-
-
[原创]X86下获取SSDT表的方法
-
发表于:
2017-4-1 21:01
3472
-
一 通过KTHREAD结构字段获得
1: kd> uf nt!PsGetCurrentProcess
nt!PsGetCurrentProcess:
83e9ffce 64a124010000 mov eax,dword ptr fs:[00000124h]
83e9ffd4 8b4050 mov eax,dword ptr [eax+50h]
83e9ffd7 c3 ret
2: kd> dps fs:[00000124h]
0030:00000124 86d11a70
3: kd> dt nt!_KTHREAD 86d11a70
... ...
+0x0bc ServiceTable : 0x83f7fb00 Void
... ...
二 通过KeServiceDescriptorTable
UNICODE_STRING usKeSDTName;
RtlInitUnicodeString(&usKeSDTName, L"KeServiceDescriptorTable");
PVOID usKeSDTAddr = MmGetSystemRoutineAddress(&usKeSDTName);
值也是 0x83f7fb00
三 直接使用KeSystemSeriveTable?
和 extern "C" PULONG InitSafeBootMode;一样?
四 看看具体内容
1: kd> dps 83f7fb00
83f7fb00 83e9443c nt!KiServiceTable
83f7fb04 00000000
83f7fb08 00000191
83f7fb0c 83e94a84 nt!KiArgumentTable
83f7fb10 00000000
83f7fb14 00000000
83f7fb18 00000000
83f7fb1c 00000000
83f7fb20 841da5b0 nt!_NULL_IMPORT_DESCRIPTOR+0x1be2
83f7fb24 841434f2 nt!KdpTrap
83f7fb28 83ef338b nt!KdpSwitchProcessor
83f7fb2c 00000000
83f7fb30 03b770bf
83f7fb34 0000002e
83f7fb38 00000011
83f7fb3c 00000100
83f7fb40 83e9443c nt!KiServiceTable
83f7fb44 00000000
83f7fb48 00000191
83f7fb4c 83e94a84 nt!KiArgumentTable
83f7fb50 9ad86000 win32k!W32pServiceTable
83f7fb54 00000000
83f7fb58 00000339
83f7fb5c 9ad8702c win32k!W32pArgumentTable
83f7fb60 5385d2ba
83f7fb64 d717548f
83f7fb68 00000000
83f7fb6c 00000000
83f7fb70 83f7fb6c nt!KiNonNumaDistance
83f7fb74 00000340
83f7fb78 00000340
83f7fb7c 86d29900
2: kd> dps 83e9443c L192
83e9443c 8408ffbf nt!NtAcceptConnectPort
83e94440 83ed7855 nt!NtAccessCheck
83e94444 8401fd47 nt!NtAccessCheckAndAuditAlarm
83e94448 83e3b897 nt!NtAccessCheckByType
83e9444c 84091895 nt!NtAccessCheckByTypeAndAuditAlarm
83e94450 83f14112 nt!NtAccessCheckByTypeResultList
83e94454 841020d7 nt!NtAccessCheckByTypeResultListAndAuditAlarm
83e94458 84102120 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
83e9445c 84014563 nt!NtAddAtom
83e94460 8411b9d4 nt!NtAddBootEntry
83e94464 8411cc2d nt!NtAddDriverEntry
83e94468 8400ad3b nt!NtAdjustGroupsToken
83e9446c 8409bed3 nt!NtAdjustPrivilegesToken
83e94470 840f4da3 nt!NtAlertResumeThread
83e94474 84047cc7 nt!NtAlertThread
83e94478 840178ab nt!NtAllocateLocallyUniqueId
83e9447c 83fad9e3 nt!NtAllocateReserveObject
83e94480 840e6c88 nt!NtAllocateUserPhysicalPages
83e94484 83ffe28c nt!NtAllocateUuids
83e94488 84040cbc nt!NtAllocateVirtualMemory
83e9448c 8408d191 nt!NtAlpcAcceptConnectPort
83e94490 83fee300 nt!NtAlpcCancelMessage
83e94494 8408c59e nt!NtAlpcConnectPort
83e94498 8400bdb2 nt!NtAlpcCreatePort
83e9449c 8409d95a nt!NtAlpcCreatePortSection
83e944a0 8400e435 nt!NtAlpcCreateResourceReserve
83e944a4 8409d73a nt!NtAlpcCreateSectionView
83e944a8 84095e92 nt!NtAlpcCreateSecurityContext
83e944ac 840202cf nt!NtAlpcDeletePortSection
83e944b0 840e1a25 nt!NtAlpcDeleteResourceReserve
83e944b4 8409325f nt!NtAlpcDeleteSectionView
83e944b8 8409db8c nt!NtAlpcDeleteSecurityContext
83e944bc 84076577 nt!NtAlpcDisconnectPort
83e944c0 840912c4 nt!NtAlpcImpersonateClientOfPort
83e944c4 84022ef4 nt!NtAlpcOpenSenderProcess
83e944c8 84016eed nt!NtAlpcOpenSenderThread
83e944cc 84008cb8 nt!NtAlpcQueryInformation
83e944d0 84076dfe nt!NtAlpcQueryInformationMessage
83e944d4 840e1b49 nt!NtAlpcRevokeSecurityContext
83e944d8 84069225 nt!NtAlpcSendWaitReceivePort
83e944dc 840168fd nt!NtAlpcSetInformation
83e944e0 840283df nt!NtApphelpCacheControl
83e944e4 83fe41ab nt!NtAreMappedFilesTheSame
83e944e8 840160cc nt!NtAssignProcessToJobObject
83e944ec 83e94f60 nt!NtCallbackReturn
83e944f0 83fdf68b nt!NtCancelIoFile
83e944f4 84013e8d nt!NtCancelIoFileEx
83e944f8 840ce35c nt!NtCancelSynchronousIoFile
83e944fc 83e413e6 nt!NtCancelTimer
83e94500 84042dd0 nt!NtClearEvent
83e94504 8405b5c8 nt!NtClose
83e94508 840917c4 nt!NtCloseObjectAuditAlarm
83e9450c 841099ca nt!NtCommitComplete
83e94510 841096ea nt!NtCommitEnlistment
83e94514 83feaa81 nt!NtCommitTransaction
83e94518 840b33b3 nt!NtCompactKeys
83e9451c 84011e43 nt!NtCompareTokens
83e94520 84016ee3 nt!NtCompleteConnectPort
83e94524 840b361f nt!NtCompressKey
83e94528 8408f0a0 nt!NtConnectPort
83e9452c 83e572c0 nt!NtContinue
83e94530 840c401d nt!NtCreateDebugObject
83e94534 840196e4 nt!NtCreateDirectoryObject
83e94538 83fbbb05 nt!NtCreateEnlistment
83e9453c 840578be nt!NtCreateEvent
83e94540 841216d4 nt!NtCreateEventPair
83e94544 84066470 nt!NtCreateFile
83e94548 84071a42 nt!NtCreateIoCompletion
83e9454c 84008abf nt!NtCreateJobObject
83e94550 840f6b1e nt!NtCreateJobSet
83e94554 84018009 nt!NtCreateKey
83e94558 84026ee2 nt!NtCreateKeyedEvent
83e9455c 83fe8afe nt!NtCreateKeyTransacted
83e94560 8401c50e nt!NtCreateMailslotFile
83e94564 8402735a nt!NtCreateMutant
83e94568 8409788f nt!NtCreateNamedPipeFile
83e9456c 83fa349e nt!NtCreatePagingFile
83e94570 840088a6 nt!NtCreatePort
83e94574 83fea647 nt!NtCreatePrivateNamespace
83e94578 840f31d1 nt!NtCreateProcess
83e9457c 840f321c nt!NtCreateProcessEx
83e94580 84122167 nt!NtCreateProfile
83e94584 8412212d nt!NtCreateProfileEx
83e94588 83fbe421 nt!NtCreateResourceManager
83e9458c 8403a13d nt!NtCreateSection
83e94590 8401cb6c nt!NtCreateSemaphore
83e94594 840189d4 nt!NtCreateSymbolicLinkObject
83e94598 840f2fda nt!NtCreateThread
83e9459c 840874ab nt!NtCreateThreadEx
83e945a0 840154ff nt!NtCreateTimer
83e945a4 8401bca7 nt!NtCreateToken
83e945a8 83fe6f2a nt!NtCreateTransaction
83e945ac 83fbe22d nt!NtCreateTransactionManager
83e945b0 840853dd nt!NtCreateUserProcess
83e945b4 83fbb1e4 nt!NtCreateWaitablePort
83e945b8 840270fd nt!NtCreateWorkerFactory
83e945bc 840c4eda nt!NtDebugActiveProcess
83e945c0 840c5597 nt!NtDebugContinue
83e945c4 8403fbc9 nt!NtDelayExecution
83e945c8 840031c2 nt!NtDeleteAtom
83e945cc 8411ba07 nt!NtDeleteBootEntry
83e945d0 8411cc5f nt!NtDeleteDriverEntry
83e945d4 83faf75d nt!NtDeleteFile
83e945d8 84002a58 nt!NtDeleteKey
83e945dc 840a1d7d nt!NtDeleteObjectAuditAlarm
83e945e0 840aaa94 nt!NtDeletePrivateNamespace
83e945e4 83ff4461 nt!NtDeleteValueKey
83e945e8 8408a74f nt!NtDeviceIoControlFile
83e945ec 840de884 nt!NtDisableLastKnownGood
83e945f0 84119c5b nt!NtDisplayString
83e945f4 83f2afa8 nt!NtDrawText
83e945f8 84048761 nt!NtDuplicateObject
83e945fc 84082cfb nt!NtDuplicateToken
83e94600 840de965 nt!NtEnableLastKnownGood
83e94604 8411bc09 nt!NtEnumerateBootEntries
83e94608 8411ce5f nt!NtEnumerateDriverEntries
83e9460c 8407dde0 nt!NtEnumerateKey
83e94610 8411b7e7 nt!NtEnumerateSystemEnvironmentValuesEx
83e94614 8410a50a nt!NtEnumerateTransactionObject
83e94618 84080246 nt!NtEnumerateValueKey
83e9461c 840e4e07 nt!NtExtendSection
83e94620 83ffbebf nt!NtFilterToken
83e94624 84007a46 nt!NtFindAtom
83e94628 8401f2f6 nt!NtFlushBuffersFile
83e9462c 83fab9ca nt!NtFlushInstallUILanguage
83e94630 840166bd nt!NtFlushInstructionCache
83e94634 83ff5b06 nt!NtFlushKey
83e94638 83e3c1be nt!NtFlushProcessWriteBuffers
83e9463c 83ff1220 nt!NtFlushVirtualMemory
83e94640 840e7da7 nt!NtFlushWriteBuffer
83e94644 840e7429 nt!NtFreeUserPhysicalPages
83e94648 83ecf82c nt!NtFreeVirtualMemory
83e9464c 83eea3a2 nt!NtFreezeRegistry
83e94650 8410a95a nt!NtFreezeTransactions
83e94654 8406ca4d nt!NtFsControlFile
83e94658 840ac15f nt!NtGetContextThread
83e9465c 840ac0f4 nt!NtGetCurrentProcessorNumber
83e94660 840f020f nt!NtGetDevicePowerState
83e94664 84027f73 nt!NtGetMUIRegistryInfo
83e94668 840f4f94 nt!NtGetNextProcess
83e9466c 840a3fa8 nt!NtGetNextThread
83e94670 83ff06b6 nt!NtGetNlsSectionPtr
83e94674 8410aaba nt!NtGetNotificationResourceManager
83e94678 83fd5f2f nt!NtGetPlugPlayEvent
83e9467c 83f014a1 nt!NtGetWriteWatch
83e94680 8400c970 nt!NtImpersonateAnonymousToken
83e94684 840e0b8f nt!NtImpersonateClientOfPort
83e94688 84090992 nt!NtImpersonateThread
83e9468c 840732e8 nt!NtInitializeNlsFiles
83e94690 83faf27a nt!NtInitializeRegistry
83e94694 840a6961 nt!NtInitiatePowerAction
83e94698 840a807b nt!NtIsProcessInJob
83e9469c 840f01f6 nt!NtIsSystemResumeAutomatic
83e946a0 83fa9ea4 nt!NtIsUILanguageComitted
83e946a4 83fa6d30 nt!NtListenPort
83e946a8 83fdcc40 nt!NtLoadDriver
83e946ac 83fa84e1 nt!NtLoadKey
83e946b0 83f95a69 nt!NtLoadKey2
83e946b4 83fb8f22 nt!NtLoadKeyEx
83e946b8 8401a50a nt!NtLockFile
83e946bc 83f8f07a nt!NtLockProductActivationKeys
83e946c0 83f8a6ec nt!NtLockRegistryKey
83e946c4 83e3b19e nt!NtLockVirtualMemory
83e946c8 83fdd279 nt!NtMakePermanentObject
83e946cc 84022a30 nt!NtMakeTemporaryObject
83e946d0 8402751f nt!NtMapCMFModule
83e946d4 840e5f49 nt!NtMapUserPhysicalPages
83e946d8 840e651f nt!NtMapUserPhysicalPagesScatter
83e946dc 8405d5f1 nt!NtMapViewOfSection
83e946e0 8411bbd8 nt!NtModifyBootEntry
83e946e4 8411ce30 nt!NtModifyDriverEntry
83e946e8 8400cf5c nt!NtNotifyChangeDirectoryFile
83e946ec 84010fbd nt!NtNotifyChangeKey
83e946f0 840100df nt!NtNotifyChangeMultipleKeys
83e946f4 83fd6e33 nt!NtNotifyChangeSession
83e946f8 840597d2 nt!NtOpenDirectoryObject
83e946fc 84108f51 nt!NtOpenEnlistment
83e94700 84026d56 nt!NtOpenEvent
83e94704 841217d5 nt!NtOpenEventPair
83e94708 84048d81 nt!NtOpenFile
83e9470c 840ce057 nt!NtOpenIoCompletion
83e94710 840f6497 nt!NtOpenJobObject
83e94714 840628d2 nt!NtOpenKey
83e94718 84026ca1 nt!NtOpenKeyEx
83e9471c 84121b0b nt!NtOpenKeyedEvent
83e94720 83fe6231 nt!NtOpenKeyTransacted
83e94724 83fe61c1 nt!NtOpenKeyTransactedEx
83e94728 8407845d nt!NtOpenMutant
83e9472c 83fef5a2 nt!NtOpenObjectAuditAlarm
83e94730 83ff0ff7 nt!NtOpenPrivateNamespace
83e94734 84028ba1 nt!NtOpenProcess
83e94738 8407b37f nt!NtOpenProcessToken
83e9473c 84068e52 nt!NtOpenProcessTokenEx
83e94740 83f94114 nt!NtOpenResourceManager
83e94744 840809fb nt!NtOpenSection
83e94748 83ffc204 nt!NtOpenSemaphore
83e9474c 8409dd15 nt!NtOpenSession
83e94750 84064dff nt!NtOpenSymbolicLinkObject
83e94754 84075102 nt!NtOpenThread
83e94758 8408f67b nt!NtOpenThreadToken
83e9475c 84068f69 nt!NtOpenThreadTokenEx
83e94760 8412147b nt!NtOpenTimer
83e94764 84109caf nt!NtOpenTransaction
83e94768 8410af4f nt!NtOpenTransactionManager
83e9476c 83ffa63e nt!NtPlugPlayControl
83e94770 84057bbd nt!NtPowerInformation
83e94774 8410985a nt!NtPrepareComplete
83e94778 84109578 nt!NtPrepareEnlistment
83e9477c 84109912 nt!NtPrePrepareComplete
83e94780 84109632 nt!NtPrePrepareEnlistment
83e94784 8400dae5 nt!NtPrivilegeCheck
83e94788 83fdd028 nt!NtPrivilegedServiceAuditAlarm
83e9478c 83ff7b8a nt!NtPrivilegeObjectAuditAlarm
83e94790 8410b6aa nt!NtPropagationComplete
83e94794 8410b772 nt!NtPropagationFailed
83e94798 84059651 nt!NtProtectVirtualMemory
83e9479c 840aa945 nt!NtPulseEvent
83e947a0 8406ed4c nt!NtQueryAttributesFile
83e947a4 8411c0aa nt!NtQueryBootEntryOrder
83e947a8 8411c4ef nt!NtQueryBootOptions
83e947ac 83edb176 nt!NtQueryDebugFilterState
83e947b0 8408df23 nt!NtQueryDefaultLocale
83e947b4 83fba00c nt!NtQueryDefaultUILanguage
83e947b8 8404af82 nt!NtQueryDirectoryFile
83e947bc 8406fdcb nt!NtQueryDirectoryObject
83e947c0 8411c9ed nt!NtQueryDriverEntryOrder
83e947c4 83fa8c05 nt!NtQueryEaFile
83e947c8 840119c4 nt!NtQueryEvent
83e947cc 8409796b nt!NtQueryFullAttributesFile
83e947d0 84003393 nt!NtQueryInformationAtom
83e947d4 8410915c nt!NtQueryInformationEnlistment
83e947d8 8406ca80 nt!NtQueryInformationFile
83e947dc 840a349d nt!NtQueryInformationJobObject
83e947e0 840e0bc4 nt!NtQueryInformationPort
83e947e4 8404d8b5 nt!NtQueryInformationProcess
83e947e8 8410abc4 nt!NtQueryInformationResourceManager
83e947ec 840740e8 nt!NtQueryInformationThread
83e947f0 84069389 nt!NtQueryInformationToken
83e947f4 84109ea2 nt!NtQueryInformationTransaction
83e947f8 83f93c1c nt!NtQueryInformationTransactionManager
83e947fc 83f2bbcf nt!NtQueryInformationWorkerFactory
83e94800 83ff5d78 nt!NtQueryInstallUILanguage
83e94804 841224d7 nt!NtQueryIntervalProfile
83e94808 840ce11a nt!NtQueryIoCompletion
83e9480c 84062f3e nt!NtQueryKey
83e94810 8401906c nt!NtQueryLicenseValue
83e94814 83ff7df9 nt!NtQueryMultipleValueKey
83e94818 84121be8 nt!NtQueryMutant
83e9481c 840180b5 nt!NtQueryObject
83e94820 840b2ea5 nt!NtQueryOpenSubKeys
83e94824 840a1196 nt!NtQueryOpenSubKeysEx
83e94828 8402743b nt!NtQueryPerformanceCounter
83e9482c 840f369c nt!NtQueryPortInformationProcess
83e94830 840cf6f5 nt!NtQueryQuotaInformationFile
83e94834 8408dd7d nt!NtQuerySection
83e94838 8400d476 nt!NtQuerySecurityAttributesToken
83e9483c 84010ff2 nt!NtQuerySecurityObject
83e94840 8411aa68 nt!NtQuerySemaphore
83e94844 84064ea5 nt!NtQuerySymbolicLinkObject
83e94848 8411ac3f nt!NtQuerySystemEnvironmentValue
83e9484c 8411b233 nt!NtQuerySystemEnvironmentValueEx
83e94850 84046f45 nt!NtQuerySystemInformation
83e94854 84080164 nt!NtQuerySystemInformationEx
83e94858 8408de8e nt!NtQuerySystemTime
83e9485c 8412153a nt!NtQueryTimer
83e94860 84003870 nt!NtQueryTimerResolution
83e94864 84061695 nt!NtQueryValueKey
83e94868 84072a82 nt!NtQueryVirtualMemory
83e9486c 8406d673 nt!NtQueryVolumeInformationFile
83e94870 84012e50 nt!NtQueueApcThread
83e94874 8400f00d nt!NtQueueApcThreadEx
83e94878 83e57308 nt!NtRaiseException
83e9487c 83fee16b nt!NtRaiseHardError
83e94880 84079007 nt!NtReadFile
83e94884 83fae762 nt!NtReadFileScatter
83e94888 84109b3a nt!NtReadOnlyEnlistment
83e9488c 840e0ca9 nt!NtReadRequestData
83e94890 84076ba7 nt!NtReadVirtualMemory
83e94894 84109102 nt!NtRecoverEnlistment
83e94898 83fbe94e nt!NtRecoverResourceManager
83e9489c 83fc01ea nt!NtRecoverTransactionManager
83e948a0 8410b4fe nt!NtRegisterProtocolAddressInformation
83e948a4 840f43dc nt!NtRegisterThreadTerminatePort
83e948a8 8404735e nt!NtReleaseKeyedEvent
83e948ac 8403facd nt!NtReleaseMutant
83e948b0 84029d2f nt!NtReleaseSemaphore
83e948b4 83e9a097 nt!NtReleaseWorkerFactoryWorker
83e948b8 8401cc6d nt!NtRemoveIoCompletion
83e948bc 84017c6d nt!NtRemoveIoCompletionEx
83e948c0 840c5025 nt!NtRemoveProcessDebug
83e948c4 840b30eb nt!NtRenameKey
83e948c8 8410b19a nt!NtRenameTransactionManager
83e948cc 840b2c38 nt!NtReplaceKey
83e948d0 83ef30af nt!NtReplacePartitionUnit
83e948d4 84007b84 nt!NtReplyPort
83e948d8 8404f854 nt!NtReplyWaitReceivePort
83e948dc 8404f3d7 nt!NtReplyWaitReceivePortEx
83e948e0 840e0e77 nt!NtReplyWaitReplyPort
83e948e4 840977cb nt!NtRequestPort
83e948e8 84054b22 nt!NtRequestWaitReplyPort
83e948ec 83ff2fbe nt!NtResetEvent
83e948f0 83f01af2 nt!NtResetWriteWatch
83e948f4 840a8ca2 nt!NtRestoreKey
83e948f8 840f4d3d nt!NtResumeProcess
83e948fc 840876d2 nt!NtResumeThread
83e94900 84109bf2 nt!NtRollbackComplete
83e94904 841097a2 nt!NtRollbackEnlistment
83e94908 83fbcd2c nt!NtRollbackTransaction
83e9490c 8410b2fc nt!NtRollforwardTransactionManager
83e94910 840aa514 nt!NtSaveKey
83e94914 840a9cba nt!NtSaveKeyEx
83e94918 840b1f5b nt!NtSaveMergedKeys
83e9491c 84075137 nt!NtSecureConnectPort
83e94920 83fa1f9f nt!NtSerializeBoot
83e94924 8411c2eb nt!NtSetBootEntryOrder
83e94928 8411c7d7 nt!NtSetBootOptions
83e9492c 840f484f nt!NtSetContextThread
83e94930 83f879d4 nt!NtSetDebugFilterState
83e94934 83fa5950 nt!NtSetDefaultHardErrorPort
83e94938 83fb9d91 nt!NtSetDefaultLocale
83e9493c 83fba300 nt!NtSetDefaultUILanguage
83e94940 8411d261 nt!NtSetDriverEntryOrder
83e94944 840cf188 nt!NtSetEaFile
83e94948 84040938 nt!NtSetEvent
83e9494c 8411a723 nt!NtSetEventBoostPriority
83e94950 84121aa1 nt!NtSetHighEventPair
83e94954 841219d3 nt!NtSetHighWaitLowEventPair
83e94958 840c575d nt!NtSetInformationDebugObject
83e9495c 841093a2 nt!NtSetInformationEnlistment
83e94960 8406db07 nt!NtSetInformationFile
83e94964 84012e74 nt!NtSetInformationJobObject
83e94968 840b274d nt!NtSetInformationKey
83e9496c 8401f4f3 nt!NtSetInformationObject
83e94970 8404f875 nt!NtSetInformationProcess
83e94974 8410add2 nt!NtSetInformationResourceManager
83e94978 84080e36 nt!NtSetInformationThread
83e9497c 8401a95f nt!NtSetInformationToken
83e94980 8410a704 nt!NtSetInformationTransaction
83e94984 8410b3c1 nt!NtSetInformationTransactionManager
83e94988 83ec36a5 nt!NtSetInformationWorkerFactory
83e9498c 841224b4 nt!NtSetIntervalProfile
83e94990 83ffacba nt!NtSetIoCompletion
83e94994 840ce240 nt!NtSetIoCompletionEx
83e94998 840f6157 nt!NtSetLdtEntries
83e9499c 84121a3e nt!NtSetLowEventPair
83e949a0 84121968 nt!NtSetLowWaitHighEventPair
83e949a4 840cfd0b nt!NtSetQuotaInformationFile
83e949a8 84018805 nt!NtSetSecurityObject
83e949ac 8411af39 nt!NtSetSystemEnvironmentValue
83e949b0 8411b54b nt!NtSetSystemEnvironmentValueEx
83e949b4 8406537a nt!NtSetSystemInformation
83e949b8 84138e4a nt!NtSetSystemPowerState
83e949bc 840a720e nt!NtSetSystemTime
83e949c0 840adeeb nt!NtSetThreadExecutionState
83e949c4 83e9a1c1 nt!NtSetTimer
83e949c8 83eac8b2 nt!NtSetTimerEx
83e949cc 84007c85 nt!NtSetTimerResolution
83e949d0 83fa9392 nt!NtSetUuidSeed
83e949d4 84021606 nt!NtSetValueKey
83e949d8 840cfd25 nt!NtSetVolumeInformationFile
83e949dc 84119c19 nt!NtShutdownSystem
83e949e0 84029b7c nt!NtShutdownWorkerFactory
83e949e4 83ee43fe nt!NtSignalAndWaitForSingleObject
83e949e8 84109a82 nt!NtSinglePhaseReject
83e949ec 841221f0 nt!NtStartProfile
83e949f0 841223e7 nt!NtStopProfile
83e949f4 840f4cdf nt!NtSuspendProcess
83e949f8 840ac1cb nt!NtSuspendThread
83e949fc 8409c802 nt!NtSystemDebugControl
83e94a00 840094b7 nt!NtTerminateJobObject
83e94a04 84071d9a nt!NtTerminateProcess
83e94a08 8408f6cb nt!NtTerminateThread
83e94a0c 84086e81 nt!NtTestAlert
83e94a10 83eea405 nt!NtThawRegistry
83e94a14 8410aa3a nt!NtThawTransactions
83e94a18 84066c47 nt!NtTraceControl
83e94a1c 83eddae2 nt!NtTraceEvent
83e94a20 8411d465 nt!NtTranslateFilePath
83e94a24 840e0b3f nt!NtUmsThreadYield
83e94a28 840d0583 nt!NtUnloadDriver
83e94a2c 8409f8a1 nt!NtUnloadKey
83e94a30 8409f8bb nt!NtUnloadKey2
83e94a34 840b20f3 nt!NtUnloadKeyEx
83e94a38 8401d08e nt!NtUnlockFile
83e94a3c 83e33b24 nt!NtUnlockVirtualMemory
83e94a40 8407b9ba nt!NtUnmapViewOfSection
83e94a44 8410ed35 nt!NtVdmControl
83e94a48 840c527b nt!NtWaitForDebugEvent
83e94a4c 84047087 nt!NtWaitForKeyedEvent
83e94a50 8403f68f nt!NtWaitForMultipleObjects
83e94a54 840eacf0 nt!NtWaitForMultipleObjects32
83e94a58 8403ed41 nt!NtWaitForSingleObject
83e94a5c 83e99c20 nt!NtWaitForWorkViaWorkerFactory
83e94a60 841218ff nt!NtWaitHighEventPair
83e94a64 84121896 nt!NtWaitLowEventPair
83e94a68 83ed3ed7 nt!NtWorkerFactoryWorkerReady
83e94a6c 840862b2 nt!NtWriteFile
83e94a70 83fb63a7 nt!NtWriteFileGather
83e94a74 840e0d16 nt!NtWriteRequestData
83e94a78 84076a97 nt!NtWriteVirtualMemory
83e94a7c 83e41c55 nt!NtYieldExecution
83e94a80 00000191
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
