8b86000000  dec    word ptr [ebx+86h]
84096105 8b4de4       mov    ecx,dword ptr [ebp-1Ch]
84096108 81c100010000 add    ecx,100h
8409610e 894dd0       mov    dword ptr [ebp-30h],ecx
84096111 6a11          push 11h
84096113 5a             pop    edx
84096114 8bf1          mov    esi,ecx
84096116 33c0          xor    eax,eax
84096118 f00fb116       lock cmpxchg dword ptr [esi],edx
8409611c 85c0          test eax,eax
8409611e 7405          je    nt!NtAllocateVirtualMemory+0x316 (84096125)

nt!NtAllocateVirtualMemory+0x311:
84096120 e8aba8e5ff    call nt!ExfAcquirePushLockShared (83ef09d0)

nt!NtAllocateVirtualMemory+0x316:
84096125 808b8902000004  or    byte ptr [ebx+289h],4
8409612c eb28          jmp    nt!NtAllocateVirtualMemory+0x347 (84096156)

nt!NtAllocateVirtualMemory+0x31f:
8409612e 66ff8b86000000  dec    word ptr [ebx+86h]
84096135 8b4de4       mov    ecx,dword ptr [ebp-1Ch]
84096138 81c100010000 add    ecx,100h
8409613e 894dd0       mov    dword ptr [ebp-30h],ecx
84096141 8bc1          mov    eax,ecx
84096143 f00fba2800    lock bts dword ptr [eax],0
84096148 7305          jae    nt!NtAllocateVirtualMemory+0x340 (8409614f)

nt!NtAllocateVirtualMemory+0x33b:
8409614a e8e435e5ff    call nt!ExfAcquirePushLockExclusive (83ee9733)

nt!NtAllocateVirtualMemory+0x340:
8409614f 808b8902000002  or    byte ptr [ebx+289h],2

nt!NtAllocateVirtualMemory+0x347:
84096156 8b45e4       mov    eax,dword ptr [ebp-1Ch]
84096159 f6807002000020  test byte ptr [eax+270h],20h
84096160 740c          je    nt!NtAllocateVirtualMemory+0x35f (8409616e)

nt!NtAllocateVirtualMemory+0x353:
84096162 c745100a0100c0  mov    dword ptr [ebp+10h],0C000010Ah
84096169 e9d20b0000    jmp    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0x35f:
8409616e 8b45e4       mov    eax,dword ptr [ebp-1Ch]
84096171 0578020000    add    eax,278h
84096176 ff75dc       push dword ptr [ebp-24h]
84096179 ff75d4       push dword ptr [ebp-2Ch]
8409617c e8463de7ff    call nt!PsIsSystemProcess+0x93 (83f09ec7)
84096181 8bf0          mov    esi,eax
84096183 8975c8       mov    dword ptr [ebp-38h],esi
84096186 85f6          test esi,esi
84096188 0f84ab0b0000 je    nt!NtAllocateVirtualMemory+0xf2a (84096d39)

nt!NtAllocateVirtualMemory+0x37f:
8409618e 8b4e14       mov    ecx,dword ptr [esi+14h]
84096191 c1e914       shr    ecx,14h
84096194 83e107       and    ecx,7
84096197 894d10       mov    dword ptr [ebp+10h],ecx
8409619a 33c0          xor    eax,eax
8409619c 40             inc    eax
8409619d d3e0          shl    eax,cl
8409619f a855          test al,55h
840961a1 0f84920b0000 je    nt!NtAllocateVirtualMemory+0xf2a (84096d39)

nt!NtAllocateVirtualMemory+0x398:
840961a7 8b460c       mov    eax,dword ptr [esi+0Ch]
840961aa 89459c       mov    dword ptr [ebp-64h],eax
840961ad 3945d4       cmp    dword ptr [ebp-2Ch],eax
840961b0 0f82830b0000 jb    nt!NtAllocateVirtualMemory+0xf2a (84096d39)

nt!NtAllocateVirtualMemory+0x3a7:
840961b6 8b45dc       mov    eax,dword ptr [ebp-24h]
840961b9 3b4610       cmp    eax,dword ptr [esi+10h]
840961bc 0f87770b0000 ja    nt!NtAllocateVirtualMemory+0xf2a (84096d39)

nt!NtAllocateVirtualMemory+0x3b3:
840961c2 8b5614       mov    edx,dword ptr [esi+14h]
840961c5 b8ffff0700    mov    eax,7FFFFh
840961ca 23d0          and    edx,eax
840961cc 3bd0          cmp    edx,eax
840961ce 0f84650b0000 je    nt!NtAllocateVirtualMemory+0xf2a (84096d39)

nt!NtAllocateVirtualMemory+0x3c5:
840961d4 83f906       cmp    ecx,6
840961d7 7542          jne    nt!NtAllocateVirtualMemory+0x40c (8409621b)

nt!NtAllocateVirtualMemory+0x3ca:
840961d9 81651cfff9ffff  and    dword ptr [ebp+1Ch],0FFFFF9FFh
840961e0 8b4e14       mov    ecx,dword ptr [esi+14h]
840961e3 8bc1          mov    eax,ecx
840961e5 c1e81b       shr    eax,1Bh
840961e8 83e003       and    eax,3
840961eb 83f803       cmp    eax,3
840961ee 7511          jne    nt!NtAllocateVirtualMemory+0x3f2 (84096201)

nt!NtAllocateVirtualMemory+0x3e1:
840961f0 f7c100000007 test ecx,7000000h
840961f6 7409          je    nt!NtAllocateVirtualMemory+0x3f2 (84096201)

nt!NtAllocateVirtualMemory+0x3e9:
840961f8 814d1c00040000  or    dword ptr [ebp+1Ch],400h
840961ff eb0c          jmp    nt!NtAllocateVirtualMemory+0x3fe (8409620d)

nt!NtAllocateVirtualMemory+0x3f2:
84096201 83f801       cmp    eax,1
84096204 7507          jne    nt!NtAllocateVirtualMemory+0x3fe (8409620d)

nt!NtAllocateVirtualMemory+0x3f7:
84096206 814d1c00020000  or    dword ptr [ebp+1Ch],200h

nt!NtAllocateVirtualMemory+0x3fe:
8409620d ff751c       push dword ptr [ebp+1Ch]
84096210 e8f610dfff    call nt!KeCheckProcessorAffinityEx+0xc09 (83e8730b)
84096215 8945ac       mov    dword ptr [ebp-54h],eax
84096218 8b4d10       mov    ecx,dword ptr [ebp+10h]

nt!NtAllocateVirtualMemory+0x40c:
8409621b b800000800    mov    eax,80000h
84096220 394518       cmp    dword ptr [ebp+18h],eax
84096223 0f8581000000 jne    nt!NtAllocateVirtualMemory+0x49b (840962aa)

nt!NtAllocateVirtualMemory+0x41a:
84096229 ff75e4       push dword ptr [ebp-1Ch]
8409622c 56             push esi
8409622d 8bc7          mov    eax,edi
8409622f 8b4dd8       mov    ecx,dword ptr [ebp-28h]
84096232 e8a9040d00    call nt!IoUnregisterShutdownNotification+0xc10 (841666e0)
84096237 894510       mov    dword ptr [ebp+10h],eax
8409623a 8b4dd0       mov    ecx,dword ptr [ebp-30h]
8409623d 837dcc00       cmp    dword ptr [ebp-34h],0
84096241 751e          jne    nt!NtAllocateVirtualMemory+0x452 (84096261)

nt!NtAllocateVirtualMemory+0x434:
84096243 33d2          xor    edx,edx
84096245 8bf1          mov    esi,ecx
84096247 6a11          push 11h
84096249 58             pop    eax
8409624a f00fb116       lock cmpxchg dword ptr [esi],edx
8409624e 83f811       cmp    eax,11h
84096251 7405          je    nt!NtAllocateVirtualMemory+0x449 (84096258)

nt!NtAllocateVirtualMemory+0x444:
84096253 e84002e5ff    call nt!ExfReleasePushLockShared (83ee6498)

nt!NtAllocateVirtualMemory+0x449:
84096258 80a389020000fb  and    byte ptr [ebx+289h],0FBh
8409625f eb1d          jmp    nt!NtAllocateVirtualMemory+0x46f (8409627e)

nt!NtAllocateVirtualMemory+0x452:
84096261 83c8ff       or    eax,0FFFFFFFFh
84096264 8bd1          mov    edx,ecx
84096266 f00fc102       lock xadd dword ptr [edx],eax
8409626a a802          test al,2
8409626c 7409          je    nt!NtAllocateVirtualMemory+0x468 (84096277)

nt!NtAllocateVirtualMemory+0x45f:
8409626e a804          test al,4
84096270 7505          jne    nt!NtAllocateVirtualMemory+0x468 (84096277)

nt!NtAllocateVirtualMemory+0x463:
84096272 e89849e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0x468:
84096277 80a389020000fd  and    byte ptr [ebx+289h],0FDh

nt!NtAllocateVirtualMemory+0x46f:
8409627e 66ff8386000000  inc    word ptr [ebx+86h]
84096285 0fb78386000000  movzx eax,word ptr [ebx+86h]
8409628c 6685c0       test ax,ax
8409628f 0f85180a0000 jne    nt!NtAllocateVirtualMemory+0xe9e (84096cad)

nt!NtAllocateVirtualMemory+0x486:
84096295 83c340       add    ebx,40h
84096298 391b          cmp    dword ptr [ebx],ebx
8409629a 0f840d0a0000 je    nt!NtAllocateVirtualMemory+0xe9e (84096cad)

nt!NtAllocateVirtualMemory+0x491:
840962a0 e845d6ddff    call nt!KiCheckForKernelApcDelivery (83e738ea)
840962a5 e9030a0000    jmp    nt!NtAllocateVirtualMemory+0xe9e (84096cad)

nt!NtAllocateVirtualMemory+0x49b:
840962aa 8b5614       mov    edx,dword ptr [esi+14h]
840962ad 85d2          test edx,edx
840962af 0f886e080000 js    nt!NtAllocateVirtualMemory+0xd14 (84096b23)

nt!NtAllocateVirtualMemory+0x4a6:
840962b5 f7451c00060000  test dword ptr [ebp+1Ch],600h
840962bc 740c          je    nt!NtAllocateVirtualMemory+0x4bb (840962ca)

nt!NtAllocateVirtualMemory+0x4af:
840962be c74510450000c0  mov    dword ptr [ebp+10h],0C0000045h
840962c5 e9760a0000    jmp    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0x4bb:
840962ca 85d0          test eax,edx
840962cc 741f          je    nt!NtAllocateVirtualMemory+0x4de (840962ed)

nt!NtAllocateVirtualMemory+0x4bf:
840962ce ff75ac       push dword ptr [ebp-54h]
840962d1 8b55bc       mov    edx,dword ptr [ebp-44h]
840962d4 8b75b0       mov    esi,dword ptr [ebp-50h]
840962d7 8b4dc8       mov    ecx,dword ptr [ebp-38h]
840962da e8c2780200    call nt!PsLookupThreadByThreadId+0x1cb4 (840bdba1)
840962df 894510       mov    dword ptr [ebp+10h],eax
840962e2 85c0          test eax,eax
840962e4 0f8c560a0000 jl    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0x4db:
840962ea 8b75c8       mov    esi,dword ptr [ebp-38h]

nt!NtAllocateVirtualMemory+0x4de:
840962ed 8b4624       mov    eax,dword ptr [esi+24h]
840962f0 8b00          mov    eax,dword ptr [eax]
840962f2 8945b8       mov    dword ptr [ebp-48h],eax
840962f5 83782400       cmp    dword ptr [eax+24h],0
840962f9 0f847a020000 je    nt!NtAllocateVirtualMemory+0x76a (84096579)

nt!NtAllocateVirtualMemory+0x4f0:
840962ff 8b7620       mov    esi,dword ptr [esi+20h]
84096302 f7c600000020 test esi,20000000h
84096308 750c          jne    nt!NtAllocateVirtualMemory+0x507 (84096316)

nt!NtAllocateVirtualMemory+0x4fb:
8409630a c74510210000c0  mov    dword ptr [ebp+10h],0C0000021h
84096311 e92a0a0000    jmp    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0x507:
84096316 8b4d9c       mov    ecx,dword ptr [ebp-64h]
84096319 c1e10c       shl    ecx,0Ch
8409631c 8bc7          mov    eax,edi
8409631e 2bc1          sub    eax,ecx
84096320 40             inc    eax
84096321 99             cdq
84096322 8bc8          mov    ecx,eax
84096324 8bfa          mov    edi,edx
84096326 8bc6          mov    eax,esi
84096328 25ffffff00    and    eax,0FFFFFFh
8409632d ba00000100    mov    edx,10000h
84096332 f7e2          mul    eax,edx
84096334 03c8          add    ecx,eax
84096336 13fa          adc    edi,edx
84096338 898d74ffffff mov    dword ptr [ebp-8Ch],ecx
8409633e 89bd78ffffff mov    dword ptr [ebp-88h],edi
84096344 8b75b8       mov    esi,dword ptr [ebp-48h]
84096347 56             push esi
84096348 e84fe0e7ff    call nt!CcGetFileObjectFromSectionPtrsRef+0x2e2 (83f1439c)
8409634d 85c0          test eax,eax
8409634f 750c          jne    nt!NtAllocateVirtualMemory+0x54e (8409635d)

nt!NtAllocateVirtualMemory+0x542:
84096351 c745109a0000c0  mov    dword ptr [ebp+10h],0C000009Ah
84096358 e9e3090000    jmp    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0x54e:
8409635d 8b4dd0       mov    ecx,dword ptr [ebp-30h]
84096360 837dcc00       cmp    dword ptr [ebp-34h],0
84096364 751e          jne    nt!NtAllocateVirtualMemory+0x575 (84096384)

nt!NtAllocateVirtualMemory+0x557:
84096366 33d2          xor    edx,edx
84096368 8bf9          mov    edi,ecx
8409636a 6a11          push 11h
8409636c 58             pop    eax
8409636d f00fb117       lock cmpxchg dword ptr [edi],edx
84096371 83f811       cmp    eax,11h
84096374 7405          je    nt!NtAllocateVirtualMemory+0x56c (8409637b)

nt!NtAllocateVirtualMemory+0x567:
84096376 e81d01e5ff    call nt!ExfReleasePushLockShared (83ee6498)

nt!NtAllocateVirtualMemory+0x56c:
8409637b 80a389020000fb  and    byte ptr [ebx+289h],0FBh
84096382 eb1d          jmp    nt!NtAllocateVirtualMemory+0x592 (840963a1)

nt!NtAllocateVirtualMemory+0x575:
84096384 83c8ff       or    eax,0FFFFFFFFh
84096387 8bd1          mov    edx,ecx
84096389 f00fc102       lock xadd dword ptr [edx],eax
8409638d a802          test al,2
8409638f 7409          je    nt!NtAllocateVirtualMemory+0x58b (8409639a)

nt!NtAllocateVirtualMemory+0x582:
84096391 a804          test al,4
84096393 7505          jne    nt!NtAllocateVirtualMemory+0x58b (8409639a)

nt!NtAllocateVirtualMemory+0x586:
84096395 e87548e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0x58b:
8409639a 80a389020000fd  and    byte ptr [ebx+289h],0FDh

nt!NtAllocateVirtualMemory+0x592:
840963a1 66ff8386000000  inc    word ptr [ebx+86h]
840963a8 0fb78386000000  movzx eax,word ptr [ebx+86h]
840963af 6685c0       test ax,ax
840963b2 750c          jne    nt!NtAllocateVirtualMemory+0x5b1 (840963c0)

nt!NtAllocateVirtualMemory+0x5a5:
840963b4 8d4340       lea    eax,[ebx+40h]
840963b7 3900          cmp    dword ptr [eax],eax
840963b9 7405          je    nt!NtAllocateVirtualMemory+0x5b1 (840963c0)

nt!NtAllocateVirtualMemory+0x5ac:
840963bb e82ad5ddff    call nt!KiCheckForKernelApcDelivery (83e738ea)

nt!NtAllocateVirtualMemory+0x5b1:
840963c0 6a0a          push 0Ah
840963c2 59             pop    ecx
840963c3 33c0          xor    eax,eax
840963c5 8dbd30ffffff lea    edi,[ebp-0D0h]
840963cb f3ab          rep stos dword ptr es:[edi]
840963cd 8b06          mov    eax,dword ptr [esi]
840963cf 898544ffffff mov    dword ptr [ebp-0BCh],eax
840963d5 8b461c       mov    eax,dword ptr [esi+1Ch]
840963d8 898550ffffff mov    dword ptr [ebp-0B0h],eax
840963de 8b8554ffffff mov    eax,dword ptr [ebp-0ACh]
840963e4 2504f0ffff    and    eax,0FFFFF004h
840963e9 83c804       or    eax,4
840963ec 898554ffffff mov    dword ptr [ebp-0ACh],eax
840963f2 6a00          push 0
840963f4 8d8574ffffff lea    eax,[ebp-8Ch]
840963fa 50             push eax
840963fb 8d8530ffffff lea    eax,[ebp-0D0h]
84096401 50             push eax
84096402 e805f5fcff    call nt!ObCheckCreateObjectAccess+0x34e (8406590c)
84096407 894510       mov    dword ptr [ebp+10h],eax
8409640a 85c0          test eax,eax
8409640c 0f8c5c010000 jl    nt!NtAllocateVirtualMemory+0x75f (8409656e)

nt!NtAllocateVirtualMemory+0x603:
84096412 66ff8b86000000  dec    word ptr [ebx+86h]
84096419 8b7de4       mov    edi,dword ptr [ebp-1Ch]
8409641c 8d8f00010000 lea    ecx,[edi+100h]
84096422 837dcc00       cmp    dword ptr [ebp-34h],0
84096426 7520          jne    nt!NtAllocateVirtualMemory+0x639 (84096448)

nt!NtAllocateVirtualMemory+0x619:
84096428 6a11          push 11h
8409642a 5a             pop    edx
8409642b 8bf1          mov    esi,ecx
8409642d 33c0          xor    eax,eax
8409642f f00fb116       lock cmpxchg dword ptr [esi],edx
84096433 85c0          test eax,eax
84096435 7405          je    nt!NtAllocateVirtualMemory+0x62d (8409643c)

nt!NtAllocateVirtualMemory+0x628:
84096437 e894a5e5ff    call nt!ExfAcquirePushLockShared (83ef09d0)

nt!NtAllocateVirtualMemory+0x62d:
8409643c 808b8902000004  or    byte ptr [ebx+289h],4
84096443 8b75b8       mov    esi,dword ptr [ebp-48h]
84096446 eb15          jmp    nt!NtAllocateVirtualMemory+0x64e (8409645d)

nt!NtAllocateVirtualMemory+0x639:
84096448 8bc1          mov    eax,ecx
8409644a f00fba2800    lock bts dword ptr [eax],0
8409644f 7305          jae    nt!NtAllocateVirtualMemory+0x647 (84096456)

nt!NtAllocateVirtualMemory+0x642:
84096451 e8dd32e5ff    call nt!ExfAcquirePushLockExclusive (83ee9733)

nt!NtAllocateVirtualMemory+0x647:
84096456 808b8902000002  or    byte ptr [ebx+289h],2

nt!NtAllocateVirtualMemory+0x64e:
8409645d 56             push esi
8409645e e8891bddff    call nt!FsRtlOplockKeysEqual+0x3ff (83e67fec)
84096463 f6877002000020  test byte ptr [edi+270h],20h
8409646a 0f85d0080000 jne    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0x661:
84096470 ff75dc       push dword ptr [ebp-24h]
84096473 ff75d4       push dword ptr [ebp-2Ch]
84096476 8b45e4       mov    eax,dword ptr [ebp-1Ch]
84096479 0578020000    add    eax,278h
8409647e e8443ae7ff    call nt!PsIsSystemProcess+0x93 (83f09ec7)
84096483 8bf8          mov    edi,eax
84096485 85ff          test edi,edi
84096487 0f84b3080000 je    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0x67e:
8409648d 8b4f14       mov    ecx,dword ptr [edi+14h]
84096490 8bd1          mov    edx,ecx
84096492 b800000080    mov    eax,80000000h
84096497 23d0          and    edx,eax
84096499 3bd0          cmp    edx,eax
8409649b 0f849f080000 je    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0x692:
840964a1 8b4724       mov    eax,dword ptr [edi+24h]
840964a4 3b30          cmp    esi,dword ptr [eax]
840964a6 0f8594080000 jne    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0x69d:
840964ac 8bd1          mov    edx,ecx
840964ae b8ffff0700    mov    eax,7FFFFh
840964b3 23d0          and    edx,eax
840964b5 3bd0          cmp    edx,eax
840964b7 0f8483080000 je    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0x6ae:
840964bd 8b45d4       mov    eax,dword ptr [ebp-2Ch]
840964c0 3b470c       cmp    eax,dword ptr [edi+0Ch]
840964c3 0f8277080000 jb    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0x6ba:
840964c9 8b45dc       mov    eax,dword ptr [ebp-24h]
840964cc 3b4710       cmp    eax,dword ptr [edi+10h]
840964cf 0f876b080000 ja    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0x6c6:
840964d5 f7c100000800 test ecx,80000h
840964db 7418          je    nt!NtAllocateVirtualMemory+0x6e6 (840964f5)

nt!NtAllocateVirtualMemory+0x6ce:
840964dd ff75ac       push dword ptr [ebp-54h]
840964e0 8b55bc       mov    edx,dword ptr [ebp-44h]
840964e3 8b75b0       mov    esi,dword ptr [ebp-50h]
840964e6 8bcf          mov    ecx,edi
840964e8 e8b4760200    call nt!PsLookupThreadByThreadId+0x1cb4 (840bdba1)
840964ed 85c0          test eax,eax
840964ef 0f8c4b080000 jl    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0x6e6:
840964f5 f7472000000020  test dword ptr [edi+20h],20000000h
840964fc 0f843e080000 je    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0x6f3:
84096502 837dcc00       cmp    dword ptr [ebp-34h],0
84096506 7511          jne    nt!NtAllocateVirtualMemory+0x70a (84096519)

nt!NtAllocateVirtualMemory+0x6f9:
84096508 8d4f18       lea    ecx,[edi+18h]
8409650b 8bc1          mov    eax,ecx
8409650d f00fba2800    lock bts dword ptr [eax],0
84096512 7305          jae    nt!NtAllocateVirtualMemory+0x70a (84096519)

nt!NtAllocateVirtualMemory+0x705:
84096514 e81a32e5ff    call nt!ExfAcquirePushLockExclusive (83ee9733)

nt!NtAllocateVirtualMemory+0x70a:
84096519 8d857cffffff lea    eax,[ebp-84h]
8409651f 50             push eax
84096520 6a01          push 1
84096522 8d4594       lea    eax,[ebp-6Ch]
84096525 50             push eax
84096526 ff751c       push dword ptr [ebp+1Ch]
84096529 ff75b4       push dword ptr [ebp-4Ch]
8409652c 57             push edi
8409652d 8b75e4       mov    esi,dword ptr [ebp-1Ch]
84096530 56             push esi
84096531 8b4dd8       mov    ecx,dword ptr [ebp-28h]
84096534 e82dece5ff    call nt!IoSetThreadHardErrorMode+0x6e8 (83ef5166)
84096539 83c8ff       or    eax,0FFFFFFFFh
8409653c 837dcc00       cmp    dword ptr [ebp-34h],0
84096540 7521          jne    nt!NtAllocateVirtualMemory+0x754 (84096563)

nt!NtAllocateVirtualMemory+0x733:
84096542 8d4f18       lea    ecx,[edi+18h]
84096545 8bd1          mov    edx,ecx
84096547 f00fc102       lock xadd dword ptr [edx],eax
8409654b a802          test al,2
8409654d 7409          je    nt!NtAllocateVirtualMemory+0x749 (84096558)

nt!NtAllocateVirtualMemory+0x740:
8409654f a804          test al,4
84096551 7505          jne    nt!NtAllocateVirtualMemory+0x749 (84096558)

nt!NtAllocateVirtualMemory+0x744:
84096553 e8b746e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0x749:
84096558 8d8e00010000 lea    ecx,[esi+100h]
8409655e e9ec070000    jmp    nt!NtAllocateVirtualMemory+0xf40 (84096d4f)

nt!NtAllocateVirtualMemory+0x754:
84096563 8d8e00010000 lea    ecx,[esi+100h]
84096569 e916080000    jmp    nt!NtAllocateVirtualMemory+0xf75 (84096d84)

nt!NtAllocateVirtualMemory+0x75f:
8409656e 56             push esi
8409656f e8781addff    call nt!FsRtlOplockKeysEqual+0x3ff (83e67fec)
84096574 e93d0e0000    jmp    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0x76a:
84096579 ff75d4       push dword ptr [ebp-2Ch]
8409657c 8b4dc8       mov    ecx,dword ptr [ebp-38h]
8409657f e801e0e6ff    call nt!SeTokenIsRestricted+0x51 (83f04585)
84096584 8bf0          mov    esi,eax
84096586 8975c0       mov    dword ptr [ebp-40h],esi
84096589 ff75dc       push dword ptr [ebp-24h]
8409658c 8b4dc8       mov    ecx,dword ptr [ebp-38h]
8409658f e8f1dfe6ff    call nt!SeTokenIsRestricted+0x51 (83f04585)
84096594 8945dc       mov    dword ptr [ebp-24h],eax
84096597 8975d4       mov    dword ptr [ebp-2Ch],esi
8409659a 8bf8          mov    edi,eax
8409659c 2bfe          sub    edi,esi
8409659e 83c708       add    edi,8
840965a1 c1ff03       sar    edi,3
840965a4 8b45ac       mov    eax,dword ptr [ebp-54h]
840965a7 83e005       and    eax,5
840965aa 3c05          cmp    al,5
840965ac 0f85cc010000 jne    nt!NtAllocateVirtualMemory+0x96f (8409677e)

nt!NtAllocateVirtualMemory+0x7a3:
840965b2 897dc4       mov    dword ptr [ebp-3Ch],edi
840965b5 57             push edi
840965b6 8b45e4       mov    eax,dword ptr [ebp-1Ch]
840965b9 e844dc0200    call nt!NtConnectPort+0x196e (840c4202)
840965be 894510       mov    dword ptr [ebp+10h],eax
840965c1 33f6          xor    esi,esi
840965c3 3bc6          cmp    eax,esi
840965c5 7d6f          jge    nt!NtAllocateVirtualMemory+0x827 (84096636)

nt!NtAllocateVirtualMemory+0x7b8:
840965c7 8b4dd0       mov    ecx,dword ptr [ebp-30h]
840965ca 3975cc       cmp    dword ptr [ebp-34h],esi
840965cd 751e          jne    nt!NtAllocateVirtualMemory+0x7de (840965ed)

nt!NtAllocateVirtualMemory+0x7c0:
840965cf 33d2          xor    edx,edx
840965d1 8bf9          mov    edi,ecx
840965d3 6a11          push 11h
840965d5 58             pop    eax
840965d6 f00fb117       lock cmpxchg dword ptr [edi],edx
840965da 83f811       cmp    eax,11h
840965dd 7405          je    nt!NtAllocateVirtualMemory+0x7d5 (840965e4)

nt!NtAllocateVirtualMemory+0x7d0:
840965df e8b4fee4ff    call nt!ExfReleasePushLockShared (83ee6498)

nt!NtAllocateVirtualMemory+0x7d5:
840965e4 80a389020000fb  and    byte ptr [ebx+289h],0FBh
840965eb eb1d          jmp    nt!NtAllocateVirtualMemory+0x7fb (8409660a)

nt!NtAllocateVirtualMemory+0x7de:
840965ed 83c8ff       or    eax,0FFFFFFFFh
840965f0 8bd1          mov    edx,ecx
840965f2 f00fc102       lock xadd dword ptr [edx],eax
840965f6 a802          test al,2
840965f8 7409          je    nt!NtAllocateVirtualMemory+0x7f4 (84096603)

nt!NtAllocateVirtualMemory+0x7eb:
840965fa a804          test al,4
840965fc 7505          jne    nt!NtAllocateVirtualMemory+0x7f4 (84096603)

nt!NtAllocateVirtualMemory+0x7ef:
840965fe e80c46e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0x7f4:
84096603 80a389020000fd  and    byte ptr [ebx+289h],0FDh

nt!NtAllocateVirtualMemory+0x7fb:
8409660a 66ff8386000000  inc    word ptr [ebx+86h]
84096611 0fb78386000000  movzx eax,word ptr [ebx+86h]
84096618 663bc6       cmp    ax,si

nt!NtAllocateVirtualMemory+0x80c:
8409661b 0f85950d0000 jne    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0x812:
84096621 8d4340       lea    eax,[ebx+40h]
84096624 3900          cmp    dword ptr [eax],eax
84096626 0f848a0d0000 je    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0x81d:
8409662c e8b9d2ddff    call nt!KiCheckForKernelApcDelivery (83e738ea)
84096631 e9800d0000    jmp    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0x827:
84096636 57             push edi
84096637 8b55e4       mov    edx,dword ptr [ebp-1Ch]
8409663a e88f10e7ff    call nt!EtwProviderEnabled+0xd72 (83f076ce)
8409663f 85c0          test eax,eax
84096641 0f8588000000 jne    nt!NtAllocateVirtualMemory+0x8c0 (840966cf)

nt!NtAllocateVirtualMemory+0x838:
84096647 8b4dd0       mov    ecx,dword ptr [ebp-30h]
8409664a 3975cc       cmp    dword ptr [ebp-34h],esi
8409664d 752f          jne    nt!NtAllocateVirtualMemory+0x86f (8409667e)

nt!NtAllocateVirtualMemory+0x840:
8409664f 33d2          xor    edx,edx
84096651 8bf1          mov    esi,ecx
84096653 6a11          push 11h
84096655 58             pop    eax
84096656 f00fb116       lock cmpxchg dword ptr [esi],edx
8409665a 83f811       cmp    eax,11h
8409665d 7405          je    nt!NtAllocateVirtualMemory+0x855 (84096664)

nt!NtAllocateVirtualMemory+0x850:
8409665f e834fee4ff    call nt!ExfReleasePushLockShared (83ee6498)

nt!NtAllocateVirtualMemory+0x855:
84096664 80a389020000fb  and    byte ptr [ebx+289h],0FBh
8409666b 66ff8386000000  inc    word ptr [ebx+86h]
84096672 0fb78386000000  movzx eax,word ptr [ebx+86h]
84096679 6685c0       test ax,ax
8409667c eb2e          jmp    nt!NtAllocateVirtualMemory+0x89d (840966ac)

nt!NtAllocateVirtualMemory+0x86f:
8409667e 83c8ff       or    eax,0FFFFFFFFh
84096681 8bd1          mov    edx,ecx
84096683 f00fc102       lock xadd dword ptr [edx],eax
84096687 a802          test al,2
84096689 7409          je    nt!NtAllocateVirtualMemory+0x885 (84096694)

nt!NtAllocateVirtualMemory+0x87c:
8409668b a804          test al,4
8409668d 7505          jne    nt!NtAllocateVirtualMemory+0x885 (84096694)

nt!NtAllocateVirtualMemory+0x880:
8409668f e87b45e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0x885:
84096694 80a389020000fd  and    byte ptr [ebx+289h],0FDh
8409669b 66ff8386000000  inc    word ptr [ebx+86h]
840966a2 0fb78386000000  movzx eax,word ptr [ebx+86h]
840966a9 663bc6       cmp    ax,si

nt!NtAllocateVirtualMemory+0x89d:
840966ac 750c          jne    nt!NtAllocateVirtualMemory+0x8ab (840966ba)

nt!NtAllocateVirtualMemory+0x89f:
840966ae 83c340       add    ebx,40h
840966b1 391b          cmp    dword ptr [ebx],ebx
840966b3 7405          je    nt!NtAllocateVirtualMemory+0x8ab (840966ba)

nt!NtAllocateVirtualMemory+0x8a6:
840966b5 e830d2ddff    call nt!KiCheckForKernelApcDelivery (83e738ea)

nt!NtAllocateVirtualMemory+0x8ab:
840966ba 8b45e4       mov    eax,dword ptr [ebp-1Ch]

nt!NtAllocateVirtualMemory+0x8ae:
840966bd 57             push edi

nt!NtAllocateVirtualMemory+0x8af:
840966be e809540200    call nt!SeQueryAuthenticationIdToken+0xe31 (840bbacc)

nt!NtAllocateVirtualMemory+0x8b4:
840966c3 c745102d0100c0  mov    dword ptr [ebp+10h],0C000012Dh
840966ca e9e70c0000    jmp    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0x8c0:
840966cf 8b45e4       mov    eax,dword ptr [ebp-1Ch]
840966d2 f6806c02000010  test byte ptr [eax+26Ch],10h
840966d9 0f849f000000 je    nt!NtAllocateVirtualMemory+0x96f (8409677e)

nt!NtAllocateVirtualMemory+0x8d0:
840966df 57             push edi
840966e0 6a10          push 10h
840966e2 e866480300    call nt!ObGetObjectSecurity+0xa54 (840caf4d)
840966e7 84c0          test al,al
840966e9 0f858b000000 jne    nt!NtAllocateVirtualMemory+0x96b (8409677a)

nt!NtAllocateVirtualMemory+0x8e0:
840966ef 8b4dd0       mov    ecx,dword ptr [ebp-30h]
840966f2 3975cc       cmp    dword ptr [ebp-34h],esi
840966f5 752f          jne    nt!NtAllocateVirtualMemory+0x917 (84096726)

nt!NtAllocateVirtualMemory+0x8e8:
840966f7 33d2          xor    edx,edx
840966f9 8bf1          mov    esi,ecx
840966fb 6a11          push 11h
840966fd 58             pop    eax
840966fe f00fb116       lock cmpxchg dword ptr [esi],edx
84096702 83f811       cmp    eax,11h
84096705 7405          je    nt!NtAllocateVirtualMemory+0x8fd (8409670c)

nt!NtAllocateVirtualMemory+0x8f8:
84096707 e88cfde4ff    call nt!ExfReleasePushLockShared (83ee6498)

nt!NtAllocateVirtualMemory+0x8fd:
8409670c 80a389020000fb  and    byte ptr [ebx+289h],0FBh
84096713 66ff8386000000  inc    word ptr [ebx+86h]
8409671a 0fb78386000000  movzx eax,word ptr [ebx+86h]
84096721 6685c0       test ax,ax
84096724 eb2e          jmp    nt!NtAllocateVirtualMemory+0x945 (84096754)

nt!NtAllocateVirtualMemory+0x917:
84096726 83c8ff       or    eax,0FFFFFFFFh
84096729 8bd1          mov    edx,ecx
8409672b f00fc102       lock xadd dword ptr [edx],eax
8409672f a802          test al,2
84096731 7409          je    nt!NtAllocateVirtualMemory+0x92d (8409673c)

nt!NtAllocateVirtualMemory+0x924:
84096733 a804          test al,4
84096735 7505          jne    nt!NtAllocateVirtualMemory+0x92d (8409673c)

nt!NtAllocateVirtualMemory+0x928:
84096737 e8d344e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0x92d:
8409673c 80a389020000fd  and    byte ptr [ebx+289h],0FDh
84096743 66ff8386000000  inc    word ptr [ebx+86h]
8409674a 0fb78386000000  movzx eax,word ptr [ebx+86h]
84096751 663bc6       cmp    ax,si

nt!NtAllocateVirtualMemory+0x945:
84096754 750c          jne    nt!NtAllocateVirtualMemory+0x953 (84096762)

nt!NtAllocateVirtualMemory+0x947:
84096756 83c340       add    ebx,40h
84096759 391b          cmp    dword ptr [ebx],ebx
8409675b 7405          je    nt!NtAllocateVirtualMemory+0x953 (84096762)

nt!NtAllocateVirtualMemory+0x94e:
8409675d e888d1ddff    call nt!KiCheckForKernelApcDelivery (83e738ea)

nt!NtAllocateVirtualMemory+0x953:
84096762 8bc7          mov    eax,edi
84096764 f7d8          neg    eax
84096766 8bc8          mov    ecx,eax
84096768 8b45e4       mov    eax,dword ptr [ebp-1Ch]
8409676b 8d90d0000000 lea    edx,[eax+0D0h]
84096771 f00fc10a       lock xadd dword ptr [edx],ecx
84096775 e943ffffff    jmp    nt!NtAllocateVirtualMemory+0x8ae (840966bd)

nt!NtAllocateVirtualMemory+0x96b:
8409677a 834de008       or    dword ptr [ebp-20h],8

nt!NtAllocateVirtualMemory+0x96f:
8409677e 8b45b8       mov    eax,dword ptr [ebp-48h]
84096781 8b30          mov    esi,dword ptr [eax]
84096783 8b45c4       mov    eax,dword ptr [ebp-3Ch]
84096786 8d0c38       lea    ecx,[eax+edi]
84096789 e8f705dfff    call nt!KeCheckProcessorAffinityEx+0x683 (83e86d85)
8409678e 8d4e1c       lea    ecx,[esi+1Ch]
84096791 83f801       cmp    eax,1
84096794 8bc1          mov    eax,ecx
84096796 7551          jne    nt!NtAllocateVirtualMemory+0x9da (840967e9)

nt!NtAllocateVirtualMemory+0x989:
84096798 f00fba2800    lock bts dword ptr [eax],0
8409679d 7305          jae    nt!NtAllocateVirtualMemory+0x995 (840967a4)

nt!NtAllocateVirtualMemory+0x990:
8409679f e88f2fe5ff    call nt!ExfAcquirePushLockExclusive (83ee9733)

nt!NtAllocateVirtualMemory+0x995:
840967a4 8b4608       mov    eax,dword ptr [esi+8]
840967a7 c1e811       shr    eax,11h
840967aa 83e01f       and    eax,1Fh
840967ad 83651000       and    dword ptr [ebp+10h],0
840967b1 8b4d10       mov    ecx,dword ptr [ebp+10h]
840967b4 0fa4c105       shld ecx,eax,5
840967b8 894d88       mov    dword ptr [ebp-78h],ecx
840967bb c1e005       shl    eax,5
840967be 83651000       and    dword ptr [ebp+10h],0
840967c2 8b4dc0       mov    ecx,dword ptr [ebp-40h]
840967c5 3b4ddc       cmp    ecx,dword ptr [ebp-24h]
840967c8 0f8744010000 ja    nt!NtAllocateVirtualMemory+0xb03 (84096912)

nt!NtAllocateVirtualMemory+0x9bf:
840967ce 8b55d4       mov    edx,dword ptr [ebp-2Ch]

nt!NtAllocateVirtualMemory+0x9c2:
840967d1 8b0a          mov    ecx,dword ptr [edx]
840967d3 0b4a04       or    ecx,dword ptr [edx+4]
840967d6 0f8527010000 jne    nt!NtAllocateVirtualMemory+0xaf4 (84096903)

nt!NtAllocateVirtualMemory+0x9cd:
840967dc 8902          mov    dword ptr [edx],eax
840967de 8b4d88       mov    ecx,dword ptr [ebp-78h]
840967e1 894a04       mov    dword ptr [edx+4],ecx
840967e4 e91d010000    jmp    nt!NtAllocateVirtualMemory+0xaf7 (84096906)

nt!NtAllocateVirtualMemory+0x9da:
840967e9 834de004       or    dword ptr [ebp-20h],4
840967ed f00fba2800    lock bts dword ptr [eax],0
840967f2 7305          jae    nt!NtAllocateVirtualMemory+0x9ea (840967f9)

nt!NtAllocateVirtualMemory+0x9e5:
840967f4 e83a2fe5ff    call nt!ExfAcquirePushLockExclusive (83ee9733)

nt!NtAllocateVirtualMemory+0x9ea:
840967f9 8b55c0       mov    edx,dword ptr [ebp-40h]
840967fc 3b55dc       cmp    edx,dword ptr [ebp-24h]
840967ff 7713          ja    nt!NtAllocateVirtualMemory+0xa05 (84096814)

nt!NtAllocateVirtualMemory+0x9f2:
84096801 8b4dd4       mov    ecx,dword ptr [ebp-2Ch]

nt!NtAllocateVirtualMemory+0x9f5:
84096804 8b01          mov    eax,dword ptr [ecx]
84096806 0b4104       or    eax,dword ptr [ecx+4]
84096809 7401          je    nt!NtAllocateVirtualMemory+0x9fd (8409680c)

nt!NtAllocateVirtualMemory+0x9fc:
8409680b 4f             dec    edi

nt!NtAllocateVirtualMemory+0x9fd:
8409680c 83c108       add    ecx,8
8409680f 3b4ddc       cmp    ecx,dword ptr [ebp-24h]
84096812 76f0          jbe    nt!NtAllocateVirtualMemory+0x9f5 (84096804)

nt!NtAllocateVirtualMemory+0xa05:
84096814 8955d4       mov    dword ptr [ebp-2Ch],edx
84096817 8b45c4       mov    eax,dword ptr [ebp-3Ch]
8409681a 8d0c38       lea    ecx,[eax+edi]
8409681d 85c9          test ecx,ecx
8409681f 7522          jne    nt!NtAllocateVirtualMemory+0xa34 (84096843)

nt!NtAllocateVirtualMemory+0xa12:
84096821 8d4e1c       lea    ecx,[esi+1Ch]
84096824 83c8ff       or    eax,0FFFFFFFFh
84096827 8bd1          mov    edx,ecx
84096829 f00fc102       lock xadd dword ptr [edx],eax
8409682d a802          test al,2
8409682f 7409          je    nt!NtAllocateVirtualMemory+0xa2b (8409683a)

nt!NtAllocateVirtualMemory+0xa22:
84096831 a804          test al,4
84096833 7505          jne    nt!NtAllocateVirtualMemory+0xa2b (8409683a)

nt!NtAllocateVirtualMemory+0xa26:
84096835 e8d543e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0xa2b:
8409683a 83651000       and    dword ptr [ebp+10h],0
8409683e e951010000    jmp    nt!NtAllocateVirtualMemory+0xb85 (84096994)

nt!NtAllocateVirtualMemory+0xa34:
84096843 e83d05dfff    call nt!KeCheckProcessorAffinityEx+0x683 (83e86d85)
84096848 85c0          test eax,eax
8409684a 0f8554ffffff jne    nt!NtAllocateVirtualMemory+0x995 (840967a4)

nt!NtAllocateVirtualMemory+0xa41:
84096850 8d4e1c       lea    ecx,[esi+1Ch]
84096853 83c8ff       or    eax,0FFFFFFFFh
84096856 8bd1          mov    edx,ecx
84096858 f00fc102       lock xadd dword ptr [edx],eax
8409685c a802          test al,2
8409685e 7409          je    nt!NtAllocateVirtualMemory+0xa5a (84096869)

nt!NtAllocateVirtualMemory+0xa51:
84096860 a804          test al,4
84096862 7505          jne    nt!NtAllocateVirtualMemory+0xa5a (84096869)

nt!NtAllocateVirtualMemory+0xa55:
84096864 e8a643e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0xa5a:
84096869 8b75e4       mov    esi,dword ptr [ebp-1Ch]
8409686c 8d8e00010000 lea    ecx,[esi+100h]
84096872 f645e002       test byte ptr [ebp-20h],2
84096876 751e          jne    nt!NtAllocateVirtualMemory+0xa87 (84096896)

nt!NtAllocateVirtualMemory+0xa69:
84096878 33d2          xor    edx,edx
8409687a 8bf9          mov    edi,ecx
8409687c 6a11          push 11h
8409687e 58             pop    eax
8409687f f00fb117       lock cmpxchg dword ptr [edi],edx
84096883 83f811       cmp    eax,11h
84096886 7405          je    nt!NtAllocateVirtualMemory+0xa7e (8409688d)

nt!NtAllocateVirtualMemory+0xa79:
84096888 e80bfce4ff    call nt!ExfReleasePushLockShared (83ee6498)

nt!NtAllocateVirtualMemory+0xa7e:
8409688d 80a389020000fb  and    byte ptr [ebx+289h],0FBh
84096894 eb1d          jmp    nt!NtAllocateVirtualMemory+0xaa4 (840968b3)

nt!NtAllocateVirtualMemory+0xa87:
84096896 83c8ff       or    eax,0FFFFFFFFh
84096899 8bd1          mov    edx,ecx
8409689b f00fc102       lock xadd dword ptr [edx],eax
8409689f a802          test al,2
840968a1 7409          je    nt!NtAllocateVirtualMemory+0xa9d (840968ac)

nt!NtAllocateVirtualMemory+0xa94:
840968a3 a804          test al,4
840968a5 7505          jne    nt!NtAllocateVirtualMemory+0xa9d (840968ac)

nt!NtAllocateVirtualMemory+0xa98:
840968a7 e86343e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0xa9d:
840968ac 80a389020000fd  and    byte ptr [ebx+289h],0FDh

nt!NtAllocateVirtualMemory+0xaa4:
840968b3 8d8386000000 lea    eax,[ebx+86h]
840968b9 66ff00       inc    word ptr [eax]
840968bc 0fb700       movzx eax,word ptr [eax]
840968bf 6685c0       test ax,ax
840968c2 750c          jne    nt!NtAllocateVirtualMemory+0xac1 (840968d0)

nt!NtAllocateVirtualMemory+0xab5:
840968c4 83c340       add    ebx,40h
840968c7 391b          cmp    dword ptr [ebx],ebx
840968c9 7405          je    nt!NtAllocateVirtualMemory+0xac1 (840968d0)

nt!NtAllocateVirtualMemory+0xabc:
840968cb e81ad0ddff    call nt!KiCheckForKernelApcDelivery (83e738ea)

nt!NtAllocateVirtualMemory+0xac1:
840968d0 837dc400       cmp    dword ptr [ebp-3Ch],0
840968d4 0f84e9fdffff je    nt!NtAllocateVirtualMemory+0x8b4 (840966c3)

nt!NtAllocateVirtualMemory+0xacb:
840968da 8b45c4       mov    eax,dword ptr [ebp-3Ch]
840968dd f7d8          neg    eax
840968df 8bc8          mov    ecx,eax
840968e1 8d96d0000000 lea    edx,[esi+0D0h]
840968e7 f00fc10a       lock xadd dword ptr [edx],ecx
840968eb f645e008       test byte ptr [ebp-20h],8
840968ef 7408          je    nt!NtAllocateVirtualMemory+0xaea (840968f9)

nt!NtAllocateVirtualMemory+0xae2:
840968f1 50             push eax
840968f2 6a10          push 10h
840968f4 e854460300    call nt!ObGetObjectSecurity+0xa54 (840caf4d)

nt!NtAllocateVirtualMemory+0xaea:
840968f9 ff75c4       push dword ptr [ebp-3Ch]
840968fc 8bc6          mov    eax,esi
840968fe e9bbfdffff    jmp    nt!NtAllocateVirtualMemory+0x8af (840966be)

nt!NtAllocateVirtualMemory+0xaf4:
84096903 ff4510       inc    dword ptr [ebp+10h]

nt!NtAllocateVirtualMemory+0xaf7:
84096906 83c208       add    edx,8
84096909 3b55dc       cmp    edx,dword ptr [ebp-24h]
8409690c 0f86bffeffff jbe    nt!NtAllocateVirtualMemory+0x9c2 (840967d1)

nt!NtAllocateVirtualMemory+0xb03:
84096912 f645e004       test byte ptr [ebp-20h],4
84096916 7505          jne    nt!NtAllocateVirtualMemory+0xb0e (8409691d)

nt!NtAllocateVirtualMemory+0xb09:
84096918 2b7d10       sub    edi,dword ptr [ebp+10h]
8409691b eb04          jmp    nt!NtAllocateVirtualMemory+0xb12 (84096921)

nt!NtAllocateVirtualMemory+0xb0e:
8409691d 83651000       and    dword ptr [ebp+10h],0

nt!NtAllocateVirtualMemory+0xb12:
84096921 85ff          test edi,edi
84096923 740c          je    nt!NtAllocateVirtualMemory+0xb22 (84096931)

nt!NtAllocateVirtualMemory+0xb16:
84096925 017e0c       add    dword ptr [esi+0Ch],edi
84096928 b8a411f883    mov    eax,offset nt!KeI386MachineType+0x14 (83f811a4)
8409692d f00fc138       lock xadd dword ptr [eax],edi

nt!NtAllocateVirtualMemory+0xb22:
84096931 83c61c       add    esi,1Ch
84096934 83c8ff       or    eax,0FFFFFFFFh
84096937 8bce          mov    ecx,esi
84096939 f00fc101       lock xadd dword ptr [ecx],eax
8409693d a802          test al,2
8409693f 7409          je    nt!NtAllocateVirtualMemory+0xb3b (8409694a)

nt!NtAllocateVirtualMemory+0xb32:
84096941 a804          test al,4
84096943 7505          jne    nt!NtAllocateVirtualMemory+0xb3b (8409694a)

nt!NtAllocateVirtualMemory+0xb36:
84096945 e8c542e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0xb3b:
8409694a 837dc400       cmp    dword ptr [ebp-3Ch],0
8409694e 7444          je    nt!NtAllocateVirtualMemory+0xb85 (84096994)

nt!NtAllocateVirtualMemory+0xb41:
84096950 8b4dc8       mov    ecx,dword ptr [ebp-38h]
84096953 8d7118       lea    esi,[ecx+18h]
84096956 8bc6          mov    eax,esi
84096958 f00fba2800    lock bts dword ptr [eax],0
8409695d 730a          jae    nt!NtAllocateVirtualMemory+0xb5a (84096969)

nt!NtAllocateVirtualMemory+0xb50:
8409695f 8bce          mov    ecx,esi
84096961 e8cd2de5ff    call nt!ExfAcquirePushLockExclusive (83ee9733)
84096966 8b4dc8       mov    ecx,dword ptr [ebp-38h]

nt!NtAllocateVirtualMemory+0xb5a:
84096969 8b4114       mov    eax,dword ptr [ecx+14h]
8409696c 8b55c4       mov    edx,dword ptr [ebp-3Ch]
8409696f 03d0          add    edx,eax
84096971 33d0          xor    edx,eax
84096973 81e2ffff0700 and    edx,7FFFFh
84096979 33d0          xor    edx,eax
8409697b 895114       mov    dword ptr [ecx+14h],edx
8409697e 83c8ff       or    eax,0FFFFFFFFh
84096981 8bce          mov    ecx,esi
84096983 f00fc101       lock xadd dword ptr [ecx],eax
84096987 a802          test al,2
84096989 7409          je    nt!NtAllocateVirtualMemory+0xb85 (84096994)

nt!NtAllocateVirtualMemory+0xb7c:
8409698b a804          test al,4
8409698d 7505          jne    nt!NtAllocateVirtualMemory+0xb85 (84096994)

nt!NtAllocateVirtualMemory+0xb80:
8409698f e87b42e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0xb85:
84096994 8b75c8       mov    esi,dword ptr [ebp-38h]
84096997 83c618       add    esi,18h
8409699a 8bc6          mov    eax,esi
8409699c f00fba2800    lock bts dword ptr [eax],0
840969a1 7307          jae    nt!NtAllocateVirtualMemory+0xb9b (840969aa)

nt!NtAllocateVirtualMemory+0xb94:
840969a3 8bce          mov    ecx,esi
840969a5 e8892de5ff    call nt!ExfAcquirePushLockExclusive (83ee9733)

nt!NtAllocateVirtualMemory+0xb9b:
840969aa 8d857cffffff lea    eax,[ebp-84h]
840969b0 50             push eax
840969b1 6a01          push 1
840969b3 8d4594       lea    eax,[ebp-6Ch]
840969b6 50             push eax
840969b7 ff751c       push dword ptr [ebp+1Ch]
840969ba ff75b4       push dword ptr [ebp-4Ch]
840969bd ff75c8       push dword ptr [ebp-38h]
840969c0 8b7de4       mov    edi,dword ptr [ebp-1Ch]
840969c3 57             push edi
840969c4 8b4dd8       mov    ecx,dword ptr [ebp-28h]
840969c7 e89ae7e5ff    call nt!IoSetThreadHardErrorMode+0x6e8 (83ef5166)
840969cc 83c8ff       or    eax,0FFFFFFFFh
840969cf f645e002       test byte ptr [ebp-20h],2
840969d3 7537          jne    nt!NtAllocateVirtualMemory+0xbfd (84096a0c)

nt!NtAllocateVirtualMemory+0xbc6:
840969d5 8bce          mov    ecx,esi
840969d7 f00fc101       lock xadd dword ptr [ecx],eax
840969db a802          test al,2
840969dd 7409          je    nt!NtAllocateVirtualMemory+0xbd9 (840969e8)

nt!NtAllocateVirtualMemory+0xbd0:
840969df a804          test al,4
840969e1 7505          jne    nt!NtAllocateVirtualMemory+0xbd9 (840969e8)

nt!NtAllocateVirtualMemory+0xbd4:
840969e3 e82742e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0xbd9:
840969e8 8d8f00010000 lea    ecx,[edi+100h]
840969ee 33d2          xor    edx,edx
840969f0 8bf1          mov    esi,ecx
840969f2 6a11          push 11h
840969f4 58             pop    eax
840969f5 f00fb116       lock cmpxchg dword ptr [esi],edx
840969f9 83f811       cmp    eax,11h
840969fc 7405          je    nt!NtAllocateVirtualMemory+0xbf4 (84096a03)

nt!NtAllocateVirtualMemory+0xbef:
840969fe e895fae4ff    call nt!ExfReleasePushLockShared (83ee6498)

nt!NtAllocateVirtualMemory+0xbf4:
84096a03 80a389020000fb  and    byte ptr [ebx+289h],0FBh
84096a0a eb20          jmp    nt!NtAllocateVirtualMemory+0xc1d (84096a2c)

nt!NtAllocateVirtualMemory+0xbfd:
84096a0c 8d8f00010000 lea    ecx,[edi+100h]
84096a12 8bd1          mov    edx,ecx
84096a14 f00fc102       lock xadd dword ptr [edx],eax
84096a18 a802          test al,2
84096a1a 7409          je    nt!NtAllocateVirtualMemory+0xc16 (84096a25)

nt!NtAllocateVirtualMemory+0xc0d:
84096a1c a804          test al,4
84096a1e 7505          jne    nt!NtAllocateVirtualMemory+0xc16 (84096a25)

nt!NtAllocateVirtualMemory+0xc11:
84096a20 e8ea41e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0xc16:
84096a25 80a389020000fd  and    byte ptr [ebx+289h],0FDh

nt!NtAllocateVirtualMemory+0xc1d:
84096a2c 8d8386000000 lea    eax,[ebx+86h]
84096a32 66ff00       inc    word ptr [eax]
84096a35 0fb700       movzx eax,word ptr [eax]
84096a38 6685c0       test ax,ax
84096a3b 750c          jne    nt!NtAllocateVirtualMemory+0xc3a (84096a49)

nt!NtAllocateVirtualMemory+0xc2e:
84096a3d 83c340       add    ebx,40h
84096a40 391b          cmp    dword ptr [ebx],ebx
84096a42 7405          je    nt!NtAllocateVirtualMemory+0xc3a (84096a49)

nt!NtAllocateVirtualMemory+0xc35:
84096a44 e8a1ceddff    call nt!KiCheckForKernelApcDelivery (83e738ea)

nt!NtAllocateVirtualMemory+0xc3a:
84096a49 8b5510       mov    edx,dword ptr [ebp+10h]
84096a4c 85d2          test edx,edx
84096a4e 7470          je    nt!NtAllocateVirtualMemory+0xcb1 (84096ac0)

nt!NtAllocateVirtualMemory+0xc41:
84096a50 64a120000000 mov    eax,dword ptr fs:[00000020h]
84096a56 055c330000    add    eax,335Ch
84096a5b 89451c       mov    dword ptr [ebp+1Ch],eax
84096a5e 8b08          mov    ecx,dword ptr [eax]
84096a60 8d3c11       lea    edi,[ecx+edx]
84096a63 be00010000    mov    esi,100h
84096a68 3bfe          cmp    edi,esi
84096a6a 771c          ja    nt!NtAllocateVirtualMemory+0xc79 (84096a88)

nt!NtAllocateVirtualMemory+0xc5d:
84096a6c eb03          jmp    nt!NtAllocateVirtualMemory+0xc62 (84096a71)

nt!NtAllocateVirtualMemory+0xc5f:
84096a6e 8b451c       mov    eax,dword ptr [ebp+1Ch]

nt!NtAllocateVirtualMemory+0xc62:
84096a71 8d3c11       lea    edi,[ecx+edx]
84096a74 8bd8          mov    ebx,eax
84096a76 8bc1          mov    eax,ecx
84096a78 f00fb13b       lock cmpxchg dword ptr [ebx],edi
84096a7c 3bc1          cmp    eax,ecx
84096a7e 7440          je    nt!NtAllocateVirtualMemory+0xcb1 (84096ac0)

nt!NtAllocateVirtualMemory+0xc71:
84096a80 8bc8          mov    ecx,eax
84096a82 03c2          add    eax,edx
84096a84 3bc6          cmp    eax,esi
84096a86 76e6          jbe    nt!NtAllocateVirtualMemory+0xc5f (84096a6e)

nt!NtAllocateVirtualMemory+0xc79:
84096a88 8bc2          mov    eax,edx
84096a8a f7d8          neg    eax
84096a8c b95813f983    mov    ecx,offset nt!TmEnlistmentObjectType+0x72ac (83f91358)
84096a91 f00fc101       lock xadd dword ptr [ecx],eax
84096a95 8b0d7413f983 mov    ecx,dword ptr [nt!TmEnlistmentObjectType+0x72c8 (83f91374)]
84096a9b 3bc1          cmp    eax,ecx
84096a9d 7208          jb    nt!NtAllocateVirtualMemory+0xc98 (84096aa7)

nt!NtAllocateVirtualMemory+0xc90:
84096a9f 8bf0          mov    esi,eax
84096aa1 2bf2          sub    esi,edx
84096aa3 3bf1          cmp    esi,ecx
84096aa5 7212          jb    nt!NtAllocateVirtualMemory+0xcaa (84096ab9)

nt!NtAllocateVirtualMemory+0xc98:
84096aa7 8bf0          mov    esi,eax
84096aa9 2bf2          sub    esi,edx
84096aab 8b0d6013f983 mov    ecx,dword ptr [nt!TmEnlistmentObjectType+0x72b4 (83f91360)]
84096ab1 3bf1          cmp    esi,ecx
84096ab3 730b          jae    nt!NtAllocateVirtualMemory+0xcb1 (84096ac0)

nt!NtAllocateVirtualMemory+0xca6:
84096ab5 3bc1          cmp    eax,ecx
84096ab7 7207          jb    nt!NtAllocateVirtualMemory+0xcb1 (84096ac0)

nt!NtAllocateVirtualMemory+0xcaa:
84096ab9 6a00          push 0
84096abb e821f9dbff    call nt!IoEnumerateDeviceObjectList+0x144 (83e563e1)

nt!NtAllocateVirtualMemory+0xcb1:
84096ac0 f645e001       test byte ptr [ebp-20h],1
84096ac4 740c          je    nt!NtAllocateVirtualMemory+0xcc3 (84096ad2)

nt!NtAllocateVirtualMemory+0xcb7:
84096ac6 8d8558ffffff lea    eax,[ebp-0A8h]
84096acc 50             push eax
84096acd e87292e4ff    call nt!KeUnstackDetachProcess (83edfd44)

nt!NtAllocateVirtualMemory+0xcc3:
84096ad2 f70584f8f78300800000 test dword ptr [nt!KeTickCount+0x8404 (83f7f884)],8000h
84096adc 741a          je    nt!NtAllocateVirtualMemory+0xce9 (84096af8)

nt!NtAllocateVirtualMemory+0xccf:
84096ade f7451800300000  test dword ptr [ebp+18h],3000h
84096ae5 7411          je    nt!NtAllocateVirtualMemory+0xce9 (84096af8)

nt!NtAllocateVirtualMemory+0xcd8:
84096ae7 ff7518       push dword ptr [ebp+18h]
84096aea ff75e4       push dword ptr [ebp-1Ch]
84096aed ff75bc       push dword ptr [ebp-44h]
84096af0 8b45d8       mov    eax,dword ptr [ebp-28h]
84096af3 e85345ecff    call nt!EtwWriteString+0xa08 (83f5b04b)

nt!NtAllocateVirtualMemory+0xce9:
84096af8 837d08ff       cmp    dword ptr [ebp+8],0FFFFFFFFh
84096afc 7408          je    nt!NtAllocateVirtualMemory+0xcf7 (84096b06)

nt!NtAllocateVirtualMemory+0xcef:
84096afe 8b4de4       mov    ecx,dword ptr [ebp-1Ch]
84096b01 e8bdc3e1ff    call nt!ObfDereferenceObject (83eb2ec3)

nt!NtAllocateVirtualMemory+0xcf7:
84096b06 c745fc02000000  mov    dword ptr [ebp-4],2
84096b0d 8b4514       mov    eax,dword ptr [ebp+14h]
84096b10 8b4dbc       mov    ecx,dword ptr [ebp-44h]
84096b13 8908          mov    dword ptr [eax],ecx
84096b15 e979080000    jmp    nt!NtAllocateVirtualMemory+0x1584 (84097393)

nt!NtAllocateVirtualMemory+0xd14:
84096b23 f6451c88       test byte ptr [ebp+1Ch],88h
84096b27 0f8591f7ffff jne    nt!NtAllocateVirtualMemory+0x4af (840962be)

nt!NtAllocateVirtualMemory+0xd1e:
84096b2d 83f906       cmp    ecx,6
84096b30 750d          jne    nt!NtAllocateVirtualMemory+0xd30 (84096b3f)

nt!NtAllocateVirtualMemory+0xd23:
84096b32 f7451cf9f9ffff  test dword ptr [ebp+1Ch],0FFFFF9F9h
84096b39 0f857ff7ffff jne    nt!NtAllocateVirtualMemory+0x4af (840962be)

nt!NtAllocateVirtualMemory+0xd30:
84096b3f ff75c0       push dword ptr [ebp-40h]
84096b42 8b7de4       mov    edi,dword ptr [ebp-1Ch]
84096b45 8bd7          mov    edx,edi
84096b47 e8820be7ff    call nt!EtwProviderEnabled+0xd72 (83f076ce)
84096b4c 85c0          test eax,eax
84096b4e 750c          jne    nt!NtAllocateVirtualMemory+0xd4d (84096b5c)

nt!NtAllocateVirtualMemory+0xd41:
84096b50 c745102d0100c0  mov    dword ptr [ebp+10h],0C000012Dh
84096b57 e9e4010000    jmp    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0xd4d:
84096b5c f6876c02000010  test byte ptr [edi+26Ch],10h
84096b63 7423          je    nt!NtAllocateVirtualMemory+0xd79 (84096b88)

nt!NtAllocateVirtualMemory+0xd56:
84096b65 ff75c0       push dword ptr [ebp-40h]
84096b68 6a10          push 10h
84096b6a e8de430300    call nt!ObGetObjectSecurity+0xa54 (840caf4d)
84096b6f 84c0          test al,al
84096b71 7511          jne    nt!NtAllocateVirtualMemory+0xd75 (84096b84)

nt!NtAllocateVirtualMemory+0xd64:
84096b73 8b45c0       mov    eax,dword ptr [ebp-40h]
84096b76 f7d8          neg    eax
84096b78 81c7d0000000 add    edi,0D0h
84096b7e f00fc107       lock xadd dword ptr [edi],eax
84096b82 ebcc          jmp    nt!NtAllocateVirtualMemory+0xd41 (84096b50)

nt!NtAllocateVirtualMemory+0xd75:
84096b84 834de008       or    dword ptr [ebp-20h],8

nt!NtAllocateVirtualMemory+0xd79:
84096b88 ff75c0       push dword ptr [ebp-40h]
84096b8b 8bc7          mov    eax,edi
84096b8d e870d60200    call nt!NtConnectPort+0x196e (840c4202)
84096b92 894510       mov    dword ptr [ebp+10h],eax
84096b95 85c0          test eax,eax
84096b97 7d28          jge    nt!NtAllocateVirtualMemory+0xdb2 (84096bc1)

nt!NtAllocateVirtualMemory+0xd8a:
84096b99 8b45c0       mov    eax,dword ptr [ebp-40h]
84096b9c f7d8          neg    eax
84096b9e 8bc8          mov    ecx,eax
84096ba0 81c7d0000000 add    edi,0D0h
84096ba6 f00fc10f       lock xadd dword ptr [edi],ecx
84096baa f645e008       test byte ptr [ebp-20h],8
84096bae 0f848c010000 je    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0xda5:
84096bb4 50             push eax
84096bb5 6a10          push 10h
84096bb7 e891430300    call nt!ObGetObjectSecurity+0xa54 (840caf4d)
84096bbc e97f010000    jmp    nt!NtAllocateVirtualMemory+0xf31 (84096d40)

nt!NtAllocateVirtualMemory+0xdb2:
84096bc1 8365a800       and    dword ptr [ebp-58h],0
84096bc5 8d45a8       lea    eax,[ebp-58h]
84096bc8 50             push eax
84096bc9 8d45a4       lea    eax,[ebp-5Ch]
84096bcc 50             push eax
84096bcd ff751c       push dword ptr [ebp+1Ch]
84096bd0 ff7588       push dword ptr [ebp-78h]
84096bd3 ff75b0       push dword ptr [ebp-50h]
84096bd6 56             push esi
84096bd7 e8ed45e3ff    call nt!MmFreePagesFromMdl+0x22e (83ecb1c9)
84096bdc 894510       mov    dword ptr [ebp+10h],eax
84096bdf 33d2          xor    edx,edx
84096be1 8b4dd0       mov    ecx,dword ptr [ebp-30h]
84096be4 8bf1          mov    esi,ecx
84096be6 6a11          push 11h
84096be8 58             pop    eax
84096be9 f00fb116       lock cmpxchg dword ptr [esi],edx
84096bed 83f811       cmp    eax,11h
84096bf0 7405          je    nt!NtAllocateVirtualMemory+0xde8 (84096bf7)

nt!NtAllocateVirtualMemory+0xde3:
84096bf2 e8a1f8e4ff    call nt!ExfReleasePushLockShared (83ee6498)

nt!NtAllocateVirtualMemory+0xde8:
84096bf7 80a389020000fb  and    byte ptr [ebx+289h],0FBh
84096bfe 66ff8386000000  inc    word ptr [ebx+86h]
84096c05 0fb78386000000  movzx eax,word ptr [ebx+86h]
84096c0c 6685c0       test ax,ax
84096c0f 750c          jne    nt!NtAllocateVirtualMemory+0xe0e (84096c1d)

nt!NtAllocateVirtualMemory+0xe02:
84096c11 83c340       add    ebx,40h
84096c14 391b          cmp    dword ptr [ebx],ebx
84096c16 7405          je    nt!NtAllocateVirtualMemory+0xe0e (84096c1d)

nt!NtAllocateVirtualMemory+0xe09:
84096c18 e8cdccddff    call nt!KiCheckForKernelApcDelivery (83e738ea)

nt!NtAllocateVirtualMemory+0xe0e:
84096c1d 837d1000       cmp    dword ptr [ebp+10h],0
84096c21 7d32          jge    nt!NtAllocateVirtualMemory+0xe46 (84096c55)

nt!NtAllocateVirtualMemory+0xe14:
84096c23 ff75c0       push dword ptr [ebp-40h]
84096c26 8bc7          mov    eax,edi
84096c28 e89f4e0200    call nt!SeQueryAuthenticationIdToken+0xe31 (840bbacc)
84096c2d 8b45c0       mov    eax,dword ptr [ebp-40h]
84096c30 f7d8          neg    eax
84096c32 8bc8          mov    ecx,eax
84096c34 81c7d0000000 add    edi,0D0h
84096c3a f00fc10f       lock xadd dword ptr [edi],ecx
84096c3e f645e008       test byte ptr [ebp-20h],8
84096c42 0f846e070000 je    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0xe39:
84096c48 50             push eax
84096c49 6a10          push 10h
84096c4b e8fd420300    call nt!ObGetObjectSecurity+0xa54 (840caf4d)
84096c50 e961070000    jmp    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0xe46:
84096c55 8b5dc0       mov    ebx,dword ptr [ebp-40h]
84096c58 2b5da4       sub    ebx,dword ptr [ebp-5Ch]
84096c5b 7426          je    nt!NtAllocateVirtualMemory+0xe74 (84096c83)

nt!NtAllocateVirtualMemory+0xe4e:
84096c5d 53             push ebx
84096c5e 8bc7          mov    eax,edi
84096c60 e8674e0200    call nt!SeQueryAuthenticationIdToken+0xe31 (840bbacc)
84096c65 8d87d0000000 lea    eax,[edi+0D0h]
84096c6b 8bcb          mov    ecx,ebx
84096c6d f7d9          neg    ecx
84096c6f 8bd1          mov    edx,ecx
84096c71 f00fc110       lock xadd dword ptr [eax],edx
84096c75 f645e008       test byte ptr [ebp-20h],8
84096c79 7408          je    nt!NtAllocateVirtualMemory+0xe74 (84096c83)

nt!NtAllocateVirtualMemory+0xe6c:
84096c7b 51             push ecx
84096c7c 6a10          push 10h
84096c7e e8ca420300    call nt!ObGetObjectSecurity+0xa54 (840caf4d)

nt!NtAllocateVirtualMemory+0xe74:
84096c83 837da801       cmp    dword ptr [ebp-58h],1
84096c87 7524          jne    nt!NtAllocateVirtualMemory+0xe9e (84096cad)

nt!NtAllocateVirtualMemory+0xe7a:
84096c89 8b45d8       mov    eax,dword ptr [ebp-28h]
84096c8c 8945a0       mov    dword ptr [ebp-60h],eax
84096c8f 8b45bc       mov    eax,dword ptr [ebp-44h]
84096c92 894580       mov    dword ptr [ebp-80h],eax
84096c95 8d8570ffffff lea    eax,[ebp-90h]
84096c9b 50             push eax
84096c9c ff751c       push dword ptr [ebp+1Ch]
84096c9f 8d4580       lea    eax,[ebp-80h]
84096ca2 50             push eax
84096ca3 8d45a0       lea    eax,[ebp-60h]
84096ca6 50             push eax
84096ca7 57             push edi
84096ca8 e8a02a0300    call nt!SeAppendPrivileges+0x455 (840c974d)

nt!NtAllocateVirtualMemory+0xe9e:
84096cad f645e001       test byte ptr [ebp-20h],1
84096cb1 740c          je    nt!NtAllocateVirtualMemory+0xeb0 (84096cbf)

nt!NtAllocateVirtualMemory+0xea4:
84096cb3 8d8558ffffff lea    eax,[ebp-0A8h]
84096cb9 50             push eax
84096cba e88590e4ff    call nt!KeUnstackDetachProcess (83edfd44)

nt!NtAllocateVirtualMemory+0xeb0:
84096cbf f70584f8f78300800000 test dword ptr [nt!KeTickCount+0x8404 (83f7f884)],8000h
84096cc9 741a          je    nt!NtAllocateVirtualMemory+0xed6 (84096ce5)

nt!NtAllocateVirtualMemory+0xebc:
84096ccb f7451800300000  test dword ptr [ebp+18h],3000h
84096cd2 7411          je    nt!NtAllocateVirtualMemory+0xed6 (84096ce5)

nt!NtAllocateVirtualMemory+0xec5:
84096cd4 ff7518       push dword ptr [ebp+18h]
84096cd7 ff75e4       push dword ptr [ebp-1Ch]
84096cda ff75bc       push dword ptr [ebp-44h]
84096cdd 8b45d8       mov    eax,dword ptr [ebp-28h]
84096ce0 e86643ecff    call nt!EtwWriteString+0xa08 (83f5b04b)

nt!NtAllocateVirtualMemory+0xed6:
84096ce5 837d08ff       cmp    dword ptr [ebp+8],0FFFFFFFFh
84096ce9 7408          je    nt!NtAllocateVirtualMemory+0xee4 (84096cf3)

nt!NtAllocateVirtualMemory+0xedc:
84096ceb 8b4de4       mov    ecx,dword ptr [ebp-1Ch]
84096cee e8d0c1e1ff    call nt!ObfDereferenceObject (83eb2ec3)

nt!NtAllocateVirtualMemory+0xee4:
84096cf3 c745fc03000000  mov    dword ptr [ebp-4],3
84096cfa 8b4514       mov    eax,dword ptr [ebp+14h]
84096cfd 8b4dbc       mov    ecx,dword ptr [ebp-44h]
84096d00 8908          mov    dword ptr [eax],ecx
84096d02 8b450c       mov    eax,dword ptr [ebp+0Ch]
84096d05 8b4dd8       mov    ecx,dword ptr [ebp-28h]
84096d08 8908          mov    dword ptr [eax],ecx
84096d0a c745fcfeffffff  mov    dword ptr [ebp-4],0FFFFFFFEh

nt!NtAllocateVirtualMemory+0xf02:
84096d11 8b4510       mov    eax,dword ptr [ebp+10h]
84096d14 e9e3060000    jmp    nt!NtAllocateVirtualMemory+0x15ed (840973fc)

nt!NtAllocateVirtualMemory+0xf2a:
84096d39 c74510180000c0  mov    dword ptr [ebp+10h],0C0000018h

nt!NtAllocateVirtualMemory+0xf31:
84096d40 8b4de4       mov    ecx,dword ptr [ebp-1Ch]
84096d43 81c100010000 add    ecx,100h
84096d49 f645e002       test byte ptr [ebp-20h],2
84096d4d 7532          jne    nt!NtAllocateVirtualMemory+0xf72 (84096d81)

nt!NtAllocateVirtualMemory+0xf40:
84096d4f 33d2          xor    edx,edx
84096d51 8bf1          mov    esi,ecx
84096d53 6a11          push 11h
84096d55 58             pop    eax
84096d56 f00fb116       lock cmpxchg dword ptr [esi],edx
84096d5a 83f811       cmp    eax,11h
84096d5d 7405          je    nt!NtAllocateVirtualMemory+0xf55 (84096d64)

nt!NtAllocateVirtualMemory+0xf50:
84096d5f e834f7e4ff    call nt!ExfReleasePushLockShared (83ee6498)

nt!NtAllocateVirtualMemory+0xf55:
84096d64 80a389020000fb  and    byte ptr [ebx+289h],0FBh

nt!NtAllocateVirtualMemory+0xf5c:
84096d6b 66ff8386000000  inc    word ptr [ebx+86h]
84096d72 0fb78386000000  movzx eax,word ptr [ebx+86h]
84096d79 6685c0       test ax,ax
84096d7c e99af8ffff    jmp    nt!NtAllocateVirtualMemory+0x80c (8409661b)

nt!NtAllocateVirtualMemory+0xf72:
84096d81 83c8ff       or    eax,0FFFFFFFFh

nt!NtAllocateVirtualMemory+0xf75:
84096d84 8bd1          mov    edx,ecx
84096d86 f00fc102       lock xadd dword ptr [edx],eax
84096d8a a802          test al,2
84096d8c 7409          je    nt!NtAllocateVirtualMemory+0xf88 (84096d97)

nt!NtAllocateVirtualMemory+0xf7f:
84096d8e a804          test al,4
84096d90 7505          jne    nt!NtAllocateVirtualMemory+0xf88 (84096d97)

nt!NtAllocateVirtualMemory+0xf83:
84096d92 e8783ee7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0xf88:
84096d97 80a389020000fd  and    byte ptr [ebx+289h],0FDh
84096d9e ebcb          jmp    nt!NtAllocateVirtualMemory+0xf5c (84096d6b)

nt!NtAllocateVirtualMemory+0xf91:
84096da0 f6451c88       test byte ptr [ebp+1Ch],88h
84096da4 0f8505060000 jne    nt!NtAllocateVirtualMemory+0x15a0 (840973af)

nt!NtAllocateVirtualMemory+0xf9b:
84096daa c745b800000100  mov    dword ptr [ebp-48h],10000h
84096db1 85f6          test esi,esi
84096db3 0f85bc000000 jne    nt!NtAllocateVirtualMemory+0x1066 (84096e75)

nt!NtAllocateVirtualMemory+0xfaa:
84096db9 8d97ff0f0000 lea    edx,[edi+0FFFh]
84096dbf 81e200f0ffff and    edx,0FFFFF000h
84096dc5 8955bc       mov    dword ptr [ebp-44h],edx
84096dc8 a11427fb83    mov    eax,dword ptr [nt!MmHighestUserAddress (83fb2714)]
84096dcd 050000ffff    add    eax,0FFFF0000h
84096dd2 8945c4       mov    dword ptr [ebp-3Ch],eax
84096dd5 8b4d10       mov    ecx,dword ptr [ebp+10h]
84096dd8 85c9          test ecx,ecx
84096dda 7424          je    nt!NtAllocateVirtualMemory+0xff1 (84096e00)

nt!NtAllocateVirtualMemory+0xfcd:
84096ddc 83c8ff       or    eax,0FFFFFFFFh
84096ddf d3e8          shr    eax,cl
84096de1 8945c4       mov    dword ptr [ebp-3Ch],eax
84096de4 8b0d1427fb83 mov    ecx,dword ptr [nt!MmHighestUserAddress (83fb2714)]
84096dea 81c10000ffff add    ecx,0FFFF0000h
84096df0 3bc1          cmp    eax,ecx
84096df2 760c          jbe    nt!NtAllocateVirtualMemory+0xff1 (84096e00)

nt!NtAllocateVirtualMemory+0xfe5:
84096df4 c74510f10000c0  mov    dword ptr [ebp+10h],0C00000F1h
84096dfb e9b6050000    jmp    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0xff1:
84096e00 8b45e4       mov    eax,dword ptr [ebp-1Ch]
84096e03 f7807002000000002000 test dword ptr [eax+270h],200000h
84096e0d 7407          je    nt!NtAllocateVirtualMemory+0x1007 (84096e16)

nt!NtAllocateVirtualMemory+0x1000:
84096e0f 814d1800001000  or    dword ptr [ebp+18h],100000h

nt!NtAllocateVirtualMemory+0x1007:
84096e16 8bc2          mov    eax,edx
84096e18 25ff0f0000    and    eax,0FFFh
84096e1d f7d8          neg    eax
84096e1f 1bc0          sbb    eax,eax
84096e21 f7d8          neg    eax
84096e23 8bca          mov    ecx,edx
84096e25 c1e90c       shr    ecx,0Ch
84096e28 03c1          add    eax,ecx
84096e2a 8945c8       mov    dword ptr [ebp-38h],eax
84096e2d 33f6          xor    esi,esi
84096e2f 8975d8       mov    dword ptr [ebp-28h],esi
84096e32 8b4518       mov    eax,dword ptr [ebp+18h]
84096e35 2500000020    and    eax,20000000h
84096e3a 8945d0       mov    dword ptr [ebp-30h],eax
84096e3d 0f848b000000 je    nt!NtAllocateVirtualMemory+0x10bf (84096ece)

nt!NtAllocateVirtualMemory+0x1034:
84096e43 f6054829fb8320  test byte ptr [nt!KeNumberProcessors+0xa2 (83fb2948)],20h
84096e4a 750c          jne    nt!NtAllocateVirtualMemory+0x1049 (84096e58)

nt!NtAllocateVirtualMemory+0x103d:
84096e4c c74510bb0000c0  mov    dword ptr [ebp+10h],0C00000BBh
84096e53 e95e050000    jmp    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0x1049:
84096e58 f7c2ffff1f00 test edx,1FFFFFh
84096e5e 740c          je    nt!NtAllocateVirtualMemory+0x105d (84096e6c)

nt!NtAllocateVirtualMemory+0x1051:
84096e60 c74510f20000c0  mov    dword ptr [ebp+10h],0C00000F2h
84096e67 e94a050000    jmp    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0x105d:
84096e6c c745b800002000  mov    dword ptr [ebp-48h],200000h
84096e73 eb59          jmp    nt!NtAllocateVirtualMemory+0x10bf (84096ece)

nt!NtAllocateVirtualMemory+0x1066:
84096e75 8b45b0       mov    eax,dword ptr [ebp-50h]
84096e78 8d7407ff       lea    esi,[edi+eax-1]
84096e7c baff0f0000    mov    edx,0FFFh
84096e81 0bf2          or    esi,edx
84096e83 837dd000       cmp    dword ptr [ebp-30h],0
84096e87 7423          je    nt!NtAllocateVirtualMemory+0x109d (84096eac)

nt!NtAllocateVirtualMemory+0x107a:
84096e89 f6054829fb8320  test byte ptr [nt!KeNumberProcessors+0xa2 (83fb2948)],20h
84096e90 74ba          je    nt!NtAllocateVirtualMemory+0x103d (84096e4c)

nt!NtAllocateVirtualMemory+0x1083:
84096e92 f7c7ffff1f00 test edi,1FFFFFh
84096e98 75c6          jne    nt!NtAllocateVirtualMemory+0x1051 (84096e60)

nt!NtAllocateVirtualMemory+0x108b:
84096e9a c745b800002000  mov    dword ptr [ebp-48h],200000h
84096ea1 250000e0ff    and    eax,0FFE00000h
84096ea6 8d7407ff       lea    esi,[edi+eax-1]
84096eaa eb05          jmp    nt!NtAllocateVirtualMemory+0x10a2 (84096eb1)

nt!NtAllocateVirtualMemory+0x109d:
84096eac 250000ffff    and    eax,0FFFF0000h

nt!NtAllocateVirtualMemory+0x10a2:
84096eb1 8945d8       mov    dword ptr [ebp-28h],eax
84096eb4 8bce          mov    ecx,esi
84096eb6 2bc8          sub    ecx,eax
84096eb8 8bc1          mov    eax,ecx
84096eba 23c2          and    eax,edx
84096ebc f7d8          neg    eax
84096ebe 1bc0          sbb    eax,eax
84096ec0 f7d8          neg    eax
84096ec2 c1f90c       sar    ecx,0Ch
84096ec5 03c1          add    eax,ecx
84096ec7 8945c8       mov    dword ptr [ebp-38h],eax
84096eca 8365c400       and    dword ptr [ebp-3Ch],0

nt!NtAllocateVirtualMemory+0x10bf:
84096ece 8365cc00       and    dword ptr [ebp-34h],0
84096ed2 6856616453    push 53646156h
84096ed7 6a20          push 20h
84096ed9 6a00          push 0
84096edb e8cb2cedff    call nt!ExAllocatePoolWithTag (83f69bab)
84096ee0 8bf8          mov    edi,eax
84096ee2 85ff          test edi,edi
84096ee4 750c          jne    nt!NtAllocateVirtualMemory+0x10e3 (84096ef2)

nt!NtAllocateVirtualMemory+0x10d7:
84096ee6 c745109a0000c0  mov    dword ptr [ebp+10h],0C000009Ah
84096eed e9c4040000    jmp    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0x10e3:
84096ef2 33c0          xor    eax,eax
84096ef4 894718       mov    dword ptr [edi+18h],eax
84096ef7 894714       mov    dword ptr [edi+14h],eax
84096efa 8b4ddc       mov    ecx,dword ptr [ebp-24h]
84096efd 83e13f       and    ecx,3Fh
84096f00 894f1c       mov    dword ptr [edi+1Ch],ecx
84096f03 3945dc       cmp    dword ptr [ebp-24h],eax
84096f06 7411          je    nt!NtAllocateVirtualMemory+0x110a (84096f19)

nt!NtAllocateVirtualMemory+0x10f9:
84096f08 b800040000    mov    eax,400h
84096f0d 8b4de4       mov    ecx,dword ptr [ebp-1Ch]
84096f10 81c16c020000 add    ecx,26Ch
84096f16 f00901       lock or dword ptr [ecx],eax

nt!NtAllocateVirtualMemory+0x110a:
84096f19 8b5518       mov    edx,dword ptr [ebp+18h]
84096f1c f7c200100000 test edx,1000h
84096f22 740c          je    nt!NtAllocateVirtualMemory+0x1121 (84096f30)

nt!NtAllocateVirtualMemory+0x1115:
84096f24 8b4dc8       mov    ecx,dword ptr [ebp-38h]
84096f27 814f1400008000  or    dword ptr [edi+14h],800000h
84096f2e eb03          jmp    nt!NtAllocateVirtualMemory+0x1124 (84096f33)

nt!NtAllocateVirtualMemory+0x1121:
84096f30 8b4dc0       mov    ecx,dword ptr [ebp-40h]

nt!NtAllocateVirtualMemory+0x1124:
84096f33 8b45ac       mov    eax,dword ptr [ebp-54h]
84096f36 83e01f       and    eax,1Fh
84096f39 83c880       or    eax,0FFFFFF80h
84096f3c c1e018       shl    eax,18h
84096f3f 81e1ffff0700 and    ecx,7FFFFh
84096f45 0bc1          or    eax,ecx
84096f47 8b4f14       mov    ecx,dword ptr [edi+14h]
84096f4a 81e10000f8e0 and    ecx,0E0F80000h
84096f50 0bc1          or    eax,ecx
84096f52 894714       mov    dword ptr [edi+14h],eax
84096f55 33c0          xor    eax,eax
84096f57 8945d4       mov    dword ptr [ebp-2Ch],eax
84096f5a 89451c       mov    dword ptr [ebp+1Ch],eax
84096f5d 8945dc       mov    dword ptr [ebp-24h],eax
84096f60 8955b4       mov    dword ptr [ebp-4Ch],edx
84096f63 8165b40000c020  and    dword ptr [ebp-4Ch],20C00000h
84096f6a 0f84a1000000 je    nt!NtAllocateVirtualMemory+0x1202 (84097011)

nt!NtAllocateVirtualMemory+0x1161:
84096f70 f7c200004020 test edx,20400000h
84096f76 7425          je    nt!NtAllocateVirtualMemory+0x118e (84096f9d)

nt!NtAllocateVirtualMemory+0x1169:
84096f78 8b45e4       mov    eax,dword ptr [ebp-1Ch]
84096f7b 83b8e801000000  cmp    dword ptr [eax+1E8h],0
84096f82 751d          jne    nt!NtAllocateVirtualMemory+0x1192 (84096fa1)

nt!NtAllocateVirtualMemory+0x1175:
84096f84 e8ca1a0800    call nt!MmCreateMirror+0x2712 (84118a53)
84096f89 8945dc       mov    dword ptr [ebp-24h],eax
84096f8c 85c0          test eax,eax
84096f8e 7511          jne    nt!NtAllocateVirtualMemory+0x1192 (84096fa1)

nt!NtAllocateVirtualMemory+0x1181:
84096f90 6a00          push 0
84096f92 57             push edi
84096f93 e86d20edff    call nt!ExFreePoolWithTag (83f69005)
84096f98 e949ffffff    jmp    nt!NtAllocateVirtualMemory+0x10d7 (84096ee6)

nt!NtAllocateVirtualMemory+0x118e:
84096f9d 834de020       or    dword ptr [ebp-20h],20h

nt!NtAllocateVirtualMemory+0x1192:
84096fa1 684d6d7076    push 76706D4Dh
84096fa6 6a24          push 24h
84096fa8 6a00          push 0
84096faa e8fc2bedff    call nt!ExAllocatePoolWithTag (83f69bab)
84096faf 89451c       mov    dword ptr [ebp+1Ch],eax
84096fb2 85c0          test eax,eax
84096fb4 750e          jne    nt!NtAllocateVirtualMemory+0x11b5 (84096fc4)

nt!NtAllocateVirtualMemory+0x11a7:
84096fb6 8b75dc       mov    esi,dword ptr [ebp-24h]
84096fb9 85f6          test esi,esi
84096fbb 74d3          je    nt!NtAllocateVirtualMemory+0x1181 (84096f90)

nt!NtAllocateVirtualMemory+0x11ae:
84096fbd e8021b0800    call nt!MmCreateMirror+0x2783 (84118ac4)
84096fc2 ebcc          jmp    nt!NtAllocateVirtualMemory+0x1181 (84096f90)

nt!NtAllocateVirtualMemory+0x11b5:
84096fc4 8b4714       mov    eax,dword ptr [edi+14h]
84096fc7 f7451800004000  test dword ptr [ebp+18h],400000h
84096fce 740c          je    nt!NtAllocateVirtualMemory+0x11cd (84096fdc)

nt!NtAllocateVirtualMemory+0x11c1:
84096fd0 25ffffbfff    and    eax,0FFBFFFFFh
84096fd5 0d00003000    or    eax,300000h
84096fda eb1c          jmp    nt!NtAllocateVirtualMemory+0x11e9 (84096ff8)

nt!NtAllocateVirtualMemory+0x11cd:
84096fdc 837dd000       cmp    dword ptr [ebp-30h],0
84096fe0 740c          je    nt!NtAllocateVirtualMemory+0x11df (84096fee)

nt!NtAllocateVirtualMemory+0x11d3:
84096fe2 25ffffdfff    and    eax,0FFDFFFFFh
84096fe7 0d00005000    or    eax,500000h
84096fec eb0a          jmp    nt!NtAllocateVirtualMemory+0x11e9 (84096ff8)

nt!NtAllocateVirtualMemory+0x11df:
84096fee 25ffffefff    and    eax,0FFEFFFFFh
84096ff3 0d00006000    or    eax,600000h

nt!NtAllocateVirtualMemory+0x11e9:
84096ff8 894714       mov    dword ptr [edi+14h],eax
84096ffb 8bc8          mov    ecx,eax
84096ffd c1e914       shr    ecx,14h
84097000 83e107       and    ecx,7
84097003 8b451c       mov    eax,dword ptr [ebp+1Ch]
84097006 894818       mov    dword ptr [eax+18h],ecx
84097009 897814       mov    dword ptr [eax+14h],edi
8409700c e9dc000000    jmp    nt!NtAllocateVirtualMemory+0x12de (840970ed)

nt!NtAllocateVirtualMemory+0x1202:
84097011 f7c200002000 test edx,200000h
84097017 0f84d0000000 je    nt!NtAllocateVirtualMemory+0x12de (840970ed)

nt!NtAllocateVirtualMemory+0x120e:
8409701d 834de020       or    dword ptr [ebp-20h],20h
84097021 f645c81f       test byte ptr [ebp-38h],1Fh
84097025 6a00          push 0
84097027 58             pop    eax
84097028 0f95c0       setne al
8409702b 8b4dc8       mov    ecx,dword ptr [ebp-38h]
8409702e c1e905       shr    ecx,5
84097031 03c1          add    eax,ecx
84097033 8d048508000000  lea    eax,[eax*4+8]
8409703a 8945cc       mov    dword ptr [ebp-34h],eax
8409703d 684d6d7777    push 77776D4Dh
84097042 50             push eax
84097043 6a00          push 0
84097045 e8612bedff    call nt!ExAllocatePoolWithTag (83f69bab)
8409704a 8945d4       mov    dword ptr [ebp-2Ch],eax
8409704d 85c0          test eax,eax
8409704f 0f843bffffff je    nt!NtAllocateVirtualMemory+0x1181 (84096f90)

nt!NtAllocateVirtualMemory+0x1246:
84097055 ff75cc       push dword ptr [ebp-34h]
84097058 ff75e4       push dword ptr [ebp-1Ch]
8409705b e8ef2ee7ff    call nt!PsChargeProcessNonPagedPoolQuota (83f09f4f)
84097060 894510       mov    dword ptr [ebp+10h],eax
84097063 85c0          test eax,eax
84097065 7d17          jge    nt!NtAllocateVirtualMemory+0x126f (8409707e)

nt!NtAllocateVirtualMemory+0x1258:
84097067 6a00          push 0
84097069 57             push edi
8409706a e8961fedff    call nt!ExFreePoolWithTag (83f69005)
8409706f 6a00          push 0
84097071 ff75d4       push dword ptr [ebp-2Ch]

nt!NtAllocateVirtualMemory+0x1265:
84097074 e88c1fedff    call nt!ExFreePoolWithTag (83f69005)
84097079 e938030000    jmp    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0x126f:
8409707e 684d6d5777    push 77576D4Dh
84097083 6a24          push 24h
84097085 6a00          push 0
84097087 e81f2bedff    call nt!ExAllocatePoolWithTag (83f69bab)
8409708c 89451c       mov    dword ptr [ebp+1Ch],eax
8409708f 85c0          test eax,eax
84097091 7521          jne    nt!NtAllocateVirtualMemory+0x12a5 (840970b4)

nt!NtAllocateVirtualMemory+0x1284:
84097093 50             push eax
84097094 57             push edi
84097095 e86b1fedff    call nt!ExFreePoolWithTag (83f69005)
8409709a 6a00          push 0
8409709c ff75d4       push dword ptr [ebp-2Ch]
8409709f e8611fedff    call nt!ExFreePoolWithTag (83f69005)
840970a4 ff75cc       push dword ptr [ebp-34h]
840970a7 ff75e4       push dword ptr [ebp-1Ch]
840970aa e8bf9ee6ff    call nt!PsReturnProcessNonPagedPoolQuota (83f00f6e)
840970af e932feffff    jmp    nt!NtAllocateVirtualMemory+0x10d7 (84096ee6)

nt!NtAllocateVirtualMemory+0x12a5:
840970b4 8b4dc8       mov    ecx,dword ptr [ebp-38h]
840970b7 8b45d4       mov    eax,dword ptr [ebp-2Ch]
840970ba 8908          mov    dword ptr [eax],ecx
840970bc 8d4808       lea    ecx,[eax+8]
840970bf 894804       mov    dword ptr [eax+4],ecx
840970c2 50             push eax
840970c3 e892b9ddff    call nt!RtlClearAllBits (83e72a5a)
840970c8 8b4d1c       mov    ecx,dword ptr [ebp+1Ch]
840970cb 897914       mov    dword ptr [ecx+14h],edi
840970ce 8b45d4       mov    eax,dword ptr [ebp-2Ch]
840970d1 89411c       mov    dword ptr [ecx+1Ch],eax
840970d4 8b4714       mov    eax,dword ptr [edi+14h]
840970d7 25ffffcfff    and    eax,0FFCFFFFFh
840970dc 0d00004000    or    eax,400000h
840970e1 894714       mov    dword ptr [edi+14h],eax
840970e4 c1e814       shr    eax,14h
840970e7 83e007       and    eax,7
840970ea 894118       mov    dword ptr [ecx+18h],eax

nt!NtAllocateVirtualMemory+0x12de:
840970ed 66ff8b86000000  dec    word ptr [ebx+86h]
840970f4 8b4de4       mov    ecx,dword ptr [ebp-1Ch]
840970f7 81c100010000 add    ecx,100h
840970fd 8bc1          mov    eax,ecx
840970ff f00fba2800    lock bts dword ptr [eax],0
84097104 7305          jae    nt!NtAllocateVirtualMemory+0x12fc (8409710b)

nt!NtAllocateVirtualMemory+0x12f7:
84097106 e82826e5ff    call nt!ExfAcquirePushLockExclusive (83ee9733)

nt!NtAllocateVirtualMemory+0x12fc:
8409710b 808b8902000002  or    byte ptr [ebx+289h],2
84097112 8b45e4       mov    eax,dword ptr [ebp-1Ch]
84097115 f6807002000020  test byte ptr [eax+270h],20h
8409711c 741e          je    nt!NtAllocateVirtualMemory+0x132d (8409713c)

nt!NtAllocateVirtualMemory+0x130f:
8409711e c745100a0100c0  mov    dword ptr [ebp+10h],0C000010Ah
84097125 837ddc00       cmp    dword ptr [ebp-24h],0
84097129 0f84f4000000 je    nt!NtAllocateVirtualMemory+0x1414 (84097223)

nt!NtAllocateVirtualMemory+0x1320:
8409712f 8b75dc       mov    esi,dword ptr [ebp-24h]
84097132 e88d190800    call nt!MmCreateMirror+0x2783 (84118ac4)
84097137 e9e7000000    jmp    nt!NtAllocateVirtualMemory+0x1414 (84097223)

nt!NtAllocateVirtualMemory+0x132d:
8409713c f645e020       test byte ptr [ebp-20h],20h
84097140 7422          je    nt!NtAllocateVirtualMemory+0x1355 (84097164)

nt!NtAllocateVirtualMemory+0x1333:
84097142 8b45e4       mov    eax,dword ptr [ebp-1Ch]
84097145 83b81001000000  cmp    dword ptr [eax+110h],0
8409714c 7516          jne    nt!NtAllocateVirtualMemory+0x1355 (84097164)

nt!NtAllocateVirtualMemory+0x133f:
8409714e 50             push eax
8409714f e8a57addff    call nt!wcsicmp+0x160 (83e6ebf9)
84097154 85c0          test eax,eax
84097156 750c          jne    nt!NtAllocateVirtualMemory+0x1355 (84097164)

nt!NtAllocateVirtualMemory+0x1349:
84097158 c745109a0000c0  mov    dword ptr [ebp+10h],0C000009Ah
8409715f e9bf000000    jmp    nt!NtAllocateVirtualMemory+0x1414 (84097223)

nt!NtAllocateVirtualMemory+0x1355:
84097164 837ddc00       cmp    dword ptr [ebp-24h],0
84097168 740b          je    nt!NtAllocateVirtualMemory+0x1366 (84097175)

nt!NtAllocateVirtualMemory+0x135b:
8409716a 8b45dc       mov    eax,dword ptr [ebp-24h]
8409716d 8b4de4       mov    ecx,dword ptr [ebp-1Ch]
84097170 e86a190800    call nt!MmCreateMirror+0x279e (84118adf)

nt!NtAllocateVirtualMemory+0x1366:
84097175 837db000       cmp    dword ptr [ebp-50h],0
84097179 7567          jne    nt!NtAllocateVirtualMemory+0x13d3 (840971e2)

nt!NtAllocateVirtualMemory+0x136c:
8409717b f7451800001000  test dword ptr [ebp+18h],100000h
84097182 741d          je    nt!NtAllocateVirtualMemory+0x1392 (840971a1)

nt!NtAllocateVirtualMemory+0x1375:
84097184 8d45d8       lea    eax,[ebp-28h]
84097187 50             push eax
84097188 8b45e4       mov    eax,dword ptr [ebp-1Ch]
8409718b 0578020000    add    eax,278h
84097190 50             push eax
84097191 ff75bc       push dword ptr [ebp-44h]
84097194 8b45b8       mov    eax,dword ptr [ebp-48h]
84097197 8b55c4       mov    edx,dword ptr [ebp-3Ch]
8409719a e8348b0100    call nt!IoCreateStreamFileObjectLite+0x868 (840afcd3)
8409719f eb1c          jmp    nt!NtAllocateVirtualMemory+0x13ae (840971bd)

nt!NtAllocateVirtualMemory+0x1392:
840971a1 837dd000       cmp    dword ptr [ebp-30h],0
840971a5 7504          jne    nt!NtAllocateVirtualMemory+0x139c (840971ab)

nt!NtAllocateVirtualMemory+0x1398:
840971a7 834de040       or    dword ptr [ebp-20h],40h

nt!NtAllocateVirtualMemory+0x139c:
840971ab 8d45d8       lea    eax,[ebp-28h]
840971ae 50             push eax
840971af ff75c4       push dword ptr [ebp-3Ch]
840971b2 ff75b8       push dword ptr [ebp-48h]
840971b5 ff75bc       push dword ptr [ebp-44h]
840971b8 e8dd1b0300    call nt!FsRtlCurrentBatchOplock+0x685 (840c8d9a)

nt!NtAllocateVirtualMemory+0x13ae:
840971bd 894510       mov    dword ptr [ebp+10h],eax
840971c0 85c0          test eax,eax
840971c2 7c5f          jl    nt!NtAllocateVirtualMemory+0x1414 (84097223)

nt!NtAllocateVirtualMemory+0x13b5:
840971c4 8b45bc       mov    eax,dword ptr [ebp-44h]
840971c7 8b4dd8       mov    ecx,dword ptr [ebp-28h]
840971ca 8d7408ff       lea    esi,[eax+ecx-1]
840971ce 81ceff0f0000 or    esi,0FFFh
840971d4 3b75c4       cmp    esi,dword ptr [ebp-3Ch]
840971d7 7624          jbe    nt!NtAllocateVirtualMemory+0x13ee (840971fd)

nt!NtAllocateVirtualMemory+0x13ca:
840971d9 c74510170000c0  mov    dword ptr [ebp+10h],0C0000017h
840971e0 eb41          jmp    nt!NtAllocateVirtualMemory+0x1414 (84097223)

nt!NtAllocateVirtualMemory+0x13d3:
840971e2 ff75e4       push dword ptr [ebp-1Ch]
840971e5 8bce          mov    ecx,esi
840971e7 8b55d8       mov    edx,dword ptr [ebp-28h]
840971ea e86305e7ff    call nt!EtwProviderEnabled+0xdf6 (83f07752)
840971ef 83f801       cmp    eax,1
840971f2 7509          jne    nt!NtAllocateVirtualMemory+0x13ee (840971fd)

nt!NtAllocateVirtualMemory+0x13e5:
840971f4 c74510180000c0  mov    dword ptr [ebp+10h],0C0000018h
840971fb eb26          jmp    nt!NtAllocateVirtualMemory+0x1414 (84097223)

nt!NtAllocateVirtualMemory+0x13ee:
840971fd 8b45d8       mov    eax,dword ptr [ebp-28h]
84097200 c1e80c       shr    eax,0Ch
84097203 89470c       mov    dword ptr [edi+0Ch],eax
84097206 8bc6          mov    eax,esi
84097208 c1e80c       shr    eax,0Ch
8409720b 894710       mov    dword ptr [edi+10h],eax
8409720e ff75e4       push dword ptr [ebp-1Ch]
84097211 8bc7          mov    eax,edi
84097213 e877da0100    call nt!NtSetInformationThread+0x14e5 (840b4c8f)
84097218 894510       mov    dword ptr [ebp+10h],eax
8409721b 85c0          test eax,eax
8409721d 0f8d89000000 jge    nt!NtAllocateVirtualMemory+0x149d (840972ac)

nt!NtAllocateVirtualMemory+0x1414:
84097223 83c8ff       or    eax,0FFFFFFFFh
84097226 8b4de4       mov    ecx,dword ptr [ebp-1Ch]
84097229 81c100010000 add    ecx,100h
8409722f 8bd1          mov    edx,ecx
84097231 f00fc102       lock xadd dword ptr [edx],eax
84097235 a802          test al,2
84097237 7409          je    nt!NtAllocateVirtualMemory+0x1433 (84097242)

nt!NtAllocateVirtualMemory+0x142a:
84097239 a804          test al,4
8409723b 7505          jne    nt!NtAllocateVirtualMemory+0x1433 (84097242)

nt!NtAllocateVirtualMemory+0x142e:
8409723d e8cd39e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0x1433:
84097242 80a389020000fd  and    byte ptr [ebx+289h],0FDh
84097249 66ff8386000000  inc    word ptr [ebx+86h]
84097250 0fb78386000000  movzx eax,word ptr [ebx+86h]
84097257 33f6          xor    esi,esi
84097259 663bc6       cmp    ax,si
8409725c 750c          jne    nt!NtAllocateVirtualMemory+0x145b (8409726a)

nt!NtAllocateVirtualMemory+0x144f:
8409725e 83c340       add    ebx,40h
84097261 391b          cmp    dword ptr [ebx],ebx
84097263 7405          je    nt!NtAllocateVirtualMemory+0x145b (8409726a)

nt!NtAllocateVirtualMemory+0x1456:
84097265 e880c6ddff    call nt!KiCheckForKernelApcDelivery (83e738ea)

nt!NtAllocateVirtualMemory+0x145b:
8409726a 56             push esi
8409726b 57             push edi
8409726c e8941dedff    call nt!ExFreePoolWithTag (83f69005)
84097271 3975b4       cmp    dword ptr [ebp-4Ch],esi
84097274 7409          je    nt!NtAllocateVirtualMemory+0x1470 (8409727f)

nt!NtAllocateVirtualMemory+0x1467:
84097276 56             push esi
84097277 ff751c       push dword ptr [ebp+1Ch]
8409727a e9f5fdffff    jmp    nt!NtAllocateVirtualMemory+0x1265 (84097074)

nt!NtAllocateVirtualMemory+0x1470:
8409727f 3975cc       cmp    dword ptr [ebp-34h],esi
84097282 0f842e010000 je    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0x1479:
84097288 6a00          push 0
8409728a ff751c       push dword ptr [ebp+1Ch]
8409728d e8731dedff    call nt!ExFreePoolWithTag (83f69005)
84097292 6a00          push 0
84097294 ff75d4       push dword ptr [ebp-2Ch]
84097297 e8691dedff    call nt!ExFreePoolWithTag (83f69005)
8409729c ff75cc       push dword ptr [ebp-34h]
8409729f ff75e4       push dword ptr [ebp-1Ch]
840972a2 e8c79ce6ff    call nt!PsReturnProcessNonPagedPoolQuota (83f00f6e)
840972a7 e90a010000    jmp    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0x149d:
840972ac ff751c       push dword ptr [ebp+1Ch]
840972af ff7518       push dword ptr [ebp+18h]
840972b2 e87143e3ff    call nt!MmFreePagesFromMdl+0x68d (83ecb628)
840972b7 894510       mov    dword ptr [ebp+10h],eax
840972ba 85c0          test eax,eax
840972bc 0f8cf4000000 jl    nt!NtAllocateVirtualMemory+0x15a7 (840973b6)

nt!NtAllocateVirtualMemory+0x14b3:
840972c2 f645e040       test byte ptr [ebp-20h],40h
840972c6 740b          je    nt!NtAllocateVirtualMemory+0x14c4 (840972d3)

nt!NtAllocateVirtualMemory+0x14b9:
840972c8 8b4710       mov    eax,dword ptr [edi+10h]
840972cb 8b4f0c       mov    ecx,dword ptr [edi+0Ch]
840972ce e8bd5a0100    call nt!PsRevertThreadToSelf+0xb9 (840acd90)

nt!NtAllocateVirtualMemory+0x14c4:
840972d3 2b75d8       sub    esi,dword ptr [ebp-28h]
840972d6 46             inc    esi
840972d7 8b7de4       mov    edi,dword ptr [ebp-1Ch]
840972da 8d87e0000000 lea    eax,[edi+0E0h]
840972e0 0130          add    dword ptr [eax],esi
840972e2 8b10          mov    edx,dword ptr [eax]
840972e4 8d8fdc000000 lea    ecx,[edi+0DCh]
840972ea 3b11          cmp    edx,dword ptr [ecx]
840972ec 7604          jbe    nt!NtAllocateVirtualMemory+0x14e3 (840972f2)

nt!NtAllocateVirtualMemory+0x14df:
840972ee 8bc2          mov    eax,edx
840972f0 8901          mov    dword ptr [ecx],eax

nt!NtAllocateVirtualMemory+0x14e3:
840972f2 83c8ff       or    eax,0FFFFFFFFh
840972f5 8d8f00010000 lea    ecx,[edi+100h]
840972fb 8bd1          mov    edx,ecx
840972fd f00fc102       lock xadd dword ptr [edx],eax
84097301 a802          test al,2
84097303 7409          je    nt!NtAllocateVirtualMemory+0x14ff (8409730e)

nt!NtAllocateVirtualMemory+0x14f6:
84097305 a804          test al,4
84097307 7505          jne    nt!NtAllocateVirtualMemory+0x14ff (8409730e)

nt!NtAllocateVirtualMemory+0x14fa:
84097309 e80139e7ff    call nt!ExfTryToWakePushLock (83f0ac0f)

nt!NtAllocateVirtualMemory+0x14ff:
8409730e 80a389020000fd  and    byte ptr [ebx+289h],0FDh
84097315 66ff8386000000  inc    word ptr [ebx+86h]
8409731c 0fb78386000000  movzx eax,word ptr [ebx+86h]
84097323 6685c0       test ax,ax
84097326 750c          jne    nt!NtAllocateVirtualMemory+0x1525 (84097334)

nt!NtAllocateVirtualMemory+0x1519:
84097328 83c340       add    ebx,40h
8409732b 391b          cmp    dword ptr [ebx],ebx
8409732d 7405          je    nt!NtAllocateVirtualMemory+0x1525 (84097334)

nt!NtAllocateVirtualMemory+0x1520:
8409732f e8b6c5ddff    call nt!KiCheckForKernelApcDelivery (83e738ea)

nt!NtAllocateVirtualMemory+0x1525:
84097334 f645e001       test byte ptr [ebp-20h],1
84097338 740c          je    nt!NtAllocateVirtualMemory+0x1537 (84097346)

nt!NtAllocateVirtualMemory+0x152b:
8409733a 8d8558ffffff lea    eax,[ebp-0A8h]
84097340 50             push eax
84097341 e8fe89e4ff    call nt!KeUnstackDetachProcess (83edfd44)

nt!NtAllocateVirtualMemory+0x1537:
84097346 f70584f8f78300800000 test dword ptr [nt!KeTickCount+0x8404 (83f7f884)],8000h
84097350 7428          je    nt!NtAllocateVirtualMemory+0x156b (8409737a)

nt!NtAllocateVirtualMemory+0x1543:
84097352 f7451800300000  test dword ptr [ebp+18h],3000h
84097359 741f          je    nt!NtAllocateVirtualMemory+0x156b (8409737a)

nt!NtAllocateVirtualMemory+0x154c:
8409735b 8b45b0       mov    eax,dword ptr [ebp-50h]
8409735e f7d8          neg    eax
84097360 1bc0          sbb    eax,eax
84097362 2500e0ffff    and    eax,0FFFFE000h
84097367 0500200000    add    eax,2000h
8409736c 0b4518       or    eax,dword ptr [ebp+18h]
8409736f 50             push eax
84097370 57             push edi
84097371 56             push esi
84097372 8b45d8       mov    eax,dword ptr [ebp-28h]
84097375 e8d13cecff    call nt!EtwWriteString+0xa08 (83f5b04b)

nt!NtAllocateVirtualMemory+0x156b:
8409737a 837d08ff       cmp    dword ptr [ebp+8],0FFFFFFFFh
8409737e 7407          je    nt!NtAllocateVirtualMemory+0x1578 (84097387)

nt!NtAllocateVirtualMemory+0x1571:
84097380 8bcf          mov    ecx,edi
84097382 e83cbbe1ff    call nt!ObfDereferenceObject (83eb2ec3)

nt!NtAllocateVirtualMemory+0x1578:
84097387 c745fc01000000  mov    dword ptr [ebp-4],1
8409738e 8b4514       mov    eax,dword ptr [ebp+14h]
84097391 8930          mov    dword ptr [eax],esi

nt!NtAllocateVirtualMemory+0x1584:
84097393 8b450c       mov    eax,dword ptr [ebp+0Ch]
84097396 8b4dd8       mov    ecx,dword ptr [ebp-28h]
84097399 8908          mov    dword ptr [eax],ecx
8409739b eb07          jmp    nt!NtAllocateVirtualMemory+0x1595 (840973a4)

nt!NtAllocateVirtualMemory+0x1595:
840973a4 c745fcfeffffff  mov    dword ptr [ebp-4],0FFFFFFFEh
840973ab 33c0          xor    eax,eax
840973ad eb4d          jmp    nt!NtAllocateVirtualMemory+0x15ed (840973fc)

nt!NtAllocateVirtualMemory+0x15a0:
840973af c74510450000c0  mov    dword ptr [ebp+10h],0C0000045h

nt!NtAllocateVirtualMemory+0x15a7:
840973b6 f645e001       test byte ptr [ebp-20h],1
840973ba 740c          je    nt!NtAllocateVirtualMemory+0x15b9 (840973c8)

nt!NtAllocateVirtualMemory+0x15ad:
840973bc 8d8558ffffff lea    eax,[ebp-0A8h]
840973c2 50             push eax
840973c3 e87c89e4ff    call nt!KeUnstackDetachProcess (83edfd44)

nt!NtAllocateVirtualMemory+0x15b9:
840973c8 837d08ff       cmp    dword ptr [ebp+8],0FFFFFFFFh
840973cc 0f843ff9ffff je    nt!NtAllocateVirtualMemory+0xf02 (84096d11)

nt!NtAllocateVirtualMemory+0x15c3:
840973d2 8b4de4       mov    ecx,dword ptr [ebp-1Ch]
840973d5 e8e9bae1ff    call nt!ObfDereferenceObject (83eb2ec3)
840973da e932f9ffff    jmp    nt!NtAllocateVirtualMemory+0xf02 (84096d11)

nt!NtAllocateVirtualMemory+0x15ed:
840973fc e84c31e2ff    call nt!strchr+0x15d (83eba54d)
84097401 c21800       ret    18h

2016-4-24 19:35

0