Last active
November 24, 2019 22:18
-
-
Save jthuraisamy/15625e83ad10ba85eaf544ce4bf78ec0 to your computer and use it in GitHub Desktop.
AV/EDR Evasion with Direct System Calls (x64)
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .code | |
| NtAcceptConnectPort PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAcceptConnectPort_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAcceptConnectPort_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAcceptConnectPort_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAcceptConnectPort_Check_10_0_XXXX | |
| jmp NtAcceptConnectPort_SystemCall_Unknown | |
| NtAcceptConnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAcceptConnectPort_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAcceptConnectPort_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAcceptConnectPort_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAcceptConnectPort_SystemCall_6_3_XXXX | |
| jmp NtAcceptConnectPort_SystemCall_Unknown | |
| NtAcceptConnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAcceptConnectPort_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAcceptConnectPort_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAcceptConnectPort_SystemCall_6_0_6002 | |
| jmp NtAcceptConnectPort_SystemCall_Unknown | |
| NtAcceptConnectPort_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAcceptConnectPort_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAcceptConnectPort_SystemCall_6_1_7601 | |
| jmp NtAcceptConnectPort_SystemCall_Unknown | |
| NtAcceptConnectPort_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAcceptConnectPort_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAcceptConnectPort_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAcceptConnectPort_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAcceptConnectPort_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAcceptConnectPort_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAcceptConnectPort_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAcceptConnectPort_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAcceptConnectPort_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAcceptConnectPort_SystemCall_10_0_18363 | |
| jmp NtAcceptConnectPort_SystemCall_Unknown | |
| NtAcceptConnectPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0060h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0060h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0060h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0060h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0060h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0060h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0061h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0001h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0002h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0002h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0002h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0002h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0002h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0002h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0002h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0002h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0002h | |
| jmp NtAcceptConnectPort_Epilogue | |
| NtAcceptConnectPort_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAcceptConnectPort_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAcceptConnectPort ENDP | |
| NtAccessCheck PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAccessCheck_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAccessCheck_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAccessCheck_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAccessCheck_Check_10_0_XXXX | |
| jmp NtAccessCheck_SystemCall_Unknown | |
| NtAccessCheck_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAccessCheck_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAccessCheck_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAccessCheck_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAccessCheck_SystemCall_6_3_XXXX | |
| jmp NtAccessCheck_SystemCall_Unknown | |
| NtAccessCheck_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAccessCheck_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAccessCheck_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAccessCheck_SystemCall_6_0_6002 | |
| jmp NtAccessCheck_SystemCall_Unknown | |
| NtAccessCheck_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAccessCheck_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAccessCheck_SystemCall_6_1_7601 | |
| jmp NtAccessCheck_SystemCall_Unknown | |
| NtAccessCheck_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| jmp NtAccessCheck_SystemCall_Unknown | |
| NtAccessCheck_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0061h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0061h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0061h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0061h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0061h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0061h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0062h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0062h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0000h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0000h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0000h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0000h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0000h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0000h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0000h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0000h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0000h | |
| jmp NtAccessCheck_Epilogue | |
| NtAccessCheck_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAccessCheck_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAccessCheck ENDP | |
| NtAccessCheckAndAuditAlarm PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAccessCheckAndAuditAlarm_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAccessCheckAndAuditAlarm_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAccessCheckAndAuditAlarm_Check_10_0_XXXX | |
| jmp NtAccessCheckAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckAndAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAccessCheckAndAuditAlarm_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAccessCheckAndAuditAlarm_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_6_3_XXXX | |
| jmp NtAccessCheckAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckAndAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_6_0_6002 | |
| jmp NtAccessCheckAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckAndAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_6_1_7601 | |
| jmp NtAccessCheckAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckAndAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAccessCheckAndAuditAlarm_SystemCall_10_0_18363 | |
| jmp NtAccessCheckAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckAndAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0026h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0026h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0026h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0026h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0026h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0026h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0027h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0028h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0029h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0029h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0029h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0029h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0029h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0029h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0029h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0029h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0029h | |
| jmp NtAccessCheckAndAuditAlarm_Epilogue | |
| NtAccessCheckAndAuditAlarm_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAccessCheckAndAuditAlarm_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAccessCheckAndAuditAlarm ENDP | |
| NtAccessCheckByType PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAccessCheckByType_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAccessCheckByType_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAccessCheckByType_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAccessCheckByType_Check_10_0_XXXX | |
| jmp NtAccessCheckByType_SystemCall_Unknown | |
| NtAccessCheckByType_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAccessCheckByType_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAccessCheckByType_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAccessCheckByType_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAccessCheckByType_SystemCall_6_3_XXXX | |
| jmp NtAccessCheckByType_SystemCall_Unknown | |
| NtAccessCheckByType_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAccessCheckByType_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAccessCheckByType_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAccessCheckByType_SystemCall_6_0_6002 | |
| jmp NtAccessCheckByType_SystemCall_Unknown | |
| NtAccessCheckByType_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAccessCheckByType_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAccessCheckByType_SystemCall_6_1_7601 | |
| jmp NtAccessCheckByType_SystemCall_Unknown | |
| NtAccessCheckByType_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAccessCheckByType_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAccessCheckByType_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAccessCheckByType_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAccessCheckByType_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAccessCheckByType_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAccessCheckByType_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAccessCheckByType_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAccessCheckByType_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAccessCheckByType_SystemCall_10_0_18363 | |
| jmp NtAccessCheckByType_SystemCall_Unknown | |
| NtAccessCheckByType_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0062h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0062h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0062h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0062h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0062h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0062h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0063h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0063h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0063h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0063h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0063h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0063h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0063h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0063h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0063h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0063h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0063h | |
| jmp NtAccessCheckByType_Epilogue | |
| NtAccessCheckByType_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAccessCheckByType_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAccessCheckByType ENDP | |
| NtAccessCheckByTypeAndAuditAlarm PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAccessCheckByTypeAndAuditAlarm_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAccessCheckByTypeAndAuditAlarm_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAccessCheckByTypeAndAuditAlarm_Check_10_0_XXXX | |
| jmp NtAccessCheckByTypeAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckByTypeAndAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAccessCheckByTypeAndAuditAlarm_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAccessCheckByTypeAndAuditAlarm_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_3_XXXX | |
| jmp NtAccessCheckByTypeAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckByTypeAndAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_0_6002 | |
| jmp NtAccessCheckByTypeAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckByTypeAndAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_1_7601 | |
| jmp NtAccessCheckByTypeAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckByTypeAndAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_18363 | |
| jmp NtAccessCheckByTypeAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0056h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0056h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0056h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0056h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0056h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0056h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0057h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0058h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0059h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0059h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0059h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0059h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0059h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0059h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0059h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0059h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0059h | |
| jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeAndAuditAlarm_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAccessCheckByTypeAndAuditAlarm_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAccessCheckByTypeAndAuditAlarm ENDP | |
| NtAccessCheckByTypeResultList PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAccessCheckByTypeResultList_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAccessCheckByTypeResultList_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAccessCheckByTypeResultList_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAccessCheckByTypeResultList_Check_10_0_XXXX | |
| jmp NtAccessCheckByTypeResultList_SystemCall_Unknown | |
| NtAccessCheckByTypeResultList_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAccessCheckByTypeResultList_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAccessCheckByTypeResultList_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAccessCheckByTypeResultList_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAccessCheckByTypeResultList_SystemCall_6_3_XXXX | |
| jmp NtAccessCheckByTypeResultList_SystemCall_Unknown | |
| NtAccessCheckByTypeResultList_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAccessCheckByTypeResultList_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAccessCheckByTypeResultList_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAccessCheckByTypeResultList_SystemCall_6_0_6002 | |
| jmp NtAccessCheckByTypeResultList_SystemCall_Unknown | |
| NtAccessCheckByTypeResultList_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAccessCheckByTypeResultList_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAccessCheckByTypeResultList_SystemCall_6_1_7601 | |
| jmp NtAccessCheckByTypeResultList_SystemCall_Unknown | |
| NtAccessCheckByTypeResultList_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAccessCheckByTypeResultList_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAccessCheckByTypeResultList_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAccessCheckByTypeResultList_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAccessCheckByTypeResultList_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAccessCheckByTypeResultList_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAccessCheckByTypeResultList_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAccessCheckByTypeResultList_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAccessCheckByTypeResultList_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAccessCheckByTypeResultList_SystemCall_10_0_18363 | |
| jmp NtAccessCheckByTypeResultList_SystemCall_Unknown | |
| NtAccessCheckByTypeResultList_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0063h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0063h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0063h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0063h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0063h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0063h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultList_Epilogue | |
| NtAccessCheckByTypeResultList_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAccessCheckByTypeResultList_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAccessCheckByTypeResultList ENDP | |
| NtAccessCheckByTypeResultListAndAuditAlarm PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAccessCheckByTypeResultListAndAuditAlarm_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_Check_10_0_XXXX | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckByTypeResultListAndAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_3_XXXX | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckByTypeResultListAndAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_0_6002 | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckByTypeResultListAndAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_1_7601 | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckByTypeResultListAndAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_18363 | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_Unknown | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0064h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAccessCheckByTypeResultListAndAuditAlarm ENDP | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_10_0_XXXX | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_3_XXXX | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6002 | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_1_7601 | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_18363 | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0065h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0066h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0066h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0066h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0066h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0066h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0066h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0066h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0066h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0066h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0066h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0066h | |
| jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle ENDP | |
| NtAcquireCMFViewOwnership PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAcquireCMFViewOwnership_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAcquireCMFViewOwnership_Check_6_X_XXXX | |
| jmp NtAcquireCMFViewOwnership_SystemCall_Unknown | |
| NtAcquireCMFViewOwnership_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAcquireCMFViewOwnership_Check_6_0_XXXX | |
| jmp NtAcquireCMFViewOwnership_SystemCall_Unknown | |
| NtAcquireCMFViewOwnership_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAcquireCMFViewOwnership_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAcquireCMFViewOwnership_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAcquireCMFViewOwnership_SystemCall_6_0_6002 | |
| jmp NtAcquireCMFViewOwnership_SystemCall_Unknown | |
| NtAcquireCMFViewOwnership_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0066h | |
| jmp NtAcquireCMFViewOwnership_Epilogue | |
| NtAcquireCMFViewOwnership_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0066h | |
| jmp NtAcquireCMFViewOwnership_Epilogue | |
| NtAcquireCMFViewOwnership_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0066h | |
| jmp NtAcquireCMFViewOwnership_Epilogue | |
| NtAcquireCMFViewOwnership_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAcquireCMFViewOwnership_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAcquireCMFViewOwnership ENDP | |
| NtAcquireProcessActivityReference PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAcquireProcessActivityReference_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAcquireProcessActivityReference_Check_10_0_XXXX | |
| jmp NtAcquireProcessActivityReference_SystemCall_Unknown | |
| NtAcquireProcessActivityReference_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAcquireProcessActivityReference_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAcquireProcessActivityReference_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAcquireProcessActivityReference_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAcquireProcessActivityReference_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAcquireProcessActivityReference_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAcquireProcessActivityReference_SystemCall_10_0_18363 | |
| jmp NtAcquireProcessActivityReference_SystemCall_Unknown | |
| NtAcquireProcessActivityReference_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0067h | |
| jmp NtAcquireProcessActivityReference_Epilogue | |
| NtAcquireProcessActivityReference_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0067h | |
| jmp NtAcquireProcessActivityReference_Epilogue | |
| NtAcquireProcessActivityReference_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0067h | |
| jmp NtAcquireProcessActivityReference_Epilogue | |
| NtAcquireProcessActivityReference_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0067h | |
| jmp NtAcquireProcessActivityReference_Epilogue | |
| NtAcquireProcessActivityReference_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0067h | |
| jmp NtAcquireProcessActivityReference_Epilogue | |
| NtAcquireProcessActivityReference_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0067h | |
| jmp NtAcquireProcessActivityReference_Epilogue | |
| NtAcquireProcessActivityReference_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAcquireProcessActivityReference_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAcquireProcessActivityReference ENDP | |
| NtAddAtom PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAddAtom_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAddAtom_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAddAtom_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAddAtom_Check_10_0_XXXX | |
| jmp NtAddAtom_SystemCall_Unknown | |
| NtAddAtom_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAddAtom_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAddAtom_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAddAtom_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAddAtom_SystemCall_6_3_XXXX | |
| jmp NtAddAtom_SystemCall_Unknown | |
| NtAddAtom_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAddAtom_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAddAtom_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAddAtom_SystemCall_6_0_6002 | |
| jmp NtAddAtom_SystemCall_Unknown | |
| NtAddAtom_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAddAtom_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAddAtom_SystemCall_6_1_7601 | |
| jmp NtAddAtom_SystemCall_Unknown | |
| NtAddAtom_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAddAtom_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAddAtom_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAddAtom_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAddAtom_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAddAtom_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAddAtom_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAddAtom_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAddAtom_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAddAtom_SystemCall_10_0_18363 | |
| jmp NtAddAtom_SystemCall_Unknown | |
| NtAddAtom_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0044h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0044h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0044h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0044h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0044h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0044h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0045h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0046h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0047h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0047h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0047h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0047h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0047h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0047h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0047h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0047h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0047h | |
| jmp NtAddAtom_Epilogue | |
| NtAddAtom_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAddAtom_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAddAtom ENDP | |
| NtAddAtomEx PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAddAtomEx_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAddAtomEx_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAddAtomEx_Check_10_0_XXXX | |
| jmp NtAddAtomEx_SystemCall_Unknown | |
| NtAddAtomEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAddAtomEx_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAddAtomEx_SystemCall_6_3_XXXX | |
| jmp NtAddAtomEx_SystemCall_Unknown | |
| NtAddAtomEx_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAddAtomEx_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAddAtomEx_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAddAtomEx_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAddAtomEx_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAddAtomEx_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAddAtomEx_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAddAtomEx_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAddAtomEx_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAddAtomEx_SystemCall_10_0_18363 | |
| jmp NtAddAtomEx_SystemCall_Unknown | |
| NtAddAtomEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0067h | |
| jmp NtAddAtomEx_Epilogue | |
| NtAddAtomEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0067h | |
| jmp NtAddAtomEx_Epilogue | |
| NtAddAtomEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0067h | |
| jmp NtAddAtomEx_Epilogue | |
| NtAddAtomEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0067h | |
| jmp NtAddAtomEx_Epilogue | |
| NtAddAtomEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0067h | |
| jmp NtAddAtomEx_Epilogue | |
| NtAddAtomEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0068h | |
| jmp NtAddAtomEx_Epilogue | |
| NtAddAtomEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0068h | |
| jmp NtAddAtomEx_Epilogue | |
| NtAddAtomEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0068h | |
| jmp NtAddAtomEx_Epilogue | |
| NtAddAtomEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0068h | |
| jmp NtAddAtomEx_Epilogue | |
| NtAddAtomEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0068h | |
| jmp NtAddAtomEx_Epilogue | |
| NtAddAtomEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0068h | |
| jmp NtAddAtomEx_Epilogue | |
| NtAddAtomEx_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAddAtomEx_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAddAtomEx ENDP | |
| NtAddBootEntry PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAddBootEntry_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAddBootEntry_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAddBootEntry_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAddBootEntry_Check_10_0_XXXX | |
| jmp NtAddBootEntry_SystemCall_Unknown | |
| NtAddBootEntry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAddBootEntry_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAddBootEntry_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAddBootEntry_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAddBootEntry_SystemCall_6_3_XXXX | |
| jmp NtAddBootEntry_SystemCall_Unknown | |
| NtAddBootEntry_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAddBootEntry_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAddBootEntry_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAddBootEntry_SystemCall_6_0_6002 | |
| jmp NtAddBootEntry_SystemCall_Unknown | |
| NtAddBootEntry_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAddBootEntry_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAddBootEntry_SystemCall_6_1_7601 | |
| jmp NtAddBootEntry_SystemCall_Unknown | |
| NtAddBootEntry_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAddBootEntry_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAddBootEntry_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAddBootEntry_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAddBootEntry_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAddBootEntry_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAddBootEntry_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAddBootEntry_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAddBootEntry_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAddBootEntry_SystemCall_10_0_18363 | |
| jmp NtAddBootEntry_SystemCall_Unknown | |
| NtAddBootEntry_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0066h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0067h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0067h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0067h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0066h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0066h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0068h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0068h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0068h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0068h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0068h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0069h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0069h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0069h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0069h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0069h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0069h | |
| jmp NtAddBootEntry_Epilogue | |
| NtAddBootEntry_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAddBootEntry_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAddBootEntry ENDP | |
| NtAddDriverEntry PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAddDriverEntry_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAddDriverEntry_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAddDriverEntry_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAddDriverEntry_Check_10_0_XXXX | |
| jmp NtAddDriverEntry_SystemCall_Unknown | |
| NtAddDriverEntry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAddDriverEntry_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAddDriverEntry_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAddDriverEntry_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAddDriverEntry_SystemCall_6_3_XXXX | |
| jmp NtAddDriverEntry_SystemCall_Unknown | |
| NtAddDriverEntry_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAddDriverEntry_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAddDriverEntry_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAddDriverEntry_SystemCall_6_0_6002 | |
| jmp NtAddDriverEntry_SystemCall_Unknown | |
| NtAddDriverEntry_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAddDriverEntry_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAddDriverEntry_SystemCall_6_1_7601 | |
| jmp NtAddDriverEntry_SystemCall_Unknown | |
| NtAddDriverEntry_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAddDriverEntry_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAddDriverEntry_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAddDriverEntry_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAddDriverEntry_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAddDriverEntry_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAddDriverEntry_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAddDriverEntry_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAddDriverEntry_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAddDriverEntry_SystemCall_10_0_18363 | |
| jmp NtAddDriverEntry_SystemCall_Unknown | |
| NtAddDriverEntry_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0067h | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0068h | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0068h | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0068h | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0067h | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0067h | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0069h | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0069h | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0069h | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0069h | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0069h | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 006ah | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 006ah | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 006ah | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 006ah | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 006ah | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 006ah | |
| jmp NtAddDriverEntry_Epilogue | |
| NtAddDriverEntry_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAddDriverEntry_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAddDriverEntry ENDP | |
| NtAdjustGroupsToken PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAdjustGroupsToken_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAdjustGroupsToken_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAdjustGroupsToken_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAdjustGroupsToken_Check_10_0_XXXX | |
| jmp NtAdjustGroupsToken_SystemCall_Unknown | |
| NtAdjustGroupsToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAdjustGroupsToken_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAdjustGroupsToken_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAdjustGroupsToken_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAdjustGroupsToken_SystemCall_6_3_XXXX | |
| jmp NtAdjustGroupsToken_SystemCall_Unknown | |
| NtAdjustGroupsToken_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAdjustGroupsToken_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAdjustGroupsToken_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAdjustGroupsToken_SystemCall_6_0_6002 | |
| jmp NtAdjustGroupsToken_SystemCall_Unknown | |
| NtAdjustGroupsToken_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAdjustGroupsToken_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAdjustGroupsToken_SystemCall_6_1_7601 | |
| jmp NtAdjustGroupsToken_SystemCall_Unknown | |
| NtAdjustGroupsToken_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAdjustGroupsToken_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAdjustGroupsToken_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAdjustGroupsToken_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAdjustGroupsToken_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAdjustGroupsToken_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAdjustGroupsToken_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAdjustGroupsToken_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAdjustGroupsToken_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAdjustGroupsToken_SystemCall_10_0_18363 | |
| jmp NtAdjustGroupsToken_SystemCall_Unknown | |
| NtAdjustGroupsToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0068h | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0069h | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0069h | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0069h | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0068h | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0068h | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 006ah | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 006ah | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 006ah | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 006ah | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 006ah | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 006bh | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 006bh | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 006bh | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 006bh | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 006bh | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 006bh | |
| jmp NtAdjustGroupsToken_Epilogue | |
| NtAdjustGroupsToken_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAdjustGroupsToken_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAdjustGroupsToken ENDP | |
| NtAdjustPrivilegesToken PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAdjustPrivilegesToken_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAdjustPrivilegesToken_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAdjustPrivilegesToken_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAdjustPrivilegesToken_Check_10_0_XXXX | |
| jmp NtAdjustPrivilegesToken_SystemCall_Unknown | |
| NtAdjustPrivilegesToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAdjustPrivilegesToken_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAdjustPrivilegesToken_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAdjustPrivilegesToken_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAdjustPrivilegesToken_SystemCall_6_3_XXXX | |
| jmp NtAdjustPrivilegesToken_SystemCall_Unknown | |
| NtAdjustPrivilegesToken_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAdjustPrivilegesToken_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAdjustPrivilegesToken_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAdjustPrivilegesToken_SystemCall_6_0_6002 | |
| jmp NtAdjustPrivilegesToken_SystemCall_Unknown | |
| NtAdjustPrivilegesToken_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAdjustPrivilegesToken_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAdjustPrivilegesToken_SystemCall_6_1_7601 | |
| jmp NtAdjustPrivilegesToken_SystemCall_Unknown | |
| NtAdjustPrivilegesToken_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAdjustPrivilegesToken_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAdjustPrivilegesToken_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAdjustPrivilegesToken_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAdjustPrivilegesToken_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAdjustPrivilegesToken_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAdjustPrivilegesToken_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAdjustPrivilegesToken_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAdjustPrivilegesToken_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAdjustPrivilegesToken_SystemCall_10_0_18363 | |
| jmp NtAdjustPrivilegesToken_SystemCall_Unknown | |
| NtAdjustPrivilegesToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 003eh | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 003eh | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 003eh | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 003eh | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 003eh | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 003eh | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 003fh | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0040h | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0041h | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0041h | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0041h | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0041h | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0041h | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0041h | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0041h | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0041h | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0041h | |
| jmp NtAdjustPrivilegesToken_Epilogue | |
| NtAdjustPrivilegesToken_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAdjustPrivilegesToken_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAdjustPrivilegesToken ENDP | |
| NtAdjustTokenClaimsAndDeviceGroups PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAdjustTokenClaimsAndDeviceGroups_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAdjustTokenClaimsAndDeviceGroups_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAdjustTokenClaimsAndDeviceGroups_Check_10_0_XXXX | |
| jmp NtAdjustTokenClaimsAndDeviceGroups_SystemCall_Unknown | |
| NtAdjustTokenClaimsAndDeviceGroups_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_6_3_XXXX | |
| jmp NtAdjustTokenClaimsAndDeviceGroups_SystemCall_Unknown | |
| NtAdjustTokenClaimsAndDeviceGroups_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_18363 | |
| jmp NtAdjustTokenClaimsAndDeviceGroups_SystemCall_Unknown | |
| NtAdjustTokenClaimsAndDeviceGroups_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 006bh | |
| jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue | |
| NtAdjustTokenClaimsAndDeviceGroups_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 006bh | |
| jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue | |
| NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 006bh | |
| jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue | |
| NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 006bh | |
| jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue | |
| NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 006bh | |
| jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue | |
| NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 006ch | |
| jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue | |
| NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 006ch | |
| jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue | |
| NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 006ch | |
| jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue | |
| NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 006ch | |
| jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue | |
| NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 006ch | |
| jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue | |
| NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 006ch | |
| jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue | |
| NtAdjustTokenClaimsAndDeviceGroups_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAdjustTokenClaimsAndDeviceGroups_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAdjustTokenClaimsAndDeviceGroups ENDP | |
| NtAlertResumeThread PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlertResumeThread_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAlertResumeThread_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlertResumeThread_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlertResumeThread_Check_10_0_XXXX | |
| jmp NtAlertResumeThread_SystemCall_Unknown | |
| NtAlertResumeThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlertResumeThread_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlertResumeThread_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlertResumeThread_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlertResumeThread_SystemCall_6_3_XXXX | |
| jmp NtAlertResumeThread_SystemCall_Unknown | |
| NtAlertResumeThread_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlertResumeThread_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlertResumeThread_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlertResumeThread_SystemCall_6_0_6002 | |
| jmp NtAlertResumeThread_SystemCall_Unknown | |
| NtAlertResumeThread_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlertResumeThread_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlertResumeThread_SystemCall_6_1_7601 | |
| jmp NtAlertResumeThread_SystemCall_Unknown | |
| NtAlertResumeThread_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlertResumeThread_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlertResumeThread_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlertResumeThread_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlertResumeThread_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlertResumeThread_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlertResumeThread_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlertResumeThread_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlertResumeThread_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlertResumeThread_SystemCall_10_0_18363 | |
| jmp NtAlertResumeThread_SystemCall_Unknown | |
| NtAlertResumeThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0069h | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 006ah | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 006ah | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 006ah | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0069h | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0069h | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 006ch | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 006ch | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 006ch | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 006ch | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 006ch | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 006dh | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 006dh | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 006dh | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 006dh | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 006dh | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 006dh | |
| jmp NtAlertResumeThread_Epilogue | |
| NtAlertResumeThread_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlertResumeThread_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlertResumeThread ENDP | |
| NtAlertThread PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlertThread_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAlertThread_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlertThread_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlertThread_Check_10_0_XXXX | |
| jmp NtAlertThread_SystemCall_Unknown | |
| NtAlertThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlertThread_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlertThread_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlertThread_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlertThread_SystemCall_6_3_XXXX | |
| jmp NtAlertThread_SystemCall_Unknown | |
| NtAlertThread_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlertThread_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlertThread_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlertThread_SystemCall_6_0_6002 | |
| jmp NtAlertThread_SystemCall_Unknown | |
| NtAlertThread_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlertThread_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlertThread_SystemCall_6_1_7601 | |
| jmp NtAlertThread_SystemCall_Unknown | |
| NtAlertThread_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlertThread_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlertThread_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlertThread_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlertThread_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlertThread_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlertThread_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlertThread_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlertThread_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlertThread_SystemCall_10_0_18363 | |
| jmp NtAlertThread_SystemCall_Unknown | |
| NtAlertThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 006ah | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 006bh | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 006bh | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 006bh | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 006ah | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 006ah | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 006dh | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 006dh | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 006dh | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 006dh | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 006dh | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 006eh | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 006eh | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 006eh | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 006eh | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 006eh | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 006eh | |
| jmp NtAlertThread_Epilogue | |
| NtAlertThread_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlertThread_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlertThread ENDP | |
| NtAlertThreadByThreadId PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlertThreadByThreadId_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlertThreadByThreadId_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlertThreadByThreadId_Check_10_0_XXXX | |
| jmp NtAlertThreadByThreadId_SystemCall_Unknown | |
| NtAlertThreadByThreadId_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlertThreadByThreadId_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlertThreadByThreadId_SystemCall_6_3_XXXX | |
| jmp NtAlertThreadByThreadId_SystemCall_Unknown | |
| NtAlertThreadByThreadId_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlertThreadByThreadId_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlertThreadByThreadId_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlertThreadByThreadId_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlertThreadByThreadId_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlertThreadByThreadId_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlertThreadByThreadId_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlertThreadByThreadId_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlertThreadByThreadId_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlertThreadByThreadId_SystemCall_10_0_18363 | |
| jmp NtAlertThreadByThreadId_SystemCall_Unknown | |
| NtAlertThreadByThreadId_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 006eh | |
| jmp NtAlertThreadByThreadId_Epilogue | |
| NtAlertThreadByThreadId_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 006eh | |
| jmp NtAlertThreadByThreadId_Epilogue | |
| NtAlertThreadByThreadId_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 006eh | |
| jmp NtAlertThreadByThreadId_Epilogue | |
| NtAlertThreadByThreadId_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 006eh | |
| jmp NtAlertThreadByThreadId_Epilogue | |
| NtAlertThreadByThreadId_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 006eh | |
| jmp NtAlertThreadByThreadId_Epilogue | |
| NtAlertThreadByThreadId_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 006fh | |
| jmp NtAlertThreadByThreadId_Epilogue | |
| NtAlertThreadByThreadId_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 006fh | |
| jmp NtAlertThreadByThreadId_Epilogue | |
| NtAlertThreadByThreadId_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 006fh | |
| jmp NtAlertThreadByThreadId_Epilogue | |
| NtAlertThreadByThreadId_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 006fh | |
| jmp NtAlertThreadByThreadId_Epilogue | |
| NtAlertThreadByThreadId_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 006fh | |
| jmp NtAlertThreadByThreadId_Epilogue | |
| NtAlertThreadByThreadId_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 006fh | |
| jmp NtAlertThreadByThreadId_Epilogue | |
| NtAlertThreadByThreadId_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlertThreadByThreadId_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlertThreadByThreadId ENDP | |
| NtAllocateLocallyUniqueId PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAllocateLocallyUniqueId_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAllocateLocallyUniqueId_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAllocateLocallyUniqueId_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAllocateLocallyUniqueId_Check_10_0_XXXX | |
| jmp NtAllocateLocallyUniqueId_SystemCall_Unknown | |
| NtAllocateLocallyUniqueId_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAllocateLocallyUniqueId_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAllocateLocallyUniqueId_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAllocateLocallyUniqueId_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAllocateLocallyUniqueId_SystemCall_6_3_XXXX | |
| jmp NtAllocateLocallyUniqueId_SystemCall_Unknown | |
| NtAllocateLocallyUniqueId_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAllocateLocallyUniqueId_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAllocateLocallyUniqueId_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAllocateLocallyUniqueId_SystemCall_6_0_6002 | |
| jmp NtAllocateLocallyUniqueId_SystemCall_Unknown | |
| NtAllocateLocallyUniqueId_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAllocateLocallyUniqueId_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAllocateLocallyUniqueId_SystemCall_6_1_7601 | |
| jmp NtAllocateLocallyUniqueId_SystemCall_Unknown | |
| NtAllocateLocallyUniqueId_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAllocateLocallyUniqueId_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAllocateLocallyUniqueId_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAllocateLocallyUniqueId_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAllocateLocallyUniqueId_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAllocateLocallyUniqueId_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAllocateLocallyUniqueId_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAllocateLocallyUniqueId_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAllocateLocallyUniqueId_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAllocateLocallyUniqueId_SystemCall_10_0_18363 | |
| jmp NtAllocateLocallyUniqueId_SystemCall_Unknown | |
| NtAllocateLocallyUniqueId_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 006bh | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 006ch | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 006ch | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 006ch | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 006bh | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 006bh | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 006fh | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 006fh | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 006fh | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 006fh | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 006fh | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0070h | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0070h | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0070h | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0070h | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0070h | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0070h | |
| jmp NtAllocateLocallyUniqueId_Epilogue | |
| NtAllocateLocallyUniqueId_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAllocateLocallyUniqueId_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAllocateLocallyUniqueId ENDP | |
| NtAllocateReserveObject PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAllocateReserveObject_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAllocateReserveObject_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAllocateReserveObject_Check_10_0_XXXX | |
| jmp NtAllocateReserveObject_SystemCall_Unknown | |
| NtAllocateReserveObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAllocateReserveObject_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAllocateReserveObject_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAllocateReserveObject_SystemCall_6_3_XXXX | |
| jmp NtAllocateReserveObject_SystemCall_Unknown | |
| NtAllocateReserveObject_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAllocateReserveObject_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAllocateReserveObject_SystemCall_6_1_7601 | |
| jmp NtAllocateReserveObject_SystemCall_Unknown | |
| NtAllocateReserveObject_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAllocateReserveObject_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAllocateReserveObject_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAllocateReserveObject_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAllocateReserveObject_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAllocateReserveObject_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAllocateReserveObject_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAllocateReserveObject_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAllocateReserveObject_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAllocateReserveObject_SystemCall_10_0_18363 | |
| jmp NtAllocateReserveObject_SystemCall_Unknown | |
| NtAllocateReserveObject_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 006ch | |
| jmp NtAllocateReserveObject_Epilogue | |
| NtAllocateReserveObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 006ch | |
| jmp NtAllocateReserveObject_Epilogue | |
| NtAllocateReserveObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0070h | |
| jmp NtAllocateReserveObject_Epilogue | |
| NtAllocateReserveObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0070h | |
| jmp NtAllocateReserveObject_Epilogue | |
| NtAllocateReserveObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0070h | |
| jmp NtAllocateReserveObject_Epilogue | |
| NtAllocateReserveObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0070h | |
| jmp NtAllocateReserveObject_Epilogue | |
| NtAllocateReserveObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0070h | |
| jmp NtAllocateReserveObject_Epilogue | |
| NtAllocateReserveObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0071h | |
| jmp NtAllocateReserveObject_Epilogue | |
| NtAllocateReserveObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0071h | |
| jmp NtAllocateReserveObject_Epilogue | |
| NtAllocateReserveObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0071h | |
| jmp NtAllocateReserveObject_Epilogue | |
| NtAllocateReserveObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0071h | |
| jmp NtAllocateReserveObject_Epilogue | |
| NtAllocateReserveObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0071h | |
| jmp NtAllocateReserveObject_Epilogue | |
| NtAllocateReserveObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0071h | |
| jmp NtAllocateReserveObject_Epilogue | |
| NtAllocateReserveObject_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAllocateReserveObject_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAllocateReserveObject ENDP | |
| NtAllocateUserPhysicalPages PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAllocateUserPhysicalPages_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAllocateUserPhysicalPages_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAllocateUserPhysicalPages_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAllocateUserPhysicalPages_Check_10_0_XXXX | |
| jmp NtAllocateUserPhysicalPages_SystemCall_Unknown | |
| NtAllocateUserPhysicalPages_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAllocateUserPhysicalPages_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAllocateUserPhysicalPages_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAllocateUserPhysicalPages_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAllocateUserPhysicalPages_SystemCall_6_3_XXXX | |
| jmp NtAllocateUserPhysicalPages_SystemCall_Unknown | |
| NtAllocateUserPhysicalPages_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAllocateUserPhysicalPages_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAllocateUserPhysicalPages_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAllocateUserPhysicalPages_SystemCall_6_0_6002 | |
| jmp NtAllocateUserPhysicalPages_SystemCall_Unknown | |
| NtAllocateUserPhysicalPages_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAllocateUserPhysicalPages_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAllocateUserPhysicalPages_SystemCall_6_1_7601 | |
| jmp NtAllocateUserPhysicalPages_SystemCall_Unknown | |
| NtAllocateUserPhysicalPages_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAllocateUserPhysicalPages_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAllocateUserPhysicalPages_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAllocateUserPhysicalPages_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAllocateUserPhysicalPages_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAllocateUserPhysicalPages_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAllocateUserPhysicalPages_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAllocateUserPhysicalPages_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAllocateUserPhysicalPages_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAllocateUserPhysicalPages_SystemCall_10_0_18363 | |
| jmp NtAllocateUserPhysicalPages_SystemCall_Unknown | |
| NtAllocateUserPhysicalPages_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 006ch | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 006dh | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 006dh | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 006dh | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 006dh | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 006dh | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0071h | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0071h | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0071h | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0071h | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0071h | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0072h | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0072h | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0072h | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0072h | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0072h | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0072h | |
| jmp NtAllocateUserPhysicalPages_Epilogue | |
| NtAllocateUserPhysicalPages_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAllocateUserPhysicalPages_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAllocateUserPhysicalPages ENDP | |
| NtAllocateUuids PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAllocateUuids_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAllocateUuids_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAllocateUuids_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAllocateUuids_Check_10_0_XXXX | |
| jmp NtAllocateUuids_SystemCall_Unknown | |
| NtAllocateUuids_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAllocateUuids_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAllocateUuids_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAllocateUuids_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAllocateUuids_SystemCall_6_3_XXXX | |
| jmp NtAllocateUuids_SystemCall_Unknown | |
| NtAllocateUuids_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAllocateUuids_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAllocateUuids_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAllocateUuids_SystemCall_6_0_6002 | |
| jmp NtAllocateUuids_SystemCall_Unknown | |
| NtAllocateUuids_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAllocateUuids_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAllocateUuids_SystemCall_6_1_7601 | |
| jmp NtAllocateUuids_SystemCall_Unknown | |
| NtAllocateUuids_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAllocateUuids_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAllocateUuids_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAllocateUuids_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAllocateUuids_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAllocateUuids_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAllocateUuids_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAllocateUuids_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAllocateUuids_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAllocateUuids_SystemCall_10_0_18363 | |
| jmp NtAllocateUuids_SystemCall_Unknown | |
| NtAllocateUuids_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 006dh | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 006eh | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 006eh | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 006eh | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 006eh | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 006eh | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0072h | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0072h | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0072h | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0072h | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0072h | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0073h | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0073h | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0073h | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0073h | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0073h | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0073h | |
| jmp NtAllocateUuids_Epilogue | |
| NtAllocateUuids_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAllocateUuids_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAllocateUuids ENDP | |
| NtAllocateVirtualMemory PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAllocateVirtualMemory_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAllocateVirtualMemory_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAllocateVirtualMemory_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAllocateVirtualMemory_Check_10_0_XXXX | |
| jmp NtAllocateVirtualMemory_SystemCall_Unknown | |
| NtAllocateVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAllocateVirtualMemory_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAllocateVirtualMemory_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAllocateVirtualMemory_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAllocateVirtualMemory_SystemCall_6_3_XXXX | |
| jmp NtAllocateVirtualMemory_SystemCall_Unknown | |
| NtAllocateVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAllocateVirtualMemory_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAllocateVirtualMemory_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAllocateVirtualMemory_SystemCall_6_0_6002 | |
| jmp NtAllocateVirtualMemory_SystemCall_Unknown | |
| NtAllocateVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAllocateVirtualMemory_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAllocateVirtualMemory_SystemCall_6_1_7601 | |
| jmp NtAllocateVirtualMemory_SystemCall_Unknown | |
| NtAllocateVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAllocateVirtualMemory_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAllocateVirtualMemory_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAllocateVirtualMemory_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAllocateVirtualMemory_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAllocateVirtualMemory_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAllocateVirtualMemory_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAllocateVirtualMemory_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAllocateVirtualMemory_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAllocateVirtualMemory_SystemCall_10_0_18363 | |
| jmp NtAllocateVirtualMemory_SystemCall_Unknown | |
| NtAllocateVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0015h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0015h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0015h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0015h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0015h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0015h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0016h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0017h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0018h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0018h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0018h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0018h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0018h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0018h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0018h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0018h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0018h | |
| jmp NtAllocateVirtualMemory_Epilogue | |
| NtAllocateVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAllocateVirtualMemory_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAllocateVirtualMemory ENDP | |
| NtAllocateVirtualMemoryEx PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAllocateVirtualMemoryEx_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAllocateVirtualMemoryEx_Check_10_0_XXXX | |
| jmp NtAllocateVirtualMemoryEx_SystemCall_Unknown | |
| NtAllocateVirtualMemoryEx_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAllocateVirtualMemoryEx_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAllocateVirtualMemoryEx_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAllocateVirtualMemoryEx_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAllocateVirtualMemoryEx_SystemCall_10_0_18363 | |
| jmp NtAllocateVirtualMemoryEx_SystemCall_Unknown | |
| NtAllocateVirtualMemoryEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0074h | |
| jmp NtAllocateVirtualMemoryEx_Epilogue | |
| NtAllocateVirtualMemoryEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0074h | |
| jmp NtAllocateVirtualMemoryEx_Epilogue | |
| NtAllocateVirtualMemoryEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0074h | |
| jmp NtAllocateVirtualMemoryEx_Epilogue | |
| NtAllocateVirtualMemoryEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0074h | |
| jmp NtAllocateVirtualMemoryEx_Epilogue | |
| NtAllocateVirtualMemoryEx_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAllocateVirtualMemoryEx_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAllocateVirtualMemoryEx ENDP | |
| NtAlpcAcceptConnectPort PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcAcceptConnectPort_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcAcceptConnectPort_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcAcceptConnectPort_Check_10_0_XXXX | |
| jmp NtAlpcAcceptConnectPort_SystemCall_Unknown | |
| NtAlpcAcceptConnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcAcceptConnectPort_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcAcceptConnectPort_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcAcceptConnectPort_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcAcceptConnectPort_SystemCall_6_3_XXXX | |
| jmp NtAlpcAcceptConnectPort_SystemCall_Unknown | |
| NtAlpcAcceptConnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcAcceptConnectPort_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcAcceptConnectPort_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcAcceptConnectPort_SystemCall_6_0_6002 | |
| jmp NtAlpcAcceptConnectPort_SystemCall_Unknown | |
| NtAlpcAcceptConnectPort_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcAcceptConnectPort_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcAcceptConnectPort_SystemCall_6_1_7601 | |
| jmp NtAlpcAcceptConnectPort_SystemCall_Unknown | |
| NtAlpcAcceptConnectPort_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcAcceptConnectPort_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcAcceptConnectPort_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcAcceptConnectPort_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcAcceptConnectPort_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcAcceptConnectPort_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcAcceptConnectPort_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcAcceptConnectPort_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcAcceptConnectPort_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcAcceptConnectPort_SystemCall_10_0_18363 | |
| jmp NtAlpcAcceptConnectPort_SystemCall_Unknown | |
| NtAlpcAcceptConnectPort_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 006fh | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 006fh | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 006fh | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 006fh | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 006fh | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0073h | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0073h | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0073h | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0073h | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0073h | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0074h | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0074h | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0075h | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0075h | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0075h | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0075h | |
| jmp NtAlpcAcceptConnectPort_Epilogue | |
| NtAlpcAcceptConnectPort_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcAcceptConnectPort_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcAcceptConnectPort ENDP | |
| NtAlpcCancelMessage PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcCancelMessage_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcCancelMessage_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcCancelMessage_Check_10_0_XXXX | |
| jmp NtAlpcCancelMessage_SystemCall_Unknown | |
| NtAlpcCancelMessage_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcCancelMessage_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcCancelMessage_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcCancelMessage_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcCancelMessage_SystemCall_6_3_XXXX | |
| jmp NtAlpcCancelMessage_SystemCall_Unknown | |
| NtAlpcCancelMessage_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcCancelMessage_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcCancelMessage_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcCancelMessage_SystemCall_6_0_6002 | |
| jmp NtAlpcCancelMessage_SystemCall_Unknown | |
| NtAlpcCancelMessage_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcCancelMessage_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcCancelMessage_SystemCall_6_1_7601 | |
| jmp NtAlpcCancelMessage_SystemCall_Unknown | |
| NtAlpcCancelMessage_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcCancelMessage_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcCancelMessage_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcCancelMessage_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcCancelMessage_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcCancelMessage_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcCancelMessage_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcCancelMessage_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcCancelMessage_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcCancelMessage_SystemCall_10_0_18363 | |
| jmp NtAlpcCancelMessage_SystemCall_Unknown | |
| NtAlpcCancelMessage_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0070h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0070h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0070h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0070h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0070h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0074h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0074h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0074h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0074h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0074h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0075h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0075h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0076h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0076h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0076h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0076h | |
| jmp NtAlpcCancelMessage_Epilogue | |
| NtAlpcCancelMessage_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcCancelMessage_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcCancelMessage ENDP | |
| NtAlpcConnectPort PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcConnectPort_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcConnectPort_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcConnectPort_Check_10_0_XXXX | |
| jmp NtAlpcConnectPort_SystemCall_Unknown | |
| NtAlpcConnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcConnectPort_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcConnectPort_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcConnectPort_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcConnectPort_SystemCall_6_3_XXXX | |
| jmp NtAlpcConnectPort_SystemCall_Unknown | |
| NtAlpcConnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcConnectPort_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcConnectPort_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcConnectPort_SystemCall_6_0_6002 | |
| jmp NtAlpcConnectPort_SystemCall_Unknown | |
| NtAlpcConnectPort_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcConnectPort_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcConnectPort_SystemCall_6_1_7601 | |
| jmp NtAlpcConnectPort_SystemCall_Unknown | |
| NtAlpcConnectPort_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcConnectPort_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcConnectPort_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcConnectPort_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcConnectPort_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcConnectPort_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcConnectPort_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcConnectPort_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcConnectPort_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcConnectPort_SystemCall_10_0_18363 | |
| jmp NtAlpcConnectPort_SystemCall_Unknown | |
| NtAlpcConnectPort_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0071h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0071h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0071h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0071h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0071h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0075h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0075h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0075h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0075h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0075h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0076h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0076h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0077h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0077h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0077h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0077h | |
| jmp NtAlpcConnectPort_Epilogue | |
| NtAlpcConnectPort_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcConnectPort_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcConnectPort ENDP | |
| NtAlpcConnectPortEx PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcConnectPortEx_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcConnectPortEx_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcConnectPortEx_Check_10_0_XXXX | |
| jmp NtAlpcConnectPortEx_SystemCall_Unknown | |
| NtAlpcConnectPortEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcConnectPortEx_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcConnectPortEx_SystemCall_6_3_XXXX | |
| jmp NtAlpcConnectPortEx_SystemCall_Unknown | |
| NtAlpcConnectPortEx_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcConnectPortEx_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcConnectPortEx_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcConnectPortEx_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcConnectPortEx_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcConnectPortEx_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcConnectPortEx_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcConnectPortEx_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcConnectPortEx_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcConnectPortEx_SystemCall_10_0_18363 | |
| jmp NtAlpcConnectPortEx_SystemCall_Unknown | |
| NtAlpcConnectPortEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0076h | |
| jmp NtAlpcConnectPortEx_Epilogue | |
| NtAlpcConnectPortEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0076h | |
| jmp NtAlpcConnectPortEx_Epilogue | |
| NtAlpcConnectPortEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0076h | |
| jmp NtAlpcConnectPortEx_Epilogue | |
| NtAlpcConnectPortEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0076h | |
| jmp NtAlpcConnectPortEx_Epilogue | |
| NtAlpcConnectPortEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0076h | |
| jmp NtAlpcConnectPortEx_Epilogue | |
| NtAlpcConnectPortEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0077h | |
| jmp NtAlpcConnectPortEx_Epilogue | |
| NtAlpcConnectPortEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0077h | |
| jmp NtAlpcConnectPortEx_Epilogue | |
| NtAlpcConnectPortEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0078h | |
| jmp NtAlpcConnectPortEx_Epilogue | |
| NtAlpcConnectPortEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0078h | |
| jmp NtAlpcConnectPortEx_Epilogue | |
| NtAlpcConnectPortEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0078h | |
| jmp NtAlpcConnectPortEx_Epilogue | |
| NtAlpcConnectPortEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0078h | |
| jmp NtAlpcConnectPortEx_Epilogue | |
| NtAlpcConnectPortEx_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcConnectPortEx_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcConnectPortEx ENDP | |
| NtAlpcCreatePort PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcCreatePort_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcCreatePort_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcCreatePort_Check_10_0_XXXX | |
| jmp NtAlpcCreatePort_SystemCall_Unknown | |
| NtAlpcCreatePort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcCreatePort_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcCreatePort_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcCreatePort_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcCreatePort_SystemCall_6_3_XXXX | |
| jmp NtAlpcCreatePort_SystemCall_Unknown | |
| NtAlpcCreatePort_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcCreatePort_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcCreatePort_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcCreatePort_SystemCall_6_0_6002 | |
| jmp NtAlpcCreatePort_SystemCall_Unknown | |
| NtAlpcCreatePort_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcCreatePort_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcCreatePort_SystemCall_6_1_7601 | |
| jmp NtAlpcCreatePort_SystemCall_Unknown | |
| NtAlpcCreatePort_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcCreatePort_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcCreatePort_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcCreatePort_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcCreatePort_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcCreatePort_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcCreatePort_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcCreatePort_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcCreatePort_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcCreatePort_SystemCall_10_0_18363 | |
| jmp NtAlpcCreatePort_SystemCall_Unknown | |
| NtAlpcCreatePort_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0072h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0072h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0072h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0072h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0072h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0077h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0077h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0077h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0077h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0077h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0078h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0078h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0079h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0079h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0079h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0079h | |
| jmp NtAlpcCreatePort_Epilogue | |
| NtAlpcCreatePort_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcCreatePort_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcCreatePort ENDP | |
| NtAlpcCreatePortSection PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcCreatePortSection_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcCreatePortSection_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcCreatePortSection_Check_10_0_XXXX | |
| jmp NtAlpcCreatePortSection_SystemCall_Unknown | |
| NtAlpcCreatePortSection_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcCreatePortSection_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcCreatePortSection_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcCreatePortSection_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcCreatePortSection_SystemCall_6_3_XXXX | |
| jmp NtAlpcCreatePortSection_SystemCall_Unknown | |
| NtAlpcCreatePortSection_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcCreatePortSection_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcCreatePortSection_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcCreatePortSection_SystemCall_6_0_6002 | |
| jmp NtAlpcCreatePortSection_SystemCall_Unknown | |
| NtAlpcCreatePortSection_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcCreatePortSection_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcCreatePortSection_SystemCall_6_1_7601 | |
| jmp NtAlpcCreatePortSection_SystemCall_Unknown | |
| NtAlpcCreatePortSection_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcCreatePortSection_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcCreatePortSection_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcCreatePortSection_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcCreatePortSection_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcCreatePortSection_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcCreatePortSection_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcCreatePortSection_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcCreatePortSection_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcCreatePortSection_SystemCall_10_0_18363 | |
| jmp NtAlpcCreatePortSection_SystemCall_Unknown | |
| NtAlpcCreatePortSection_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0073h | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0073h | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0073h | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0073h | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0073h | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0078h | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0078h | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0078h | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0078h | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0078h | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0079h | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0079h | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 007ah | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 007ah | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 007ah | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 007ah | |
| jmp NtAlpcCreatePortSection_Epilogue | |
| NtAlpcCreatePortSection_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcCreatePortSection_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcCreatePortSection ENDP | |
| NtAlpcCreateResourceReserve PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcCreateResourceReserve_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcCreateResourceReserve_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcCreateResourceReserve_Check_10_0_XXXX | |
| jmp NtAlpcCreateResourceReserve_SystemCall_Unknown | |
| NtAlpcCreateResourceReserve_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcCreateResourceReserve_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcCreateResourceReserve_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcCreateResourceReserve_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcCreateResourceReserve_SystemCall_6_3_XXXX | |
| jmp NtAlpcCreateResourceReserve_SystemCall_Unknown | |
| NtAlpcCreateResourceReserve_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcCreateResourceReserve_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcCreateResourceReserve_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcCreateResourceReserve_SystemCall_6_0_6002 | |
| jmp NtAlpcCreateResourceReserve_SystemCall_Unknown | |
| NtAlpcCreateResourceReserve_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcCreateResourceReserve_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcCreateResourceReserve_SystemCall_6_1_7601 | |
| jmp NtAlpcCreateResourceReserve_SystemCall_Unknown | |
| NtAlpcCreateResourceReserve_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcCreateResourceReserve_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcCreateResourceReserve_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcCreateResourceReserve_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcCreateResourceReserve_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcCreateResourceReserve_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcCreateResourceReserve_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcCreateResourceReserve_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcCreateResourceReserve_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcCreateResourceReserve_SystemCall_10_0_18363 | |
| jmp NtAlpcCreateResourceReserve_SystemCall_Unknown | |
| NtAlpcCreateResourceReserve_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0074h | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0074h | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0074h | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0074h | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0074h | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0079h | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0079h | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0079h | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0079h | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0079h | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 007ah | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 007ah | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 007bh | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 007bh | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 007bh | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 007bh | |
| jmp NtAlpcCreateResourceReserve_Epilogue | |
| NtAlpcCreateResourceReserve_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcCreateResourceReserve_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcCreateResourceReserve ENDP | |
| NtAlpcCreateSectionView PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcCreateSectionView_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcCreateSectionView_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcCreateSectionView_Check_10_0_XXXX | |
| jmp NtAlpcCreateSectionView_SystemCall_Unknown | |
| NtAlpcCreateSectionView_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcCreateSectionView_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcCreateSectionView_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcCreateSectionView_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcCreateSectionView_SystemCall_6_3_XXXX | |
| jmp NtAlpcCreateSectionView_SystemCall_Unknown | |
| NtAlpcCreateSectionView_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcCreateSectionView_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcCreateSectionView_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcCreateSectionView_SystemCall_6_0_6002 | |
| jmp NtAlpcCreateSectionView_SystemCall_Unknown | |
| NtAlpcCreateSectionView_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcCreateSectionView_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcCreateSectionView_SystemCall_6_1_7601 | |
| jmp NtAlpcCreateSectionView_SystemCall_Unknown | |
| NtAlpcCreateSectionView_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcCreateSectionView_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcCreateSectionView_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcCreateSectionView_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcCreateSectionView_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcCreateSectionView_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcCreateSectionView_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcCreateSectionView_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcCreateSectionView_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcCreateSectionView_SystemCall_10_0_18363 | |
| jmp NtAlpcCreateSectionView_SystemCall_Unknown | |
| NtAlpcCreateSectionView_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0075h | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0075h | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0075h | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0075h | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0075h | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 007ah | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 007ah | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 007ah | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 007ah | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 007ah | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 007bh | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 007bh | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 007ch | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 007ch | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 007ch | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 007ch | |
| jmp NtAlpcCreateSectionView_Epilogue | |
| NtAlpcCreateSectionView_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcCreateSectionView_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcCreateSectionView ENDP | |
| NtAlpcCreateSecurityContext PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcCreateSecurityContext_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcCreateSecurityContext_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcCreateSecurityContext_Check_10_0_XXXX | |
| jmp NtAlpcCreateSecurityContext_SystemCall_Unknown | |
| NtAlpcCreateSecurityContext_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcCreateSecurityContext_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcCreateSecurityContext_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcCreateSecurityContext_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcCreateSecurityContext_SystemCall_6_3_XXXX | |
| jmp NtAlpcCreateSecurityContext_SystemCall_Unknown | |
| NtAlpcCreateSecurityContext_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcCreateSecurityContext_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcCreateSecurityContext_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcCreateSecurityContext_SystemCall_6_0_6002 | |
| jmp NtAlpcCreateSecurityContext_SystemCall_Unknown | |
| NtAlpcCreateSecurityContext_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcCreateSecurityContext_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcCreateSecurityContext_SystemCall_6_1_7601 | |
| jmp NtAlpcCreateSecurityContext_SystemCall_Unknown | |
| NtAlpcCreateSecurityContext_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcCreateSecurityContext_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcCreateSecurityContext_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcCreateSecurityContext_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcCreateSecurityContext_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcCreateSecurityContext_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcCreateSecurityContext_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcCreateSecurityContext_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcCreateSecurityContext_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcCreateSecurityContext_SystemCall_10_0_18363 | |
| jmp NtAlpcCreateSecurityContext_SystemCall_Unknown | |
| NtAlpcCreateSecurityContext_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0076h | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0076h | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0076h | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0076h | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0076h | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 007bh | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 007bh | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 007bh | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 007bh | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 007bh | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 007ch | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 007ch | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 007dh | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 007dh | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 007dh | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 007dh | |
| jmp NtAlpcCreateSecurityContext_Epilogue | |
| NtAlpcCreateSecurityContext_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcCreateSecurityContext_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcCreateSecurityContext ENDP | |
| NtAlpcDeletePortSection PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcDeletePortSection_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcDeletePortSection_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcDeletePortSection_Check_10_0_XXXX | |
| jmp NtAlpcDeletePortSection_SystemCall_Unknown | |
| NtAlpcDeletePortSection_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcDeletePortSection_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcDeletePortSection_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcDeletePortSection_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcDeletePortSection_SystemCall_6_3_XXXX | |
| jmp NtAlpcDeletePortSection_SystemCall_Unknown | |
| NtAlpcDeletePortSection_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcDeletePortSection_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcDeletePortSection_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcDeletePortSection_SystemCall_6_0_6002 | |
| jmp NtAlpcDeletePortSection_SystemCall_Unknown | |
| NtAlpcDeletePortSection_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcDeletePortSection_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcDeletePortSection_SystemCall_6_1_7601 | |
| jmp NtAlpcDeletePortSection_SystemCall_Unknown | |
| NtAlpcDeletePortSection_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcDeletePortSection_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcDeletePortSection_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcDeletePortSection_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcDeletePortSection_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcDeletePortSection_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcDeletePortSection_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcDeletePortSection_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcDeletePortSection_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcDeletePortSection_SystemCall_10_0_18363 | |
| jmp NtAlpcDeletePortSection_SystemCall_Unknown | |
| NtAlpcDeletePortSection_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0077h | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0077h | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0077h | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0077h | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0077h | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 007ch | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 007ch | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 007ch | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 007ch | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 007ch | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 007dh | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 007dh | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 007eh | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 007eh | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 007eh | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 007eh | |
| jmp NtAlpcDeletePortSection_Epilogue | |
| NtAlpcDeletePortSection_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcDeletePortSection_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcDeletePortSection ENDP | |
| NtAlpcDeleteResourceReserve PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcDeleteResourceReserve_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcDeleteResourceReserve_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcDeleteResourceReserve_Check_10_0_XXXX | |
| jmp NtAlpcDeleteResourceReserve_SystemCall_Unknown | |
| NtAlpcDeleteResourceReserve_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcDeleteResourceReserve_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcDeleteResourceReserve_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcDeleteResourceReserve_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcDeleteResourceReserve_SystemCall_6_3_XXXX | |
| jmp NtAlpcDeleteResourceReserve_SystemCall_Unknown | |
| NtAlpcDeleteResourceReserve_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcDeleteResourceReserve_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcDeleteResourceReserve_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcDeleteResourceReserve_SystemCall_6_0_6002 | |
| jmp NtAlpcDeleteResourceReserve_SystemCall_Unknown | |
| NtAlpcDeleteResourceReserve_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcDeleteResourceReserve_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcDeleteResourceReserve_SystemCall_6_1_7601 | |
| jmp NtAlpcDeleteResourceReserve_SystemCall_Unknown | |
| NtAlpcDeleteResourceReserve_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcDeleteResourceReserve_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcDeleteResourceReserve_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcDeleteResourceReserve_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcDeleteResourceReserve_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcDeleteResourceReserve_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcDeleteResourceReserve_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcDeleteResourceReserve_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcDeleteResourceReserve_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcDeleteResourceReserve_SystemCall_10_0_18363 | |
| jmp NtAlpcDeleteResourceReserve_SystemCall_Unknown | |
| NtAlpcDeleteResourceReserve_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0078h | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0078h | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0078h | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0078h | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0078h | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 007dh | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 007dh | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 007dh | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 007dh | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 007dh | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 007eh | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 007eh | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 007fh | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 007fh | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 007fh | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 007fh | |
| jmp NtAlpcDeleteResourceReserve_Epilogue | |
| NtAlpcDeleteResourceReserve_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcDeleteResourceReserve_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcDeleteResourceReserve ENDP | |
| NtAlpcDeleteSectionView PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcDeleteSectionView_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcDeleteSectionView_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcDeleteSectionView_Check_10_0_XXXX | |
| jmp NtAlpcDeleteSectionView_SystemCall_Unknown | |
| NtAlpcDeleteSectionView_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcDeleteSectionView_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcDeleteSectionView_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcDeleteSectionView_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcDeleteSectionView_SystemCall_6_3_XXXX | |
| jmp NtAlpcDeleteSectionView_SystemCall_Unknown | |
| NtAlpcDeleteSectionView_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcDeleteSectionView_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcDeleteSectionView_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcDeleteSectionView_SystemCall_6_0_6002 | |
| jmp NtAlpcDeleteSectionView_SystemCall_Unknown | |
| NtAlpcDeleteSectionView_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcDeleteSectionView_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcDeleteSectionView_SystemCall_6_1_7601 | |
| jmp NtAlpcDeleteSectionView_SystemCall_Unknown | |
| NtAlpcDeleteSectionView_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcDeleteSectionView_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcDeleteSectionView_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcDeleteSectionView_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcDeleteSectionView_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcDeleteSectionView_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcDeleteSectionView_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcDeleteSectionView_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcDeleteSectionView_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcDeleteSectionView_SystemCall_10_0_18363 | |
| jmp NtAlpcDeleteSectionView_SystemCall_Unknown | |
| NtAlpcDeleteSectionView_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0079h | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0079h | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0079h | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0079h | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0079h | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 007eh | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 007eh | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 007eh | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 007eh | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 007eh | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 007fh | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 007fh | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0080h | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0080h | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0080h | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0080h | |
| jmp NtAlpcDeleteSectionView_Epilogue | |
| NtAlpcDeleteSectionView_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcDeleteSectionView_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcDeleteSectionView ENDP | |
| NtAlpcDeleteSecurityContext PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcDeleteSecurityContext_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcDeleteSecurityContext_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcDeleteSecurityContext_Check_10_0_XXXX | |
| jmp NtAlpcDeleteSecurityContext_SystemCall_Unknown | |
| NtAlpcDeleteSecurityContext_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcDeleteSecurityContext_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcDeleteSecurityContext_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcDeleteSecurityContext_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcDeleteSecurityContext_SystemCall_6_3_XXXX | |
| jmp NtAlpcDeleteSecurityContext_SystemCall_Unknown | |
| NtAlpcDeleteSecurityContext_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcDeleteSecurityContext_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcDeleteSecurityContext_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcDeleteSecurityContext_SystemCall_6_0_6002 | |
| jmp NtAlpcDeleteSecurityContext_SystemCall_Unknown | |
| NtAlpcDeleteSecurityContext_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcDeleteSecurityContext_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcDeleteSecurityContext_SystemCall_6_1_7601 | |
| jmp NtAlpcDeleteSecurityContext_SystemCall_Unknown | |
| NtAlpcDeleteSecurityContext_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcDeleteSecurityContext_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcDeleteSecurityContext_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcDeleteSecurityContext_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcDeleteSecurityContext_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcDeleteSecurityContext_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcDeleteSecurityContext_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcDeleteSecurityContext_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcDeleteSecurityContext_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcDeleteSecurityContext_SystemCall_10_0_18363 | |
| jmp NtAlpcDeleteSecurityContext_SystemCall_Unknown | |
| NtAlpcDeleteSecurityContext_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 007ah | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 007ah | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 007ah | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 007ah | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 007ah | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 007fh | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 007fh | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 007fh | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 007fh | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 007fh | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0080h | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0080h | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0081h | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0081h | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0081h | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0081h | |
| jmp NtAlpcDeleteSecurityContext_Epilogue | |
| NtAlpcDeleteSecurityContext_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcDeleteSecurityContext_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcDeleteSecurityContext ENDP | |
| NtAlpcDisconnectPort PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcDisconnectPort_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcDisconnectPort_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcDisconnectPort_Check_10_0_XXXX | |
| jmp NtAlpcDisconnectPort_SystemCall_Unknown | |
| NtAlpcDisconnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcDisconnectPort_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcDisconnectPort_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcDisconnectPort_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcDisconnectPort_SystemCall_6_3_XXXX | |
| jmp NtAlpcDisconnectPort_SystemCall_Unknown | |
| NtAlpcDisconnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcDisconnectPort_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcDisconnectPort_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcDisconnectPort_SystemCall_6_0_6002 | |
| jmp NtAlpcDisconnectPort_SystemCall_Unknown | |
| NtAlpcDisconnectPort_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcDisconnectPort_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcDisconnectPort_SystemCall_6_1_7601 | |
| jmp NtAlpcDisconnectPort_SystemCall_Unknown | |
| NtAlpcDisconnectPort_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcDisconnectPort_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcDisconnectPort_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcDisconnectPort_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcDisconnectPort_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcDisconnectPort_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcDisconnectPort_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcDisconnectPort_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcDisconnectPort_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcDisconnectPort_SystemCall_10_0_18363 | |
| jmp NtAlpcDisconnectPort_SystemCall_Unknown | |
| NtAlpcDisconnectPort_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 007bh | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 007bh | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 007bh | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 007bh | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 007bh | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0080h | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0080h | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0080h | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0080h | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0080h | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0081h | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0081h | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0082h | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0082h | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0082h | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0082h | |
| jmp NtAlpcDisconnectPort_Epilogue | |
| NtAlpcDisconnectPort_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcDisconnectPort_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcDisconnectPort ENDP | |
| NtAlpcImpersonateClientContainerOfPort PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcImpersonateClientContainerOfPort_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcImpersonateClientContainerOfPort_Check_10_0_XXXX | |
| jmp NtAlpcImpersonateClientContainerOfPort_SystemCall_Unknown | |
| NtAlpcImpersonateClientContainerOfPort_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_18363 | |
| jmp NtAlpcImpersonateClientContainerOfPort_SystemCall_Unknown | |
| NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0081h | |
| jmp NtAlpcImpersonateClientContainerOfPort_Epilogue | |
| NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0081h | |
| jmp NtAlpcImpersonateClientContainerOfPort_Epilogue | |
| NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0081h | |
| jmp NtAlpcImpersonateClientContainerOfPort_Epilogue | |
| NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0082h | |
| jmp NtAlpcImpersonateClientContainerOfPort_Epilogue | |
| NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0082h | |
| jmp NtAlpcImpersonateClientContainerOfPort_Epilogue | |
| NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0083h | |
| jmp NtAlpcImpersonateClientContainerOfPort_Epilogue | |
| NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0083h | |
| jmp NtAlpcImpersonateClientContainerOfPort_Epilogue | |
| NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0083h | |
| jmp NtAlpcImpersonateClientContainerOfPort_Epilogue | |
| NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0083h | |
| jmp NtAlpcImpersonateClientContainerOfPort_Epilogue | |
| NtAlpcImpersonateClientContainerOfPort_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcImpersonateClientContainerOfPort_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcImpersonateClientContainerOfPort ENDP | |
| NtAlpcImpersonateClientOfPort PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcImpersonateClientOfPort_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcImpersonateClientOfPort_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcImpersonateClientOfPort_Check_10_0_XXXX | |
| jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown | |
| NtAlpcImpersonateClientOfPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcImpersonateClientOfPort_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcImpersonateClientOfPort_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_6_3_XXXX | |
| jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown | |
| NtAlpcImpersonateClientOfPort_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_6_0_6002 | |
| jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown | |
| NtAlpcImpersonateClientOfPort_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_6_1_7601 | |
| jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown | |
| NtAlpcImpersonateClientOfPort_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcImpersonateClientOfPort_SystemCall_10_0_18363 | |
| jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown | |
| NtAlpcImpersonateClientOfPort_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 007ch | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 007ch | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 007ch | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 007ch | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 007ch | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0081h | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0081h | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0082h | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0082h | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0082h | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0083h | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0083h | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0084h | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0084h | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0084h | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0084h | |
| jmp NtAlpcImpersonateClientOfPort_Epilogue | |
| NtAlpcImpersonateClientOfPort_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcImpersonateClientOfPort_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcImpersonateClientOfPort ENDP | |
| NtAlpcOpenSenderProcess PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcOpenSenderProcess_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcOpenSenderProcess_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcOpenSenderProcess_Check_10_0_XXXX | |
| jmp NtAlpcOpenSenderProcess_SystemCall_Unknown | |
| NtAlpcOpenSenderProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcOpenSenderProcess_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcOpenSenderProcess_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcOpenSenderProcess_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcOpenSenderProcess_SystemCall_6_3_XXXX | |
| jmp NtAlpcOpenSenderProcess_SystemCall_Unknown | |
| NtAlpcOpenSenderProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcOpenSenderProcess_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcOpenSenderProcess_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcOpenSenderProcess_SystemCall_6_0_6002 | |
| jmp NtAlpcOpenSenderProcess_SystemCall_Unknown | |
| NtAlpcOpenSenderProcess_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcOpenSenderProcess_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcOpenSenderProcess_SystemCall_6_1_7601 | |
| jmp NtAlpcOpenSenderProcess_SystemCall_Unknown | |
| NtAlpcOpenSenderProcess_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcOpenSenderProcess_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcOpenSenderProcess_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcOpenSenderProcess_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcOpenSenderProcess_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcOpenSenderProcess_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcOpenSenderProcess_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcOpenSenderProcess_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcOpenSenderProcess_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcOpenSenderProcess_SystemCall_10_0_18363 | |
| jmp NtAlpcOpenSenderProcess_SystemCall_Unknown | |
| NtAlpcOpenSenderProcess_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 007dh | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 007dh | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 007dh | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 007dh | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 007dh | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0082h | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0082h | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0083h | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0083h | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0083h | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0084h | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0084h | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0085h | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0085h | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0085h | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0085h | |
| jmp NtAlpcOpenSenderProcess_Epilogue | |
| NtAlpcOpenSenderProcess_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcOpenSenderProcess_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcOpenSenderProcess ENDP | |
| NtAlpcOpenSenderThread PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcOpenSenderThread_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcOpenSenderThread_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcOpenSenderThread_Check_10_0_XXXX | |
| jmp NtAlpcOpenSenderThread_SystemCall_Unknown | |
| NtAlpcOpenSenderThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcOpenSenderThread_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcOpenSenderThread_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcOpenSenderThread_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcOpenSenderThread_SystemCall_6_3_XXXX | |
| jmp NtAlpcOpenSenderThread_SystemCall_Unknown | |
| NtAlpcOpenSenderThread_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcOpenSenderThread_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcOpenSenderThread_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcOpenSenderThread_SystemCall_6_0_6002 | |
| jmp NtAlpcOpenSenderThread_SystemCall_Unknown | |
| NtAlpcOpenSenderThread_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcOpenSenderThread_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcOpenSenderThread_SystemCall_6_1_7601 | |
| jmp NtAlpcOpenSenderThread_SystemCall_Unknown | |
| NtAlpcOpenSenderThread_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcOpenSenderThread_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcOpenSenderThread_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcOpenSenderThread_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcOpenSenderThread_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcOpenSenderThread_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcOpenSenderThread_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcOpenSenderThread_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcOpenSenderThread_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcOpenSenderThread_SystemCall_10_0_18363 | |
| jmp NtAlpcOpenSenderThread_SystemCall_Unknown | |
| NtAlpcOpenSenderThread_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 007eh | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 007eh | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 007eh | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 007eh | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 007eh | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0083h | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0083h | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0084h | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0084h | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0084h | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0085h | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0085h | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0086h | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0086h | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0086h | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0086h | |
| jmp NtAlpcOpenSenderThread_Epilogue | |
| NtAlpcOpenSenderThread_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcOpenSenderThread_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcOpenSenderThread ENDP | |
| NtAlpcQueryInformation PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcQueryInformation_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcQueryInformation_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcQueryInformation_Check_10_0_XXXX | |
| jmp NtAlpcQueryInformation_SystemCall_Unknown | |
| NtAlpcQueryInformation_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcQueryInformation_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcQueryInformation_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcQueryInformation_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcQueryInformation_SystemCall_6_3_XXXX | |
| jmp NtAlpcQueryInformation_SystemCall_Unknown | |
| NtAlpcQueryInformation_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcQueryInformation_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcQueryInformation_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcQueryInformation_SystemCall_6_0_6002 | |
| jmp NtAlpcQueryInformation_SystemCall_Unknown | |
| NtAlpcQueryInformation_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcQueryInformation_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcQueryInformation_SystemCall_6_1_7601 | |
| jmp NtAlpcQueryInformation_SystemCall_Unknown | |
| NtAlpcQueryInformation_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcQueryInformation_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcQueryInformation_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcQueryInformation_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcQueryInformation_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcQueryInformation_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcQueryInformation_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcQueryInformation_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcQueryInformation_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcQueryInformation_SystemCall_10_0_18363 | |
| jmp NtAlpcQueryInformation_SystemCall_Unknown | |
| NtAlpcQueryInformation_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 007fh | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 007fh | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 007fh | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 007fh | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 007fh | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0084h | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0084h | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0085h | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0085h | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0085h | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0086h | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0086h | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0087h | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0087h | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0087h | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0087h | |
| jmp NtAlpcQueryInformation_Epilogue | |
| NtAlpcQueryInformation_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcQueryInformation_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcQueryInformation ENDP | |
| NtAlpcQueryInformationMessage PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcQueryInformationMessage_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcQueryInformationMessage_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcQueryInformationMessage_Check_10_0_XXXX | |
| jmp NtAlpcQueryInformationMessage_SystemCall_Unknown | |
| NtAlpcQueryInformationMessage_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcQueryInformationMessage_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcQueryInformationMessage_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcQueryInformationMessage_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcQueryInformationMessage_SystemCall_6_3_XXXX | |
| jmp NtAlpcQueryInformationMessage_SystemCall_Unknown | |
| NtAlpcQueryInformationMessage_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcQueryInformationMessage_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcQueryInformationMessage_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcQueryInformationMessage_SystemCall_6_0_6002 | |
| jmp NtAlpcQueryInformationMessage_SystemCall_Unknown | |
| NtAlpcQueryInformationMessage_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcQueryInformationMessage_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcQueryInformationMessage_SystemCall_6_1_7601 | |
| jmp NtAlpcQueryInformationMessage_SystemCall_Unknown | |
| NtAlpcQueryInformationMessage_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcQueryInformationMessage_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcQueryInformationMessage_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcQueryInformationMessage_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcQueryInformationMessage_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcQueryInformationMessage_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcQueryInformationMessage_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcQueryInformationMessage_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcQueryInformationMessage_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcQueryInformationMessage_SystemCall_10_0_18363 | |
| jmp NtAlpcQueryInformationMessage_SystemCall_Unknown | |
| NtAlpcQueryInformationMessage_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0080h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0080h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0080h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0080h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0080h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0085h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0085h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0086h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0086h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0086h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0087h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0087h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0088h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0088h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0088h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0088h | |
| jmp NtAlpcQueryInformationMessage_Epilogue | |
| NtAlpcQueryInformationMessage_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcQueryInformationMessage_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcQueryInformationMessage ENDP | |
| NtAlpcRevokeSecurityContext PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcRevokeSecurityContext_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcRevokeSecurityContext_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcRevokeSecurityContext_Check_10_0_XXXX | |
| jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown | |
| NtAlpcRevokeSecurityContext_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcRevokeSecurityContext_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcRevokeSecurityContext_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcRevokeSecurityContext_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcRevokeSecurityContext_SystemCall_6_3_XXXX | |
| jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown | |
| NtAlpcRevokeSecurityContext_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcRevokeSecurityContext_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcRevokeSecurityContext_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcRevokeSecurityContext_SystemCall_6_0_6002 | |
| jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown | |
| NtAlpcRevokeSecurityContext_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcRevokeSecurityContext_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcRevokeSecurityContext_SystemCall_6_1_7601 | |
| jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown | |
| NtAlpcRevokeSecurityContext_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcRevokeSecurityContext_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcRevokeSecurityContext_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcRevokeSecurityContext_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcRevokeSecurityContext_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcRevokeSecurityContext_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcRevokeSecurityContext_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcRevokeSecurityContext_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcRevokeSecurityContext_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcRevokeSecurityContext_SystemCall_10_0_18363 | |
| jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown | |
| NtAlpcRevokeSecurityContext_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0081h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0081h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0081h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0081h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0081h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0086h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0086h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0087h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0087h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0087h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0088h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0088h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0089h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0089h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0089h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0089h | |
| jmp NtAlpcRevokeSecurityContext_Epilogue | |
| NtAlpcRevokeSecurityContext_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcRevokeSecurityContext_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcRevokeSecurityContext ENDP | |
| NtAlpcSendWaitReceivePort PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcSendWaitReceivePort_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcSendWaitReceivePort_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcSendWaitReceivePort_Check_10_0_XXXX | |
| jmp NtAlpcSendWaitReceivePort_SystemCall_Unknown | |
| NtAlpcSendWaitReceivePort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcSendWaitReceivePort_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcSendWaitReceivePort_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcSendWaitReceivePort_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcSendWaitReceivePort_SystemCall_6_3_XXXX | |
| jmp NtAlpcSendWaitReceivePort_SystemCall_Unknown | |
| NtAlpcSendWaitReceivePort_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcSendWaitReceivePort_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcSendWaitReceivePort_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcSendWaitReceivePort_SystemCall_6_0_6002 | |
| jmp NtAlpcSendWaitReceivePort_SystemCall_Unknown | |
| NtAlpcSendWaitReceivePort_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcSendWaitReceivePort_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcSendWaitReceivePort_SystemCall_6_1_7601 | |
| jmp NtAlpcSendWaitReceivePort_SystemCall_Unknown | |
| NtAlpcSendWaitReceivePort_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcSendWaitReceivePort_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcSendWaitReceivePort_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcSendWaitReceivePort_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcSendWaitReceivePort_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcSendWaitReceivePort_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcSendWaitReceivePort_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcSendWaitReceivePort_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcSendWaitReceivePort_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcSendWaitReceivePort_SystemCall_10_0_18363 | |
| jmp NtAlpcSendWaitReceivePort_SystemCall_Unknown | |
| NtAlpcSendWaitReceivePort_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0082h | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0082h | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0082h | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0082h | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0082h | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0087h | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0087h | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0088h | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0088h | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0088h | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0089h | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0089h | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 008ah | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 008ah | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 008ah | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 008ah | |
| jmp NtAlpcSendWaitReceivePort_Epilogue | |
| NtAlpcSendWaitReceivePort_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcSendWaitReceivePort_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcSendWaitReceivePort ENDP | |
| NtAlpcSetInformation PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAlpcSetInformation_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAlpcSetInformation_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAlpcSetInformation_Check_10_0_XXXX | |
| jmp NtAlpcSetInformation_SystemCall_Unknown | |
| NtAlpcSetInformation_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAlpcSetInformation_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAlpcSetInformation_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcSetInformation_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAlpcSetInformation_SystemCall_6_3_XXXX | |
| jmp NtAlpcSetInformation_SystemCall_Unknown | |
| NtAlpcSetInformation_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAlpcSetInformation_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAlpcSetInformation_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAlpcSetInformation_SystemCall_6_0_6002 | |
| jmp NtAlpcSetInformation_SystemCall_Unknown | |
| NtAlpcSetInformation_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAlpcSetInformation_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAlpcSetInformation_SystemCall_6_1_7601 | |
| jmp NtAlpcSetInformation_SystemCall_Unknown | |
| NtAlpcSetInformation_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAlpcSetInformation_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAlpcSetInformation_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAlpcSetInformation_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAlpcSetInformation_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAlpcSetInformation_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAlpcSetInformation_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAlpcSetInformation_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAlpcSetInformation_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAlpcSetInformation_SystemCall_10_0_18363 | |
| jmp NtAlpcSetInformation_SystemCall_Unknown | |
| NtAlpcSetInformation_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0083h | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0083h | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0083h | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0083h | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0083h | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0088h | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0088h | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0089h | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0089h | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0089h | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 008ah | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 008ah | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 008bh | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 008bh | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 008bh | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 008bh | |
| jmp NtAlpcSetInformation_Epilogue | |
| NtAlpcSetInformation_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAlpcSetInformation_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAlpcSetInformation ENDP | |
| NtApphelpCacheControl PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtApphelpCacheControl_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtApphelpCacheControl_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtApphelpCacheControl_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtApphelpCacheControl_Check_10_0_XXXX | |
| jmp NtApphelpCacheControl_SystemCall_Unknown | |
| NtApphelpCacheControl_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtApphelpCacheControl_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtApphelpCacheControl_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtApphelpCacheControl_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtApphelpCacheControl_SystemCall_6_3_XXXX | |
| jmp NtApphelpCacheControl_SystemCall_Unknown | |
| NtApphelpCacheControl_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtApphelpCacheControl_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtApphelpCacheControl_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtApphelpCacheControl_SystemCall_6_0_6002 | |
| jmp NtApphelpCacheControl_SystemCall_Unknown | |
| NtApphelpCacheControl_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtApphelpCacheControl_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtApphelpCacheControl_SystemCall_6_1_7601 | |
| jmp NtApphelpCacheControl_SystemCall_Unknown | |
| NtApphelpCacheControl_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtApphelpCacheControl_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtApphelpCacheControl_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtApphelpCacheControl_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtApphelpCacheControl_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtApphelpCacheControl_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtApphelpCacheControl_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtApphelpCacheControl_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtApphelpCacheControl_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtApphelpCacheControl_SystemCall_10_0_18363 | |
| jmp NtApphelpCacheControl_SystemCall_Unknown | |
| NtApphelpCacheControl_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0049h | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0049h | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0049h | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0049h | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0049h | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0049h | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 004ah | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 004bh | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 004ch | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 004ch | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 004ch | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 004ch | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 004ch | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 004ch | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 004ch | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 004ch | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 004ch | |
| jmp NtApphelpCacheControl_Epilogue | |
| NtApphelpCacheControl_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtApphelpCacheControl_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtApphelpCacheControl ENDP | |
| NtAreMappedFilesTheSame PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAreMappedFilesTheSame_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAreMappedFilesTheSame_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAreMappedFilesTheSame_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAreMappedFilesTheSame_Check_10_0_XXXX | |
| jmp NtAreMappedFilesTheSame_SystemCall_Unknown | |
| NtAreMappedFilesTheSame_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAreMappedFilesTheSame_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAreMappedFilesTheSame_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAreMappedFilesTheSame_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAreMappedFilesTheSame_SystemCall_6_3_XXXX | |
| jmp NtAreMappedFilesTheSame_SystemCall_Unknown | |
| NtAreMappedFilesTheSame_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAreMappedFilesTheSame_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAreMappedFilesTheSame_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAreMappedFilesTheSame_SystemCall_6_0_6002 | |
| jmp NtAreMappedFilesTheSame_SystemCall_Unknown | |
| NtAreMappedFilesTheSame_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAreMappedFilesTheSame_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAreMappedFilesTheSame_SystemCall_6_1_7601 | |
| jmp NtAreMappedFilesTheSame_SystemCall_Unknown | |
| NtAreMappedFilesTheSame_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAreMappedFilesTheSame_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAreMappedFilesTheSame_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAreMappedFilesTheSame_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAreMappedFilesTheSame_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAreMappedFilesTheSame_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAreMappedFilesTheSame_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAreMappedFilesTheSame_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAreMappedFilesTheSame_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAreMappedFilesTheSame_SystemCall_10_0_18363 | |
| jmp NtAreMappedFilesTheSame_SystemCall_Unknown | |
| NtAreMappedFilesTheSame_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 006eh | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0084h | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0084h | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0084h | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0084h | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0084h | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0089h | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0089h | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 008ah | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 008ah | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 008ah | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 008bh | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 008bh | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 008ch | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 008ch | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 008ch | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 008ch | |
| jmp NtAreMappedFilesTheSame_Epilogue | |
| NtAreMappedFilesTheSame_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAreMappedFilesTheSame_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAreMappedFilesTheSame ENDP | |
| NtAssignProcessToJobObject PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAssignProcessToJobObject_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtAssignProcessToJobObject_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAssignProcessToJobObject_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAssignProcessToJobObject_Check_10_0_XXXX | |
| jmp NtAssignProcessToJobObject_SystemCall_Unknown | |
| NtAssignProcessToJobObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtAssignProcessToJobObject_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtAssignProcessToJobObject_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAssignProcessToJobObject_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAssignProcessToJobObject_SystemCall_6_3_XXXX | |
| jmp NtAssignProcessToJobObject_SystemCall_Unknown | |
| NtAssignProcessToJobObject_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtAssignProcessToJobObject_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtAssignProcessToJobObject_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtAssignProcessToJobObject_SystemCall_6_0_6002 | |
| jmp NtAssignProcessToJobObject_SystemCall_Unknown | |
| NtAssignProcessToJobObject_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtAssignProcessToJobObject_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtAssignProcessToJobObject_SystemCall_6_1_7601 | |
| jmp NtAssignProcessToJobObject_SystemCall_Unknown | |
| NtAssignProcessToJobObject_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAssignProcessToJobObject_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAssignProcessToJobObject_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAssignProcessToJobObject_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAssignProcessToJobObject_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAssignProcessToJobObject_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAssignProcessToJobObject_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAssignProcessToJobObject_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAssignProcessToJobObject_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAssignProcessToJobObject_SystemCall_10_0_18363 | |
| jmp NtAssignProcessToJobObject_SystemCall_Unknown | |
| NtAssignProcessToJobObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 006fh | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0085h | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0085h | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0085h | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0085h | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0085h | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 008ah | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 008ah | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 008bh | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 008bh | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 008bh | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 008ch | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 008ch | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 008dh | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 008dh | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 008dh | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 008dh | |
| jmp NtAssignProcessToJobObject_Epilogue | |
| NtAssignProcessToJobObject_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAssignProcessToJobObject_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAssignProcessToJobObject ENDP | |
| NtAssociateWaitCompletionPacket PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtAssociateWaitCompletionPacket_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtAssociateWaitCompletionPacket_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtAssociateWaitCompletionPacket_Check_10_0_XXXX | |
| jmp NtAssociateWaitCompletionPacket_SystemCall_Unknown | |
| NtAssociateWaitCompletionPacket_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAssociateWaitCompletionPacket_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtAssociateWaitCompletionPacket_SystemCall_6_3_XXXX | |
| jmp NtAssociateWaitCompletionPacket_SystemCall_Unknown | |
| NtAssociateWaitCompletionPacket_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtAssociateWaitCompletionPacket_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtAssociateWaitCompletionPacket_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtAssociateWaitCompletionPacket_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtAssociateWaitCompletionPacket_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtAssociateWaitCompletionPacket_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtAssociateWaitCompletionPacket_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtAssociateWaitCompletionPacket_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtAssociateWaitCompletionPacket_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtAssociateWaitCompletionPacket_SystemCall_10_0_18363 | |
| jmp NtAssociateWaitCompletionPacket_SystemCall_Unknown | |
| NtAssociateWaitCompletionPacket_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 008bh | |
| jmp NtAssociateWaitCompletionPacket_Epilogue | |
| NtAssociateWaitCompletionPacket_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 008bh | |
| jmp NtAssociateWaitCompletionPacket_Epilogue | |
| NtAssociateWaitCompletionPacket_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 008ch | |
| jmp NtAssociateWaitCompletionPacket_Epilogue | |
| NtAssociateWaitCompletionPacket_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 008ch | |
| jmp NtAssociateWaitCompletionPacket_Epilogue | |
| NtAssociateWaitCompletionPacket_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 008ch | |
| jmp NtAssociateWaitCompletionPacket_Epilogue | |
| NtAssociateWaitCompletionPacket_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 008dh | |
| jmp NtAssociateWaitCompletionPacket_Epilogue | |
| NtAssociateWaitCompletionPacket_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 008dh | |
| jmp NtAssociateWaitCompletionPacket_Epilogue | |
| NtAssociateWaitCompletionPacket_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 008eh | |
| jmp NtAssociateWaitCompletionPacket_Epilogue | |
| NtAssociateWaitCompletionPacket_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 008eh | |
| jmp NtAssociateWaitCompletionPacket_Epilogue | |
| NtAssociateWaitCompletionPacket_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 008eh | |
| jmp NtAssociateWaitCompletionPacket_Epilogue | |
| NtAssociateWaitCompletionPacket_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 008eh | |
| jmp NtAssociateWaitCompletionPacket_Epilogue | |
| NtAssociateWaitCompletionPacket_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtAssociateWaitCompletionPacket_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtAssociateWaitCompletionPacket ENDP | |
| NtCallEnclave PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCallEnclave_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCallEnclave_Check_10_0_XXXX | |
| jmp NtCallEnclave_SystemCall_Unknown | |
| NtCallEnclave_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCallEnclave_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCallEnclave_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCallEnclave_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCallEnclave_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCallEnclave_SystemCall_10_0_18363 | |
| jmp NtCallEnclave_SystemCall_Unknown | |
| NtCallEnclave_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 008eh | |
| jmp NtCallEnclave_Epilogue | |
| NtCallEnclave_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 008fh | |
| jmp NtCallEnclave_Epilogue | |
| NtCallEnclave_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 008fh | |
| jmp NtCallEnclave_Epilogue | |
| NtCallEnclave_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 008fh | |
| jmp NtCallEnclave_Epilogue | |
| NtCallEnclave_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 008fh | |
| jmp NtCallEnclave_Epilogue | |
| NtCallEnclave_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCallEnclave_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCallEnclave ENDP | |
| NtCallbackReturn PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCallbackReturn_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCallbackReturn_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCallbackReturn_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCallbackReturn_Check_10_0_XXXX | |
| jmp NtCallbackReturn_SystemCall_Unknown | |
| NtCallbackReturn_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCallbackReturn_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCallbackReturn_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCallbackReturn_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCallbackReturn_SystemCall_6_3_XXXX | |
| jmp NtCallbackReturn_SystemCall_Unknown | |
| NtCallbackReturn_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCallbackReturn_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCallbackReturn_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCallbackReturn_SystemCall_6_0_6002 | |
| jmp NtCallbackReturn_SystemCall_Unknown | |
| NtCallbackReturn_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCallbackReturn_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCallbackReturn_SystemCall_6_1_7601 | |
| jmp NtCallbackReturn_SystemCall_Unknown | |
| NtCallbackReturn_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCallbackReturn_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCallbackReturn_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCallbackReturn_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCallbackReturn_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCallbackReturn_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCallbackReturn_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCallbackReturn_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCallbackReturn_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCallbackReturn_SystemCall_10_0_18363 | |
| jmp NtCallbackReturn_SystemCall_Unknown | |
| NtCallbackReturn_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0002h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0002h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0002h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0002h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0002h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0002h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0003h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0004h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0005h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0005h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0005h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0005h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0005h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0005h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0005h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0005h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0005h | |
| jmp NtCallbackReturn_Epilogue | |
| NtCallbackReturn_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCallbackReturn_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCallbackReturn ENDP | |
| NtCancelDeviceWakeupRequest PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCancelDeviceWakeupRequest_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCancelDeviceWakeupRequest_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCancelDeviceWakeupRequest_Check_6_X_XXXX | |
| jmp NtCancelDeviceWakeupRequest_SystemCall_Unknown | |
| NtCancelDeviceWakeupRequest_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCancelDeviceWakeupRequest_Check_6_0_XXXX | |
| jmp NtCancelDeviceWakeupRequest_SystemCall_Unknown | |
| NtCancelDeviceWakeupRequest_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCancelDeviceWakeupRequest_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCancelDeviceWakeupRequest_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCancelDeviceWakeupRequest_SystemCall_6_0_6002 | |
| jmp NtCancelDeviceWakeupRequest_SystemCall_Unknown | |
| NtCancelDeviceWakeupRequest_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0070h | |
| jmp NtCancelDeviceWakeupRequest_Epilogue | |
| NtCancelDeviceWakeupRequest_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0086h | |
| jmp NtCancelDeviceWakeupRequest_Epilogue | |
| NtCancelDeviceWakeupRequest_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0086h | |
| jmp NtCancelDeviceWakeupRequest_Epilogue | |
| NtCancelDeviceWakeupRequest_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0086h | |
| jmp NtCancelDeviceWakeupRequest_Epilogue | |
| NtCancelDeviceWakeupRequest_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCancelDeviceWakeupRequest_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCancelDeviceWakeupRequest ENDP | |
| NtCancelIoFile PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCancelIoFile_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCancelIoFile_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCancelIoFile_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCancelIoFile_Check_10_0_XXXX | |
| jmp NtCancelIoFile_SystemCall_Unknown | |
| NtCancelIoFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCancelIoFile_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCancelIoFile_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCancelIoFile_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCancelIoFile_SystemCall_6_3_XXXX | |
| jmp NtCancelIoFile_SystemCall_Unknown | |
| NtCancelIoFile_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCancelIoFile_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCancelIoFile_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCancelIoFile_SystemCall_6_0_6002 | |
| jmp NtCancelIoFile_SystemCall_Unknown | |
| NtCancelIoFile_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCancelIoFile_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCancelIoFile_SystemCall_6_1_7601 | |
| jmp NtCancelIoFile_SystemCall_Unknown | |
| NtCancelIoFile_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCancelIoFile_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCancelIoFile_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCancelIoFile_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCancelIoFile_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCancelIoFile_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCancelIoFile_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCancelIoFile_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCancelIoFile_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCancelIoFile_SystemCall_10_0_18363 | |
| jmp NtCancelIoFile_SystemCall_Unknown | |
| NtCancelIoFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 005ah | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 005ah | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 005ah | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 005ah | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 005ah | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 005ah | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 005bh | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 005ch | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 005dh | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 005dh | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 005dh | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 005dh | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 005dh | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 005dh | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 005dh | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 005dh | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 005dh | |
| jmp NtCancelIoFile_Epilogue | |
| NtCancelIoFile_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCancelIoFile_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCancelIoFile ENDP | |
| NtCancelIoFileEx PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCancelIoFileEx_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCancelIoFileEx_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCancelIoFileEx_Check_10_0_XXXX | |
| jmp NtCancelIoFileEx_SystemCall_Unknown | |
| NtCancelIoFileEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCancelIoFileEx_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCancelIoFileEx_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCancelIoFileEx_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCancelIoFileEx_SystemCall_6_3_XXXX | |
| jmp NtCancelIoFileEx_SystemCall_Unknown | |
| NtCancelIoFileEx_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCancelIoFileEx_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCancelIoFileEx_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCancelIoFileEx_SystemCall_6_0_6002 | |
| jmp NtCancelIoFileEx_SystemCall_Unknown | |
| NtCancelIoFileEx_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCancelIoFileEx_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCancelIoFileEx_SystemCall_6_1_7601 | |
| jmp NtCancelIoFileEx_SystemCall_Unknown | |
| NtCancelIoFileEx_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCancelIoFileEx_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCancelIoFileEx_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCancelIoFileEx_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCancelIoFileEx_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCancelIoFileEx_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCancelIoFileEx_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCancelIoFileEx_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCancelIoFileEx_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCancelIoFileEx_SystemCall_10_0_18363 | |
| jmp NtCancelIoFileEx_SystemCall_Unknown | |
| NtCancelIoFileEx_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0087h | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0087h | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0087h | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0086h | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0086h | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 008ch | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 008ch | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 008dh | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 008dh | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 008dh | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 008eh | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 008fh | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0090h | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0090h | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0090h | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0090h | |
| jmp NtCancelIoFileEx_Epilogue | |
| NtCancelIoFileEx_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCancelIoFileEx_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCancelIoFileEx ENDP | |
| NtCancelSynchronousIoFile PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCancelSynchronousIoFile_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCancelSynchronousIoFile_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCancelSynchronousIoFile_Check_10_0_XXXX | |
| jmp NtCancelSynchronousIoFile_SystemCall_Unknown | |
| NtCancelSynchronousIoFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCancelSynchronousIoFile_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCancelSynchronousIoFile_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCancelSynchronousIoFile_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCancelSynchronousIoFile_SystemCall_6_3_XXXX | |
| jmp NtCancelSynchronousIoFile_SystemCall_Unknown | |
| NtCancelSynchronousIoFile_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCancelSynchronousIoFile_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCancelSynchronousIoFile_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCancelSynchronousIoFile_SystemCall_6_0_6002 | |
| jmp NtCancelSynchronousIoFile_SystemCall_Unknown | |
| NtCancelSynchronousIoFile_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCancelSynchronousIoFile_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCancelSynchronousIoFile_SystemCall_6_1_7601 | |
| jmp NtCancelSynchronousIoFile_SystemCall_Unknown | |
| NtCancelSynchronousIoFile_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCancelSynchronousIoFile_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCancelSynchronousIoFile_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCancelSynchronousIoFile_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCancelSynchronousIoFile_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCancelSynchronousIoFile_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCancelSynchronousIoFile_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCancelSynchronousIoFile_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCancelSynchronousIoFile_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCancelSynchronousIoFile_SystemCall_10_0_18363 | |
| jmp NtCancelSynchronousIoFile_SystemCall_Unknown | |
| NtCancelSynchronousIoFile_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0088h | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0088h | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0088h | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0087h | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0087h | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 008dh | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 008dh | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 008eh | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 008eh | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 008eh | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 008fh | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0090h | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0091h | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0091h | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0091h | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0091h | |
| jmp NtCancelSynchronousIoFile_Epilogue | |
| NtCancelSynchronousIoFile_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCancelSynchronousIoFile_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCancelSynchronousIoFile ENDP | |
| NtCancelTimer PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCancelTimer_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCancelTimer_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCancelTimer_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCancelTimer_Check_10_0_XXXX | |
| jmp NtCancelTimer_SystemCall_Unknown | |
| NtCancelTimer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCancelTimer_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCancelTimer_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCancelTimer_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCancelTimer_SystemCall_6_3_XXXX | |
| jmp NtCancelTimer_SystemCall_Unknown | |
| NtCancelTimer_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCancelTimer_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCancelTimer_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCancelTimer_SystemCall_6_0_6002 | |
| jmp NtCancelTimer_SystemCall_Unknown | |
| NtCancelTimer_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCancelTimer_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCancelTimer_SystemCall_6_1_7601 | |
| jmp NtCancelTimer_SystemCall_Unknown | |
| NtCancelTimer_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCancelTimer_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCancelTimer_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCancelTimer_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCancelTimer_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCancelTimer_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCancelTimer_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCancelTimer_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCancelTimer_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCancelTimer_SystemCall_10_0_18363 | |
| jmp NtCancelTimer_SystemCall_Unknown | |
| NtCancelTimer_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 005eh | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 005eh | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 005eh | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 005eh | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 005eh | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 005eh | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 005fh | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0060h | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0061h | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0061h | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0061h | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0061h | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0061h | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0061h | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0061h | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0061h | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0061h | |
| jmp NtCancelTimer_Epilogue | |
| NtCancelTimer_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCancelTimer_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCancelTimer ENDP | |
| NtCancelTimer2 PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCancelTimer2_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCancelTimer2_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCancelTimer2_Check_10_0_XXXX | |
| jmp NtCancelTimer2_SystemCall_Unknown | |
| NtCancelTimer2_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCancelTimer2_SystemCall_6_3_XXXX | |
| jmp NtCancelTimer2_SystemCall_Unknown | |
| NtCancelTimer2_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCancelTimer2_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCancelTimer2_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCancelTimer2_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCancelTimer2_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCancelTimer2_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCancelTimer2_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCancelTimer2_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCancelTimer2_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCancelTimer2_SystemCall_10_0_18363 | |
| jmp NtCancelTimer2_SystemCall_Unknown | |
| NtCancelTimer2_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 008eh | |
| jmp NtCancelTimer2_Epilogue | |
| NtCancelTimer2_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 008fh | |
| jmp NtCancelTimer2_Epilogue | |
| NtCancelTimer2_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 008fh | |
| jmp NtCancelTimer2_Epilogue | |
| NtCancelTimer2_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 008fh | |
| jmp NtCancelTimer2_Epilogue | |
| NtCancelTimer2_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0090h | |
| jmp NtCancelTimer2_Epilogue | |
| NtCancelTimer2_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0091h | |
| jmp NtCancelTimer2_Epilogue | |
| NtCancelTimer2_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0092h | |
| jmp NtCancelTimer2_Epilogue | |
| NtCancelTimer2_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0092h | |
| jmp NtCancelTimer2_Epilogue | |
| NtCancelTimer2_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0092h | |
| jmp NtCancelTimer2_Epilogue | |
| NtCancelTimer2_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0092h | |
| jmp NtCancelTimer2_Epilogue | |
| NtCancelTimer2_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCancelTimer2_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCancelTimer2 ENDP | |
| NtCancelWaitCompletionPacket PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCancelWaitCompletionPacket_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCancelWaitCompletionPacket_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCancelWaitCompletionPacket_Check_10_0_XXXX | |
| jmp NtCancelWaitCompletionPacket_SystemCall_Unknown | |
| NtCancelWaitCompletionPacket_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCancelWaitCompletionPacket_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCancelWaitCompletionPacket_SystemCall_6_3_XXXX | |
| jmp NtCancelWaitCompletionPacket_SystemCall_Unknown | |
| NtCancelWaitCompletionPacket_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCancelWaitCompletionPacket_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCancelWaitCompletionPacket_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCancelWaitCompletionPacket_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCancelWaitCompletionPacket_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCancelWaitCompletionPacket_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCancelWaitCompletionPacket_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCancelWaitCompletionPacket_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCancelWaitCompletionPacket_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCancelWaitCompletionPacket_SystemCall_10_0_18363 | |
| jmp NtCancelWaitCompletionPacket_SystemCall_Unknown | |
| NtCancelWaitCompletionPacket_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 008eh | |
| jmp NtCancelWaitCompletionPacket_Epilogue | |
| NtCancelWaitCompletionPacket_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 008fh | |
| jmp NtCancelWaitCompletionPacket_Epilogue | |
| NtCancelWaitCompletionPacket_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0090h | |
| jmp NtCancelWaitCompletionPacket_Epilogue | |
| NtCancelWaitCompletionPacket_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0090h | |
| jmp NtCancelWaitCompletionPacket_Epilogue | |
| NtCancelWaitCompletionPacket_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0090h | |
| jmp NtCancelWaitCompletionPacket_Epilogue | |
| NtCancelWaitCompletionPacket_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0091h | |
| jmp NtCancelWaitCompletionPacket_Epilogue | |
| NtCancelWaitCompletionPacket_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0092h | |
| jmp NtCancelWaitCompletionPacket_Epilogue | |
| NtCancelWaitCompletionPacket_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0093h | |
| jmp NtCancelWaitCompletionPacket_Epilogue | |
| NtCancelWaitCompletionPacket_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0093h | |
| jmp NtCancelWaitCompletionPacket_Epilogue | |
| NtCancelWaitCompletionPacket_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0093h | |
| jmp NtCancelWaitCompletionPacket_Epilogue | |
| NtCancelWaitCompletionPacket_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0093h | |
| jmp NtCancelWaitCompletionPacket_Epilogue | |
| NtCancelWaitCompletionPacket_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCancelWaitCompletionPacket_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCancelWaitCompletionPacket ENDP | |
| NtClearAllSavepointsTransaction PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtClearAllSavepointsTransaction_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtClearAllSavepointsTransaction_Check_6_X_XXXX | |
| jmp NtClearAllSavepointsTransaction_SystemCall_Unknown | |
| NtClearAllSavepointsTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtClearAllSavepointsTransaction_Check_6_0_XXXX | |
| jmp NtClearAllSavepointsTransaction_SystemCall_Unknown | |
| NtClearAllSavepointsTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtClearAllSavepointsTransaction_SystemCall_6_0_6000 | |
| jmp NtClearAllSavepointsTransaction_SystemCall_Unknown | |
| NtClearAllSavepointsTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0089h | |
| jmp NtClearAllSavepointsTransaction_Epilogue | |
| NtClearAllSavepointsTransaction_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtClearAllSavepointsTransaction_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtClearAllSavepointsTransaction ENDP | |
| NtClearEvent PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtClearEvent_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtClearEvent_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtClearEvent_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtClearEvent_Check_10_0_XXXX | |
| jmp NtClearEvent_SystemCall_Unknown | |
| NtClearEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtClearEvent_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtClearEvent_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtClearEvent_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtClearEvent_SystemCall_6_3_XXXX | |
| jmp NtClearEvent_SystemCall_Unknown | |
| NtClearEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtClearEvent_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtClearEvent_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtClearEvent_SystemCall_6_0_6002 | |
| jmp NtClearEvent_SystemCall_Unknown | |
| NtClearEvent_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtClearEvent_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtClearEvent_SystemCall_6_1_7601 | |
| jmp NtClearEvent_SystemCall_Unknown | |
| NtClearEvent_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtClearEvent_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtClearEvent_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtClearEvent_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtClearEvent_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtClearEvent_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtClearEvent_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtClearEvent_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtClearEvent_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtClearEvent_SystemCall_10_0_18363 | |
| jmp NtClearEvent_SystemCall_Unknown | |
| NtClearEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 003bh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 003bh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 003bh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 003bh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 003bh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 003bh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 003ch | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 003dh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 003eh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 003eh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 003eh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 003eh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 003eh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 003eh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 003eh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 003eh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 003eh | |
| jmp NtClearEvent_Epilogue | |
| NtClearEvent_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtClearEvent_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtClearEvent ENDP | |
| NtClearSavepointTransaction PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtClearSavepointTransaction_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtClearSavepointTransaction_Check_6_X_XXXX | |
| jmp NtClearSavepointTransaction_SystemCall_Unknown | |
| NtClearSavepointTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtClearSavepointTransaction_Check_6_0_XXXX | |
| jmp NtClearSavepointTransaction_SystemCall_Unknown | |
| NtClearSavepointTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtClearSavepointTransaction_SystemCall_6_0_6000 | |
| jmp NtClearSavepointTransaction_SystemCall_Unknown | |
| NtClearSavepointTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 008ah | |
| jmp NtClearSavepointTransaction_Epilogue | |
| NtClearSavepointTransaction_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtClearSavepointTransaction_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtClearSavepointTransaction ENDP | |
| NtClose PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtClose_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtClose_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtClose_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtClose_Check_10_0_XXXX | |
| jmp NtClose_SystemCall_Unknown | |
| NtClose_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtClose_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtClose_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtClose_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtClose_SystemCall_6_3_XXXX | |
| jmp NtClose_SystemCall_Unknown | |
| NtClose_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtClose_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtClose_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtClose_SystemCall_6_0_6002 | |
| jmp NtClose_SystemCall_Unknown | |
| NtClose_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtClose_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtClose_SystemCall_6_1_7601 | |
| jmp NtClose_SystemCall_Unknown | |
| NtClose_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtClose_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtClose_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtClose_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtClose_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtClose_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtClose_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtClose_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtClose_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtClose_SystemCall_10_0_18363 | |
| jmp NtClose_SystemCall_Unknown | |
| NtClose_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 000ch | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 000ch | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 000ch | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 000ch | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 000ch | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 000ch | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 000dh | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 000eh | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 000fh | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 000fh | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 000fh | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 000fh | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 000fh | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 000fh | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 000fh | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 000fh | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 000fh | |
| jmp NtClose_Epilogue | |
| NtClose_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtClose_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtClose ENDP | |
| NtCloseObjectAuditAlarm PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCloseObjectAuditAlarm_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCloseObjectAuditAlarm_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCloseObjectAuditAlarm_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCloseObjectAuditAlarm_Check_10_0_XXXX | |
| jmp NtCloseObjectAuditAlarm_SystemCall_Unknown | |
| NtCloseObjectAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCloseObjectAuditAlarm_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCloseObjectAuditAlarm_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCloseObjectAuditAlarm_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCloseObjectAuditAlarm_SystemCall_6_3_XXXX | |
| jmp NtCloseObjectAuditAlarm_SystemCall_Unknown | |
| NtCloseObjectAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCloseObjectAuditAlarm_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCloseObjectAuditAlarm_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCloseObjectAuditAlarm_SystemCall_6_0_6002 | |
| jmp NtCloseObjectAuditAlarm_SystemCall_Unknown | |
| NtCloseObjectAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCloseObjectAuditAlarm_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCloseObjectAuditAlarm_SystemCall_6_1_7601 | |
| jmp NtCloseObjectAuditAlarm_SystemCall_Unknown | |
| NtCloseObjectAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCloseObjectAuditAlarm_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCloseObjectAuditAlarm_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCloseObjectAuditAlarm_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCloseObjectAuditAlarm_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCloseObjectAuditAlarm_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCloseObjectAuditAlarm_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCloseObjectAuditAlarm_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCloseObjectAuditAlarm_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCloseObjectAuditAlarm_SystemCall_10_0_18363 | |
| jmp NtCloseObjectAuditAlarm_SystemCall_Unknown | |
| NtCloseObjectAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0038h | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0038h | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0038h | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0038h | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0038h | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0038h | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0039h | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 003ah | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 003bh | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 003bh | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 003bh | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 003bh | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 003bh | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 003bh | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 003bh | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 003bh | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 003bh | |
| jmp NtCloseObjectAuditAlarm_Epilogue | |
| NtCloseObjectAuditAlarm_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCloseObjectAuditAlarm_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCloseObjectAuditAlarm ENDP | |
| NtCommitComplete PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCommitComplete_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCommitComplete_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCommitComplete_Check_10_0_XXXX | |
| jmp NtCommitComplete_SystemCall_Unknown | |
| NtCommitComplete_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCommitComplete_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCommitComplete_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCommitComplete_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCommitComplete_SystemCall_6_3_XXXX | |
| jmp NtCommitComplete_SystemCall_Unknown | |
| NtCommitComplete_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCommitComplete_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCommitComplete_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCommitComplete_SystemCall_6_0_6002 | |
| jmp NtCommitComplete_SystemCall_Unknown | |
| NtCommitComplete_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCommitComplete_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCommitComplete_SystemCall_6_1_7601 | |
| jmp NtCommitComplete_SystemCall_Unknown | |
| NtCommitComplete_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCommitComplete_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCommitComplete_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCommitComplete_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCommitComplete_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCommitComplete_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCommitComplete_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCommitComplete_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCommitComplete_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCommitComplete_SystemCall_10_0_18363 | |
| jmp NtCommitComplete_SystemCall_Unknown | |
| NtCommitComplete_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 008bh | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0089h | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0089h | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0088h | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0088h | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 008fh | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0090h | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0091h | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0091h | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0091h | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0092h | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0093h | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0094h | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0094h | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0094h | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0094h | |
| jmp NtCommitComplete_Epilogue | |
| NtCommitComplete_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCommitComplete_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCommitComplete ENDP | |
| NtCommitEnlistment PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCommitEnlistment_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCommitEnlistment_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCommitEnlistment_Check_10_0_XXXX | |
| jmp NtCommitEnlistment_SystemCall_Unknown | |
| NtCommitEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCommitEnlistment_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCommitEnlistment_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCommitEnlistment_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCommitEnlistment_SystemCall_6_3_XXXX | |
| jmp NtCommitEnlistment_SystemCall_Unknown | |
| NtCommitEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCommitEnlistment_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCommitEnlistment_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCommitEnlistment_SystemCall_6_0_6002 | |
| jmp NtCommitEnlistment_SystemCall_Unknown | |
| NtCommitEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCommitEnlistment_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCommitEnlistment_SystemCall_6_1_7601 | |
| jmp NtCommitEnlistment_SystemCall_Unknown | |
| NtCommitEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCommitEnlistment_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCommitEnlistment_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCommitEnlistment_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCommitEnlistment_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCommitEnlistment_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCommitEnlistment_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCommitEnlistment_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCommitEnlistment_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCommitEnlistment_SystemCall_10_0_18363 | |
| jmp NtCommitEnlistment_SystemCall_Unknown | |
| NtCommitEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 008ch | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 008ah | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 008ah | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0089h | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0089h | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0090h | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0091h | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0092h | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0092h | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0092h | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0093h | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0094h | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0095h | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0095h | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0095h | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0095h | |
| jmp NtCommitEnlistment_Epilogue | |
| NtCommitEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCommitEnlistment_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCommitEnlistment ENDP | |
| NtCommitRegistryTransaction PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCommitRegistryTransaction_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCommitRegistryTransaction_Check_10_0_XXXX | |
| jmp NtCommitRegistryTransaction_SystemCall_Unknown | |
| NtCommitRegistryTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCommitRegistryTransaction_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCommitRegistryTransaction_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCommitRegistryTransaction_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCommitRegistryTransaction_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCommitRegistryTransaction_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCommitRegistryTransaction_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCommitRegistryTransaction_SystemCall_10_0_18363 | |
| jmp NtCommitRegistryTransaction_SystemCall_Unknown | |
| NtCommitRegistryTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0093h | |
| jmp NtCommitRegistryTransaction_Epilogue | |
| NtCommitRegistryTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0094h | |
| jmp NtCommitRegistryTransaction_Epilogue | |
| NtCommitRegistryTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0095h | |
| jmp NtCommitRegistryTransaction_Epilogue | |
| NtCommitRegistryTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0096h | |
| jmp NtCommitRegistryTransaction_Epilogue | |
| NtCommitRegistryTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0096h | |
| jmp NtCommitRegistryTransaction_Epilogue | |
| NtCommitRegistryTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0096h | |
| jmp NtCommitRegistryTransaction_Epilogue | |
| NtCommitRegistryTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0096h | |
| jmp NtCommitRegistryTransaction_Epilogue | |
| NtCommitRegistryTransaction_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCommitRegistryTransaction_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCommitRegistryTransaction ENDP | |
| NtCommitTransaction PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCommitTransaction_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCommitTransaction_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCommitTransaction_Check_10_0_XXXX | |
| jmp NtCommitTransaction_SystemCall_Unknown | |
| NtCommitTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCommitTransaction_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCommitTransaction_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCommitTransaction_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCommitTransaction_SystemCall_6_3_XXXX | |
| jmp NtCommitTransaction_SystemCall_Unknown | |
| NtCommitTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCommitTransaction_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCommitTransaction_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCommitTransaction_SystemCall_6_0_6002 | |
| jmp NtCommitTransaction_SystemCall_Unknown | |
| NtCommitTransaction_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCommitTransaction_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCommitTransaction_SystemCall_6_1_7601 | |
| jmp NtCommitTransaction_SystemCall_Unknown | |
| NtCommitTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCommitTransaction_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCommitTransaction_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCommitTransaction_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCommitTransaction_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCommitTransaction_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCommitTransaction_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCommitTransaction_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCommitTransaction_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCommitTransaction_SystemCall_10_0_18363 | |
| jmp NtCommitTransaction_SystemCall_Unknown | |
| NtCommitTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 008dh | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 008bh | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 008bh | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 008ah | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 008ah | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0091h | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0092h | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0093h | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0093h | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0094h | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0095h | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0096h | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0097h | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0097h | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0097h | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0097h | |
| jmp NtCommitTransaction_Epilogue | |
| NtCommitTransaction_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCommitTransaction_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCommitTransaction ENDP | |
| NtCompactKeys PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCompactKeys_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCompactKeys_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCompactKeys_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCompactKeys_Check_10_0_XXXX | |
| jmp NtCompactKeys_SystemCall_Unknown | |
| NtCompactKeys_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCompactKeys_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCompactKeys_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCompactKeys_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCompactKeys_SystemCall_6_3_XXXX | |
| jmp NtCompactKeys_SystemCall_Unknown | |
| NtCompactKeys_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCompactKeys_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCompactKeys_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCompactKeys_SystemCall_6_0_6002 | |
| jmp NtCompactKeys_SystemCall_Unknown | |
| NtCompactKeys_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCompactKeys_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCompactKeys_SystemCall_6_1_7601 | |
| jmp NtCompactKeys_SystemCall_Unknown | |
| NtCompactKeys_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCompactKeys_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCompactKeys_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCompactKeys_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCompactKeys_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCompactKeys_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCompactKeys_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCompactKeys_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCompactKeys_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCompactKeys_SystemCall_10_0_18363 | |
| jmp NtCompactKeys_SystemCall_Unknown | |
| NtCompactKeys_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0071h | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 008eh | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 008ch | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 008ch | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 008bh | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 008bh | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0092h | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0093h | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0094h | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0094h | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0095h | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0096h | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0097h | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0098h | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0098h | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0098h | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0098h | |
| jmp NtCompactKeys_Epilogue | |
| NtCompactKeys_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCompactKeys_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCompactKeys ENDP | |
| NtCompareObjects PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCompareObjects_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCompareObjects_Check_10_0_XXXX | |
| jmp NtCompareObjects_SystemCall_Unknown | |
| NtCompareObjects_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCompareObjects_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCompareObjects_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCompareObjects_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCompareObjects_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCompareObjects_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCompareObjects_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCompareObjects_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCompareObjects_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCompareObjects_SystemCall_10_0_18363 | |
| jmp NtCompareObjects_SystemCall_Unknown | |
| NtCompareObjects_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0095h | |
| jmp NtCompareObjects_Epilogue | |
| NtCompareObjects_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0095h | |
| jmp NtCompareObjects_Epilogue | |
| NtCompareObjects_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0096h | |
| jmp NtCompareObjects_Epilogue | |
| NtCompareObjects_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0097h | |
| jmp NtCompareObjects_Epilogue | |
| NtCompareObjects_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0098h | |
| jmp NtCompareObjects_Epilogue | |
| NtCompareObjects_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0099h | |
| jmp NtCompareObjects_Epilogue | |
| NtCompareObjects_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0099h | |
| jmp NtCompareObjects_Epilogue | |
| NtCompareObjects_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0099h | |
| jmp NtCompareObjects_Epilogue | |
| NtCompareObjects_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0099h | |
| jmp NtCompareObjects_Epilogue | |
| NtCompareObjects_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCompareObjects_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCompareObjects ENDP | |
| NtCompareSigningLevels PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCompareSigningLevels_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCompareSigningLevels_Check_10_0_XXXX | |
| jmp NtCompareSigningLevels_SystemCall_Unknown | |
| NtCompareSigningLevels_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCompareSigningLevels_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCompareSigningLevels_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCompareSigningLevels_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCompareSigningLevels_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCompareSigningLevels_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCompareSigningLevels_SystemCall_10_0_18363 | |
| jmp NtCompareSigningLevels_SystemCall_Unknown | |
| NtCompareSigningLevels_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0098h | |
| jmp NtCompareSigningLevels_Epilogue | |
| NtCompareSigningLevels_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0099h | |
| jmp NtCompareSigningLevels_Epilogue | |
| NtCompareSigningLevels_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 009ah | |
| jmp NtCompareSigningLevels_Epilogue | |
| NtCompareSigningLevels_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 009ah | |
| jmp NtCompareSigningLevels_Epilogue | |
| NtCompareSigningLevels_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 009ah | |
| jmp NtCompareSigningLevels_Epilogue | |
| NtCompareSigningLevels_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 009ah | |
| jmp NtCompareSigningLevels_Epilogue | |
| NtCompareSigningLevels_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCompareSigningLevels_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCompareSigningLevels ENDP | |
| NtCompareTokens PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCompareTokens_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCompareTokens_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCompareTokens_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCompareTokens_Check_10_0_XXXX | |
| jmp NtCompareTokens_SystemCall_Unknown | |
| NtCompareTokens_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCompareTokens_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCompareTokens_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCompareTokens_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCompareTokens_SystemCall_6_3_XXXX | |
| jmp NtCompareTokens_SystemCall_Unknown | |
| NtCompareTokens_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCompareTokens_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCompareTokens_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCompareTokens_SystemCall_6_0_6002 | |
| jmp NtCompareTokens_SystemCall_Unknown | |
| NtCompareTokens_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCompareTokens_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCompareTokens_SystemCall_6_1_7601 | |
| jmp NtCompareTokens_SystemCall_Unknown | |
| NtCompareTokens_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCompareTokens_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCompareTokens_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCompareTokens_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCompareTokens_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCompareTokens_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCompareTokens_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCompareTokens_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCompareTokens_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCompareTokens_SystemCall_10_0_18363 | |
| jmp NtCompareTokens_SystemCall_Unknown | |
| NtCompareTokens_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0072h | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 008fh | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 008dh | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 008dh | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 008ch | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 008ch | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0093h | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0094h | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0096h | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0096h | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0097h | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0099h | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 009ah | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 009bh | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 009bh | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 009bh | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 009bh | |
| jmp NtCompareTokens_Epilogue | |
| NtCompareTokens_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCompareTokens_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCompareTokens ENDP | |
| NtCompleteConnectPort PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCompleteConnectPort_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCompleteConnectPort_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCompleteConnectPort_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCompleteConnectPort_Check_10_0_XXXX | |
| jmp NtCompleteConnectPort_SystemCall_Unknown | |
| NtCompleteConnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCompleteConnectPort_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCompleteConnectPort_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCompleteConnectPort_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCompleteConnectPort_SystemCall_6_3_XXXX | |
| jmp NtCompleteConnectPort_SystemCall_Unknown | |
| NtCompleteConnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCompleteConnectPort_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCompleteConnectPort_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCompleteConnectPort_SystemCall_6_0_6002 | |
| jmp NtCompleteConnectPort_SystemCall_Unknown | |
| NtCompleteConnectPort_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCompleteConnectPort_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCompleteConnectPort_SystemCall_6_1_7601 | |
| jmp NtCompleteConnectPort_SystemCall_Unknown | |
| NtCompleteConnectPort_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCompleteConnectPort_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCompleteConnectPort_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCompleteConnectPort_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCompleteConnectPort_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCompleteConnectPort_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCompleteConnectPort_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCompleteConnectPort_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCompleteConnectPort_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCompleteConnectPort_SystemCall_10_0_18363 | |
| jmp NtCompleteConnectPort_SystemCall_Unknown | |
| NtCompleteConnectPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0073h | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0090h | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 008eh | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 008eh | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 008dh | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 008dh | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0094h | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0095h | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0097h | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0097h | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0098h | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 009ah | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 009bh | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 009ch | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 009ch | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 009ch | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 009ch | |
| jmp NtCompleteConnectPort_Epilogue | |
| NtCompleteConnectPort_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCompleteConnectPort_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCompleteConnectPort ENDP | |
| NtCompressKey PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCompressKey_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCompressKey_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCompressKey_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCompressKey_Check_10_0_XXXX | |
| jmp NtCompressKey_SystemCall_Unknown | |
| NtCompressKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCompressKey_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCompressKey_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCompressKey_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCompressKey_SystemCall_6_3_XXXX | |
| jmp NtCompressKey_SystemCall_Unknown | |
| NtCompressKey_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCompressKey_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCompressKey_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCompressKey_SystemCall_6_0_6002 | |
| jmp NtCompressKey_SystemCall_Unknown | |
| NtCompressKey_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCompressKey_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCompressKey_SystemCall_6_1_7601 | |
| jmp NtCompressKey_SystemCall_Unknown | |
| NtCompressKey_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCompressKey_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCompressKey_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCompressKey_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCompressKey_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCompressKey_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCompressKey_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCompressKey_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCompressKey_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCompressKey_SystemCall_10_0_18363 | |
| jmp NtCompressKey_SystemCall_Unknown | |
| NtCompressKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0074h | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0091h | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 008fh | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 008fh | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 008eh | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 008eh | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0095h | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0096h | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0098h | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0098h | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0099h | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 009bh | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 009ch | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 009dh | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 009dh | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 009dh | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 009dh | |
| jmp NtCompressKey_Epilogue | |
| NtCompressKey_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCompressKey_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCompressKey ENDP | |
| NtConnectPort PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtConnectPort_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtConnectPort_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtConnectPort_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtConnectPort_Check_10_0_XXXX | |
| jmp NtConnectPort_SystemCall_Unknown | |
| NtConnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtConnectPort_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtConnectPort_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtConnectPort_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtConnectPort_SystemCall_6_3_XXXX | |
| jmp NtConnectPort_SystemCall_Unknown | |
| NtConnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtConnectPort_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtConnectPort_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtConnectPort_SystemCall_6_0_6002 | |
| jmp NtConnectPort_SystemCall_Unknown | |
| NtConnectPort_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtConnectPort_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtConnectPort_SystemCall_6_1_7601 | |
| jmp NtConnectPort_SystemCall_Unknown | |
| NtConnectPort_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtConnectPort_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtConnectPort_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtConnectPort_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtConnectPort_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtConnectPort_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtConnectPort_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtConnectPort_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtConnectPort_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtConnectPort_SystemCall_10_0_18363 | |
| jmp NtConnectPort_SystemCall_Unknown | |
| NtConnectPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0075h | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0092h | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0090h | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0090h | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 008fh | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 008fh | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0096h | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0097h | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0099h | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0099h | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 009ah | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 009ch | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 009dh | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 009eh | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 009eh | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 009eh | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 009eh | |
| jmp NtConnectPort_Epilogue | |
| NtConnectPort_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtConnectPort_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtConnectPort ENDP | |
| NtContinue PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtContinue_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtContinue_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtContinue_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtContinue_Check_10_0_XXXX | |
| jmp NtContinue_SystemCall_Unknown | |
| NtContinue_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtContinue_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtContinue_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtContinue_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtContinue_SystemCall_6_3_XXXX | |
| jmp NtContinue_SystemCall_Unknown | |
| NtContinue_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtContinue_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtContinue_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtContinue_SystemCall_6_0_6002 | |
| jmp NtContinue_SystemCall_Unknown | |
| NtContinue_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtContinue_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtContinue_SystemCall_6_1_7601 | |
| jmp NtContinue_SystemCall_Unknown | |
| NtContinue_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtContinue_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtContinue_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtContinue_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtContinue_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtContinue_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtContinue_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtContinue_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtContinue_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtContinue_SystemCall_10_0_18363 | |
| jmp NtContinue_SystemCall_Unknown | |
| NtContinue_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0040h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0040h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0040h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0040h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0040h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0040h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0041h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0042h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0043h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0043h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0043h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0043h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0043h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0043h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0043h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0043h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0043h | |
| jmp NtContinue_Epilogue | |
| NtContinue_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtContinue_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtContinue ENDP | |
| NtConvertBetweenAuxiliaryCounterAndPerformanceCounter PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 10 | |
| je NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Check_10_0_XXXX | |
| jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_Unknown | |
| NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_18363 | |
| jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_Unknown | |
| NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 009dh | |
| jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue | |
| NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 009eh | |
| jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue | |
| NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 009fh | |
| jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue | |
| NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 009fh | |
| jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue | |
| NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 009fh | |
| jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue | |
| NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 009fh | |
| jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue | |
| NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtConvertBetweenAuxiliaryCounterAndPerformanceCounter ENDP | |
| NtCreateCrossVmEvent PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateCrossVmEvent_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateCrossVmEvent_Check_10_0_XXXX | |
| jmp NtCreateCrossVmEvent_SystemCall_Unknown | |
| NtCreateCrossVmEvent_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateCrossVmEvent_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateCrossVmEvent_SystemCall_10_0_18363 | |
| jmp NtCreateCrossVmEvent_SystemCall_Unknown | |
| NtCreateCrossVmEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00a0h | |
| jmp NtCreateCrossVmEvent_Epilogue | |
| NtCreateCrossVmEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00a0h | |
| jmp NtCreateCrossVmEvent_Epilogue | |
| NtCreateCrossVmEvent_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateCrossVmEvent_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateCrossVmEvent ENDP | |
| NtCreateDebugObject PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateDebugObject_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateDebugObject_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateDebugObject_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateDebugObject_Check_10_0_XXXX | |
| jmp NtCreateDebugObject_SystemCall_Unknown | |
| NtCreateDebugObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateDebugObject_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateDebugObject_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateDebugObject_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateDebugObject_SystemCall_6_3_XXXX | |
| jmp NtCreateDebugObject_SystemCall_Unknown | |
| NtCreateDebugObject_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateDebugObject_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateDebugObject_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateDebugObject_SystemCall_6_0_6002 | |
| jmp NtCreateDebugObject_SystemCall_Unknown | |
| NtCreateDebugObject_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateDebugObject_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateDebugObject_SystemCall_6_1_7601 | |
| jmp NtCreateDebugObject_SystemCall_Unknown | |
| NtCreateDebugObject_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateDebugObject_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateDebugObject_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateDebugObject_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateDebugObject_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateDebugObject_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateDebugObject_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateDebugObject_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateDebugObject_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateDebugObject_SystemCall_10_0_18363 | |
| jmp NtCreateDebugObject_SystemCall_Unknown | |
| NtCreateDebugObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0076h | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0093h | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0091h | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0091h | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0090h | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0090h | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0097h | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0098h | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 009ah | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 009ah | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 009bh | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 009eh | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 009fh | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00a0h | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00a0h | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00a1h | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00a1h | |
| jmp NtCreateDebugObject_Epilogue | |
| NtCreateDebugObject_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateDebugObject_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateDebugObject ENDP | |
| NtCreateDirectoryObject PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateDirectoryObject_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateDirectoryObject_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateDirectoryObject_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateDirectoryObject_Check_10_0_XXXX | |
| jmp NtCreateDirectoryObject_SystemCall_Unknown | |
| NtCreateDirectoryObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateDirectoryObject_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateDirectoryObject_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateDirectoryObject_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateDirectoryObject_SystemCall_6_3_XXXX | |
| jmp NtCreateDirectoryObject_SystemCall_Unknown | |
| NtCreateDirectoryObject_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateDirectoryObject_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateDirectoryObject_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateDirectoryObject_SystemCall_6_0_6002 | |
| jmp NtCreateDirectoryObject_SystemCall_Unknown | |
| NtCreateDirectoryObject_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateDirectoryObject_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateDirectoryObject_SystemCall_6_1_7601 | |
| jmp NtCreateDirectoryObject_SystemCall_Unknown | |
| NtCreateDirectoryObject_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateDirectoryObject_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateDirectoryObject_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateDirectoryObject_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateDirectoryObject_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateDirectoryObject_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateDirectoryObject_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateDirectoryObject_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateDirectoryObject_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateDirectoryObject_SystemCall_10_0_18363 | |
| jmp NtCreateDirectoryObject_SystemCall_Unknown | |
| NtCreateDirectoryObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0077h | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0094h | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0092h | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0092h | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0091h | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0091h | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0098h | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0099h | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 009bh | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 009bh | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 009ch | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 009fh | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00a0h | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00a1h | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00a1h | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00a2h | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00a2h | |
| jmp NtCreateDirectoryObject_Epilogue | |
| NtCreateDirectoryObject_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateDirectoryObject_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateDirectoryObject ENDP | |
| NtCreateDirectoryObjectEx PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateDirectoryObjectEx_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateDirectoryObjectEx_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateDirectoryObjectEx_Check_10_0_XXXX | |
| jmp NtCreateDirectoryObjectEx_SystemCall_Unknown | |
| NtCreateDirectoryObjectEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateDirectoryObjectEx_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateDirectoryObjectEx_SystemCall_6_3_XXXX | |
| jmp NtCreateDirectoryObjectEx_SystemCall_Unknown | |
| NtCreateDirectoryObjectEx_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateDirectoryObjectEx_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateDirectoryObjectEx_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateDirectoryObjectEx_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateDirectoryObjectEx_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateDirectoryObjectEx_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateDirectoryObjectEx_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateDirectoryObjectEx_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateDirectoryObjectEx_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateDirectoryObjectEx_SystemCall_10_0_18363 | |
| jmp NtCreateDirectoryObjectEx_SystemCall_Unknown | |
| NtCreateDirectoryObjectEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0099h | |
| jmp NtCreateDirectoryObjectEx_Epilogue | |
| NtCreateDirectoryObjectEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 009ah | |
| jmp NtCreateDirectoryObjectEx_Epilogue | |
| NtCreateDirectoryObjectEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 009ch | |
| jmp NtCreateDirectoryObjectEx_Epilogue | |
| NtCreateDirectoryObjectEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 009ch | |
| jmp NtCreateDirectoryObjectEx_Epilogue | |
| NtCreateDirectoryObjectEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 009dh | |
| jmp NtCreateDirectoryObjectEx_Epilogue | |
| NtCreateDirectoryObjectEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00a0h | |
| jmp NtCreateDirectoryObjectEx_Epilogue | |
| NtCreateDirectoryObjectEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00a1h | |
| jmp NtCreateDirectoryObjectEx_Epilogue | |
| NtCreateDirectoryObjectEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00a2h | |
| jmp NtCreateDirectoryObjectEx_Epilogue | |
| NtCreateDirectoryObjectEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00a2h | |
| jmp NtCreateDirectoryObjectEx_Epilogue | |
| NtCreateDirectoryObjectEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00a3h | |
| jmp NtCreateDirectoryObjectEx_Epilogue | |
| NtCreateDirectoryObjectEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00a3h | |
| jmp NtCreateDirectoryObjectEx_Epilogue | |
| NtCreateDirectoryObjectEx_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateDirectoryObjectEx_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateDirectoryObjectEx ENDP | |
| NtCreateEnclave PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateEnclave_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateEnclave_Check_10_0_XXXX | |
| jmp NtCreateEnclave_SystemCall_Unknown | |
| NtCreateEnclave_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateEnclave_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateEnclave_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateEnclave_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateEnclave_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateEnclave_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateEnclave_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateEnclave_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateEnclave_SystemCall_10_0_18363 | |
| jmp NtCreateEnclave_SystemCall_Unknown | |
| NtCreateEnclave_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 009dh | |
| jmp NtCreateEnclave_Epilogue | |
| NtCreateEnclave_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 009eh | |
| jmp NtCreateEnclave_Epilogue | |
| NtCreateEnclave_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00a1h | |
| jmp NtCreateEnclave_Epilogue | |
| NtCreateEnclave_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00a2h | |
| jmp NtCreateEnclave_Epilogue | |
| NtCreateEnclave_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00a3h | |
| jmp NtCreateEnclave_Epilogue | |
| NtCreateEnclave_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00a3h | |
| jmp NtCreateEnclave_Epilogue | |
| NtCreateEnclave_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00a4h | |
| jmp NtCreateEnclave_Epilogue | |
| NtCreateEnclave_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00a4h | |
| jmp NtCreateEnclave_Epilogue | |
| NtCreateEnclave_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateEnclave_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateEnclave ENDP | |
| NtCreateEnlistment PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateEnlistment_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateEnlistment_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateEnlistment_Check_10_0_XXXX | |
| jmp NtCreateEnlistment_SystemCall_Unknown | |
| NtCreateEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateEnlistment_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateEnlistment_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateEnlistment_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateEnlistment_SystemCall_6_3_XXXX | |
| jmp NtCreateEnlistment_SystemCall_Unknown | |
| NtCreateEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateEnlistment_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateEnlistment_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateEnlistment_SystemCall_6_0_6002 | |
| jmp NtCreateEnlistment_SystemCall_Unknown | |
| NtCreateEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateEnlistment_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateEnlistment_SystemCall_6_1_7601 | |
| jmp NtCreateEnlistment_SystemCall_Unknown | |
| NtCreateEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateEnlistment_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateEnlistment_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateEnlistment_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateEnlistment_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateEnlistment_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateEnlistment_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateEnlistment_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateEnlistment_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateEnlistment_SystemCall_10_0_18363 | |
| jmp NtCreateEnlistment_SystemCall_Unknown | |
| NtCreateEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0095h | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0093h | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0093h | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0092h | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0092h | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 009ah | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 009bh | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 009dh | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 009eh | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 009fh | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00a2h | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00a3h | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00a4h | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00a4h | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00a5h | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00a5h | |
| jmp NtCreateEnlistment_Epilogue | |
| NtCreateEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateEnlistment_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateEnlistment ENDP | |
| NtCreateEvent PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateEvent_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateEvent_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateEvent_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateEvent_Check_10_0_XXXX | |
| jmp NtCreateEvent_SystemCall_Unknown | |
| NtCreateEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateEvent_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateEvent_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateEvent_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateEvent_SystemCall_6_3_XXXX | |
| jmp NtCreateEvent_SystemCall_Unknown | |
| NtCreateEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateEvent_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateEvent_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateEvent_SystemCall_6_0_6002 | |
| jmp NtCreateEvent_SystemCall_Unknown | |
| NtCreateEvent_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateEvent_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateEvent_SystemCall_6_1_7601 | |
| jmp NtCreateEvent_SystemCall_Unknown | |
| NtCreateEvent_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateEvent_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateEvent_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateEvent_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateEvent_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateEvent_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateEvent_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateEvent_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateEvent_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateEvent_SystemCall_10_0_18363 | |
| jmp NtCreateEvent_SystemCall_Unknown | |
| NtCreateEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0045h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0045h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0045h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0045h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0045h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0045h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0046h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0047h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0048h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0048h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0048h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0048h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0048h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0048h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0048h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0048h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0048h | |
| jmp NtCreateEvent_Epilogue | |
| NtCreateEvent_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateEvent_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateEvent ENDP | |
| NtCreateEventPair PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateEventPair_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateEventPair_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateEventPair_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateEventPair_Check_10_0_XXXX | |
| jmp NtCreateEventPair_SystemCall_Unknown | |
| NtCreateEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateEventPair_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateEventPair_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateEventPair_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateEventPair_SystemCall_6_3_XXXX | |
| jmp NtCreateEventPair_SystemCall_Unknown | |
| NtCreateEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateEventPair_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateEventPair_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateEventPair_SystemCall_6_0_6002 | |
| jmp NtCreateEventPair_SystemCall_Unknown | |
| NtCreateEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateEventPair_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateEventPair_SystemCall_6_1_7601 | |
| jmp NtCreateEventPair_SystemCall_Unknown | |
| NtCreateEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateEventPair_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateEventPair_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateEventPair_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateEventPair_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateEventPair_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateEventPair_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateEventPair_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateEventPair_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateEventPair_SystemCall_10_0_18363 | |
| jmp NtCreateEventPair_SystemCall_Unknown | |
| NtCreateEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0078h | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0096h | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0094h | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0094h | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0093h | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0093h | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 009bh | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 009ch | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 009eh | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 009fh | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00a0h | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00a3h | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00a4h | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00a5h | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00a5h | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00a6h | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00a6h | |
| jmp NtCreateEventPair_Epilogue | |
| NtCreateEventPair_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateEventPair_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateEventPair ENDP | |
| NtCreateFile PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateFile_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateFile_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateFile_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateFile_Check_10_0_XXXX | |
| jmp NtCreateFile_SystemCall_Unknown | |
| NtCreateFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateFile_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateFile_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateFile_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateFile_SystemCall_6_3_XXXX | |
| jmp NtCreateFile_SystemCall_Unknown | |
| NtCreateFile_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateFile_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateFile_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateFile_SystemCall_6_0_6002 | |
| jmp NtCreateFile_SystemCall_Unknown | |
| NtCreateFile_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateFile_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateFile_SystemCall_6_1_7601 | |
| jmp NtCreateFile_SystemCall_Unknown | |
| NtCreateFile_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateFile_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateFile_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateFile_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateFile_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateFile_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateFile_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateFile_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateFile_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateFile_SystemCall_10_0_18363 | |
| jmp NtCreateFile_SystemCall_Unknown | |
| NtCreateFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0052h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0052h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0052h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0052h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0052h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0052h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0053h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0054h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateFile_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateFile ENDP | |
| NtCreateIRTimer PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateIRTimer_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateIRTimer_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateIRTimer_Check_10_0_XXXX | |
| jmp NtCreateIRTimer_SystemCall_Unknown | |
| NtCreateIRTimer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateIRTimer_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateIRTimer_SystemCall_6_3_XXXX | |
| jmp NtCreateIRTimer_SystemCall_Unknown | |
| NtCreateIRTimer_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateIRTimer_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateIRTimer_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateIRTimer_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateIRTimer_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateIRTimer_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateIRTimer_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateIRTimer_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateIRTimer_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateIRTimer_SystemCall_10_0_18363 | |
| jmp NtCreateIRTimer_SystemCall_Unknown | |
| NtCreateIRTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 009ch | |
| jmp NtCreateIRTimer_Epilogue | |
| NtCreateIRTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 009dh | |
| jmp NtCreateIRTimer_Epilogue | |
| NtCreateIRTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 009fh | |
| jmp NtCreateIRTimer_Epilogue | |
| NtCreateIRTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00a0h | |
| jmp NtCreateIRTimer_Epilogue | |
| NtCreateIRTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00a1h | |
| jmp NtCreateIRTimer_Epilogue | |
| NtCreateIRTimer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00a4h | |
| jmp NtCreateIRTimer_Epilogue | |
| NtCreateIRTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00a5h | |
| jmp NtCreateIRTimer_Epilogue | |
| NtCreateIRTimer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00a6h | |
| jmp NtCreateIRTimer_Epilogue | |
| NtCreateIRTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00a6h | |
| jmp NtCreateIRTimer_Epilogue | |
| NtCreateIRTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00a7h | |
| jmp NtCreateIRTimer_Epilogue | |
| NtCreateIRTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00a7h | |
| jmp NtCreateIRTimer_Epilogue | |
| NtCreateIRTimer_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateIRTimer_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateIRTimer ENDP | |
| NtCreateIoCompletion PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateIoCompletion_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateIoCompletion_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateIoCompletion_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateIoCompletion_Check_10_0_XXXX | |
| jmp NtCreateIoCompletion_SystemCall_Unknown | |
| NtCreateIoCompletion_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateIoCompletion_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateIoCompletion_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateIoCompletion_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateIoCompletion_SystemCall_6_3_XXXX | |
| jmp NtCreateIoCompletion_SystemCall_Unknown | |
| NtCreateIoCompletion_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateIoCompletion_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateIoCompletion_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateIoCompletion_SystemCall_6_0_6002 | |
| jmp NtCreateIoCompletion_SystemCall_Unknown | |
| NtCreateIoCompletion_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateIoCompletion_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateIoCompletion_SystemCall_6_1_7601 | |
| jmp NtCreateIoCompletion_SystemCall_Unknown | |
| NtCreateIoCompletion_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateIoCompletion_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateIoCompletion_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateIoCompletion_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateIoCompletion_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateIoCompletion_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateIoCompletion_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateIoCompletion_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateIoCompletion_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateIoCompletion_SystemCall_10_0_18363 | |
| jmp NtCreateIoCompletion_SystemCall_Unknown | |
| NtCreateIoCompletion_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0079h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0097h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0095h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0095h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0094h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0094h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 009dh | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 009eh | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00a0h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00a1h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00a2h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00a5h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00a6h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00a7h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00a7h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00a8h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00a8h | |
| jmp NtCreateIoCompletion_Epilogue | |
| NtCreateIoCompletion_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateIoCompletion_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateIoCompletion ENDP | |
| NtCreateJobObject PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateJobObject_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateJobObject_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateJobObject_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateJobObject_Check_10_0_XXXX | |
| jmp NtCreateJobObject_SystemCall_Unknown | |
| NtCreateJobObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateJobObject_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateJobObject_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateJobObject_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateJobObject_SystemCall_6_3_XXXX | |
| jmp NtCreateJobObject_SystemCall_Unknown | |
| NtCreateJobObject_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateJobObject_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateJobObject_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateJobObject_SystemCall_6_0_6002 | |
| jmp NtCreateJobObject_SystemCall_Unknown | |
| NtCreateJobObject_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateJobObject_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateJobObject_SystemCall_6_1_7601 | |
| jmp NtCreateJobObject_SystemCall_Unknown | |
| NtCreateJobObject_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateJobObject_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateJobObject_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateJobObject_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateJobObject_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateJobObject_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateJobObject_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateJobObject_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateJobObject_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateJobObject_SystemCall_10_0_18363 | |
| jmp NtCreateJobObject_SystemCall_Unknown | |
| NtCreateJobObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 007ah | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0098h | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0096h | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0096h | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0095h | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0095h | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 009eh | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 009fh | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00a1h | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00a2h | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00a3h | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00a6h | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00a7h | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00a8h | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00a8h | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00a9h | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00a9h | |
| jmp NtCreateJobObject_Epilogue | |
| NtCreateJobObject_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateJobObject_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateJobObject ENDP | |
| NtCreateJobSet PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateJobSet_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateJobSet_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateJobSet_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateJobSet_Check_10_0_XXXX | |
| jmp NtCreateJobSet_SystemCall_Unknown | |
| NtCreateJobSet_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateJobSet_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateJobSet_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateJobSet_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateJobSet_SystemCall_6_3_XXXX | |
| jmp NtCreateJobSet_SystemCall_Unknown | |
| NtCreateJobSet_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateJobSet_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateJobSet_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateJobSet_SystemCall_6_0_6002 | |
| jmp NtCreateJobSet_SystemCall_Unknown | |
| NtCreateJobSet_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateJobSet_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateJobSet_SystemCall_6_1_7601 | |
| jmp NtCreateJobSet_SystemCall_Unknown | |
| NtCreateJobSet_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateJobSet_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateJobSet_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateJobSet_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateJobSet_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateJobSet_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateJobSet_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateJobSet_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateJobSet_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateJobSet_SystemCall_10_0_18363 | |
| jmp NtCreateJobSet_SystemCall_Unknown | |
| NtCreateJobSet_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 007bh | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0099h | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0097h | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0097h | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0096h | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0096h | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 009fh | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00a0h | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00a2h | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00a3h | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00a4h | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00a7h | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00a8h | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00a9h | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00a9h | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00aah | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00aah | |
| jmp NtCreateJobSet_Epilogue | |
| NtCreateJobSet_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateJobSet_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateJobSet ENDP | |
| NtCreateKey PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateKey_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateKey_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateKey_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateKey_Check_10_0_XXXX | |
| jmp NtCreateKey_SystemCall_Unknown | |
| NtCreateKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateKey_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateKey_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateKey_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateKey_SystemCall_6_3_XXXX | |
| jmp NtCreateKey_SystemCall_Unknown | |
| NtCreateKey_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateKey_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateKey_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateKey_SystemCall_6_0_6002 | |
| jmp NtCreateKey_SystemCall_Unknown | |
| NtCreateKey_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateKey_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateKey_SystemCall_6_1_7601 | |
| jmp NtCreateKey_SystemCall_Unknown | |
| NtCreateKey_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateKey_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateKey_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateKey_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateKey_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateKey_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateKey_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateKey_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateKey_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateKey_SystemCall_10_0_18363 | |
| jmp NtCreateKey_SystemCall_Unknown | |
| NtCreateKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 001ah | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 001ah | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 001ah | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 001ah | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 001ah | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 001ah | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 001bh | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 001ch | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 001dh | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 001dh | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 001dh | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 001dh | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 001dh | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 001dh | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 001dh | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 001dh | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 001dh | |
| jmp NtCreateKey_Epilogue | |
| NtCreateKey_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateKey_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateKey ENDP | |
| NtCreateKeyTransacted PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateKeyTransacted_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateKeyTransacted_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateKeyTransacted_Check_10_0_XXXX | |
| jmp NtCreateKeyTransacted_SystemCall_Unknown | |
| NtCreateKeyTransacted_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateKeyTransacted_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateKeyTransacted_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateKeyTransacted_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateKeyTransacted_SystemCall_6_3_XXXX | |
| jmp NtCreateKeyTransacted_SystemCall_Unknown | |
| NtCreateKeyTransacted_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateKeyTransacted_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateKeyTransacted_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateKeyTransacted_SystemCall_6_0_6002 | |
| jmp NtCreateKeyTransacted_SystemCall_Unknown | |
| NtCreateKeyTransacted_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateKeyTransacted_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateKeyTransacted_SystemCall_6_1_7601 | |
| jmp NtCreateKeyTransacted_SystemCall_Unknown | |
| NtCreateKeyTransacted_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateKeyTransacted_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateKeyTransacted_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateKeyTransacted_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateKeyTransacted_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateKeyTransacted_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateKeyTransacted_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateKeyTransacted_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateKeyTransacted_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateKeyTransacted_SystemCall_10_0_18363 | |
| jmp NtCreateKeyTransacted_SystemCall_Unknown | |
| NtCreateKeyTransacted_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 009ah | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0098h | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0098h | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0097h | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0097h | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00a0h | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00a1h | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00a3h | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00a4h | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00a5h | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00a8h | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00a9h | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00aah | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00aah | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00abh | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00abh | |
| jmp NtCreateKeyTransacted_Epilogue | |
| NtCreateKeyTransacted_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateKeyTransacted_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateKeyTransacted ENDP | |
| NtCreateKeyedEvent PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateKeyedEvent_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateKeyedEvent_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateKeyedEvent_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateKeyedEvent_Check_10_0_XXXX | |
| jmp NtCreateKeyedEvent_SystemCall_Unknown | |
| NtCreateKeyedEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateKeyedEvent_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateKeyedEvent_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateKeyedEvent_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateKeyedEvent_SystemCall_6_3_XXXX | |
| jmp NtCreateKeyedEvent_SystemCall_Unknown | |
| NtCreateKeyedEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateKeyedEvent_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateKeyedEvent_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateKeyedEvent_SystemCall_6_0_6002 | |
| jmp NtCreateKeyedEvent_SystemCall_Unknown | |
| NtCreateKeyedEvent_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateKeyedEvent_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateKeyedEvent_SystemCall_6_1_7601 | |
| jmp NtCreateKeyedEvent_SystemCall_Unknown | |
| NtCreateKeyedEvent_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateKeyedEvent_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateKeyedEvent_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateKeyedEvent_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateKeyedEvent_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateKeyedEvent_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateKeyedEvent_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateKeyedEvent_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateKeyedEvent_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateKeyedEvent_SystemCall_10_0_18363 | |
| jmp NtCreateKeyedEvent_SystemCall_Unknown | |
| NtCreateKeyedEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 007ch | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 009bh | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0099h | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0099h | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0098h | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0098h | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00a1h | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00a2h | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00a4h | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00a5h | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00a6h | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00a9h | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00aah | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00abh | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00abh | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00ach | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00ach | |
| jmp NtCreateKeyedEvent_Epilogue | |
| NtCreateKeyedEvent_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateKeyedEvent_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateKeyedEvent ENDP | |
| NtCreateLowBoxToken PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateLowBoxToken_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateLowBoxToken_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateLowBoxToken_Check_10_0_XXXX | |
| jmp NtCreateLowBoxToken_SystemCall_Unknown | |
| NtCreateLowBoxToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateLowBoxToken_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateLowBoxToken_SystemCall_6_3_XXXX | |
| jmp NtCreateLowBoxToken_SystemCall_Unknown | |
| NtCreateLowBoxToken_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateLowBoxToken_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateLowBoxToken_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateLowBoxToken_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateLowBoxToken_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateLowBoxToken_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateLowBoxToken_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateLowBoxToken_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateLowBoxToken_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateLowBoxToken_SystemCall_10_0_18363 | |
| jmp NtCreateLowBoxToken_SystemCall_Unknown | |
| NtCreateLowBoxToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00a2h | |
| jmp NtCreateLowBoxToken_Epilogue | |
| NtCreateLowBoxToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00a3h | |
| jmp NtCreateLowBoxToken_Epilogue | |
| NtCreateLowBoxToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00a5h | |
| jmp NtCreateLowBoxToken_Epilogue | |
| NtCreateLowBoxToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00a6h | |
| jmp NtCreateLowBoxToken_Epilogue | |
| NtCreateLowBoxToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00a7h | |
| jmp NtCreateLowBoxToken_Epilogue | |
| NtCreateLowBoxToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00aah | |
| jmp NtCreateLowBoxToken_Epilogue | |
| NtCreateLowBoxToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00abh | |
| jmp NtCreateLowBoxToken_Epilogue | |
| NtCreateLowBoxToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00ach | |
| jmp NtCreateLowBoxToken_Epilogue | |
| NtCreateLowBoxToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00ach | |
| jmp NtCreateLowBoxToken_Epilogue | |
| NtCreateLowBoxToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00adh | |
| jmp NtCreateLowBoxToken_Epilogue | |
| NtCreateLowBoxToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00adh | |
| jmp NtCreateLowBoxToken_Epilogue | |
| NtCreateLowBoxToken_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateLowBoxToken_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateLowBoxToken ENDP | |
| NtCreateMailslotFile PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateMailslotFile_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateMailslotFile_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateMailslotFile_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateMailslotFile_Check_10_0_XXXX | |
| jmp NtCreateMailslotFile_SystemCall_Unknown | |
| NtCreateMailslotFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateMailslotFile_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateMailslotFile_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateMailslotFile_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateMailslotFile_SystemCall_6_3_XXXX | |
| jmp NtCreateMailslotFile_SystemCall_Unknown | |
| NtCreateMailslotFile_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateMailslotFile_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateMailslotFile_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateMailslotFile_SystemCall_6_0_6002 | |
| jmp NtCreateMailslotFile_SystemCall_Unknown | |
| NtCreateMailslotFile_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateMailslotFile_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateMailslotFile_SystemCall_6_1_7601 | |
| jmp NtCreateMailslotFile_SystemCall_Unknown | |
| NtCreateMailslotFile_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateMailslotFile_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateMailslotFile_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateMailslotFile_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateMailslotFile_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateMailslotFile_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateMailslotFile_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateMailslotFile_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateMailslotFile_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateMailslotFile_SystemCall_10_0_18363 | |
| jmp NtCreateMailslotFile_SystemCall_Unknown | |
| NtCreateMailslotFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 007dh | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 009ch | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 009ah | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 009ah | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0099h | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0099h | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00a3h | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00a4h | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00a6h | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00a7h | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00a8h | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00abh | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00ach | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00adh | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00adh | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00aeh | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00aeh | |
| jmp NtCreateMailslotFile_Epilogue | |
| NtCreateMailslotFile_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateMailslotFile_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateMailslotFile ENDP | |
| NtCreateMutant PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateMutant_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateMutant_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateMutant_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateMutant_Check_10_0_XXXX | |
| jmp NtCreateMutant_SystemCall_Unknown | |
| NtCreateMutant_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateMutant_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateMutant_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateMutant_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateMutant_SystemCall_6_3_XXXX | |
| jmp NtCreateMutant_SystemCall_Unknown | |
| NtCreateMutant_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateMutant_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateMutant_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateMutant_SystemCall_6_0_6002 | |
| jmp NtCreateMutant_SystemCall_Unknown | |
| NtCreateMutant_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateMutant_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateMutant_SystemCall_6_1_7601 | |
| jmp NtCreateMutant_SystemCall_Unknown | |
| NtCreateMutant_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateMutant_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateMutant_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateMutant_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateMutant_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateMutant_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateMutant_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateMutant_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateMutant_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateMutant_SystemCall_10_0_18363 | |
| jmp NtCreateMutant_SystemCall_Unknown | |
| NtCreateMutant_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 007eh | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 009dh | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 009bh | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 009bh | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 009ah | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 009ah | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00a4h | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00a5h | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00a7h | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00a8h | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00a9h | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00ach | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00adh | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00aeh | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00aeh | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00afh | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00afh | |
| jmp NtCreateMutant_Epilogue | |
| NtCreateMutant_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateMutant_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateMutant ENDP | |
| NtCreateNamedPipeFile PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateNamedPipeFile_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateNamedPipeFile_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateNamedPipeFile_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateNamedPipeFile_Check_10_0_XXXX | |
| jmp NtCreateNamedPipeFile_SystemCall_Unknown | |
| NtCreateNamedPipeFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateNamedPipeFile_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateNamedPipeFile_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateNamedPipeFile_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateNamedPipeFile_SystemCall_6_3_XXXX | |
| jmp NtCreateNamedPipeFile_SystemCall_Unknown | |
| NtCreateNamedPipeFile_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateNamedPipeFile_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateNamedPipeFile_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateNamedPipeFile_SystemCall_6_0_6002 | |
| jmp NtCreateNamedPipeFile_SystemCall_Unknown | |
| NtCreateNamedPipeFile_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateNamedPipeFile_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateNamedPipeFile_SystemCall_6_1_7601 | |
| jmp NtCreateNamedPipeFile_SystemCall_Unknown | |
| NtCreateNamedPipeFile_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateNamedPipeFile_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateNamedPipeFile_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateNamedPipeFile_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateNamedPipeFile_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateNamedPipeFile_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateNamedPipeFile_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateNamedPipeFile_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateNamedPipeFile_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateNamedPipeFile_SystemCall_10_0_18363 | |
| jmp NtCreateNamedPipeFile_SystemCall_Unknown | |
| NtCreateNamedPipeFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 007fh | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 009eh | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 009ch | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 009ch | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 009bh | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 009bh | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00a5h | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00a6h | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00a8h | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00a9h | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00aah | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00adh | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00aeh | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00afh | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00afh | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00b0h | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00b0h | |
| jmp NtCreateNamedPipeFile_Epilogue | |
| NtCreateNamedPipeFile_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateNamedPipeFile_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateNamedPipeFile ENDP | |
| NtCreatePagingFile PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreatePagingFile_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreatePagingFile_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreatePagingFile_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreatePagingFile_Check_10_0_XXXX | |
| jmp NtCreatePagingFile_SystemCall_Unknown | |
| NtCreatePagingFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreatePagingFile_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreatePagingFile_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreatePagingFile_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreatePagingFile_SystemCall_6_3_XXXX | |
| jmp NtCreatePagingFile_SystemCall_Unknown | |
| NtCreatePagingFile_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreatePagingFile_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreatePagingFile_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreatePagingFile_SystemCall_6_0_6002 | |
| jmp NtCreatePagingFile_SystemCall_Unknown | |
| NtCreatePagingFile_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreatePagingFile_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreatePagingFile_SystemCall_6_1_7601 | |
| jmp NtCreatePagingFile_SystemCall_Unknown | |
| NtCreatePagingFile_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreatePagingFile_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreatePagingFile_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreatePagingFile_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreatePagingFile_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreatePagingFile_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreatePagingFile_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreatePagingFile_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreatePagingFile_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreatePagingFile_SystemCall_10_0_18363 | |
| jmp NtCreatePagingFile_SystemCall_Unknown | |
| NtCreatePagingFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0080h | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 009fh | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 009dh | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 009dh | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 009ch | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 009ch | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00a6h | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00a7h | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00a9h | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00aah | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00abh | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00aeh | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00afh | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00b0h | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00b0h | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00b1h | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00b1h | |
| jmp NtCreatePagingFile_Epilogue | |
| NtCreatePagingFile_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreatePagingFile_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreatePagingFile ENDP | |
| NtCreatePartition PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreatePartition_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreatePartition_Check_10_0_XXXX | |
| jmp NtCreatePartition_SystemCall_Unknown | |
| NtCreatePartition_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreatePartition_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreatePartition_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreatePartition_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreatePartition_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreatePartition_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreatePartition_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreatePartition_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreatePartition_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreatePartition_SystemCall_10_0_18363 | |
| jmp NtCreatePartition_SystemCall_Unknown | |
| NtCreatePartition_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00aah | |
| jmp NtCreatePartition_Epilogue | |
| NtCreatePartition_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00abh | |
| jmp NtCreatePartition_Epilogue | |
| NtCreatePartition_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00ach | |
| jmp NtCreatePartition_Epilogue | |
| NtCreatePartition_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00afh | |
| jmp NtCreatePartition_Epilogue | |
| NtCreatePartition_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00b0h | |
| jmp NtCreatePartition_Epilogue | |
| NtCreatePartition_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00b1h | |
| jmp NtCreatePartition_Epilogue | |
| NtCreatePartition_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00b1h | |
| jmp NtCreatePartition_Epilogue | |
| NtCreatePartition_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00b2h | |
| jmp NtCreatePartition_Epilogue | |
| NtCreatePartition_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00b2h | |
| jmp NtCreatePartition_Epilogue | |
| NtCreatePartition_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreatePartition_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreatePartition ENDP | |
| NtCreatePort PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreatePort_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreatePort_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreatePort_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreatePort_Check_10_0_XXXX | |
| jmp NtCreatePort_SystemCall_Unknown | |
| NtCreatePort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreatePort_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreatePort_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreatePort_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreatePort_SystemCall_6_3_XXXX | |
| jmp NtCreatePort_SystemCall_Unknown | |
| NtCreatePort_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreatePort_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreatePort_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreatePort_SystemCall_6_0_6002 | |
| jmp NtCreatePort_SystemCall_Unknown | |
| NtCreatePort_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreatePort_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreatePort_SystemCall_6_1_7601 | |
| jmp NtCreatePort_SystemCall_Unknown | |
| NtCreatePort_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreatePort_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreatePort_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreatePort_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreatePort_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreatePort_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreatePort_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreatePort_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreatePort_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreatePort_SystemCall_10_0_18363 | |
| jmp NtCreatePort_SystemCall_Unknown | |
| NtCreatePort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0081h | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00a0h | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 009eh | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 009eh | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 009dh | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 009dh | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00a7h | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00a8h | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00abh | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00ach | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00adh | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00b0h | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00b1h | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00b2h | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00b2h | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00b3h | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00b3h | |
| jmp NtCreatePort_Epilogue | |
| NtCreatePort_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreatePort_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreatePort ENDP | |
| NtCreatePrivateNamespace PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreatePrivateNamespace_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreatePrivateNamespace_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreatePrivateNamespace_Check_10_0_XXXX | |
| jmp NtCreatePrivateNamespace_SystemCall_Unknown | |
| NtCreatePrivateNamespace_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreatePrivateNamespace_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreatePrivateNamespace_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreatePrivateNamespace_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreatePrivateNamespace_SystemCall_6_3_XXXX | |
| jmp NtCreatePrivateNamespace_SystemCall_Unknown | |
| NtCreatePrivateNamespace_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreatePrivateNamespace_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreatePrivateNamespace_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreatePrivateNamespace_SystemCall_6_0_6002 | |
| jmp NtCreatePrivateNamespace_SystemCall_Unknown | |
| NtCreatePrivateNamespace_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreatePrivateNamespace_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreatePrivateNamespace_SystemCall_6_1_7601 | |
| jmp NtCreatePrivateNamespace_SystemCall_Unknown | |
| NtCreatePrivateNamespace_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreatePrivateNamespace_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreatePrivateNamespace_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreatePrivateNamespace_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreatePrivateNamespace_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreatePrivateNamespace_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreatePrivateNamespace_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreatePrivateNamespace_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreatePrivateNamespace_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreatePrivateNamespace_SystemCall_10_0_18363 | |
| jmp NtCreatePrivateNamespace_SystemCall_Unknown | |
| NtCreatePrivateNamespace_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00a1h | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 009fh | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 009fh | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 009eh | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 009eh | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00a8h | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00a9h | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00ach | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00adh | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00aeh | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00b1h | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00b2h | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00b3h | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00b3h | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00b4h | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00b4h | |
| jmp NtCreatePrivateNamespace_Epilogue | |
| NtCreatePrivateNamespace_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreatePrivateNamespace_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreatePrivateNamespace ENDP | |
| NtCreateProcess PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateProcess_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateProcess_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateProcess_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateProcess_Check_10_0_XXXX | |
| jmp NtCreateProcess_SystemCall_Unknown | |
| NtCreateProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateProcess_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateProcess_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateProcess_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateProcess_SystemCall_6_3_XXXX | |
| jmp NtCreateProcess_SystemCall_Unknown | |
| NtCreateProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateProcess_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateProcess_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateProcess_SystemCall_6_0_6002 | |
| jmp NtCreateProcess_SystemCall_Unknown | |
| NtCreateProcess_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateProcess_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateProcess_SystemCall_6_1_7601 | |
| jmp NtCreateProcess_SystemCall_Unknown | |
| NtCreateProcess_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateProcess_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateProcess_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateProcess_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateProcess_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateProcess_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateProcess_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateProcess_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateProcess_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateProcess_SystemCall_10_0_18363 | |
| jmp NtCreateProcess_SystemCall_Unknown | |
| NtCreateProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0082h | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00a2h | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00a0h | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00a0h | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 009fh | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 009fh | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00a9h | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00aah | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00adh | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00aeh | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00afh | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00b2h | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00b3h | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00b4h | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00b4h | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00b5h | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00b5h | |
| jmp NtCreateProcess_Epilogue | |
| NtCreateProcess_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateProcess_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateProcess ENDP | |
| NtCreateProcessEx PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateProcessEx_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateProcessEx_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateProcessEx_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateProcessEx_Check_10_0_XXXX | |
| jmp NtCreateProcessEx_SystemCall_Unknown | |
| NtCreateProcessEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateProcessEx_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateProcessEx_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateProcessEx_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateProcessEx_SystemCall_6_3_XXXX | |
| jmp NtCreateProcessEx_SystemCall_Unknown | |
| NtCreateProcessEx_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateProcessEx_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateProcessEx_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateProcessEx_SystemCall_6_0_6002 | |
| jmp NtCreateProcessEx_SystemCall_Unknown | |
| NtCreateProcessEx_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateProcessEx_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateProcessEx_SystemCall_6_1_7601 | |
| jmp NtCreateProcessEx_SystemCall_Unknown | |
| NtCreateProcessEx_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateProcessEx_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateProcessEx_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateProcessEx_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateProcessEx_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateProcessEx_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateProcessEx_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateProcessEx_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateProcessEx_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateProcessEx_SystemCall_10_0_18363 | |
| jmp NtCreateProcessEx_SystemCall_Unknown | |
| NtCreateProcessEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 004ah | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 004ah | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 004ah | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 004ah | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 004ah | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 004ah | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 004bh | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 004ch | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 004dh | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 004dh | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 004dh | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 004dh | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 004dh | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 004dh | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 004dh | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 004dh | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 004dh | |
| jmp NtCreateProcessEx_Epilogue | |
| NtCreateProcessEx_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateProcessEx_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateProcessEx ENDP | |
| NtCreateProfile PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateProfile_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateProfile_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateProfile_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateProfile_Check_10_0_XXXX | |
| jmp NtCreateProfile_SystemCall_Unknown | |
| NtCreateProfile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateProfile_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateProfile_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateProfile_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateProfile_SystemCall_6_3_XXXX | |
| jmp NtCreateProfile_SystemCall_Unknown | |
| NtCreateProfile_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateProfile_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateProfile_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateProfile_SystemCall_6_0_6002 | |
| jmp NtCreateProfile_SystemCall_Unknown | |
| NtCreateProfile_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateProfile_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateProfile_SystemCall_6_1_7601 | |
| jmp NtCreateProfile_SystemCall_Unknown | |
| NtCreateProfile_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateProfile_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateProfile_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateProfile_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateProfile_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateProfile_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateProfile_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateProfile_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateProfile_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateProfile_SystemCall_10_0_18363 | |
| jmp NtCreateProfile_SystemCall_Unknown | |
| NtCreateProfile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0083h | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00a3h | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00a1h | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00a1h | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00a0h | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00a0h | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00aah | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00abh | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00aeh | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00afh | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00b0h | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00b3h | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00b4h | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00b5h | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00b5h | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00b6h | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00b6h | |
| jmp NtCreateProfile_Epilogue | |
| NtCreateProfile_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateProfile_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateProfile ENDP | |
| NtCreateProfileEx PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateProfileEx_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateProfileEx_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateProfileEx_Check_10_0_XXXX | |
| jmp NtCreateProfileEx_SystemCall_Unknown | |
| NtCreateProfileEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateProfileEx_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateProfileEx_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateProfileEx_SystemCall_6_3_XXXX | |
| jmp NtCreateProfileEx_SystemCall_Unknown | |
| NtCreateProfileEx_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateProfileEx_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateProfileEx_SystemCall_6_1_7601 | |
| jmp NtCreateProfileEx_SystemCall_Unknown | |
| NtCreateProfileEx_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateProfileEx_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateProfileEx_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateProfileEx_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateProfileEx_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateProfileEx_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateProfileEx_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateProfileEx_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateProfileEx_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateProfileEx_SystemCall_10_0_18363 | |
| jmp NtCreateProfileEx_SystemCall_Unknown | |
| NtCreateProfileEx_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00a1h | |
| jmp NtCreateProfileEx_Epilogue | |
| NtCreateProfileEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00a1h | |
| jmp NtCreateProfileEx_Epilogue | |
| NtCreateProfileEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00abh | |
| jmp NtCreateProfileEx_Epilogue | |
| NtCreateProfileEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00ach | |
| jmp NtCreateProfileEx_Epilogue | |
| NtCreateProfileEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00afh | |
| jmp NtCreateProfileEx_Epilogue | |
| NtCreateProfileEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00b0h | |
| jmp NtCreateProfileEx_Epilogue | |
| NtCreateProfileEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00b1h | |
| jmp NtCreateProfileEx_Epilogue | |
| NtCreateProfileEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00b4h | |
| jmp NtCreateProfileEx_Epilogue | |
| NtCreateProfileEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00b5h | |
| jmp NtCreateProfileEx_Epilogue | |
| NtCreateProfileEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00b6h | |
| jmp NtCreateProfileEx_Epilogue | |
| NtCreateProfileEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00b6h | |
| jmp NtCreateProfileEx_Epilogue | |
| NtCreateProfileEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00b7h | |
| jmp NtCreateProfileEx_Epilogue | |
| NtCreateProfileEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00b7h | |
| jmp NtCreateProfileEx_Epilogue | |
| NtCreateProfileEx_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateProfileEx_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateProfileEx ENDP | |
| NtCreateRegistryTransaction PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateRegistryTransaction_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateRegistryTransaction_Check_10_0_XXXX | |
| jmp NtCreateRegistryTransaction_SystemCall_Unknown | |
| NtCreateRegistryTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateRegistryTransaction_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateRegistryTransaction_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateRegistryTransaction_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateRegistryTransaction_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateRegistryTransaction_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateRegistryTransaction_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateRegistryTransaction_SystemCall_10_0_18363 | |
| jmp NtCreateRegistryTransaction_SystemCall_Unknown | |
| NtCreateRegistryTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00b2h | |
| jmp NtCreateRegistryTransaction_Epilogue | |
| NtCreateRegistryTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00b5h | |
| jmp NtCreateRegistryTransaction_Epilogue | |
| NtCreateRegistryTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00b6h | |
| jmp NtCreateRegistryTransaction_Epilogue | |
| NtCreateRegistryTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00b7h | |
| jmp NtCreateRegistryTransaction_Epilogue | |
| NtCreateRegistryTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00b7h | |
| jmp NtCreateRegistryTransaction_Epilogue | |
| NtCreateRegistryTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00b8h | |
| jmp NtCreateRegistryTransaction_Epilogue | |
| NtCreateRegistryTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00b8h | |
| jmp NtCreateRegistryTransaction_Epilogue | |
| NtCreateRegistryTransaction_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateRegistryTransaction_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateRegistryTransaction ENDP | |
| NtCreateResourceManager PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateResourceManager_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateResourceManager_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateResourceManager_Check_10_0_XXXX | |
| jmp NtCreateResourceManager_SystemCall_Unknown | |
| NtCreateResourceManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateResourceManager_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateResourceManager_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateResourceManager_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateResourceManager_SystemCall_6_3_XXXX | |
| jmp NtCreateResourceManager_SystemCall_Unknown | |
| NtCreateResourceManager_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateResourceManager_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateResourceManager_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateResourceManager_SystemCall_6_0_6002 | |
| jmp NtCreateResourceManager_SystemCall_Unknown | |
| NtCreateResourceManager_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateResourceManager_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateResourceManager_SystemCall_6_1_7601 | |
| jmp NtCreateResourceManager_SystemCall_Unknown | |
| NtCreateResourceManager_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateResourceManager_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateResourceManager_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateResourceManager_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateResourceManager_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateResourceManager_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateResourceManager_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateResourceManager_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateResourceManager_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateResourceManager_SystemCall_10_0_18363 | |
| jmp NtCreateResourceManager_SystemCall_Unknown | |
| NtCreateResourceManager_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00a4h | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00a2h | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00a2h | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00a2h | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00a2h | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00ach | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00adh | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00b0h | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00b1h | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00b3h | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00b6h | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00b7h | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00b8h | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00b8h | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00b9h | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00b9h | |
| jmp NtCreateResourceManager_Epilogue | |
| NtCreateResourceManager_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateResourceManager_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateResourceManager ENDP | |
| NtCreateSection PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateSection_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateSection_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateSection_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateSection_Check_10_0_XXXX | |
| jmp NtCreateSection_SystemCall_Unknown | |
| NtCreateSection_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateSection_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateSection_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateSection_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateSection_SystemCall_6_3_XXXX | |
| jmp NtCreateSection_SystemCall_Unknown | |
| NtCreateSection_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateSection_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateSection_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateSection_SystemCall_6_0_6002 | |
| jmp NtCreateSection_SystemCall_Unknown | |
| NtCreateSection_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateSection_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateSection_SystemCall_6_1_7601 | |
| jmp NtCreateSection_SystemCall_Unknown | |
| NtCreateSection_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateSection_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateSection_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateSection_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateSection_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateSection_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateSection_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateSection_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateSection_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateSection_SystemCall_10_0_18363 | |
| jmp NtCreateSection_SystemCall_Unknown | |
| NtCreateSection_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0047h | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0047h | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0047h | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0047h | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0047h | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0047h | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0048h | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0049h | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 004ah | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 004ah | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 004ah | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 004ah | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 004ah | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 004ah | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 004ah | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 004ah | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 004ah | |
| jmp NtCreateSection_Epilogue | |
| NtCreateSection_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateSection_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateSection ENDP | |
| NtCreateSectionEx PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateSectionEx_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateSectionEx_Check_10_0_XXXX | |
| jmp NtCreateSectionEx_SystemCall_Unknown | |
| NtCreateSectionEx_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateSectionEx_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateSectionEx_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateSectionEx_SystemCall_10_0_18363 | |
| jmp NtCreateSectionEx_SystemCall_Unknown | |
| NtCreateSectionEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00b9h | |
| jmp NtCreateSectionEx_Epilogue | |
| NtCreateSectionEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00bah | |
| jmp NtCreateSectionEx_Epilogue | |
| NtCreateSectionEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00bah | |
| jmp NtCreateSectionEx_Epilogue | |
| NtCreateSectionEx_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateSectionEx_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateSectionEx ENDP | |
| NtCreateSemaphore PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateSemaphore_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateSemaphore_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateSemaphore_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateSemaphore_Check_10_0_XXXX | |
| jmp NtCreateSemaphore_SystemCall_Unknown | |
| NtCreateSemaphore_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateSemaphore_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateSemaphore_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateSemaphore_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateSemaphore_SystemCall_6_3_XXXX | |
| jmp NtCreateSemaphore_SystemCall_Unknown | |
| NtCreateSemaphore_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateSemaphore_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateSemaphore_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateSemaphore_SystemCall_6_0_6002 | |
| jmp NtCreateSemaphore_SystemCall_Unknown | |
| NtCreateSemaphore_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateSemaphore_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateSemaphore_SystemCall_6_1_7601 | |
| jmp NtCreateSemaphore_SystemCall_Unknown | |
| NtCreateSemaphore_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateSemaphore_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateSemaphore_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateSemaphore_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateSemaphore_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateSemaphore_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateSemaphore_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateSemaphore_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateSemaphore_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateSemaphore_SystemCall_10_0_18363 | |
| jmp NtCreateSemaphore_SystemCall_Unknown | |
| NtCreateSemaphore_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0084h | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00a5h | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00a3h | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00a3h | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00a3h | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00a3h | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00adh | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00aeh | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00b1h | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00b2h | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00b4h | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00b7h | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00b8h | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00b9h | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00bah | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00bbh | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00bbh | |
| jmp NtCreateSemaphore_Epilogue | |
| NtCreateSemaphore_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateSemaphore_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateSemaphore ENDP | |
| NtCreateSymbolicLinkObject PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateSymbolicLinkObject_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateSymbolicLinkObject_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateSymbolicLinkObject_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateSymbolicLinkObject_Check_10_0_XXXX | |
| jmp NtCreateSymbolicLinkObject_SystemCall_Unknown | |
| NtCreateSymbolicLinkObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateSymbolicLinkObject_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateSymbolicLinkObject_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateSymbolicLinkObject_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateSymbolicLinkObject_SystemCall_6_3_XXXX | |
| jmp NtCreateSymbolicLinkObject_SystemCall_Unknown | |
| NtCreateSymbolicLinkObject_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateSymbolicLinkObject_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateSymbolicLinkObject_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateSymbolicLinkObject_SystemCall_6_0_6002 | |
| jmp NtCreateSymbolicLinkObject_SystemCall_Unknown | |
| NtCreateSymbolicLinkObject_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateSymbolicLinkObject_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateSymbolicLinkObject_SystemCall_6_1_7601 | |
| jmp NtCreateSymbolicLinkObject_SystemCall_Unknown | |
| NtCreateSymbolicLinkObject_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateSymbolicLinkObject_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateSymbolicLinkObject_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateSymbolicLinkObject_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateSymbolicLinkObject_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateSymbolicLinkObject_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateSymbolicLinkObject_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateSymbolicLinkObject_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateSymbolicLinkObject_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateSymbolicLinkObject_SystemCall_10_0_18363 | |
| jmp NtCreateSymbolicLinkObject_SystemCall_Unknown | |
| NtCreateSymbolicLinkObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0085h | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00a6h | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00a4h | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00a4h | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00a4h | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00a4h | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00aeh | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00afh | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00b2h | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00b3h | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00b5h | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00b8h | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00b9h | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00bah | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00bbh | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00bch | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00bch | |
| jmp NtCreateSymbolicLinkObject_Epilogue | |
| NtCreateSymbolicLinkObject_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateSymbolicLinkObject_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateSymbolicLinkObject ENDP | |
| NtCreateThread PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateThread_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateThread_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateThread_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateThread_Check_10_0_XXXX | |
| jmp NtCreateThread_SystemCall_Unknown | |
| NtCreateThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateThread_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateThread_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateThread_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateThread_SystemCall_6_3_XXXX | |
| jmp NtCreateThread_SystemCall_Unknown | |
| NtCreateThread_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateThread_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateThread_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateThread_SystemCall_6_0_6002 | |
| jmp NtCreateThread_SystemCall_Unknown | |
| NtCreateThread_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateThread_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateThread_SystemCall_6_1_7601 | |
| jmp NtCreateThread_SystemCall_Unknown | |
| NtCreateThread_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateThread_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateThread_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateThread_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateThread_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateThread_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateThread_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateThread_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateThread_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateThread_SystemCall_10_0_18363 | |
| jmp NtCreateThread_SystemCall_Unknown | |
| NtCreateThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 004bh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 004bh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 004bh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 004bh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 004bh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 004bh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 004ch | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 004dh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 004eh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 004eh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 004eh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 004eh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 004eh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 004eh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 004eh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 004eh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 004eh | |
| jmp NtCreateThread_Epilogue | |
| NtCreateThread_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateThread_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateThread ENDP | |
| NtCreateThreadEx PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateThreadEx_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateThreadEx_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateThreadEx_Check_10_0_XXXX | |
| jmp NtCreateThreadEx_SystemCall_Unknown | |
| NtCreateThreadEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateThreadEx_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateThreadEx_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateThreadEx_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateThreadEx_SystemCall_6_3_XXXX | |
| jmp NtCreateThreadEx_SystemCall_Unknown | |
| NtCreateThreadEx_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateThreadEx_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateThreadEx_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateThreadEx_SystemCall_6_0_6002 | |
| jmp NtCreateThreadEx_SystemCall_Unknown | |
| NtCreateThreadEx_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateThreadEx_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateThreadEx_SystemCall_6_1_7601 | |
| jmp NtCreateThreadEx_SystemCall_Unknown | |
| NtCreateThreadEx_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateThreadEx_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateThreadEx_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateThreadEx_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateThreadEx_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateThreadEx_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateThreadEx_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateThreadEx_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateThreadEx_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateThreadEx_SystemCall_10_0_18363 | |
| jmp NtCreateThreadEx_SystemCall_Unknown | |
| NtCreateThreadEx_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00a7h | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00a5h | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00a5h | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00a5h | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00a5h | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00afh | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00b0h | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00b3h | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00b4h | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00b6h | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00b9h | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00bah | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00bbh | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00bch | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00bdh | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00bdh | |
| jmp NtCreateThreadEx_Epilogue | |
| NtCreateThreadEx_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateThreadEx_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateThreadEx ENDP | |
| NtCreateTimer PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateTimer_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateTimer_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateTimer_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateTimer_Check_10_0_XXXX | |
| jmp NtCreateTimer_SystemCall_Unknown | |
| NtCreateTimer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateTimer_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateTimer_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateTimer_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateTimer_SystemCall_6_3_XXXX | |
| jmp NtCreateTimer_SystemCall_Unknown | |
| NtCreateTimer_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateTimer_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateTimer_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateTimer_SystemCall_6_0_6002 | |
| jmp NtCreateTimer_SystemCall_Unknown | |
| NtCreateTimer_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateTimer_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateTimer_SystemCall_6_1_7601 | |
| jmp NtCreateTimer_SystemCall_Unknown | |
| NtCreateTimer_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateTimer_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateTimer_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateTimer_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateTimer_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateTimer_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateTimer_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateTimer_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateTimer_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateTimer_SystemCall_10_0_18363 | |
| jmp NtCreateTimer_SystemCall_Unknown | |
| NtCreateTimer_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0086h | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00a8h | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00a6h | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00a6h | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00a6h | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00a6h | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00b0h | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00b1h | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00b4h | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00b5h | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00b7h | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00bah | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00bbh | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00bch | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00bdh | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00beh | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00beh | |
| jmp NtCreateTimer_Epilogue | |
| NtCreateTimer_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateTimer_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateTimer ENDP | |
| NtCreateTimer2 PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateTimer2_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateTimer2_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateTimer2_Check_10_0_XXXX | |
| jmp NtCreateTimer2_SystemCall_Unknown | |
| NtCreateTimer2_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateTimer2_SystemCall_6_3_XXXX | |
| jmp NtCreateTimer2_SystemCall_Unknown | |
| NtCreateTimer2_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateTimer2_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateTimer2_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateTimer2_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateTimer2_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateTimer2_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateTimer2_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateTimer2_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateTimer2_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateTimer2_SystemCall_10_0_18363 | |
| jmp NtCreateTimer2_SystemCall_Unknown | |
| NtCreateTimer2_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00b2h | |
| jmp NtCreateTimer2_Epilogue | |
| NtCreateTimer2_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00b5h | |
| jmp NtCreateTimer2_Epilogue | |
| NtCreateTimer2_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00b6h | |
| jmp NtCreateTimer2_Epilogue | |
| NtCreateTimer2_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00b8h | |
| jmp NtCreateTimer2_Epilogue | |
| NtCreateTimer2_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00bbh | |
| jmp NtCreateTimer2_Epilogue | |
| NtCreateTimer2_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00bch | |
| jmp NtCreateTimer2_Epilogue | |
| NtCreateTimer2_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00bdh | |
| jmp NtCreateTimer2_Epilogue | |
| NtCreateTimer2_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00beh | |
| jmp NtCreateTimer2_Epilogue | |
| NtCreateTimer2_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00bfh | |
| jmp NtCreateTimer2_Epilogue | |
| NtCreateTimer2_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00bfh | |
| jmp NtCreateTimer2_Epilogue | |
| NtCreateTimer2_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateTimer2_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateTimer2 ENDP | |
| NtCreateToken PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateToken_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateToken_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateToken_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateToken_Check_10_0_XXXX | |
| jmp NtCreateToken_SystemCall_Unknown | |
| NtCreateToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateToken_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateToken_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateToken_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateToken_SystemCall_6_3_XXXX | |
| jmp NtCreateToken_SystemCall_Unknown | |
| NtCreateToken_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateToken_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateToken_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateToken_SystemCall_6_0_6002 | |
| jmp NtCreateToken_SystemCall_Unknown | |
| NtCreateToken_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateToken_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateToken_SystemCall_6_1_7601 | |
| jmp NtCreateToken_SystemCall_Unknown | |
| NtCreateToken_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateToken_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateToken_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateToken_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateToken_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateToken_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateToken_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateToken_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateToken_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateToken_SystemCall_10_0_18363 | |
| jmp NtCreateToken_SystemCall_Unknown | |
| NtCreateToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0087h | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00a9h | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00a7h | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00a7h | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00a7h | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00a7h | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00b1h | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00b3h | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00b6h | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00b7h | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00b9h | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00bch | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00bdh | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00beh | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00bfh | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00c0h | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00c0h | |
| jmp NtCreateToken_Epilogue | |
| NtCreateToken_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateToken_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateToken ENDP | |
| NtCreateTokenEx PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateTokenEx_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateTokenEx_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateTokenEx_Check_10_0_XXXX | |
| jmp NtCreateTokenEx_SystemCall_Unknown | |
| NtCreateTokenEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateTokenEx_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateTokenEx_SystemCall_6_3_XXXX | |
| jmp NtCreateTokenEx_SystemCall_Unknown | |
| NtCreateTokenEx_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateTokenEx_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateTokenEx_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateTokenEx_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateTokenEx_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateTokenEx_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateTokenEx_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateTokenEx_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateTokenEx_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateTokenEx_SystemCall_10_0_18363 | |
| jmp NtCreateTokenEx_SystemCall_Unknown | |
| NtCreateTokenEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00b2h | |
| jmp NtCreateTokenEx_Epilogue | |
| NtCreateTokenEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00b4h | |
| jmp NtCreateTokenEx_Epilogue | |
| NtCreateTokenEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00b7h | |
| jmp NtCreateTokenEx_Epilogue | |
| NtCreateTokenEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00b8h | |
| jmp NtCreateTokenEx_Epilogue | |
| NtCreateTokenEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00bah | |
| jmp NtCreateTokenEx_Epilogue | |
| NtCreateTokenEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00bdh | |
| jmp NtCreateTokenEx_Epilogue | |
| NtCreateTokenEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00beh | |
| jmp NtCreateTokenEx_Epilogue | |
| NtCreateTokenEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00bfh | |
| jmp NtCreateTokenEx_Epilogue | |
| NtCreateTokenEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00c0h | |
| jmp NtCreateTokenEx_Epilogue | |
| NtCreateTokenEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00c1h | |
| jmp NtCreateTokenEx_Epilogue | |
| NtCreateTokenEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00c1h | |
| jmp NtCreateTokenEx_Epilogue | |
| NtCreateTokenEx_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateTokenEx_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateTokenEx ENDP | |
| NtCreateTransaction PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateTransaction_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateTransaction_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateTransaction_Check_10_0_XXXX | |
| jmp NtCreateTransaction_SystemCall_Unknown | |
| NtCreateTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateTransaction_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateTransaction_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateTransaction_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateTransaction_SystemCall_6_3_XXXX | |
| jmp NtCreateTransaction_SystemCall_Unknown | |
| NtCreateTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateTransaction_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateTransaction_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateTransaction_SystemCall_6_0_6002 | |
| jmp NtCreateTransaction_SystemCall_Unknown | |
| NtCreateTransaction_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateTransaction_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateTransaction_SystemCall_6_1_7601 | |
| jmp NtCreateTransaction_SystemCall_Unknown | |
| NtCreateTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateTransaction_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateTransaction_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateTransaction_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateTransaction_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateTransaction_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateTransaction_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateTransaction_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateTransaction_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateTransaction_SystemCall_10_0_18363 | |
| jmp NtCreateTransaction_SystemCall_Unknown | |
| NtCreateTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00aah | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00a8h | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00a8h | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00a8h | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00a8h | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00b3h | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00b5h | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00b8h | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00b9h | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00bbh | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00beh | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00bfh | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00c0h | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00c1h | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00c2h | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00c2h | |
| jmp NtCreateTransaction_Epilogue | |
| NtCreateTransaction_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateTransaction_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateTransaction ENDP | |
| NtCreateTransactionManager PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateTransactionManager_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateTransactionManager_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateTransactionManager_Check_10_0_XXXX | |
| jmp NtCreateTransactionManager_SystemCall_Unknown | |
| NtCreateTransactionManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateTransactionManager_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateTransactionManager_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateTransactionManager_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateTransactionManager_SystemCall_6_3_XXXX | |
| jmp NtCreateTransactionManager_SystemCall_Unknown | |
| NtCreateTransactionManager_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateTransactionManager_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateTransactionManager_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateTransactionManager_SystemCall_6_0_6002 | |
| jmp NtCreateTransactionManager_SystemCall_Unknown | |
| NtCreateTransactionManager_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateTransactionManager_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateTransactionManager_SystemCall_6_1_7601 | |
| jmp NtCreateTransactionManager_SystemCall_Unknown | |
| NtCreateTransactionManager_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateTransactionManager_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateTransactionManager_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateTransactionManager_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateTransactionManager_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateTransactionManager_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateTransactionManager_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateTransactionManager_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateTransactionManager_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateTransactionManager_SystemCall_10_0_18363 | |
| jmp NtCreateTransactionManager_SystemCall_Unknown | |
| NtCreateTransactionManager_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00abh | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00a9h | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00a9h | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00a9h | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00a9h | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00b4h | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00b6h | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00b9h | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00bah | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00bch | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00bfh | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00c0h | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00c1h | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00c2h | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00c3h | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00c3h | |
| jmp NtCreateTransactionManager_Epilogue | |
| NtCreateTransactionManager_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateTransactionManager_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateTransactionManager ENDP | |
| NtCreateUserProcess PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateUserProcess_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateUserProcess_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateUserProcess_Check_10_0_XXXX | |
| jmp NtCreateUserProcess_SystemCall_Unknown | |
| NtCreateUserProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateUserProcess_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateUserProcess_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateUserProcess_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateUserProcess_SystemCall_6_3_XXXX | |
| jmp NtCreateUserProcess_SystemCall_Unknown | |
| NtCreateUserProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateUserProcess_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateUserProcess_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateUserProcess_SystemCall_6_0_6002 | |
| jmp NtCreateUserProcess_SystemCall_Unknown | |
| NtCreateUserProcess_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateUserProcess_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateUserProcess_SystemCall_6_1_7601 | |
| jmp NtCreateUserProcess_SystemCall_Unknown | |
| NtCreateUserProcess_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateUserProcess_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateUserProcess_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateUserProcess_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateUserProcess_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateUserProcess_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateUserProcess_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateUserProcess_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateUserProcess_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateUserProcess_SystemCall_10_0_18363 | |
| jmp NtCreateUserProcess_SystemCall_Unknown | |
| NtCreateUserProcess_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00ach | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00aah | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00aah | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00aah | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00aah | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00b5h | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00b7h | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00bah | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00bbh | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00bdh | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00c0h | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00c1h | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00c2h | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00c3h | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00c4h | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00c4h | |
| jmp NtCreateUserProcess_Epilogue | |
| NtCreateUserProcess_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateUserProcess_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateUserProcess ENDP | |
| NtCreateWaitCompletionPacket PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateWaitCompletionPacket_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateWaitCompletionPacket_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateWaitCompletionPacket_Check_10_0_XXXX | |
| jmp NtCreateWaitCompletionPacket_SystemCall_Unknown | |
| NtCreateWaitCompletionPacket_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateWaitCompletionPacket_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateWaitCompletionPacket_SystemCall_6_3_XXXX | |
| jmp NtCreateWaitCompletionPacket_SystemCall_Unknown | |
| NtCreateWaitCompletionPacket_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateWaitCompletionPacket_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateWaitCompletionPacket_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateWaitCompletionPacket_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateWaitCompletionPacket_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateWaitCompletionPacket_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateWaitCompletionPacket_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateWaitCompletionPacket_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateWaitCompletionPacket_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateWaitCompletionPacket_SystemCall_10_0_18363 | |
| jmp NtCreateWaitCompletionPacket_SystemCall_Unknown | |
| NtCreateWaitCompletionPacket_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00b6h | |
| jmp NtCreateWaitCompletionPacket_Epilogue | |
| NtCreateWaitCompletionPacket_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00b8h | |
| jmp NtCreateWaitCompletionPacket_Epilogue | |
| NtCreateWaitCompletionPacket_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00bbh | |
| jmp NtCreateWaitCompletionPacket_Epilogue | |
| NtCreateWaitCompletionPacket_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00bch | |
| jmp NtCreateWaitCompletionPacket_Epilogue | |
| NtCreateWaitCompletionPacket_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00beh | |
| jmp NtCreateWaitCompletionPacket_Epilogue | |
| NtCreateWaitCompletionPacket_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00c1h | |
| jmp NtCreateWaitCompletionPacket_Epilogue | |
| NtCreateWaitCompletionPacket_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00c2h | |
| jmp NtCreateWaitCompletionPacket_Epilogue | |
| NtCreateWaitCompletionPacket_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00c3h | |
| jmp NtCreateWaitCompletionPacket_Epilogue | |
| NtCreateWaitCompletionPacket_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00c4h | |
| jmp NtCreateWaitCompletionPacket_Epilogue | |
| NtCreateWaitCompletionPacket_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00c5h | |
| jmp NtCreateWaitCompletionPacket_Epilogue | |
| NtCreateWaitCompletionPacket_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00c5h | |
| jmp NtCreateWaitCompletionPacket_Epilogue | |
| NtCreateWaitCompletionPacket_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateWaitCompletionPacket_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateWaitCompletionPacket ENDP | |
| NtCreateWaitablePort PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateWaitablePort_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateWaitablePort_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateWaitablePort_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateWaitablePort_Check_10_0_XXXX | |
| jmp NtCreateWaitablePort_SystemCall_Unknown | |
| NtCreateWaitablePort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateWaitablePort_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateWaitablePort_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateWaitablePort_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateWaitablePort_SystemCall_6_3_XXXX | |
| jmp NtCreateWaitablePort_SystemCall_Unknown | |
| NtCreateWaitablePort_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateWaitablePort_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateWaitablePort_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateWaitablePort_SystemCall_6_0_6002 | |
| jmp NtCreateWaitablePort_SystemCall_Unknown | |
| NtCreateWaitablePort_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateWaitablePort_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateWaitablePort_SystemCall_6_1_7601 | |
| jmp NtCreateWaitablePort_SystemCall_Unknown | |
| NtCreateWaitablePort_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateWaitablePort_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateWaitablePort_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateWaitablePort_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateWaitablePort_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateWaitablePort_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateWaitablePort_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateWaitablePort_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateWaitablePort_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateWaitablePort_SystemCall_10_0_18363 | |
| jmp NtCreateWaitablePort_SystemCall_Unknown | |
| NtCreateWaitablePort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0088h | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00adh | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00abh | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00abh | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00abh | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00abh | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00b7h | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00b9h | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00bch | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00bdh | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00bfh | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00c2h | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00c3h | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00c4h | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00c5h | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00c6h | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00c6h | |
| jmp NtCreateWaitablePort_Epilogue | |
| NtCreateWaitablePort_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateWaitablePort_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateWaitablePort ENDP | |
| NtCreateWnfStateName PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateWnfStateName_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateWnfStateName_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateWnfStateName_Check_10_0_XXXX | |
| jmp NtCreateWnfStateName_SystemCall_Unknown | |
| NtCreateWnfStateName_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateWnfStateName_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateWnfStateName_SystemCall_6_3_XXXX | |
| jmp NtCreateWnfStateName_SystemCall_Unknown | |
| NtCreateWnfStateName_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateWnfStateName_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateWnfStateName_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateWnfStateName_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateWnfStateName_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateWnfStateName_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateWnfStateName_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateWnfStateName_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateWnfStateName_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateWnfStateName_SystemCall_10_0_18363 | |
| jmp NtCreateWnfStateName_SystemCall_Unknown | |
| NtCreateWnfStateName_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00b8h | |
| jmp NtCreateWnfStateName_Epilogue | |
| NtCreateWnfStateName_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00bah | |
| jmp NtCreateWnfStateName_Epilogue | |
| NtCreateWnfStateName_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00bdh | |
| jmp NtCreateWnfStateName_Epilogue | |
| NtCreateWnfStateName_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00beh | |
| jmp NtCreateWnfStateName_Epilogue | |
| NtCreateWnfStateName_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00c0h | |
| jmp NtCreateWnfStateName_Epilogue | |
| NtCreateWnfStateName_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00c3h | |
| jmp NtCreateWnfStateName_Epilogue | |
| NtCreateWnfStateName_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00c4h | |
| jmp NtCreateWnfStateName_Epilogue | |
| NtCreateWnfStateName_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00c5h | |
| jmp NtCreateWnfStateName_Epilogue | |
| NtCreateWnfStateName_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00c6h | |
| jmp NtCreateWnfStateName_Epilogue | |
| NtCreateWnfStateName_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00c7h | |
| jmp NtCreateWnfStateName_Epilogue | |
| NtCreateWnfStateName_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00c7h | |
| jmp NtCreateWnfStateName_Epilogue | |
| NtCreateWnfStateName_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateWnfStateName_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateWnfStateName ENDP | |
| NtCreateWorkerFactory PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtCreateWorkerFactory_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateWorkerFactory_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateWorkerFactory_Check_10_0_XXXX | |
| jmp NtCreateWorkerFactory_SystemCall_Unknown | |
| NtCreateWorkerFactory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateWorkerFactory_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateWorkerFactory_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateWorkerFactory_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateWorkerFactory_SystemCall_6_3_XXXX | |
| jmp NtCreateWorkerFactory_SystemCall_Unknown | |
| NtCreateWorkerFactory_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateWorkerFactory_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateWorkerFactory_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtCreateWorkerFactory_SystemCall_6_0_6002 | |
| jmp NtCreateWorkerFactory_SystemCall_Unknown | |
| NtCreateWorkerFactory_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateWorkerFactory_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtCreateWorkerFactory_SystemCall_6_1_7601 | |
| jmp NtCreateWorkerFactory_SystemCall_Unknown | |
| NtCreateWorkerFactory_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateWorkerFactory_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateWorkerFactory_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateWorkerFactory_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateWorkerFactory_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateWorkerFactory_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateWorkerFactory_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateWorkerFactory_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtCreateWorkerFactory_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtCreateWorkerFactory_SystemCall_10_0_18363 | |
| jmp NtCreateWorkerFactory_SystemCall_Unknown | |
| NtCreateWorkerFactory_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00aeh | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00ach | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00ach | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00ach | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00ach | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00b9h | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00bbh | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00beh | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00bfh | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00c1h | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00c4h | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00c5h | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00c6h | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00c7h | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00c8h | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00c8h | |
| jmp NtCreateWorkerFactory_Epilogue | |
| NtCreateWorkerFactory_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtCreateWorkerFactory_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateWorkerFactory ENDP | |
| NtDebugActiveProcess PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDebugActiveProcess_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtDebugActiveProcess_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDebugActiveProcess_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDebugActiveProcess_Check_10_0_XXXX | |
| jmp NtDebugActiveProcess_SystemCall_Unknown | |
| NtDebugActiveProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDebugActiveProcess_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDebugActiveProcess_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDebugActiveProcess_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDebugActiveProcess_SystemCall_6_3_XXXX | |
| jmp NtDebugActiveProcess_SystemCall_Unknown | |
| NtDebugActiveProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDebugActiveProcess_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDebugActiveProcess_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDebugActiveProcess_SystemCall_6_0_6002 | |
| jmp NtDebugActiveProcess_SystemCall_Unknown | |
| NtDebugActiveProcess_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDebugActiveProcess_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDebugActiveProcess_SystemCall_6_1_7601 | |
| jmp NtDebugActiveProcess_SystemCall_Unknown | |
| NtDebugActiveProcess_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDebugActiveProcess_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDebugActiveProcess_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDebugActiveProcess_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDebugActiveProcess_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDebugActiveProcess_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDebugActiveProcess_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDebugActiveProcess_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDebugActiveProcess_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDebugActiveProcess_SystemCall_10_0_18363 | |
| jmp NtDebugActiveProcess_SystemCall_Unknown | |
| NtDebugActiveProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0089h | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00afh | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00adh | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00adh | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00adh | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00adh | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00bah | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00bch | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00bfh | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00c0h | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00c2h | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00c5h | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00c6h | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00c7h | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00c8h | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00c9h | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00c9h | |
| jmp NtDebugActiveProcess_Epilogue | |
| NtDebugActiveProcess_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDebugActiveProcess_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDebugActiveProcess ENDP | |
| NtDebugContinue PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDebugContinue_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtDebugContinue_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDebugContinue_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDebugContinue_Check_10_0_XXXX | |
| jmp NtDebugContinue_SystemCall_Unknown | |
| NtDebugContinue_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDebugContinue_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDebugContinue_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDebugContinue_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDebugContinue_SystemCall_6_3_XXXX | |
| jmp NtDebugContinue_SystemCall_Unknown | |
| NtDebugContinue_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDebugContinue_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDebugContinue_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDebugContinue_SystemCall_6_0_6002 | |
| jmp NtDebugContinue_SystemCall_Unknown | |
| NtDebugContinue_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDebugContinue_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDebugContinue_SystemCall_6_1_7601 | |
| jmp NtDebugContinue_SystemCall_Unknown | |
| NtDebugContinue_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDebugContinue_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDebugContinue_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDebugContinue_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDebugContinue_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDebugContinue_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDebugContinue_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDebugContinue_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDebugContinue_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDebugContinue_SystemCall_10_0_18363 | |
| jmp NtDebugContinue_SystemCall_Unknown | |
| NtDebugContinue_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 008ah | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00b0h | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00aeh | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00aeh | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00aeh | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00aeh | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00bbh | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00bdh | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00c0h | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00c1h | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00c3h | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00c6h | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00c7h | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00c8h | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00c9h | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00cah | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00cah | |
| jmp NtDebugContinue_Epilogue | |
| NtDebugContinue_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDebugContinue_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDebugContinue ENDP | |
| NtDelayExecution PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDelayExecution_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtDelayExecution_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDelayExecution_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDelayExecution_Check_10_0_XXXX | |
| jmp NtDelayExecution_SystemCall_Unknown | |
| NtDelayExecution_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDelayExecution_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDelayExecution_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDelayExecution_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDelayExecution_SystemCall_6_3_XXXX | |
| jmp NtDelayExecution_SystemCall_Unknown | |
| NtDelayExecution_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDelayExecution_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDelayExecution_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDelayExecution_SystemCall_6_0_6002 | |
| jmp NtDelayExecution_SystemCall_Unknown | |
| NtDelayExecution_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDelayExecution_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDelayExecution_SystemCall_6_1_7601 | |
| jmp NtDelayExecution_SystemCall_Unknown | |
| NtDelayExecution_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDelayExecution_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDelayExecution_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDelayExecution_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDelayExecution_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDelayExecution_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDelayExecution_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDelayExecution_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDelayExecution_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDelayExecution_SystemCall_10_0_18363 | |
| jmp NtDelayExecution_SystemCall_Unknown | |
| NtDelayExecution_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0031h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0031h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0031h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0031h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0031h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0031h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0032h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0033h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0034h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0034h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0034h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0034h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0034h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0034h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0034h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0034h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0034h | |
| jmp NtDelayExecution_Epilogue | |
| NtDelayExecution_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDelayExecution_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDelayExecution ENDP | |
| NtDeleteAtom PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDeleteAtom_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtDeleteAtom_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDeleteAtom_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDeleteAtom_Check_10_0_XXXX | |
| jmp NtDeleteAtom_SystemCall_Unknown | |
| NtDeleteAtom_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDeleteAtom_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDeleteAtom_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteAtom_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteAtom_SystemCall_6_3_XXXX | |
| jmp NtDeleteAtom_SystemCall_Unknown | |
| NtDeleteAtom_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDeleteAtom_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDeleteAtom_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDeleteAtom_SystemCall_6_0_6002 | |
| jmp NtDeleteAtom_SystemCall_Unknown | |
| NtDeleteAtom_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDeleteAtom_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDeleteAtom_SystemCall_6_1_7601 | |
| jmp NtDeleteAtom_SystemCall_Unknown | |
| NtDeleteAtom_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDeleteAtom_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDeleteAtom_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDeleteAtom_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDeleteAtom_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDeleteAtom_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDeleteAtom_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDeleteAtom_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDeleteAtom_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDeleteAtom_SystemCall_10_0_18363 | |
| jmp NtDeleteAtom_SystemCall_Unknown | |
| NtDeleteAtom_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 008bh | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00b1h | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00afh | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00afh | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00afh | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00afh | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00bch | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00beh | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00c1h | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00c2h | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00c4h | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00c7h | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00c8h | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00c9h | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00cah | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00cbh | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00cbh | |
| jmp NtDeleteAtom_Epilogue | |
| NtDeleteAtom_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDeleteAtom_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDeleteAtom ENDP | |
| NtDeleteBootEntry PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDeleteBootEntry_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtDeleteBootEntry_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDeleteBootEntry_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDeleteBootEntry_Check_10_0_XXXX | |
| jmp NtDeleteBootEntry_SystemCall_Unknown | |
| NtDeleteBootEntry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDeleteBootEntry_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDeleteBootEntry_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteBootEntry_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteBootEntry_SystemCall_6_3_XXXX | |
| jmp NtDeleteBootEntry_SystemCall_Unknown | |
| NtDeleteBootEntry_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDeleteBootEntry_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDeleteBootEntry_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDeleteBootEntry_SystemCall_6_0_6002 | |
| jmp NtDeleteBootEntry_SystemCall_Unknown | |
| NtDeleteBootEntry_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDeleteBootEntry_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDeleteBootEntry_SystemCall_6_1_7601 | |
| jmp NtDeleteBootEntry_SystemCall_Unknown | |
| NtDeleteBootEntry_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDeleteBootEntry_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDeleteBootEntry_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDeleteBootEntry_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDeleteBootEntry_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDeleteBootEntry_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDeleteBootEntry_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDeleteBootEntry_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDeleteBootEntry_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDeleteBootEntry_SystemCall_10_0_18363 | |
| jmp NtDeleteBootEntry_SystemCall_Unknown | |
| NtDeleteBootEntry_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 008ch | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00b2h | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00b0h | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00b0h | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00b0h | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00b0h | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00bdh | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00bfh | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00c2h | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00c3h | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00c5h | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00c8h | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00c9h | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00cah | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00cbh | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00cch | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00cch | |
| jmp NtDeleteBootEntry_Epilogue | |
| NtDeleteBootEntry_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDeleteBootEntry_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDeleteBootEntry ENDP | |
| NtDeleteDriverEntry PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDeleteDriverEntry_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtDeleteDriverEntry_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDeleteDriverEntry_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDeleteDriverEntry_Check_10_0_XXXX | |
| jmp NtDeleteDriverEntry_SystemCall_Unknown | |
| NtDeleteDriverEntry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDeleteDriverEntry_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDeleteDriverEntry_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteDriverEntry_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteDriverEntry_SystemCall_6_3_XXXX | |
| jmp NtDeleteDriverEntry_SystemCall_Unknown | |
| NtDeleteDriverEntry_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDeleteDriverEntry_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDeleteDriverEntry_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDeleteDriverEntry_SystemCall_6_0_6002 | |
| jmp NtDeleteDriverEntry_SystemCall_Unknown | |
| NtDeleteDriverEntry_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDeleteDriverEntry_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDeleteDriverEntry_SystemCall_6_1_7601 | |
| jmp NtDeleteDriverEntry_SystemCall_Unknown | |
| NtDeleteDriverEntry_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDeleteDriverEntry_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDeleteDriverEntry_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDeleteDriverEntry_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDeleteDriverEntry_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDeleteDriverEntry_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDeleteDriverEntry_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDeleteDriverEntry_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDeleteDriverEntry_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDeleteDriverEntry_SystemCall_10_0_18363 | |
| jmp NtDeleteDriverEntry_SystemCall_Unknown | |
| NtDeleteDriverEntry_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 008dh | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00b3h | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00b1h | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00b1h | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00b1h | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00b1h | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00beh | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00c0h | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00c3h | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00c4h | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00c6h | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00c9h | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00cah | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00cbh | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00cch | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00cdh | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00cdh | |
| jmp NtDeleteDriverEntry_Epilogue | |
| NtDeleteDriverEntry_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDeleteDriverEntry_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDeleteDriverEntry ENDP | |
| NtDeleteFile PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDeleteFile_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtDeleteFile_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDeleteFile_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDeleteFile_Check_10_0_XXXX | |
| jmp NtDeleteFile_SystemCall_Unknown | |
| NtDeleteFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDeleteFile_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDeleteFile_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteFile_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteFile_SystemCall_6_3_XXXX | |
| jmp NtDeleteFile_SystemCall_Unknown | |
| NtDeleteFile_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDeleteFile_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDeleteFile_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDeleteFile_SystemCall_6_0_6002 | |
| jmp NtDeleteFile_SystemCall_Unknown | |
| NtDeleteFile_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDeleteFile_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDeleteFile_SystemCall_6_1_7601 | |
| jmp NtDeleteFile_SystemCall_Unknown | |
| NtDeleteFile_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDeleteFile_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDeleteFile_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDeleteFile_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDeleteFile_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDeleteFile_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDeleteFile_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDeleteFile_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDeleteFile_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDeleteFile_SystemCall_10_0_18363 | |
| jmp NtDeleteFile_SystemCall_Unknown | |
| NtDeleteFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 008eh | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00b4h | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00b2h | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00b2h | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00b2h | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00b2h | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00bfh | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00c1h | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00c4h | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00c5h | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00c7h | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00cah | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00cbh | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00cch | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00cdh | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00ceh | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00ceh | |
| jmp NtDeleteFile_Epilogue | |
| NtDeleteFile_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDeleteFile_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDeleteFile ENDP | |
| NtDeleteKey PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDeleteKey_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtDeleteKey_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDeleteKey_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDeleteKey_Check_10_0_XXXX | |
| jmp NtDeleteKey_SystemCall_Unknown | |
| NtDeleteKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDeleteKey_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDeleteKey_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteKey_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteKey_SystemCall_6_3_XXXX | |
| jmp NtDeleteKey_SystemCall_Unknown | |
| NtDeleteKey_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDeleteKey_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDeleteKey_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDeleteKey_SystemCall_6_0_6002 | |
| jmp NtDeleteKey_SystemCall_Unknown | |
| NtDeleteKey_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDeleteKey_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDeleteKey_SystemCall_6_1_7601 | |
| jmp NtDeleteKey_SystemCall_Unknown | |
| NtDeleteKey_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDeleteKey_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDeleteKey_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDeleteKey_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDeleteKey_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDeleteKey_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDeleteKey_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDeleteKey_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDeleteKey_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDeleteKey_SystemCall_10_0_18363 | |
| jmp NtDeleteKey_SystemCall_Unknown | |
| NtDeleteKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 008fh | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00b5h | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00b3h | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00b3h | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00b3h | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00b3h | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00c0h | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00c2h | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00c5h | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00c6h | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00c8h | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00cbh | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00cch | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00cdh | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00ceh | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00cfh | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00cfh | |
| jmp NtDeleteKey_Epilogue | |
| NtDeleteKey_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDeleteKey_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDeleteKey ENDP | |
| NtDeleteObjectAuditAlarm PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDeleteObjectAuditAlarm_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtDeleteObjectAuditAlarm_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDeleteObjectAuditAlarm_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDeleteObjectAuditAlarm_Check_10_0_XXXX | |
| jmp NtDeleteObjectAuditAlarm_SystemCall_Unknown | |
| NtDeleteObjectAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDeleteObjectAuditAlarm_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDeleteObjectAuditAlarm_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteObjectAuditAlarm_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteObjectAuditAlarm_SystemCall_6_3_XXXX | |
| jmp NtDeleteObjectAuditAlarm_SystemCall_Unknown | |
| NtDeleteObjectAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDeleteObjectAuditAlarm_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDeleteObjectAuditAlarm_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDeleteObjectAuditAlarm_SystemCall_6_0_6002 | |
| jmp NtDeleteObjectAuditAlarm_SystemCall_Unknown | |
| NtDeleteObjectAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDeleteObjectAuditAlarm_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDeleteObjectAuditAlarm_SystemCall_6_1_7601 | |
| jmp NtDeleteObjectAuditAlarm_SystemCall_Unknown | |
| NtDeleteObjectAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDeleteObjectAuditAlarm_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDeleteObjectAuditAlarm_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDeleteObjectAuditAlarm_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDeleteObjectAuditAlarm_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDeleteObjectAuditAlarm_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDeleteObjectAuditAlarm_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDeleteObjectAuditAlarm_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDeleteObjectAuditAlarm_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDeleteObjectAuditAlarm_SystemCall_10_0_18363 | |
| jmp NtDeleteObjectAuditAlarm_SystemCall_Unknown | |
| NtDeleteObjectAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0090h | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00b6h | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00b4h | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00b4h | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00b4h | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00b4h | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00c1h | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00c3h | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00c6h | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00c7h | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00c9h | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00cch | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00cdh | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00ceh | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00cfh | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00d0h | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00d0h | |
| jmp NtDeleteObjectAuditAlarm_Epilogue | |
| NtDeleteObjectAuditAlarm_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDeleteObjectAuditAlarm_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDeleteObjectAuditAlarm ENDP | |
| NtDeletePrivateNamespace PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDeletePrivateNamespace_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDeletePrivateNamespace_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDeletePrivateNamespace_Check_10_0_XXXX | |
| jmp NtDeletePrivateNamespace_SystemCall_Unknown | |
| NtDeletePrivateNamespace_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDeletePrivateNamespace_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDeletePrivateNamespace_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeletePrivateNamespace_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeletePrivateNamespace_SystemCall_6_3_XXXX | |
| jmp NtDeletePrivateNamespace_SystemCall_Unknown | |
| NtDeletePrivateNamespace_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDeletePrivateNamespace_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDeletePrivateNamespace_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDeletePrivateNamespace_SystemCall_6_0_6002 | |
| jmp NtDeletePrivateNamespace_SystemCall_Unknown | |
| NtDeletePrivateNamespace_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDeletePrivateNamespace_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDeletePrivateNamespace_SystemCall_6_1_7601 | |
| jmp NtDeletePrivateNamespace_SystemCall_Unknown | |
| NtDeletePrivateNamespace_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDeletePrivateNamespace_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDeletePrivateNamespace_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDeletePrivateNamespace_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDeletePrivateNamespace_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDeletePrivateNamespace_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDeletePrivateNamespace_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDeletePrivateNamespace_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDeletePrivateNamespace_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDeletePrivateNamespace_SystemCall_10_0_18363 | |
| jmp NtDeletePrivateNamespace_SystemCall_Unknown | |
| NtDeletePrivateNamespace_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00b7h | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00b5h | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00b5h | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00b5h | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00b5h | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00c2h | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00c4h | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00c7h | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00c8h | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00cah | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00cdh | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00ceh | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00cfh | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00d0h | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00d1h | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00d1h | |
| jmp NtDeletePrivateNamespace_Epilogue | |
| NtDeletePrivateNamespace_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDeletePrivateNamespace_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDeletePrivateNamespace ENDP | |
| NtDeleteValueKey PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDeleteValueKey_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtDeleteValueKey_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDeleteValueKey_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDeleteValueKey_Check_10_0_XXXX | |
| jmp NtDeleteValueKey_SystemCall_Unknown | |
| NtDeleteValueKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDeleteValueKey_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDeleteValueKey_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteValueKey_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteValueKey_SystemCall_6_3_XXXX | |
| jmp NtDeleteValueKey_SystemCall_Unknown | |
| NtDeleteValueKey_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDeleteValueKey_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDeleteValueKey_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDeleteValueKey_SystemCall_6_0_6002 | |
| jmp NtDeleteValueKey_SystemCall_Unknown | |
| NtDeleteValueKey_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDeleteValueKey_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDeleteValueKey_SystemCall_6_1_7601 | |
| jmp NtDeleteValueKey_SystemCall_Unknown | |
| NtDeleteValueKey_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDeleteValueKey_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDeleteValueKey_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDeleteValueKey_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDeleteValueKey_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDeleteValueKey_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDeleteValueKey_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDeleteValueKey_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDeleteValueKey_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDeleteValueKey_SystemCall_10_0_18363 | |
| jmp NtDeleteValueKey_SystemCall_Unknown | |
| NtDeleteValueKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0091h | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00b8h | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00b6h | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00b6h | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00b6h | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00b6h | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00c3h | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00c5h | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00c8h | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00c9h | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00cbh | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00ceh | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00cfh | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00d0h | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00d1h | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00d2h | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00d2h | |
| jmp NtDeleteValueKey_Epilogue | |
| NtDeleteValueKey_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDeleteValueKey_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDeleteValueKey ENDP | |
| NtDeleteWnfStateData PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDeleteWnfStateData_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDeleteWnfStateData_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDeleteWnfStateData_Check_10_0_XXXX | |
| jmp NtDeleteWnfStateData_SystemCall_Unknown | |
| NtDeleteWnfStateData_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteWnfStateData_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteWnfStateData_SystemCall_6_3_XXXX | |
| jmp NtDeleteWnfStateData_SystemCall_Unknown | |
| NtDeleteWnfStateData_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDeleteWnfStateData_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDeleteWnfStateData_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDeleteWnfStateData_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDeleteWnfStateData_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDeleteWnfStateData_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDeleteWnfStateData_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDeleteWnfStateData_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDeleteWnfStateData_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDeleteWnfStateData_SystemCall_10_0_18363 | |
| jmp NtDeleteWnfStateData_SystemCall_Unknown | |
| NtDeleteWnfStateData_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00c4h | |
| jmp NtDeleteWnfStateData_Epilogue | |
| NtDeleteWnfStateData_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00c6h | |
| jmp NtDeleteWnfStateData_Epilogue | |
| NtDeleteWnfStateData_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00c9h | |
| jmp NtDeleteWnfStateData_Epilogue | |
| NtDeleteWnfStateData_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00cah | |
| jmp NtDeleteWnfStateData_Epilogue | |
| NtDeleteWnfStateData_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00cch | |
| jmp NtDeleteWnfStateData_Epilogue | |
| NtDeleteWnfStateData_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00cfh | |
| jmp NtDeleteWnfStateData_Epilogue | |
| NtDeleteWnfStateData_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00d0h | |
| jmp NtDeleteWnfStateData_Epilogue | |
| NtDeleteWnfStateData_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00d1h | |
| jmp NtDeleteWnfStateData_Epilogue | |
| NtDeleteWnfStateData_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00d2h | |
| jmp NtDeleteWnfStateData_Epilogue | |
| NtDeleteWnfStateData_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00d3h | |
| jmp NtDeleteWnfStateData_Epilogue | |
| NtDeleteWnfStateData_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00d3h | |
| jmp NtDeleteWnfStateData_Epilogue | |
| NtDeleteWnfStateData_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDeleteWnfStateData_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDeleteWnfStateData ENDP | |
| NtDeleteWnfStateName PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDeleteWnfStateName_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDeleteWnfStateName_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDeleteWnfStateName_Check_10_0_XXXX | |
| jmp NtDeleteWnfStateName_SystemCall_Unknown | |
| NtDeleteWnfStateName_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteWnfStateName_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeleteWnfStateName_SystemCall_6_3_XXXX | |
| jmp NtDeleteWnfStateName_SystemCall_Unknown | |
| NtDeleteWnfStateName_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDeleteWnfStateName_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDeleteWnfStateName_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDeleteWnfStateName_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDeleteWnfStateName_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDeleteWnfStateName_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDeleteWnfStateName_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDeleteWnfStateName_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDeleteWnfStateName_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDeleteWnfStateName_SystemCall_10_0_18363 | |
| jmp NtDeleteWnfStateName_SystemCall_Unknown | |
| NtDeleteWnfStateName_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00c5h | |
| jmp NtDeleteWnfStateName_Epilogue | |
| NtDeleteWnfStateName_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00c7h | |
| jmp NtDeleteWnfStateName_Epilogue | |
| NtDeleteWnfStateName_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00cah | |
| jmp NtDeleteWnfStateName_Epilogue | |
| NtDeleteWnfStateName_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00cbh | |
| jmp NtDeleteWnfStateName_Epilogue | |
| NtDeleteWnfStateName_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00cdh | |
| jmp NtDeleteWnfStateName_Epilogue | |
| NtDeleteWnfStateName_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00d0h | |
| jmp NtDeleteWnfStateName_Epilogue | |
| NtDeleteWnfStateName_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00d1h | |
| jmp NtDeleteWnfStateName_Epilogue | |
| NtDeleteWnfStateName_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00d2h | |
| jmp NtDeleteWnfStateName_Epilogue | |
| NtDeleteWnfStateName_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00d3h | |
| jmp NtDeleteWnfStateName_Epilogue | |
| NtDeleteWnfStateName_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00d4h | |
| jmp NtDeleteWnfStateName_Epilogue | |
| NtDeleteWnfStateName_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00d4h | |
| jmp NtDeleteWnfStateName_Epilogue | |
| NtDeleteWnfStateName_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDeleteWnfStateName_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDeleteWnfStateName ENDP | |
| NtDeviceIoControlFile PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDeviceIoControlFile_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtDeviceIoControlFile_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDeviceIoControlFile_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDeviceIoControlFile_Check_10_0_XXXX | |
| jmp NtDeviceIoControlFile_SystemCall_Unknown | |
| NtDeviceIoControlFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDeviceIoControlFile_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDeviceIoControlFile_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeviceIoControlFile_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDeviceIoControlFile_SystemCall_6_3_XXXX | |
| jmp NtDeviceIoControlFile_SystemCall_Unknown | |
| NtDeviceIoControlFile_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDeviceIoControlFile_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDeviceIoControlFile_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDeviceIoControlFile_SystemCall_6_0_6002 | |
| jmp NtDeviceIoControlFile_SystemCall_Unknown | |
| NtDeviceIoControlFile_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDeviceIoControlFile_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDeviceIoControlFile_SystemCall_6_1_7601 | |
| jmp NtDeviceIoControlFile_SystemCall_Unknown | |
| NtDeviceIoControlFile_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDeviceIoControlFile_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDeviceIoControlFile_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDeviceIoControlFile_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDeviceIoControlFile_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDeviceIoControlFile_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDeviceIoControlFile_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDeviceIoControlFile_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDeviceIoControlFile_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDeviceIoControlFile_SystemCall_10_0_18363 | |
| jmp NtDeviceIoControlFile_SystemCall_Unknown | |
| NtDeviceIoControlFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0004h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0004h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0004h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0004h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0004h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0004h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0005h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0006h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0007h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0007h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0007h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0007h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0007h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0007h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0007h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0007h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0007h | |
| jmp NtDeviceIoControlFile_Epilogue | |
| NtDeviceIoControlFile_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDeviceIoControlFile_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDeviceIoControlFile ENDP | |
| NtDisableLastKnownGood PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDisableLastKnownGood_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDisableLastKnownGood_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDisableLastKnownGood_Check_10_0_XXXX | |
| jmp NtDisableLastKnownGood_SystemCall_Unknown | |
| NtDisableLastKnownGood_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDisableLastKnownGood_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDisableLastKnownGood_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDisableLastKnownGood_SystemCall_6_3_XXXX | |
| jmp NtDisableLastKnownGood_SystemCall_Unknown | |
| NtDisableLastKnownGood_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDisableLastKnownGood_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDisableLastKnownGood_SystemCall_6_1_7601 | |
| jmp NtDisableLastKnownGood_SystemCall_Unknown | |
| NtDisableLastKnownGood_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDisableLastKnownGood_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDisableLastKnownGood_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDisableLastKnownGood_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDisableLastKnownGood_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDisableLastKnownGood_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDisableLastKnownGood_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDisableLastKnownGood_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDisableLastKnownGood_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDisableLastKnownGood_SystemCall_10_0_18363 | |
| jmp NtDisableLastKnownGood_SystemCall_Unknown | |
| NtDisableLastKnownGood_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00b7h | |
| jmp NtDisableLastKnownGood_Epilogue | |
| NtDisableLastKnownGood_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00b7h | |
| jmp NtDisableLastKnownGood_Epilogue | |
| NtDisableLastKnownGood_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00c6h | |
| jmp NtDisableLastKnownGood_Epilogue | |
| NtDisableLastKnownGood_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00c8h | |
| jmp NtDisableLastKnownGood_Epilogue | |
| NtDisableLastKnownGood_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00cbh | |
| jmp NtDisableLastKnownGood_Epilogue | |
| NtDisableLastKnownGood_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00cch | |
| jmp NtDisableLastKnownGood_Epilogue | |
| NtDisableLastKnownGood_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00ceh | |
| jmp NtDisableLastKnownGood_Epilogue | |
| NtDisableLastKnownGood_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00d1h | |
| jmp NtDisableLastKnownGood_Epilogue | |
| NtDisableLastKnownGood_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00d2h | |
| jmp NtDisableLastKnownGood_Epilogue | |
| NtDisableLastKnownGood_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00d3h | |
| jmp NtDisableLastKnownGood_Epilogue | |
| NtDisableLastKnownGood_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00d4h | |
| jmp NtDisableLastKnownGood_Epilogue | |
| NtDisableLastKnownGood_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00d5h | |
| jmp NtDisableLastKnownGood_Epilogue | |
| NtDisableLastKnownGood_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00d5h | |
| jmp NtDisableLastKnownGood_Epilogue | |
| NtDisableLastKnownGood_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDisableLastKnownGood_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDisableLastKnownGood ENDP | |
| NtDisplayString PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDisplayString_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtDisplayString_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDisplayString_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDisplayString_Check_10_0_XXXX | |
| jmp NtDisplayString_SystemCall_Unknown | |
| NtDisplayString_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDisplayString_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDisplayString_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDisplayString_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDisplayString_SystemCall_6_3_XXXX | |
| jmp NtDisplayString_SystemCall_Unknown | |
| NtDisplayString_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDisplayString_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDisplayString_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDisplayString_SystemCall_6_0_6002 | |
| jmp NtDisplayString_SystemCall_Unknown | |
| NtDisplayString_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDisplayString_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDisplayString_SystemCall_6_1_7601 | |
| jmp NtDisplayString_SystemCall_Unknown | |
| NtDisplayString_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDisplayString_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDisplayString_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDisplayString_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDisplayString_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDisplayString_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDisplayString_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDisplayString_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDisplayString_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDisplayString_SystemCall_10_0_18363 | |
| jmp NtDisplayString_SystemCall_Unknown | |
| NtDisplayString_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0092h | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00b9h | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00b7h | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00b7h | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00b8h | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00b8h | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00c7h | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00c9h | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00cch | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00cdh | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00cfh | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00d2h | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00d3h | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00d4h | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00d5h | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00d6h | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00d6h | |
| jmp NtDisplayString_Epilogue | |
| NtDisplayString_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDisplayString_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDisplayString ENDP | |
| NtDrawText PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDrawText_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDrawText_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDrawText_Check_10_0_XXXX | |
| jmp NtDrawText_SystemCall_Unknown | |
| NtDrawText_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDrawText_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDrawText_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDrawText_SystemCall_6_3_XXXX | |
| jmp NtDrawText_SystemCall_Unknown | |
| NtDrawText_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDrawText_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDrawText_SystemCall_6_1_7601 | |
| jmp NtDrawText_SystemCall_Unknown | |
| NtDrawText_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDrawText_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDrawText_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDrawText_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDrawText_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDrawText_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDrawText_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDrawText_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDrawText_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDrawText_SystemCall_10_0_18363 | |
| jmp NtDrawText_SystemCall_Unknown | |
| NtDrawText_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00b9h | |
| jmp NtDrawText_Epilogue | |
| NtDrawText_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00b9h | |
| jmp NtDrawText_Epilogue | |
| NtDrawText_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00c8h | |
| jmp NtDrawText_Epilogue | |
| NtDrawText_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00cah | |
| jmp NtDrawText_Epilogue | |
| NtDrawText_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00cdh | |
| jmp NtDrawText_Epilogue | |
| NtDrawText_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00ceh | |
| jmp NtDrawText_Epilogue | |
| NtDrawText_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00d0h | |
| jmp NtDrawText_Epilogue | |
| NtDrawText_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00d3h | |
| jmp NtDrawText_Epilogue | |
| NtDrawText_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00d4h | |
| jmp NtDrawText_Epilogue | |
| NtDrawText_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00d5h | |
| jmp NtDrawText_Epilogue | |
| NtDrawText_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00d6h | |
| jmp NtDrawText_Epilogue | |
| NtDrawText_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00d7h | |
| jmp NtDrawText_Epilogue | |
| NtDrawText_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00d7h | |
| jmp NtDrawText_Epilogue | |
| NtDrawText_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDrawText_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDrawText ENDP | |
| NtDuplicateObject PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDuplicateObject_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtDuplicateObject_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDuplicateObject_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDuplicateObject_Check_10_0_XXXX | |
| jmp NtDuplicateObject_SystemCall_Unknown | |
| NtDuplicateObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDuplicateObject_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDuplicateObject_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDuplicateObject_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDuplicateObject_SystemCall_6_3_XXXX | |
| jmp NtDuplicateObject_SystemCall_Unknown | |
| NtDuplicateObject_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDuplicateObject_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDuplicateObject_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDuplicateObject_SystemCall_6_0_6002 | |
| jmp NtDuplicateObject_SystemCall_Unknown | |
| NtDuplicateObject_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDuplicateObject_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDuplicateObject_SystemCall_6_1_7601 | |
| jmp NtDuplicateObject_SystemCall_Unknown | |
| NtDuplicateObject_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDuplicateObject_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDuplicateObject_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDuplicateObject_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDuplicateObject_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDuplicateObject_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDuplicateObject_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDuplicateObject_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDuplicateObject_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDuplicateObject_SystemCall_10_0_18363 | |
| jmp NtDuplicateObject_SystemCall_Unknown | |
| NtDuplicateObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0039h | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0039h | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0039h | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0039h | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0039h | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0039h | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 003ah | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 003bh | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 003ch | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 003ch | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 003ch | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 003ch | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 003ch | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 003ch | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 003ch | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 003ch | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 003ch | |
| jmp NtDuplicateObject_Epilogue | |
| NtDuplicateObject_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDuplicateObject_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDuplicateObject ENDP | |
| NtDuplicateToken PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtDuplicateToken_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtDuplicateToken_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtDuplicateToken_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtDuplicateToken_Check_10_0_XXXX | |
| jmp NtDuplicateToken_SystemCall_Unknown | |
| NtDuplicateToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtDuplicateToken_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtDuplicateToken_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDuplicateToken_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtDuplicateToken_SystemCall_6_3_XXXX | |
| jmp NtDuplicateToken_SystemCall_Unknown | |
| NtDuplicateToken_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtDuplicateToken_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtDuplicateToken_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtDuplicateToken_SystemCall_6_0_6002 | |
| jmp NtDuplicateToken_SystemCall_Unknown | |
| NtDuplicateToken_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtDuplicateToken_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtDuplicateToken_SystemCall_6_1_7601 | |
| jmp NtDuplicateToken_SystemCall_Unknown | |
| NtDuplicateToken_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtDuplicateToken_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtDuplicateToken_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtDuplicateToken_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtDuplicateToken_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtDuplicateToken_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtDuplicateToken_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtDuplicateToken_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtDuplicateToken_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtDuplicateToken_SystemCall_10_0_18363 | |
| jmp NtDuplicateToken_SystemCall_Unknown | |
| NtDuplicateToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 003fh | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 003fh | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 003fh | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 003fh | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 003fh | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 003fh | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0040h | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0041h | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0042h | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0042h | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0042h | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0042h | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0042h | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0042h | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0042h | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0042h | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0042h | |
| jmp NtDuplicateToken_Epilogue | |
| NtDuplicateToken_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtDuplicateToken_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtDuplicateToken ENDP | |
| NtEnableLastKnownGood PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtEnableLastKnownGood_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtEnableLastKnownGood_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtEnableLastKnownGood_Check_10_0_XXXX | |
| jmp NtEnableLastKnownGood_SystemCall_Unknown | |
| NtEnableLastKnownGood_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtEnableLastKnownGood_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtEnableLastKnownGood_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtEnableLastKnownGood_SystemCall_6_3_XXXX | |
| jmp NtEnableLastKnownGood_SystemCall_Unknown | |
| NtEnableLastKnownGood_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtEnableLastKnownGood_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtEnableLastKnownGood_SystemCall_6_1_7601 | |
| jmp NtEnableLastKnownGood_SystemCall_Unknown | |
| NtEnableLastKnownGood_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtEnableLastKnownGood_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtEnableLastKnownGood_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtEnableLastKnownGood_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtEnableLastKnownGood_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtEnableLastKnownGood_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtEnableLastKnownGood_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtEnableLastKnownGood_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtEnableLastKnownGood_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtEnableLastKnownGood_SystemCall_10_0_18363 | |
| jmp NtEnableLastKnownGood_SystemCall_Unknown | |
| NtEnableLastKnownGood_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00bah | |
| jmp NtEnableLastKnownGood_Epilogue | |
| NtEnableLastKnownGood_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00bah | |
| jmp NtEnableLastKnownGood_Epilogue | |
| NtEnableLastKnownGood_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00c9h | |
| jmp NtEnableLastKnownGood_Epilogue | |
| NtEnableLastKnownGood_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00cbh | |
| jmp NtEnableLastKnownGood_Epilogue | |
| NtEnableLastKnownGood_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00ceh | |
| jmp NtEnableLastKnownGood_Epilogue | |
| NtEnableLastKnownGood_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00cfh | |
| jmp NtEnableLastKnownGood_Epilogue | |
| NtEnableLastKnownGood_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00d1h | |
| jmp NtEnableLastKnownGood_Epilogue | |
| NtEnableLastKnownGood_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00d4h | |
| jmp NtEnableLastKnownGood_Epilogue | |
| NtEnableLastKnownGood_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00d5h | |
| jmp NtEnableLastKnownGood_Epilogue | |
| NtEnableLastKnownGood_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00d6h | |
| jmp NtEnableLastKnownGood_Epilogue | |
| NtEnableLastKnownGood_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00d7h | |
| jmp NtEnableLastKnownGood_Epilogue | |
| NtEnableLastKnownGood_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00d8h | |
| jmp NtEnableLastKnownGood_Epilogue | |
| NtEnableLastKnownGood_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00d8h | |
| jmp NtEnableLastKnownGood_Epilogue | |
| NtEnableLastKnownGood_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtEnableLastKnownGood_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtEnableLastKnownGood ENDP | |
| NtEnumerateBootEntries PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtEnumerateBootEntries_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtEnumerateBootEntries_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtEnumerateBootEntries_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtEnumerateBootEntries_Check_10_0_XXXX | |
| jmp NtEnumerateBootEntries_SystemCall_Unknown | |
| NtEnumerateBootEntries_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtEnumerateBootEntries_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtEnumerateBootEntries_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtEnumerateBootEntries_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtEnumerateBootEntries_SystemCall_6_3_XXXX | |
| jmp NtEnumerateBootEntries_SystemCall_Unknown | |
| NtEnumerateBootEntries_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtEnumerateBootEntries_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtEnumerateBootEntries_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtEnumerateBootEntries_SystemCall_6_0_6002 | |
| jmp NtEnumerateBootEntries_SystemCall_Unknown | |
| NtEnumerateBootEntries_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtEnumerateBootEntries_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtEnumerateBootEntries_SystemCall_6_1_7601 | |
| jmp NtEnumerateBootEntries_SystemCall_Unknown | |
| NtEnumerateBootEntries_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtEnumerateBootEntries_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtEnumerateBootEntries_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtEnumerateBootEntries_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtEnumerateBootEntries_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtEnumerateBootEntries_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtEnumerateBootEntries_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtEnumerateBootEntries_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtEnumerateBootEntries_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtEnumerateBootEntries_SystemCall_10_0_18363 | |
| jmp NtEnumerateBootEntries_SystemCall_Unknown | |
| NtEnumerateBootEntries_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0093h | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00bah | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00b8h | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00b8h | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00bbh | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00bbh | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00cah | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00cch | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00cfh | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00d0h | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00d2h | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00d5h | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00d6h | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00d7h | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00d8h | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00d9h | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00d9h | |
| jmp NtEnumerateBootEntries_Epilogue | |
| NtEnumerateBootEntries_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtEnumerateBootEntries_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtEnumerateBootEntries ENDP | |
| NtEnumerateDriverEntries PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtEnumerateDriverEntries_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtEnumerateDriverEntries_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtEnumerateDriverEntries_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtEnumerateDriverEntries_Check_10_0_XXXX | |
| jmp NtEnumerateDriverEntries_SystemCall_Unknown | |
| NtEnumerateDriverEntries_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtEnumerateDriverEntries_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtEnumerateDriverEntries_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtEnumerateDriverEntries_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtEnumerateDriverEntries_SystemCall_6_3_XXXX | |
| jmp NtEnumerateDriverEntries_SystemCall_Unknown | |
| NtEnumerateDriverEntries_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtEnumerateDriverEntries_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtEnumerateDriverEntries_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtEnumerateDriverEntries_SystemCall_6_0_6002 | |
| jmp NtEnumerateDriverEntries_SystemCall_Unknown | |
| NtEnumerateDriverEntries_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtEnumerateDriverEntries_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtEnumerateDriverEntries_SystemCall_6_1_7601 | |
| jmp NtEnumerateDriverEntries_SystemCall_Unknown | |
| NtEnumerateDriverEntries_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtEnumerateDriverEntries_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtEnumerateDriverEntries_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtEnumerateDriverEntries_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtEnumerateDriverEntries_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtEnumerateDriverEntries_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtEnumerateDriverEntries_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtEnumerateDriverEntries_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtEnumerateDriverEntries_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtEnumerateDriverEntries_SystemCall_10_0_18363 | |
| jmp NtEnumerateDriverEntries_SystemCall_Unknown | |
| NtEnumerateDriverEntries_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0094h | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00bbh | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00b9h | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00b9h | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00bch | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00bch | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00cbh | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00cdh | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00d0h | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00d1h | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00d3h | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00d6h | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00d7h | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00d8h | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00d9h | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00dah | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00dah | |
| jmp NtEnumerateDriverEntries_Epilogue | |
| NtEnumerateDriverEntries_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtEnumerateDriverEntries_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtEnumerateDriverEntries ENDP | |
| NtEnumerateKey PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtEnumerateKey_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtEnumerateKey_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtEnumerateKey_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtEnumerateKey_Check_10_0_XXXX | |
| jmp NtEnumerateKey_SystemCall_Unknown | |
| NtEnumerateKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtEnumerateKey_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtEnumerateKey_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtEnumerateKey_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtEnumerateKey_SystemCall_6_3_XXXX | |
| jmp NtEnumerateKey_SystemCall_Unknown | |
| NtEnumerateKey_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtEnumerateKey_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtEnumerateKey_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtEnumerateKey_SystemCall_6_0_6002 | |
| jmp NtEnumerateKey_SystemCall_Unknown | |
| NtEnumerateKey_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtEnumerateKey_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtEnumerateKey_SystemCall_6_1_7601 | |
| jmp NtEnumerateKey_SystemCall_Unknown | |
| NtEnumerateKey_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtEnumerateKey_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtEnumerateKey_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtEnumerateKey_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtEnumerateKey_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtEnumerateKey_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtEnumerateKey_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtEnumerateKey_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtEnumerateKey_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtEnumerateKey_SystemCall_10_0_18363 | |
| jmp NtEnumerateKey_SystemCall_Unknown | |
| NtEnumerateKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 002fh | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 002fh | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 002fh | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 002fh | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 002fh | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 002fh | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0030h | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0031h | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0032h | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0032h | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0032h | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0032h | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0032h | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0032h | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0032h | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0032h | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0032h | |
| jmp NtEnumerateKey_Epilogue | |
| NtEnumerateKey_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtEnumerateKey_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtEnumerateKey ENDP | |
| NtEnumerateSystemEnvironmentValuesEx PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtEnumerateSystemEnvironmentValuesEx_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtEnumerateSystemEnvironmentValuesEx_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtEnumerateSystemEnvironmentValuesEx_Check_10_0_XXXX | |
| jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown | |
| NtEnumerateSystemEnvironmentValuesEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtEnumerateSystemEnvironmentValuesEx_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtEnumerateSystemEnvironmentValuesEx_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_3_XXXX | |
| jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown | |
| NtEnumerateSystemEnvironmentValuesEx_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6002 | |
| jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown | |
| NtEnumerateSystemEnvironmentValuesEx_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_1_7601 | |
| jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown | |
| NtEnumerateSystemEnvironmentValuesEx_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_18363 | |
| jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0095h | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00bch | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00bah | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00bah | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00bdh | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00bdh | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00cch | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00ceh | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00d1h | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00d2h | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00d4h | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00d7h | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00d8h | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00d9h | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00dah | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00dbh | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00dbh | |
| jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue | |
| NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtEnumerateSystemEnvironmentValuesEx_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtEnumerateSystemEnvironmentValuesEx ENDP | |
| NtEnumerateTransactionObject PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtEnumerateTransactionObject_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtEnumerateTransactionObject_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtEnumerateTransactionObject_Check_10_0_XXXX | |
| jmp NtEnumerateTransactionObject_SystemCall_Unknown | |
| NtEnumerateTransactionObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtEnumerateTransactionObject_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtEnumerateTransactionObject_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtEnumerateTransactionObject_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtEnumerateTransactionObject_SystemCall_6_3_XXXX | |
| jmp NtEnumerateTransactionObject_SystemCall_Unknown | |
| NtEnumerateTransactionObject_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtEnumerateTransactionObject_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtEnumerateTransactionObject_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtEnumerateTransactionObject_SystemCall_6_0_6002 | |
| jmp NtEnumerateTransactionObject_SystemCall_Unknown | |
| NtEnumerateTransactionObject_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtEnumerateTransactionObject_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtEnumerateTransactionObject_SystemCall_6_1_7601 | |
| jmp NtEnumerateTransactionObject_SystemCall_Unknown | |
| NtEnumerateTransactionObject_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtEnumerateTransactionObject_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtEnumerateTransactionObject_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtEnumerateTransactionObject_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtEnumerateTransactionObject_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtEnumerateTransactionObject_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtEnumerateTransactionObject_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtEnumerateTransactionObject_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtEnumerateTransactionObject_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtEnumerateTransactionObject_SystemCall_10_0_18363 | |
| jmp NtEnumerateTransactionObject_SystemCall_Unknown | |
| NtEnumerateTransactionObject_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00bdh | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00bbh | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00bbh | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00beh | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00beh | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00cdh | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00cfh | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00d2h | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00d3h | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00d5h | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00d8h | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00d9h | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00dah | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00dbh | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00dch | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00dch | |
| jmp NtEnumerateTransactionObject_Epilogue | |
| NtEnumerateTransactionObject_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtEnumerateTransactionObject_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtEnumerateTransactionObject ENDP | |
| NtEnumerateValueKey PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtEnumerateValueKey_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtEnumerateValueKey_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtEnumerateValueKey_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtEnumerateValueKey_Check_10_0_XXXX | |
| jmp NtEnumerateValueKey_SystemCall_Unknown | |
| NtEnumerateValueKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtEnumerateValueKey_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtEnumerateValueKey_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtEnumerateValueKey_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtEnumerateValueKey_SystemCall_6_3_XXXX | |
| jmp NtEnumerateValueKey_SystemCall_Unknown | |
| NtEnumerateValueKey_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtEnumerateValueKey_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtEnumerateValueKey_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtEnumerateValueKey_SystemCall_6_0_6002 | |
| jmp NtEnumerateValueKey_SystemCall_Unknown | |
| NtEnumerateValueKey_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtEnumerateValueKey_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtEnumerateValueKey_SystemCall_6_1_7601 | |
| jmp NtEnumerateValueKey_SystemCall_Unknown | |
| NtEnumerateValueKey_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtEnumerateValueKey_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtEnumerateValueKey_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtEnumerateValueKey_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtEnumerateValueKey_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtEnumerateValueKey_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtEnumerateValueKey_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtEnumerateValueKey_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtEnumerateValueKey_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtEnumerateValueKey_SystemCall_10_0_18363 | |
| jmp NtEnumerateValueKey_SystemCall_Unknown | |
| NtEnumerateValueKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0010h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0010h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0010h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0010h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0010h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0010h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0011h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0012h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0013h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0013h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0013h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0013h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0013h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0013h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0013h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0013h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0013h | |
| jmp NtEnumerateValueKey_Epilogue | |
| NtEnumerateValueKey_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtEnumerateValueKey_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtEnumerateValueKey ENDP | |
| NtExtendSection PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtExtendSection_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtExtendSection_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtExtendSection_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtExtendSection_Check_10_0_XXXX | |
| jmp NtExtendSection_SystemCall_Unknown | |
| NtExtendSection_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtExtendSection_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtExtendSection_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtExtendSection_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtExtendSection_SystemCall_6_3_XXXX | |
| jmp NtExtendSection_SystemCall_Unknown | |
| NtExtendSection_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtExtendSection_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtExtendSection_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtExtendSection_SystemCall_6_0_6002 | |
| jmp NtExtendSection_SystemCall_Unknown | |
| NtExtendSection_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtExtendSection_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtExtendSection_SystemCall_6_1_7601 | |
| jmp NtExtendSection_SystemCall_Unknown | |
| NtExtendSection_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtExtendSection_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtExtendSection_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtExtendSection_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtExtendSection_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtExtendSection_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtExtendSection_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtExtendSection_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtExtendSection_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtExtendSection_SystemCall_10_0_18363 | |
| jmp NtExtendSection_SystemCall_Unknown | |
| NtExtendSection_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0096h | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00beh | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00bch | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00bch | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00bfh | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00bfh | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00ceh | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00d0h | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00d3h | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00d4h | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00d6h | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00d9h | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00dah | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00dbh | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00dch | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00ddh | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00ddh | |
| jmp NtExtendSection_Epilogue | |
| NtExtendSection_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtExtendSection_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtExtendSection ENDP | |
| NtFilterBootOption PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFilterBootOption_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFilterBootOption_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFilterBootOption_Check_10_0_XXXX | |
| jmp NtFilterBootOption_SystemCall_Unknown | |
| NtFilterBootOption_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFilterBootOption_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFilterBootOption_SystemCall_6_3_XXXX | |
| jmp NtFilterBootOption_SystemCall_Unknown | |
| NtFilterBootOption_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFilterBootOption_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFilterBootOption_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFilterBootOption_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFilterBootOption_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFilterBootOption_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFilterBootOption_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFilterBootOption_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFilterBootOption_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFilterBootOption_SystemCall_10_0_18363 | |
| jmp NtFilterBootOption_SystemCall_Unknown | |
| NtFilterBootOption_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00cfh | |
| jmp NtFilterBootOption_Epilogue | |
| NtFilterBootOption_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00d1h | |
| jmp NtFilterBootOption_Epilogue | |
| NtFilterBootOption_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00d4h | |
| jmp NtFilterBootOption_Epilogue | |
| NtFilterBootOption_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00d5h | |
| jmp NtFilterBootOption_Epilogue | |
| NtFilterBootOption_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00d7h | |
| jmp NtFilterBootOption_Epilogue | |
| NtFilterBootOption_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00dah | |
| jmp NtFilterBootOption_Epilogue | |
| NtFilterBootOption_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00dbh | |
| jmp NtFilterBootOption_Epilogue | |
| NtFilterBootOption_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00dch | |
| jmp NtFilterBootOption_Epilogue | |
| NtFilterBootOption_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00ddh | |
| jmp NtFilterBootOption_Epilogue | |
| NtFilterBootOption_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00deh | |
| jmp NtFilterBootOption_Epilogue | |
| NtFilterBootOption_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00deh | |
| jmp NtFilterBootOption_Epilogue | |
| NtFilterBootOption_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFilterBootOption_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFilterBootOption ENDP | |
| NtFilterToken PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFilterToken_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtFilterToken_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFilterToken_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFilterToken_Check_10_0_XXXX | |
| jmp NtFilterToken_SystemCall_Unknown | |
| NtFilterToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtFilterToken_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtFilterToken_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFilterToken_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFilterToken_SystemCall_6_3_XXXX | |
| jmp NtFilterToken_SystemCall_Unknown | |
| NtFilterToken_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtFilterToken_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtFilterToken_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtFilterToken_SystemCall_6_0_6002 | |
| jmp NtFilterToken_SystemCall_Unknown | |
| NtFilterToken_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtFilterToken_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtFilterToken_SystemCall_6_1_7601 | |
| jmp NtFilterToken_SystemCall_Unknown | |
| NtFilterToken_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFilterToken_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFilterToken_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFilterToken_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFilterToken_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFilterToken_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFilterToken_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFilterToken_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFilterToken_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFilterToken_SystemCall_10_0_18363 | |
| jmp NtFilterToken_SystemCall_Unknown | |
| NtFilterToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0097h | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00bfh | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00bdh | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00bdh | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00c0h | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00c0h | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00d0h | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00d2h | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00d5h | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00d6h | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00d8h | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00dbh | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00dch | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00ddh | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00deh | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00dfh | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00dfh | |
| jmp NtFilterToken_Epilogue | |
| NtFilterToken_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFilterToken_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFilterToken ENDP | |
| NtFilterTokenEx PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFilterTokenEx_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFilterTokenEx_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFilterTokenEx_Check_10_0_XXXX | |
| jmp NtFilterTokenEx_SystemCall_Unknown | |
| NtFilterTokenEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFilterTokenEx_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFilterTokenEx_SystemCall_6_3_XXXX | |
| jmp NtFilterTokenEx_SystemCall_Unknown | |
| NtFilterTokenEx_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFilterTokenEx_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFilterTokenEx_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFilterTokenEx_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFilterTokenEx_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFilterTokenEx_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFilterTokenEx_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFilterTokenEx_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFilterTokenEx_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFilterTokenEx_SystemCall_10_0_18363 | |
| jmp NtFilterTokenEx_SystemCall_Unknown | |
| NtFilterTokenEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00d1h | |
| jmp NtFilterTokenEx_Epilogue | |
| NtFilterTokenEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00d3h | |
| jmp NtFilterTokenEx_Epilogue | |
| NtFilterTokenEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00d6h | |
| jmp NtFilterTokenEx_Epilogue | |
| NtFilterTokenEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00d7h | |
| jmp NtFilterTokenEx_Epilogue | |
| NtFilterTokenEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00d9h | |
| jmp NtFilterTokenEx_Epilogue | |
| NtFilterTokenEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00dch | |
| jmp NtFilterTokenEx_Epilogue | |
| NtFilterTokenEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00ddh | |
| jmp NtFilterTokenEx_Epilogue | |
| NtFilterTokenEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00deh | |
| jmp NtFilterTokenEx_Epilogue | |
| NtFilterTokenEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00dfh | |
| jmp NtFilterTokenEx_Epilogue | |
| NtFilterTokenEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00e0h | |
| jmp NtFilterTokenEx_Epilogue | |
| NtFilterTokenEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00e0h | |
| jmp NtFilterTokenEx_Epilogue | |
| NtFilterTokenEx_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFilterTokenEx_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFilterTokenEx ENDP | |
| NtFindAtom PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFindAtom_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtFindAtom_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFindAtom_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFindAtom_Check_10_0_XXXX | |
| jmp NtFindAtom_SystemCall_Unknown | |
| NtFindAtom_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtFindAtom_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtFindAtom_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFindAtom_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFindAtom_SystemCall_6_3_XXXX | |
| jmp NtFindAtom_SystemCall_Unknown | |
| NtFindAtom_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtFindAtom_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtFindAtom_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtFindAtom_SystemCall_6_0_6002 | |
| jmp NtFindAtom_SystemCall_Unknown | |
| NtFindAtom_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtFindAtom_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtFindAtom_SystemCall_6_1_7601 | |
| jmp NtFindAtom_SystemCall_Unknown | |
| NtFindAtom_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFindAtom_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFindAtom_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFindAtom_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFindAtom_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFindAtom_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFindAtom_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFindAtom_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFindAtom_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFindAtom_SystemCall_10_0_18363 | |
| jmp NtFindAtom_SystemCall_Unknown | |
| NtFindAtom_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0011h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0011h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0011h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0011h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0011h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0011h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0012h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0013h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0014h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0014h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0014h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0014h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0014h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0014h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0014h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0014h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0014h | |
| jmp NtFindAtom_Epilogue | |
| NtFindAtom_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFindAtom_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFindAtom ENDP | |
| NtFlushBuffersFile PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFlushBuffersFile_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtFlushBuffersFile_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFlushBuffersFile_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFlushBuffersFile_Check_10_0_XXXX | |
| jmp NtFlushBuffersFile_SystemCall_Unknown | |
| NtFlushBuffersFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtFlushBuffersFile_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtFlushBuffersFile_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushBuffersFile_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushBuffersFile_SystemCall_6_3_XXXX | |
| jmp NtFlushBuffersFile_SystemCall_Unknown | |
| NtFlushBuffersFile_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtFlushBuffersFile_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtFlushBuffersFile_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtFlushBuffersFile_SystemCall_6_0_6002 | |
| jmp NtFlushBuffersFile_SystemCall_Unknown | |
| NtFlushBuffersFile_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtFlushBuffersFile_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtFlushBuffersFile_SystemCall_6_1_7601 | |
| jmp NtFlushBuffersFile_SystemCall_Unknown | |
| NtFlushBuffersFile_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFlushBuffersFile_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFlushBuffersFile_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFlushBuffersFile_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFlushBuffersFile_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFlushBuffersFile_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFlushBuffersFile_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFlushBuffersFile_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFlushBuffersFile_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFlushBuffersFile_SystemCall_10_0_18363 | |
| jmp NtFlushBuffersFile_SystemCall_Unknown | |
| NtFlushBuffersFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0048h | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0048h | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0048h | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0048h | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0048h | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0048h | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0049h | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 004ah | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 004bh | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 004bh | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 004bh | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 004bh | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 004bh | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 004bh | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 004bh | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 004bh | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 004bh | |
| jmp NtFlushBuffersFile_Epilogue | |
| NtFlushBuffersFile_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFlushBuffersFile_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFlushBuffersFile ENDP | |
| NtFlushBuffersFileEx PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFlushBuffersFileEx_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFlushBuffersFileEx_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFlushBuffersFileEx_Check_10_0_XXXX | |
| jmp NtFlushBuffersFileEx_SystemCall_Unknown | |
| NtFlushBuffersFileEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushBuffersFileEx_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushBuffersFileEx_SystemCall_6_3_XXXX | |
| jmp NtFlushBuffersFileEx_SystemCall_Unknown | |
| NtFlushBuffersFileEx_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFlushBuffersFileEx_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFlushBuffersFileEx_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFlushBuffersFileEx_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFlushBuffersFileEx_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFlushBuffersFileEx_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFlushBuffersFileEx_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFlushBuffersFileEx_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFlushBuffersFileEx_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFlushBuffersFileEx_SystemCall_10_0_18363 | |
| jmp NtFlushBuffersFileEx_SystemCall_Unknown | |
| NtFlushBuffersFileEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00d2h | |
| jmp NtFlushBuffersFileEx_Epilogue | |
| NtFlushBuffersFileEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00d4h | |
| jmp NtFlushBuffersFileEx_Epilogue | |
| NtFlushBuffersFileEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00d7h | |
| jmp NtFlushBuffersFileEx_Epilogue | |
| NtFlushBuffersFileEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00d8h | |
| jmp NtFlushBuffersFileEx_Epilogue | |
| NtFlushBuffersFileEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00dah | |
| jmp NtFlushBuffersFileEx_Epilogue | |
| NtFlushBuffersFileEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00ddh | |
| jmp NtFlushBuffersFileEx_Epilogue | |
| NtFlushBuffersFileEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00deh | |
| jmp NtFlushBuffersFileEx_Epilogue | |
| NtFlushBuffersFileEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00dfh | |
| jmp NtFlushBuffersFileEx_Epilogue | |
| NtFlushBuffersFileEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00e0h | |
| jmp NtFlushBuffersFileEx_Epilogue | |
| NtFlushBuffersFileEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00e1h | |
| jmp NtFlushBuffersFileEx_Epilogue | |
| NtFlushBuffersFileEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00e1h | |
| jmp NtFlushBuffersFileEx_Epilogue | |
| NtFlushBuffersFileEx_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFlushBuffersFileEx_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFlushBuffersFileEx ENDP | |
| NtFlushInstallUILanguage PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFlushInstallUILanguage_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFlushInstallUILanguage_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFlushInstallUILanguage_Check_10_0_XXXX | |
| jmp NtFlushInstallUILanguage_SystemCall_Unknown | |
| NtFlushInstallUILanguage_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtFlushInstallUILanguage_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtFlushInstallUILanguage_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushInstallUILanguage_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushInstallUILanguage_SystemCall_6_3_XXXX | |
| jmp NtFlushInstallUILanguage_SystemCall_Unknown | |
| NtFlushInstallUILanguage_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtFlushInstallUILanguage_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtFlushInstallUILanguage_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtFlushInstallUILanguage_SystemCall_6_0_6002 | |
| jmp NtFlushInstallUILanguage_SystemCall_Unknown | |
| NtFlushInstallUILanguage_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtFlushInstallUILanguage_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtFlushInstallUILanguage_SystemCall_6_1_7601 | |
| jmp NtFlushInstallUILanguage_SystemCall_Unknown | |
| NtFlushInstallUILanguage_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFlushInstallUILanguage_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFlushInstallUILanguage_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFlushInstallUILanguage_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFlushInstallUILanguage_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFlushInstallUILanguage_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFlushInstallUILanguage_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFlushInstallUILanguage_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFlushInstallUILanguage_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFlushInstallUILanguage_SystemCall_10_0_18363 | |
| jmp NtFlushInstallUILanguage_SystemCall_Unknown | |
| NtFlushInstallUILanguage_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00c0h | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00beh | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00beh | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00c1h | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00c1h | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00d3h | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00d5h | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00d8h | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00d9h | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00dbh | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00deh | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00dfh | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00e0h | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00e1h | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00e2h | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00e2h | |
| jmp NtFlushInstallUILanguage_Epilogue | |
| NtFlushInstallUILanguage_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFlushInstallUILanguage_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFlushInstallUILanguage ENDP | |
| NtFlushInstructionCache PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFlushInstructionCache_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtFlushInstructionCache_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFlushInstructionCache_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFlushInstructionCache_Check_10_0_XXXX | |
| jmp NtFlushInstructionCache_SystemCall_Unknown | |
| NtFlushInstructionCache_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtFlushInstructionCache_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtFlushInstructionCache_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushInstructionCache_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushInstructionCache_SystemCall_6_3_XXXX | |
| jmp NtFlushInstructionCache_SystemCall_Unknown | |
| NtFlushInstructionCache_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtFlushInstructionCache_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtFlushInstructionCache_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtFlushInstructionCache_SystemCall_6_0_6002 | |
| jmp NtFlushInstructionCache_SystemCall_Unknown | |
| NtFlushInstructionCache_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtFlushInstructionCache_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtFlushInstructionCache_SystemCall_6_1_7601 | |
| jmp NtFlushInstructionCache_SystemCall_Unknown | |
| NtFlushInstructionCache_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFlushInstructionCache_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFlushInstructionCache_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFlushInstructionCache_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFlushInstructionCache_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFlushInstructionCache_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFlushInstructionCache_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFlushInstructionCache_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFlushInstructionCache_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFlushInstructionCache_SystemCall_10_0_18363 | |
| jmp NtFlushInstructionCache_SystemCall_Unknown | |
| NtFlushInstructionCache_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0098h | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00c1h | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00bfh | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00bfh | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00c2h | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00c2h | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00d4h | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00d6h | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00d9h | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00dah | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00dch | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00dfh | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00e0h | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00e1h | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00e2h | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00e3h | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00e3h | |
| jmp NtFlushInstructionCache_Epilogue | |
| NtFlushInstructionCache_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFlushInstructionCache_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFlushInstructionCache ENDP | |
| NtFlushKey PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFlushKey_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtFlushKey_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFlushKey_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFlushKey_Check_10_0_XXXX | |
| jmp NtFlushKey_SystemCall_Unknown | |
| NtFlushKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtFlushKey_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtFlushKey_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushKey_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushKey_SystemCall_6_3_XXXX | |
| jmp NtFlushKey_SystemCall_Unknown | |
| NtFlushKey_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtFlushKey_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtFlushKey_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtFlushKey_SystemCall_6_0_6002 | |
| jmp NtFlushKey_SystemCall_Unknown | |
| NtFlushKey_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtFlushKey_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtFlushKey_SystemCall_6_1_7601 | |
| jmp NtFlushKey_SystemCall_Unknown | |
| NtFlushKey_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFlushKey_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFlushKey_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFlushKey_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFlushKey_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFlushKey_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFlushKey_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFlushKey_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFlushKey_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFlushKey_SystemCall_10_0_18363 | |
| jmp NtFlushKey_SystemCall_Unknown | |
| NtFlushKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0099h | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00c2h | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00c0h | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00c0h | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00c3h | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00c3h | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00d5h | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00d7h | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00dah | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00dbh | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00ddh | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00e0h | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00e1h | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00e2h | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00e3h | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00e4h | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00e4h | |
| jmp NtFlushKey_Epilogue | |
| NtFlushKey_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFlushKey_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFlushKey ENDP | |
| NtFlushProcessWriteBuffers PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFlushProcessWriteBuffers_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFlushProcessWriteBuffers_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFlushProcessWriteBuffers_Check_10_0_XXXX | |
| jmp NtFlushProcessWriteBuffers_SystemCall_Unknown | |
| NtFlushProcessWriteBuffers_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtFlushProcessWriteBuffers_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtFlushProcessWriteBuffers_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushProcessWriteBuffers_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushProcessWriteBuffers_SystemCall_6_3_XXXX | |
| jmp NtFlushProcessWriteBuffers_SystemCall_Unknown | |
| NtFlushProcessWriteBuffers_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtFlushProcessWriteBuffers_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtFlushProcessWriteBuffers_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtFlushProcessWriteBuffers_SystemCall_6_0_6002 | |
| jmp NtFlushProcessWriteBuffers_SystemCall_Unknown | |
| NtFlushProcessWriteBuffers_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtFlushProcessWriteBuffers_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtFlushProcessWriteBuffers_SystemCall_6_1_7601 | |
| jmp NtFlushProcessWriteBuffers_SystemCall_Unknown | |
| NtFlushProcessWriteBuffers_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFlushProcessWriteBuffers_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFlushProcessWriteBuffers_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFlushProcessWriteBuffers_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFlushProcessWriteBuffers_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFlushProcessWriteBuffers_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFlushProcessWriteBuffers_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFlushProcessWriteBuffers_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFlushProcessWriteBuffers_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFlushProcessWriteBuffers_SystemCall_10_0_18363 | |
| jmp NtFlushProcessWriteBuffers_SystemCall_Unknown | |
| NtFlushProcessWriteBuffers_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00c3h | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00c1h | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00c1h | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00c4h | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00c4h | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00d6h | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00d8h | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00dbh | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00dch | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00deh | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00e1h | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00e2h | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00e3h | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00e4h | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00e5h | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00e5h | |
| jmp NtFlushProcessWriteBuffers_Epilogue | |
| NtFlushProcessWriteBuffers_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFlushProcessWriteBuffers_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFlushProcessWriteBuffers ENDP | |
| NtFlushVirtualMemory PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFlushVirtualMemory_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtFlushVirtualMemory_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFlushVirtualMemory_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFlushVirtualMemory_Check_10_0_XXXX | |
| jmp NtFlushVirtualMemory_SystemCall_Unknown | |
| NtFlushVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtFlushVirtualMemory_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtFlushVirtualMemory_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushVirtualMemory_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushVirtualMemory_SystemCall_6_3_XXXX | |
| jmp NtFlushVirtualMemory_SystemCall_Unknown | |
| NtFlushVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtFlushVirtualMemory_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtFlushVirtualMemory_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtFlushVirtualMemory_SystemCall_6_0_6002 | |
| jmp NtFlushVirtualMemory_SystemCall_Unknown | |
| NtFlushVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtFlushVirtualMemory_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtFlushVirtualMemory_SystemCall_6_1_7601 | |
| jmp NtFlushVirtualMemory_SystemCall_Unknown | |
| NtFlushVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFlushVirtualMemory_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFlushVirtualMemory_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFlushVirtualMemory_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFlushVirtualMemory_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFlushVirtualMemory_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFlushVirtualMemory_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFlushVirtualMemory_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFlushVirtualMemory_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFlushVirtualMemory_SystemCall_10_0_18363 | |
| jmp NtFlushVirtualMemory_SystemCall_Unknown | |
| NtFlushVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 009ah | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00c4h | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00c2h | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00c2h | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00c5h | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00c5h | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00d7h | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00d9h | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00dch | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00ddh | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00dfh | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00e2h | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00e3h | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00e4h | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00e5h | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00e6h | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00e6h | |
| jmp NtFlushVirtualMemory_Epilogue | |
| NtFlushVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFlushVirtualMemory_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFlushVirtualMemory ENDP | |
| NtFlushWriteBuffer PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFlushWriteBuffer_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtFlushWriteBuffer_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFlushWriteBuffer_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFlushWriteBuffer_Check_10_0_XXXX | |
| jmp NtFlushWriteBuffer_SystemCall_Unknown | |
| NtFlushWriteBuffer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtFlushWriteBuffer_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtFlushWriteBuffer_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushWriteBuffer_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFlushWriteBuffer_SystemCall_6_3_XXXX | |
| jmp NtFlushWriteBuffer_SystemCall_Unknown | |
| NtFlushWriteBuffer_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtFlushWriteBuffer_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtFlushWriteBuffer_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtFlushWriteBuffer_SystemCall_6_0_6002 | |
| jmp NtFlushWriteBuffer_SystemCall_Unknown | |
| NtFlushWriteBuffer_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtFlushWriteBuffer_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtFlushWriteBuffer_SystemCall_6_1_7601 | |
| jmp NtFlushWriteBuffer_SystemCall_Unknown | |
| NtFlushWriteBuffer_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFlushWriteBuffer_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFlushWriteBuffer_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFlushWriteBuffer_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFlushWriteBuffer_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFlushWriteBuffer_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFlushWriteBuffer_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFlushWriteBuffer_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFlushWriteBuffer_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFlushWriteBuffer_SystemCall_10_0_18363 | |
| jmp NtFlushWriteBuffer_SystemCall_Unknown | |
| NtFlushWriteBuffer_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 009bh | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00c5h | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00c3h | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00c3h | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00c6h | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00c6h | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00d8h | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00dah | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00ddh | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00deh | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00e0h | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00e3h | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00e4h | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00e5h | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00e6h | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00e7h | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00e7h | |
| jmp NtFlushWriteBuffer_Epilogue | |
| NtFlushWriteBuffer_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFlushWriteBuffer_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFlushWriteBuffer ENDP | |
| NtFreeUserPhysicalPages PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFreeUserPhysicalPages_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtFreeUserPhysicalPages_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFreeUserPhysicalPages_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFreeUserPhysicalPages_Check_10_0_XXXX | |
| jmp NtFreeUserPhysicalPages_SystemCall_Unknown | |
| NtFreeUserPhysicalPages_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtFreeUserPhysicalPages_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtFreeUserPhysicalPages_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFreeUserPhysicalPages_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFreeUserPhysicalPages_SystemCall_6_3_XXXX | |
| jmp NtFreeUserPhysicalPages_SystemCall_Unknown | |
| NtFreeUserPhysicalPages_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtFreeUserPhysicalPages_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtFreeUserPhysicalPages_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtFreeUserPhysicalPages_SystemCall_6_0_6002 | |
| jmp NtFreeUserPhysicalPages_SystemCall_Unknown | |
| NtFreeUserPhysicalPages_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtFreeUserPhysicalPages_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtFreeUserPhysicalPages_SystemCall_6_1_7601 | |
| jmp NtFreeUserPhysicalPages_SystemCall_Unknown | |
| NtFreeUserPhysicalPages_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFreeUserPhysicalPages_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFreeUserPhysicalPages_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFreeUserPhysicalPages_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFreeUserPhysicalPages_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFreeUserPhysicalPages_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFreeUserPhysicalPages_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFreeUserPhysicalPages_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFreeUserPhysicalPages_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFreeUserPhysicalPages_SystemCall_10_0_18363 | |
| jmp NtFreeUserPhysicalPages_SystemCall_Unknown | |
| NtFreeUserPhysicalPages_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 009ch | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00c6h | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00c4h | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00c4h | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00c7h | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00c7h | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00d9h | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00dbh | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00deh | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00dfh | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00e1h | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00e4h | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00e5h | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00e6h | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00e7h | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00e8h | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00e8h | |
| jmp NtFreeUserPhysicalPages_Epilogue | |
| NtFreeUserPhysicalPages_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFreeUserPhysicalPages_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFreeUserPhysicalPages ENDP | |
| NtFreeVirtualMemory PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFreeVirtualMemory_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtFreeVirtualMemory_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFreeVirtualMemory_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFreeVirtualMemory_Check_10_0_XXXX | |
| jmp NtFreeVirtualMemory_SystemCall_Unknown | |
| NtFreeVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtFreeVirtualMemory_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtFreeVirtualMemory_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFreeVirtualMemory_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFreeVirtualMemory_SystemCall_6_3_XXXX | |
| jmp NtFreeVirtualMemory_SystemCall_Unknown | |
| NtFreeVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtFreeVirtualMemory_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtFreeVirtualMemory_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtFreeVirtualMemory_SystemCall_6_0_6002 | |
| jmp NtFreeVirtualMemory_SystemCall_Unknown | |
| NtFreeVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtFreeVirtualMemory_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtFreeVirtualMemory_SystemCall_6_1_7601 | |
| jmp NtFreeVirtualMemory_SystemCall_Unknown | |
| NtFreeVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFreeVirtualMemory_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFreeVirtualMemory_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFreeVirtualMemory_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFreeVirtualMemory_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFreeVirtualMemory_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFreeVirtualMemory_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFreeVirtualMemory_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFreeVirtualMemory_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFreeVirtualMemory_SystemCall_10_0_18363 | |
| jmp NtFreeVirtualMemory_SystemCall_Unknown | |
| NtFreeVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 001bh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 001bh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 001bh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 001bh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 001bh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 001bh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 001ch | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 001dh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 001eh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 001eh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 001eh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 001eh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 001eh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 001eh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 001eh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 001eh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 001eh | |
| jmp NtFreeVirtualMemory_Epilogue | |
| NtFreeVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFreeVirtualMemory_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFreeVirtualMemory ENDP | |
| NtFreezeRegistry PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFreezeRegistry_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFreezeRegistry_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFreezeRegistry_Check_10_0_XXXX | |
| jmp NtFreezeRegistry_SystemCall_Unknown | |
| NtFreezeRegistry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtFreezeRegistry_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtFreezeRegistry_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFreezeRegistry_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFreezeRegistry_SystemCall_6_3_XXXX | |
| jmp NtFreezeRegistry_SystemCall_Unknown | |
| NtFreezeRegistry_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtFreezeRegistry_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtFreezeRegistry_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtFreezeRegistry_SystemCall_6_0_6002 | |
| jmp NtFreezeRegistry_SystemCall_Unknown | |
| NtFreezeRegistry_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtFreezeRegistry_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtFreezeRegistry_SystemCall_6_1_7601 | |
| jmp NtFreezeRegistry_SystemCall_Unknown | |
| NtFreezeRegistry_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFreezeRegistry_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFreezeRegistry_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFreezeRegistry_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFreezeRegistry_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFreezeRegistry_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFreezeRegistry_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFreezeRegistry_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFreezeRegistry_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFreezeRegistry_SystemCall_10_0_18363 | |
| jmp NtFreezeRegistry_SystemCall_Unknown | |
| NtFreezeRegistry_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00c7h | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00c5h | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00c5h | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00c8h | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00c8h | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00dah | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00dch | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00dfh | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00e0h | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00e2h | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00e5h | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00e6h | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00e7h | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00e8h | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00e9h | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00e9h | |
| jmp NtFreezeRegistry_Epilogue | |
| NtFreezeRegistry_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFreezeRegistry_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFreezeRegistry ENDP | |
| NtFreezeTransactions PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFreezeTransactions_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFreezeTransactions_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFreezeTransactions_Check_10_0_XXXX | |
| jmp NtFreezeTransactions_SystemCall_Unknown | |
| NtFreezeTransactions_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtFreezeTransactions_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtFreezeTransactions_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFreezeTransactions_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFreezeTransactions_SystemCall_6_3_XXXX | |
| jmp NtFreezeTransactions_SystemCall_Unknown | |
| NtFreezeTransactions_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtFreezeTransactions_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtFreezeTransactions_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtFreezeTransactions_SystemCall_6_0_6002 | |
| jmp NtFreezeTransactions_SystemCall_Unknown | |
| NtFreezeTransactions_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtFreezeTransactions_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtFreezeTransactions_SystemCall_6_1_7601 | |
| jmp NtFreezeTransactions_SystemCall_Unknown | |
| NtFreezeTransactions_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFreezeTransactions_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFreezeTransactions_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFreezeTransactions_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFreezeTransactions_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFreezeTransactions_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFreezeTransactions_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFreezeTransactions_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFreezeTransactions_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFreezeTransactions_SystemCall_10_0_18363 | |
| jmp NtFreezeTransactions_SystemCall_Unknown | |
| NtFreezeTransactions_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00c8h | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00c6h | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00c6h | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00c9h | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00c9h | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00dbh | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00ddh | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00e0h | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00e1h | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00e3h | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00e6h | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00e7h | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00e8h | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00e9h | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00eah | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00eah | |
| jmp NtFreezeTransactions_Epilogue | |
| NtFreezeTransactions_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFreezeTransactions_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFreezeTransactions ENDP | |
| NtFsControlFile PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtFsControlFile_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtFsControlFile_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtFsControlFile_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtFsControlFile_Check_10_0_XXXX | |
| jmp NtFsControlFile_SystemCall_Unknown | |
| NtFsControlFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtFsControlFile_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtFsControlFile_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFsControlFile_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtFsControlFile_SystemCall_6_3_XXXX | |
| jmp NtFsControlFile_SystemCall_Unknown | |
| NtFsControlFile_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtFsControlFile_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtFsControlFile_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtFsControlFile_SystemCall_6_0_6002 | |
| jmp NtFsControlFile_SystemCall_Unknown | |
| NtFsControlFile_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtFsControlFile_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtFsControlFile_SystemCall_6_1_7601 | |
| jmp NtFsControlFile_SystemCall_Unknown | |
| NtFsControlFile_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtFsControlFile_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtFsControlFile_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtFsControlFile_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtFsControlFile_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtFsControlFile_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtFsControlFile_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtFsControlFile_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtFsControlFile_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtFsControlFile_SystemCall_10_0_18363 | |
| jmp NtFsControlFile_SystemCall_Unknown | |
| NtFsControlFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 0036h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0036h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 0036h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 0036h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 0036h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 0036h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 0037h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 0038h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0039h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0039h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0039h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0039h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0039h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0039h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0039h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0039h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 0039h | |
| jmp NtFsControlFile_Epilogue | |
| NtFsControlFile_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtFsControlFile_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtFsControlFile ENDP | |
| NtGetCachedSigningLevel PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtGetCachedSigningLevel_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtGetCachedSigningLevel_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtGetCachedSigningLevel_Check_10_0_XXXX | |
| jmp NtGetCachedSigningLevel_SystemCall_Unknown | |
| NtGetCachedSigningLevel_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetCachedSigningLevel_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetCachedSigningLevel_SystemCall_6_3_XXXX | |
| jmp NtGetCachedSigningLevel_SystemCall_Unknown | |
| NtGetCachedSigningLevel_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtGetCachedSigningLevel_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtGetCachedSigningLevel_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtGetCachedSigningLevel_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtGetCachedSigningLevel_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtGetCachedSigningLevel_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtGetCachedSigningLevel_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtGetCachedSigningLevel_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtGetCachedSigningLevel_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtGetCachedSigningLevel_SystemCall_10_0_18363 | |
| jmp NtGetCachedSigningLevel_SystemCall_Unknown | |
| NtGetCachedSigningLevel_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00dch | |
| jmp NtGetCachedSigningLevel_Epilogue | |
| NtGetCachedSigningLevel_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00deh | |
| jmp NtGetCachedSigningLevel_Epilogue | |
| NtGetCachedSigningLevel_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00e1h | |
| jmp NtGetCachedSigningLevel_Epilogue | |
| NtGetCachedSigningLevel_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00e2h | |
| jmp NtGetCachedSigningLevel_Epilogue | |
| NtGetCachedSigningLevel_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00e4h | |
| jmp NtGetCachedSigningLevel_Epilogue | |
| NtGetCachedSigningLevel_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00e7h | |
| jmp NtGetCachedSigningLevel_Epilogue | |
| NtGetCachedSigningLevel_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00e8h | |
| jmp NtGetCachedSigningLevel_Epilogue | |
| NtGetCachedSigningLevel_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00e9h | |
| jmp NtGetCachedSigningLevel_Epilogue | |
| NtGetCachedSigningLevel_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00eah | |
| jmp NtGetCachedSigningLevel_Epilogue | |
| NtGetCachedSigningLevel_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00ebh | |
| jmp NtGetCachedSigningLevel_Epilogue | |
| NtGetCachedSigningLevel_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00ebh | |
| jmp NtGetCachedSigningLevel_Epilogue | |
| NtGetCachedSigningLevel_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtGetCachedSigningLevel_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtGetCachedSigningLevel ENDP | |
| NtGetCompleteWnfStateSubscription PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtGetCompleteWnfStateSubscription_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtGetCompleteWnfStateSubscription_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtGetCompleteWnfStateSubscription_Check_10_0_XXXX | |
| jmp NtGetCompleteWnfStateSubscription_SystemCall_Unknown | |
| NtGetCompleteWnfStateSubscription_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetCompleteWnfStateSubscription_SystemCall_6_3_XXXX | |
| jmp NtGetCompleteWnfStateSubscription_SystemCall_Unknown | |
| NtGetCompleteWnfStateSubscription_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtGetCompleteWnfStateSubscription_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtGetCompleteWnfStateSubscription_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtGetCompleteWnfStateSubscription_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtGetCompleteWnfStateSubscription_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtGetCompleteWnfStateSubscription_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtGetCompleteWnfStateSubscription_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtGetCompleteWnfStateSubscription_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtGetCompleteWnfStateSubscription_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtGetCompleteWnfStateSubscription_SystemCall_10_0_18363 | |
| jmp NtGetCompleteWnfStateSubscription_SystemCall_Unknown | |
| NtGetCompleteWnfStateSubscription_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00dfh | |
| jmp NtGetCompleteWnfStateSubscription_Epilogue | |
| NtGetCompleteWnfStateSubscription_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00e2h | |
| jmp NtGetCompleteWnfStateSubscription_Epilogue | |
| NtGetCompleteWnfStateSubscription_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00e3h | |
| jmp NtGetCompleteWnfStateSubscription_Epilogue | |
| NtGetCompleteWnfStateSubscription_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00e5h | |
| jmp NtGetCompleteWnfStateSubscription_Epilogue | |
| NtGetCompleteWnfStateSubscription_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00e8h | |
| jmp NtGetCompleteWnfStateSubscription_Epilogue | |
| NtGetCompleteWnfStateSubscription_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00e9h | |
| jmp NtGetCompleteWnfStateSubscription_Epilogue | |
| NtGetCompleteWnfStateSubscription_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00eah | |
| jmp NtGetCompleteWnfStateSubscription_Epilogue | |
| NtGetCompleteWnfStateSubscription_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00ebh | |
| jmp NtGetCompleteWnfStateSubscription_Epilogue | |
| NtGetCompleteWnfStateSubscription_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00ech | |
| jmp NtGetCompleteWnfStateSubscription_Epilogue | |
| NtGetCompleteWnfStateSubscription_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00ech | |
| jmp NtGetCompleteWnfStateSubscription_Epilogue | |
| NtGetCompleteWnfStateSubscription_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtGetCompleteWnfStateSubscription_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtGetCompleteWnfStateSubscription ENDP | |
| NtGetContextThread PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtGetContextThread_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtGetContextThread_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtGetContextThread_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtGetContextThread_Check_10_0_XXXX | |
| jmp NtGetContextThread_SystemCall_Unknown | |
| NtGetContextThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtGetContextThread_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtGetContextThread_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetContextThread_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetContextThread_SystemCall_6_3_XXXX | |
| jmp NtGetContextThread_SystemCall_Unknown | |
| NtGetContextThread_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtGetContextThread_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtGetContextThread_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtGetContextThread_SystemCall_6_0_6002 | |
| jmp NtGetContextThread_SystemCall_Unknown | |
| NtGetContextThread_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtGetContextThread_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtGetContextThread_SystemCall_6_1_7601 | |
| jmp NtGetContextThread_SystemCall_Unknown | |
| NtGetContextThread_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtGetContextThread_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtGetContextThread_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtGetContextThread_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtGetContextThread_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtGetContextThread_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtGetContextThread_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtGetContextThread_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtGetContextThread_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtGetContextThread_SystemCall_10_0_18363 | |
| jmp NtGetContextThread_SystemCall_Unknown | |
| NtGetContextThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 009dh | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00c9h | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00c7h | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00c7h | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00cah | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00cah | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00ddh | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00e0h | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00e3h | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00e4h | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00e6h | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00e9h | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00eah | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00ebh | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00ech | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00edh | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00edh | |
| jmp NtGetContextThread_Epilogue | |
| NtGetContextThread_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtGetContextThread_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtGetContextThread ENDP | |
| NtGetCurrentProcessorNumber PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtGetCurrentProcessorNumber_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtGetCurrentProcessorNumber_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtGetCurrentProcessorNumber_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtGetCurrentProcessorNumber_Check_10_0_XXXX | |
| jmp NtGetCurrentProcessorNumber_SystemCall_Unknown | |
| NtGetCurrentProcessorNumber_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtGetCurrentProcessorNumber_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtGetCurrentProcessorNumber_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetCurrentProcessorNumber_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetCurrentProcessorNumber_SystemCall_6_3_XXXX | |
| jmp NtGetCurrentProcessorNumber_SystemCall_Unknown | |
| NtGetCurrentProcessorNumber_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtGetCurrentProcessorNumber_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtGetCurrentProcessorNumber_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtGetCurrentProcessorNumber_SystemCall_6_0_6002 | |
| jmp NtGetCurrentProcessorNumber_SystemCall_Unknown | |
| NtGetCurrentProcessorNumber_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtGetCurrentProcessorNumber_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtGetCurrentProcessorNumber_SystemCall_6_1_7601 | |
| jmp NtGetCurrentProcessorNumber_SystemCall_Unknown | |
| NtGetCurrentProcessorNumber_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtGetCurrentProcessorNumber_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtGetCurrentProcessorNumber_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtGetCurrentProcessorNumber_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtGetCurrentProcessorNumber_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtGetCurrentProcessorNumber_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtGetCurrentProcessorNumber_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtGetCurrentProcessorNumber_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtGetCurrentProcessorNumber_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtGetCurrentProcessorNumber_SystemCall_10_0_18363 | |
| jmp NtGetCurrentProcessorNumber_SystemCall_Unknown | |
| NtGetCurrentProcessorNumber_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 009eh | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00cah | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00c8h | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00c8h | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00cbh | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00cbh | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00deh | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00e1h | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00e4h | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00e5h | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00e7h | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00eah | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00ebh | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00ech | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00edh | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00eeh | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00eeh | |
| jmp NtGetCurrentProcessorNumber_Epilogue | |
| NtGetCurrentProcessorNumber_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtGetCurrentProcessorNumber_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtGetCurrentProcessorNumber ENDP | |
| NtGetCurrentProcessorNumberEx PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtGetCurrentProcessorNumberEx_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 10 | |
| je NtGetCurrentProcessorNumberEx_Check_10_0_XXXX | |
| jmp NtGetCurrentProcessorNumberEx_SystemCall_Unknown | |
| NtGetCurrentProcessorNumberEx_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtGetCurrentProcessorNumberEx_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtGetCurrentProcessorNumberEx_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtGetCurrentProcessorNumberEx_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtGetCurrentProcessorNumberEx_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtGetCurrentProcessorNumberEx_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtGetCurrentProcessorNumberEx_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtGetCurrentProcessorNumberEx_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtGetCurrentProcessorNumberEx_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtGetCurrentProcessorNumberEx_SystemCall_10_0_18363 | |
| jmp NtGetCurrentProcessorNumberEx_SystemCall_Unknown | |
| NtGetCurrentProcessorNumberEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00e5h | |
| jmp NtGetCurrentProcessorNumberEx_Epilogue | |
| NtGetCurrentProcessorNumberEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00e6h | |
| jmp NtGetCurrentProcessorNumberEx_Epilogue | |
| NtGetCurrentProcessorNumberEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00e8h | |
| jmp NtGetCurrentProcessorNumberEx_Epilogue | |
| NtGetCurrentProcessorNumberEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00ebh | |
| jmp NtGetCurrentProcessorNumberEx_Epilogue | |
| NtGetCurrentProcessorNumberEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00ech | |
| jmp NtGetCurrentProcessorNumberEx_Epilogue | |
| NtGetCurrentProcessorNumberEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00edh | |
| jmp NtGetCurrentProcessorNumberEx_Epilogue | |
| NtGetCurrentProcessorNumberEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00eeh | |
| jmp NtGetCurrentProcessorNumberEx_Epilogue | |
| NtGetCurrentProcessorNumberEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00efh | |
| jmp NtGetCurrentProcessorNumberEx_Epilogue | |
| NtGetCurrentProcessorNumberEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00efh | |
| jmp NtGetCurrentProcessorNumberEx_Epilogue | |
| NtGetCurrentProcessorNumberEx_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtGetCurrentProcessorNumberEx_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtGetCurrentProcessorNumberEx ENDP | |
| NtGetDevicePowerState PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtGetDevicePowerState_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtGetDevicePowerState_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtGetDevicePowerState_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtGetDevicePowerState_Check_10_0_XXXX | |
| jmp NtGetDevicePowerState_SystemCall_Unknown | |
| NtGetDevicePowerState_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtGetDevicePowerState_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtGetDevicePowerState_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetDevicePowerState_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetDevicePowerState_SystemCall_6_3_XXXX | |
| jmp NtGetDevicePowerState_SystemCall_Unknown | |
| NtGetDevicePowerState_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtGetDevicePowerState_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtGetDevicePowerState_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtGetDevicePowerState_SystemCall_6_0_6002 | |
| jmp NtGetDevicePowerState_SystemCall_Unknown | |
| NtGetDevicePowerState_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtGetDevicePowerState_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtGetDevicePowerState_SystemCall_6_1_7601 | |
| jmp NtGetDevicePowerState_SystemCall_Unknown | |
| NtGetDevicePowerState_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtGetDevicePowerState_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtGetDevicePowerState_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtGetDevicePowerState_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtGetDevicePowerState_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtGetDevicePowerState_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtGetDevicePowerState_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtGetDevicePowerState_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtGetDevicePowerState_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtGetDevicePowerState_SystemCall_10_0_18363 | |
| jmp NtGetDevicePowerState_SystemCall_Unknown | |
| NtGetDevicePowerState_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 | |
| mov eax, 009fh | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00cbh | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00c9h | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00c9h | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00cch | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00cch | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00dfh | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00e2h | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00e6h | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00e7h | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00e9h | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00ech | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00edh | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00eeh | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00efh | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00f0h | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00f0h | |
| jmp NtGetDevicePowerState_Epilogue | |
| NtGetDevicePowerState_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtGetDevicePowerState_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtGetDevicePowerState ENDP | |
| NtGetMUIRegistryInfo PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtGetMUIRegistryInfo_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtGetMUIRegistryInfo_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtGetMUIRegistryInfo_Check_10_0_XXXX | |
| jmp NtGetMUIRegistryInfo_SystemCall_Unknown | |
| NtGetMUIRegistryInfo_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtGetMUIRegistryInfo_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtGetMUIRegistryInfo_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetMUIRegistryInfo_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetMUIRegistryInfo_SystemCall_6_3_XXXX | |
| jmp NtGetMUIRegistryInfo_SystemCall_Unknown | |
| NtGetMUIRegistryInfo_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtGetMUIRegistryInfo_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtGetMUIRegistryInfo_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtGetMUIRegistryInfo_SystemCall_6_0_6002 | |
| jmp NtGetMUIRegistryInfo_SystemCall_Unknown | |
| NtGetMUIRegistryInfo_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtGetMUIRegistryInfo_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtGetMUIRegistryInfo_SystemCall_6_1_7601 | |
| jmp NtGetMUIRegistryInfo_SystemCall_Unknown | |
| NtGetMUIRegistryInfo_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtGetMUIRegistryInfo_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtGetMUIRegistryInfo_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtGetMUIRegistryInfo_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtGetMUIRegistryInfo_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtGetMUIRegistryInfo_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtGetMUIRegistryInfo_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtGetMUIRegistryInfo_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtGetMUIRegistryInfo_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtGetMUIRegistryInfo_SystemCall_10_0_18363 | |
| jmp NtGetMUIRegistryInfo_SystemCall_Unknown | |
| NtGetMUIRegistryInfo_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00cch | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00cah | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00cah | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00cdh | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00cdh | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00e0h | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00e3h | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00e7h | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00e8h | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00eah | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00edh | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00eeh | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00efh | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00f0h | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00f1h | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00f1h | |
| jmp NtGetMUIRegistryInfo_Epilogue | |
| NtGetMUIRegistryInfo_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtGetMUIRegistryInfo_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtGetMUIRegistryInfo ENDP | |
| NtGetNextProcess PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtGetNextProcess_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtGetNextProcess_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtGetNextProcess_Check_10_0_XXXX | |
| jmp NtGetNextProcess_SystemCall_Unknown | |
| NtGetNextProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtGetNextProcess_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtGetNextProcess_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetNextProcess_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetNextProcess_SystemCall_6_3_XXXX | |
| jmp NtGetNextProcess_SystemCall_Unknown | |
| NtGetNextProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtGetNextProcess_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtGetNextProcess_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtGetNextProcess_SystemCall_6_0_6002 | |
| jmp NtGetNextProcess_SystemCall_Unknown | |
| NtGetNextProcess_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtGetNextProcess_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtGetNextProcess_SystemCall_6_1_7601 | |
| jmp NtGetNextProcess_SystemCall_Unknown | |
| NtGetNextProcess_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtGetNextProcess_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtGetNextProcess_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtGetNextProcess_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtGetNextProcess_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtGetNextProcess_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtGetNextProcess_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtGetNextProcess_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtGetNextProcess_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtGetNextProcess_SystemCall_10_0_18363 | |
| jmp NtGetNextProcess_SystemCall_Unknown | |
| NtGetNextProcess_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00cdh | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00cbh | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00cbh | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00ceh | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00ceh | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00e1h | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00e4h | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00e8h | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00e9h | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00ebh | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00eeh | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00efh | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00f0h | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00f1h | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00f2h | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00f2h | |
| jmp NtGetNextProcess_Epilogue | |
| NtGetNextProcess_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtGetNextProcess_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtGetNextProcess ENDP | |
| NtGetNextThread PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtGetNextThread_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtGetNextThread_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtGetNextThread_Check_10_0_XXXX | |
| jmp NtGetNextThread_SystemCall_Unknown | |
| NtGetNextThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtGetNextThread_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtGetNextThread_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetNextThread_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetNextThread_SystemCall_6_3_XXXX | |
| jmp NtGetNextThread_SystemCall_Unknown | |
| NtGetNextThread_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtGetNextThread_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtGetNextThread_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtGetNextThread_SystemCall_6_0_6002 | |
| jmp NtGetNextThread_SystemCall_Unknown | |
| NtGetNextThread_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtGetNextThread_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtGetNextThread_SystemCall_6_1_7601 | |
| jmp NtGetNextThread_SystemCall_Unknown | |
| NtGetNextThread_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtGetNextThread_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtGetNextThread_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtGetNextThread_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtGetNextThread_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtGetNextThread_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtGetNextThread_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtGetNextThread_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtGetNextThread_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtGetNextThread_SystemCall_10_0_18363 | |
| jmp NtGetNextThread_SystemCall_Unknown | |
| NtGetNextThread_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00ceh | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00cch | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 | |
| mov eax, 00cch | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_6_1_7600: ; Windows 7 SP0 | |
| mov eax, 00cfh | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 | |
| mov eax, 00cfh | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 | |
| mov eax, 00e2h | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 | |
| mov eax, 00e5h | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 00e9h | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 00eah | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 00ech | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 00efh | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 00f0h | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 00f1h | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 00f2h | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 00f3h | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) | |
| mov eax, 00f3h | |
| jmp NtGetNextThread_Epilogue | |
| NtGetNextThread_SystemCall_Unknown: ; Unknown/unsupported version. | |
| ret | |
| NtGetNextThread_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtGetNextThread ENDP | |
| NtGetNlsSectionPtr PROC | |
| mov rax, gs:[60h] ; Load PEB into RAX. | |
| NtGetNlsSectionPtr_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 6 | |
| je NtGetNlsSectionPtr_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtGetNlsSectionPtr_Check_10_0_XXXX | |
| jmp NtGetNlsSectionPtr_SystemCall_Unknown | |
| NtGetNlsSectionPtr_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtGetNlsSectionPtr_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtGetNlsSectionPtr_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetNlsSectionPtr_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtGetNlsSectionPtr_SystemCall_6_3_XXXX | |
| jmp NtGetNlsSectionPtr_SystemCall_Unknown | |
| NtGetNlsSectionPtr_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtGetNlsSectionPtr_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtGetNlsSectionPtr_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| je NtGetNlsSectionPtr_SystemCall_6_0_6002 | |
| jmp NtGetNlsSectionPtr_SystemCall_Unknown | |
| NtGetNlsSectionPtr_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtGetNlsSectionPtr_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| je NtGetNlsSectionPtr_SystemCall_6_1_7601 | |
| jmp NtGetNlsSectionPtr_SystemCall_Unknown | |
| NtGetNlsSectionPtr_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtGetNlsSectionPtr_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtGetNlsSectionPtr_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtGetNlsSectionPtr_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtGetNlsSectionPtr_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtGetNlsSectionPtr_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtGetNlsSectionPtr_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtGetNlsSectionPtr_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| je NtGetNlsSectionPtr_SystemCall_10_0_18362 | |
| cmp dword ptr [rax+120h], 18363 | |
| je NtGetNlsSectionPtr_SystemCall_10_0_18363 | |
| jmp NtGetNlsSectionPtr_SystemCall_Unknown | |
| NtGetNlsSectionPtr_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 00cfh | |
| jmp NtGetNlsSectionPtr_Epilogue | |
| NtGetNlsSectionPtr_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 | |
| mov eax, 00cdh | |