Gmer.txt
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-08 15:51:07
Windows 5.1.2600 Service Pack 3
Running: nbhbx2b2.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uxtdypob.sys
---- System - GMER 1.0.15 ----
SSDT spgc.sys ZwCreateKey [0xF85570E0]
SSDT spgc.sys ZwEnumerateKey [0xF8575CA2]
SSDT spgc.sys ZwEnumerateValueKey [0xF8576030]
SSDT spgc.sys ZwOpenKey [0xF85570C0]
SSDT spgc.sys ZwQueryKey [0xF8576108]
SSDT spgc.sys ZwQueryValueKey [0xF8575F88]
SSDT spgc.sys ZwSetValueKey [0xF857619A]
INT 0x62 ? 82F6BBF8
INT 0x63 ? 82E70F00
INT 0x82 ? 82F6BBF8
INT 0xA4 ? 82E70F00
INT 0xB4 ? 82F6BBF8
INT 0xB4 ? 82F6BBF8
INT 0xB4 ? 82E70F00
INT 0xB4 ? 82F6BBF8
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwYieldExecution + 192 804E49EC 2 Bytes [A2, 5C]
.text ntoskrnl.exe!ZwYieldExecution + 2F6 804E4B50 2 Bytes [08, 61]
.text ntoskrnl.exe!ZwYieldExecution + 33A 804E4B94 2 Bytes [88, 5F]
.text ntoskrnl.exe!ZwYieldExecution + 452 804E4CAC 2 Bytes [9A, 61]
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1E968 80609E00 195 Bytes [65, 64, 20, 2D, 20, 53, 74, ...]
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1EA2C 80609EC4 17 Bytes CALL 804E3494 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1EA3E 80609ED6 14 Bytes [8B, 45, F0, 89, 45, F4, E9, ...]
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1EA4E 80609EE6 4 Bytes [68, 6A, 9F, 60]
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1EA54 80609EEC 3 Bytes CALL 80501EEA \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!CcMdlRead + 53 8061BED0 36 Bytes [8D, 45, D0, 50, 8D, 45, CC, ...]
PAGE ntoskrnl.exe!CcMdlRead + 78 8061BEF5 45 Bytes CALL 804F1DA2 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!CcMdlRead + A6 8061BF23 32 Bytes [C7, 05, 28, 30, 55, 80, 78, ...]
PAGE ntoskrnl.exe!CcMdlRead + C7 8061BF44 49 Bytes [00, 00, 8D, 45, E0, 50, 8D, ...]
PAGE ntoskrnl.exe!CcMdlRead + F9 8061BF76 43 Bytes [9C, 13, 4D, A8, 89, 4D, A0, ...]
PAGE ...
PAGE ntoskrnl.exe!CcMdlReadComplete + 28 8061C158 17 Bytes [75, 08, FF, D1, 84, C0, 75, ...]
PAGE ntoskrnl.exe!CcMdlReadComplete + 3A 8061C16A 156 Bytes [CC, CC, CC, CC, CC, CC, 90, ...]
PAGE ntoskrnl.exe!CmUnRegisterCallback + 3C 8061C207 5 Bytes [53, E8, D6, 09, 03]
PAGE ntoskrnl.exe!CmUnRegisterCallback + 42 8061C20D 11 Bytes [84, C0, 74, 46, 83, C8, FF, ...]
PAGE ntoskrnl.exe!CmUnRegisterCallback + 4E 8061C219 29 Bytes [F0, 0F, C1, 01, 8B, 45, FC, ...]
PAGE ntoskrnl.exe!CmUnRegisterCallback + 6C 8061C237 2 Bytes [76, 10] {JBE 0x12}
PAGE ntoskrnl.exe!CmUnRegisterCallback + 6F 8061C23A 3 Bytes CALL 805511E7 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!CmRegisterCallback + 2 8061C289 21 Bytes [55, 8B, EC, 51, 53, 56, 57, ...]
PAGE ntoskrnl.exe!CmRegisterCallback + 18 8061C29F 6 Bytes [8B, F0, 33, FF, 3B, F7] {MOV ESI, EAX; XOR EDI, EDI; CMP ESI, EDI}
PAGE ntoskrnl.exe!CmRegisterCallback + 1F 8061C2A6 13 Bytes [84, CB, 00, 00, 00, 53, 6A, ...]
PAGE ntoskrnl.exe!CmRegisterCallback + 2D 8061C2B4 66 Bytes [3B, C7, 89, 46, 10, 74, 19, ...]
PAGE ntoskrnl.exe!CmRegisterCallback + 70 8061C2F7 67 Bytes [40, 04, 89, 00, 8B, 46, 10, ...]
PAGE ...
PAGE ntoskrnl.exe!FsRtlMdlReadDev + 5 8061C4C2 1 Byte [52]
PAGE ntoskrnl.exe!FsRtlMdlReadDev + 5 8061C4C2 27 Bytes CALL 804E2EA1 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!FsRtlMdlReadDev + 21 8061C4DE 183 Bytes JMP 8061C5CA \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!FsRtlMdlReadDev + D9 8061C596 25 Bytes [1C, C7, 00, 11, 00, 00, C0, ...]
PAGE ntoskrnl.exe!FsRtlMdlReadDev + F3 8061C5B0 20 Bytes [80, D4, 00, 00, 00, 75, 13, ...]
PAGE ...
PAGE ntoskrnl.exe!FsRtlPrepareMdlWriteDev + 30 8061C76B 22 Bytes [6A, 01, 8B, 5D, 10, 53, 8B, ...]
PAGE ntoskrnl.exe!FsRtlPrepareMdlWriteDev + 47 8061C782 51 Bytes [F6, 46, 2C, 10, 0F, 85, 99, ...]
PAGE ntoskrnl.exe!FsRtlPrepareMdlWriteDev + 7B 8061C7B6 215 Bytes [CB, 33, C0, 03, 0F, 13, 47, ...]
PAGE ntoskrnl.exe!FsRtlPrepareMdlWriteDev + 153 8061C88E 96 Bytes CALL 804DA3A1 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!FsRtlPrepareMdlWriteDev + 1B4 8061C8EF 37 Bytes CALL 804E842C \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!FsRtlPrepareMdlWrite + 48 8061CB83 44 Bytes [40, 08, 8B, 40, 28, 85, C0, ...]
PAGE ntoskrnl.exe!FsRtlPrepareMdlWrite + 75 8061CBB0 37 Bytes [FF, 5F, 5E, 5D, C2, 18, 00, ...]
PAGE ntoskrnl.exe!FsRtlMdlWriteCompleteDev + 13 8061CBD6 74 Bytes [75, 10, FF, 75, 0C, 50, E8, ...]
PAGE ntoskrnl.exe!FsRtlIncrementCcFastReadNotPossible + C 8061CC21 40 Bytes [C3, CC, CC, CC, CC, CC, CC, ...]
PAGE ntoskrnl.exe!FsRtlCopyRead + 1A 8061CC4B 100 Bytes [8B, 4D, 10, 8D, 84, 08, FF, ...]
PAGE ntoskrnl.exe!FsRtlCopyRead + 7F 8061CCB0 38 Bytes [00, FF, 88, D4, 00, 00, 00, ...]
PAGE ntoskrnl.exe!FsRtlCopyRead + A6 8061CCD7 14 Bytes [83, 7E, 18, 00, 0F, 84, 00, ...]
PAGE ntoskrnl.exe!FsRtlCopyRead + B5 8061CCE6 32 Bytes [0F, 84, F5, 01, 00, 00, 3C, ...]
PAGE ntoskrnl.exe!FsRtlCopyRead + D6 8061CD07 31 Bytes [75, 18, FF, 75, 14, FF, 75, ...]
PAGE ...
PAGE ntoskrnl.exe!FsRtlCopyWrite + 18 8061CF4F 5 Bytes [8B, 5D, 0C, 83, 3B]
PAGE ntoskrnl.exe!FsRtlCopyWrite + 1E 8061CF55 19 Bytes [75, 0A, 83, 7B, 04, FF, C6, ...] {JNZ 0xc; CMP DWORD [EBX+0x4], -0x1; MOV BYTE [EBP-0x1a], 0x1; JZ 0x10; MOV BYTE [EBP-0x1a], 0x0; MOV EDI, [EBP+0x8]}
PAGE ntoskrnl.exe!FsRtlCopyWrite + 32 8061CF69 26 Bytes [77, 0C, 89, 75, CC, 6A, 00, ...]
PAGE ntoskrnl.exe!FsRtlCopyWrite + 4D 8061CF84 48 Bytes [F6, 47, 2C, 10, 0F, 85, B1, ...]
PAGE ntoskrnl.exe!FsRtlCopyWrite + 7E 8061CFB5 2 Bytes [88, D4] {MOV AH, DL}
PAGE ...
PAGE ntoskrnl.exe!FsRtlMdlWriteComplete + 8 8061D663 69 Bytes CALL 804E842D \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!FsRtlMdlWriteComplete + 4E 8061D6A9 27 Bytes [78, 4C, 00, 74, 04, 32, C0, ...]
PAGE ntoskrnl.exe!FsRtlMdlWriteComplete + 6A 8061D6C5 33 Bytes [90, 90, 90, CC, CC, CC, CC, ...]
PAGE ntoskrnl.exe!FsRtlInitializeMcb + 8 8061D6E7 8 Bytes [E5, ED, FF, CC, CC, CC, CC, ...] {IN EAX, 0xed; DEC ESP; INT 3 ; INT 3 ; INT 3 ; INT 3 }
PAGE ntoskrnl.exe!FsRtlInitializeMcb + 11 8061D6F0 20 Bytes [90, 90, 90, 90, 8B, FF, 55, ...]
PAGE ntoskrnl.exe!FsRtlUninitializeMcb + 14 8061D708 114 Bytes [90, A1, 0C, A0, 69, 80, 83, ...]
PAGE ntoskrnl.exe!FsRtlSyncVolumes + 30 8061D77B 4 Bytes [75, 08, E8, 27]
PAGE ntoskrnl.exe!FsRtlSyncVolumes + 35 8061D780 1 Byte [EC]
PAGE ntoskrnl.exe!FsRtlSyncVolumes + 35 8061D780 86 Bytes [EC, FF, 5D, C2, 08, 00, CC, ...]
PAGE ntoskrnl.exe!FsRtlSyncVolumes + 8C 8061D7D7 100 Bytes [8B, C6, EB, 7E, 8B, 4E, 1C, ...]
PAGE ntoskrnl.exe!FsRtlSyncVolumes + F1 8061D83C 36 Bytes [C0, 8B, 4D, 10, 8B, 45, E4, ...]
PAGE ...
PAGE ntoskrnl.exe!FsRtlDeregisterUncProvider + 2F 8061D9D2 5 Bytes [3B, 35, 18, A0, 69]
PAGE ntoskrnl.exe!FsRtlDeregisterUncProvider + 35 8061D9D8 67 Bytes [75, 34, A1, 20, A0, 69, 80, ...]
PAGE ntoskrnl.exe!FsRtlDeregisterUncProvider + 79 8061DA1C 29 Bytes [57, 6A, 01, 57, 53, E8, A8, ...]
PAGE ntoskrnl.exe!FsRtlDissectDbcs + 2 8061DA3A 19 Bytes [55, 8B, EC, 8B, 45, 10, 8B, ...]
PAGE ntoskrnl.exe!FsRtlDissectDbcs + 16 8061DA4E 157 Bytes [18, 66, 89, 58, 02, 89, 58, ...]
PAGE ntoskrnl.exe!FsRtlDoesDbcsContainWildCards + B 8061DAEC 104 Bytes [B7, 30, 33, D2, 85, F6, 57, ...]
PAGE ntoskrnl.exe!FsRtlIsDbcsInExpression + 2 8061DB55 149 Bytes [55, 8B, EC, 81, EC, 84, 00, ...]
PAGE ntoskrnl.exe!FsRtlIsDbcsInExpression + 98 8061DBEB 153 Bytes [00, 89, 4D, 8C, 74, 3E, 33, ...]
PAGE ntoskrnl.exe!FsRtlIsDbcsInExpression + 132 8061DC85 4 Bytes [74, 2B, 8B, 3D]
PAGE ntoskrnl.exe!FsRtlIsDbcsInExpression + 137 8061DC8A 34 Bytes [C4, 56, 80, 0F, B6, F2, 66, ...]
PAGE ntoskrnl.exe!FsRtlIsDbcsInExpression + 15A 8061DCAD 45 Bytes [4D, A0, 58, EB, 0B, 66, 0F, ...]
PAGE ...
PAGE ntoskrnl.exe!FsRtlIsHpfsDbcsLegal + 16 8061DFCA 29 Bytes [00, 38, 5D, 10, 8B, 4D, 0C, ...]
PAGE ntoskrnl.exe!FsRtlIsHpfsDbcsLegal + 34 8061DFE8 5 Bytes [14, 8A, 01, 3C, 2E] {ADC AL, 0x8a; ADD [ESI+EBP], EDI}
PAGE ntoskrnl.exe!FsRtlIsHpfsDbcsLegal + 3A 8061DFEE 26 Bytes [05, 38, 41, 01, 74, 66, 3C, ...]
PAGE ntoskrnl.exe!FsRtlIsHpfsDbcsLegal + 55 8061E009 30 Bytes [FA, 01, 76, 4D, 41, 66, 4A, ...]
PAGE ntoskrnl.exe!FsRtlIsHpfsDbcsLegal + 74 8061E028 98 Bytes [45, 0C, 80, 38, 5C, 74, 39, ...]
PAGE ...
PAGE ntoskrnl.exe!FsRtlNotifyFullChangeDirectory + 1D 8061E190 97 Bytes [75, 10, FF, 75, 0C, FF, 75, ...]
PAGE ntoskrnl.exe!FsRtlNotifyFullReportChange + 7 8061E1F2 12 Bytes [FF, 75, 28, FF, 75, 24, FF, ...] {PUSH DWORD [EBP+0x28]; PUSH DWORD [EBP+0x24]; PUSH DWORD [EBP+0x20]; PUSH DWORD [EBP+0x1c]}
PAGE ntoskrnl.exe!FsRtlNotifyFullReportChange + 14 8061E1FF 1 Byte [75]
PAGE ntoskrnl.exe!FsRtlNotifyFullReportChange + 14 8061E1FF 37 Bytes [75, 18, FF, 75, 14, FF, 75, ...]
PAGE ntoskrnl.exe!FsRtlNotifyFullReportChange + 3C 8061E227 29 Bytes [8B, FF, 55, 8B, EC, 51, 51, ...]
PAGE ntoskrnl.exe!FsRtlNotifyFullReportChange + 5A 8061E245 240 Bytes [B8, FF, 00, 00, 00, 74, 05, ...]
PAGE ...
PAGE ntoskrnl.exe!IoSetPartitionInformation + 4 8061E51B 22 Bytes [EC, 83, EC, 40, 53, BB, 00, ...]
PAGE ntoskrnl.exe!IoSetPartitionInformation + 1B 8061E532 41 Bytes [89, 55, F8, 73, 03, 89, 5D, ...]
PAGE ntoskrnl.exe!IoSetPartitionInformation + 45 8061E55C 85 Bytes [89, 5D, E0, EB, 03, 89, 75, ...]
PAGE ntoskrnl.exe!IoSetPartitionInformation + 9B 8061E5B2 29 Bytes [C8, 57, 8D, 45, C0, 50, E8, ...]
PAGE ntoskrnl.exe!IoSetPartitionInformation + B9 8061E5D0 13 Bytes CALL 80518D95 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!IoWritePartitionTable + 1C 8061E7A7 42 Bytes [00, 89, 5D, F4, 88, 5D, FE, ...]
PAGE ntoskrnl.exe!IoWritePartitionTable + 47 8061E7D2 3 Bytes CALL 8050D42C \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoWritePartitionTable + 4B 8061E7D6 103 Bytes [39, 5D, E0, 74, 12, 53, FF, ...]
PAGE ntoskrnl.exe!IoWritePartitionTable + B3 8061E83E 19 Bytes [23, 75, 03, 88, 45, FF, C6, ...]
PAGE ntoskrnl.exe!IoWritePartitionTable + C7 8061E852 150 Bytes [10, 00, 00, 39, 45, EC, 72, ...]
PAGE ...
PAGE ntoskrnl.exe!IoWritePartitionTableEx + 28 8061F9EE 27 Bytes [06, 2B, C3, 0F, 84, B5, 00, ...]
PAGE ntoskrnl.exe!IoWritePartitionTableEx + 44 8061FA0A 20 Bytes [75, FC, 89, 5D, 08, E8, DB, ...]
PAGE ntoskrnl.exe!IoWritePartitionTableEx + 59 8061FA1F 6 Bytes [75, FC, E8, C9, F9, FF]
PAGE ntoskrnl.exe!IoWritePartitionTableEx + 60 8061FA26 95 Bytes [8B, F8, 3B, FB, 0F, 8C, 87, ...]
PAGE ntoskrnl.exe!IoWritePartitionTableEx + C0 8061FA86 45 Bytes [70, 04, 6A, 01, FF, 73, 34, ...]
PAGE ...
PAGE ntoskrnl.exe!IoVerifyPartitionTable + 27 8061FB07 36 Bytes [F0, 85, F6, 7C, 25, 8B, 45, ...]
PAGE ntoskrnl.exe!IoVerifyPartitionTable + 4C 8061FB2C 89 Bytes [F6, 85, FF, 74, 06, 57, E8, ...]
PAGE ntoskrnl.exe!IoVerifyPartitionTable + A6 8061FB86 31 Bytes [4D, 10, 8D, 04, F6, 57, C1, ...]
PAGE ntoskrnl.exe!IoVerifyPartitionTable + C6 8061FBA6 5 Bytes [51, 20, 89, 50, 20]
PAGE ntoskrnl.exe!IoVerifyPartitionTable + CC 8061FBAC 57 Bytes [51, 24, 6A, 12, 8D, 71, 28, ...]
PAGE ...
PAGE ntoskrnl.exe!IoSetPartitionInformationEx + 2F 8061FD59 21 Bytes [7C, 44, 8B, 4D, FC, 8B, 45, ...]
PAGE ntoskrnl.exe!IoSetPartitionInformationEx + 45 8061FD6F 112 Bytes [74, 19, 49, 74, 07, BE, BB, ...]
PAGE ntoskrnl.exe!IoSetPartitionInformationEx + B6 8061FDE0 35 Bytes [8B, 7D, 18, 8B, 45, 14, C1, ...]
PAGE ntoskrnl.exe!IoSetPartitionInformationEx + DA 8061FE04 41 Bytes [75, 08, FF, 15, 98, 80, 4D, ...]
PAGE ntoskrnl.exe!IoSetPartitionInformationEx + 104 8061FE2E 18 Bytes [FF, 89, 73, 08, 89, 73, 04, ...] {DEC DWORD [ECX+0x73890873]; ADD AL, 0x33; SHR BL, 0x32; MOV EAX, [ECX+0x8]; LEA ECX, [EBP+0x10]; PUSH ECX}
PAGE ...
PAGE ntoskrnl.exe!IoCheckQuotaBufferValidity + D3 80620097 48 Bytes CALL 804DA2A1 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoCheckQuotaBufferValidity + 104 806200C8 11 Bytes CALL 80574887 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoCheckQuotaBufferValidity + 110 806200D4 10 Bytes [6E, 01, 00, 00, 57, 68, 70, ...]
PAGE ntoskrnl.exe!IoCheckQuotaBufferValidity + 11B 806200DF 21 Bytes CALL 804DA2A2 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoCheckQuotaBufferValidity + 131 806200F5 8 Bytes [D0, 50, C7, 45, A4, 18, 00, ...]
PAGE ...
PAGE ntoskrnl.exe!IoEnqueueIrp 806202B8 77 Bytes [8B, FF, 55, 8B, EC, 56, 57, ...]
PAGE ntoskrnl.exe!IoFastQueryNetworkAttributes + B 80620306 21 Bytes [A1, 60, A3, 55, 80, 8B, 55, ...]
PAGE ntoskrnl.exe!IoFastQueryNetworkAttributes + 21 8062031C 24 Bytes [64, FF, FF, FF, 33, C0, 6A, ...]
PAGE ntoskrnl.exe!IoFastQueryNetworkAttributes + 3A 80620335 57 Bytes [33, DB, 43, 89, 85, 24, FF, ...]
PAGE ntoskrnl.exe!IoFastQueryNetworkAttributes + 74 8062036F 17 Bytes [FF, FF, 88, 9D, 4D, FF, FF, ...]
PAGE ntoskrnl.exe!IoFastQueryNetworkAttributes + 86 80620381 53 Bytes [FF, FF, 64, A1, 24, 01, 00, ...]
PAGE ...
PAGE ntoskrnl.exe!IoIsValidNameGraftingBuffer + D 8062040D 283 Bytes [53, 8B, 5D, 0C, 81, 3B, 03, ...]
PAGE ntoskrnl.exe!IoIsValidNameGraftingBuffer + 12A 8062052A 58 Bytes [BE, 9A, 07, 62, 80, 8D, 7D, ...]
PAGE ntoskrnl.exe!IoIsValidNameGraftingBuffer + 166 80620566 21 Bytes [00, 89, 7D, B0, C7, 45, B8, ...]
PAGE ntoskrnl.exe!IoIsValidNameGraftingBuffer + 17C 8062057C 116 Bytes [85, C0, 0F, 8C, 09, 01, 00, ...]
PAGE ntoskrnl.exe!IoIsValidNameGraftingBuffer + 1F1 806205F1 100 Bytes [44, 0F, 85, 8C, 00, 00, 00, ...]
PAGE ...
PAGE ntoskrnl.exe!IoRegisterLastChanceShutdownNotification + 26 80620959 104 Bytes CALL 804DA06A \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoSetInformation + 33 806209C2 21 Bytes [89, 7B, 60, C6, 45, 0B, 01, ...]
PAGE ntoskrnl.exe!IoSetInformation + 49 806209D8 113 Bytes [FF, FF, 50, 57, 53, E8, 83, ...]
PAGE ntoskrnl.exe!IoSetInformation + BB 80620A4A 136 Bytes [80, 7D, 0B, 00, 89, 46, 50, ...]
PAGE ntoskrnl.exe!IoSetInformation + 144 80620AD3 82 Bytes [05, 83, C8, 10, EB, 03, 83, ...]
PAGE ntoskrnl.exe!IoSetInformation + 197 80620B26 28 Bytes [F8, 0B, 74, 78, 83, F8, 1F, ...]
PAGE ...
PAGE ntoskrnl.exe!IoUnregisterFsRegistrationChange + 60 80620CA4 27 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
PAGE ntoskrnl.exe!IoVerifyVolume + C 80620CC0 17 Bytes [08, 57, 33, DB, 53, 53, 53, ...]
PAGE ntoskrnl.exe!IoVerifyVolume + 1E 80620CD2 44 Bytes CALL 804DC400 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoVerifyVolume + 4B 80620CFF 86 Bytes [8B, F8, 8B, 47, 10, 3B, C3, ...]
PAGE ntoskrnl.exe!IoVerifyVolume + A2 80620D56 22 Bytes [88, 48, 02, C6, 40, 01, 02, ...]
PAGE ntoskrnl.exe!IoVerifyVolume + B9 80620D6D 253 Bytes [CF, FF, 15, 80, B7, 55, 80, ...]
PAGE ntoskrnl.exe!IoCancelFileOpen + 72 80620E6B 19 Bytes CALL A0A8D494
PAGE ntoskrnl.exe!IoCancelFileOpen + 86 80620E7F 5 Bytes [B1, 01, C6, 00, 12] {MOV CL, 0x1; MOV BYTE [EAX], 0x12}
PAGE ntoskrnl.exe!IoCancelFileOpen + 8C 80620E85 26 Bytes [58, 18, FF, 15, 2C, 80, 4D, ...]
PAGE ntoskrnl.exe!IoCancelFileOpen + A7 80620EA0 102 Bytes [89, 79, 04, 8A, C8, 89, 3A, ...]
PAGE ntoskrnl.exe!IoCancelFileOpen + 10F 80620F08 3 Bytes [90, 90, 90] {NOP ; NOP ; NOP }
PAGE ntoskrnl.exe!IoQueryFileDosDeviceName + 1 80620F0C 31 Bytes [FF, 55, 8B, EC, 51, 51, 56, ...]
PAGE ntoskrnl.exe!IoQueryFileDosDeviceName + 21 80620F2C 5 Bytes [56, 6A, 01, 6A, 01] {PUSH ESI; PUSH 0x1; PUSH 0x1}
PAGE ntoskrnl.exe!IoQueryFileDosDeviceName + 27 80620F32 1 Byte [75]
PAGE ntoskrnl.exe!IoQueryFileDosDeviceName + 27 80620F32 6 Bytes [75, 08, E8, 6C, E8, F6]
PAGE ntoskrnl.exe!IoQueryFileDosDeviceName + 2E 80620F39 45 Bytes [85, C0, 89, 45, F8, 74, 29, ...]
PAGE ...
PAGE ntoskrnl.exe!IoEnumerateRegisteredFiltersList + 13 80620F99 22 Bytes CALL 804E197E \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoEnumerateRegisteredFiltersList + 2A 80620FB0 93 Bytes [EB, 03, 8B, 00, 47, 3B, C3, ...]
PAGE ntoskrnl.exe!IoEnumerateRegisteredFiltersList + 89 8062100F 3 Bytes [8B, FF, 55] {MOV EDI, EDI; PUSH EBP}
PAGE ntoskrnl.exe!IoEnumerateRegisteredFiltersList + 8D 80621013 27 Bytes [EC, 53, 8B, 5D, 14, 56, 33, ...]
PAGE ntoskrnl.exe!IoEnumerateRegisteredFiltersList + A9 8062102F 1 Byte [75]
PAGE ...
PAGE ntoskrnl.exe!IoAttachDevice + 6F 80621170 27 Bytes CALL 804E3495 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoAttachDevice + 8B 8062118C 173 Bytes [C6, 5F, 5E, C9, C2, 0C, 00, ...]
PAGE ntoskrnl.exe!IoAttachDevice + 139 8062123A 128 Bytes [50, 04, 6A, 00, 51, FF, 77, ...]
PAGE ntoskrnl.exe!IoAttachDevice + 1BA 806212BB 24 Bytes [76, 78, C6, 45, C4, 00, 53, ...]
PAGE ntoskrnl.exe!IoAttachDevice + 1D3 806212D4 2 Bytes [48, 60] {DEC EAX; PUSHA }
PAGE ...
PAGE ntoskrnl.exe!ZwOpenIoCompletion + 3 80621406 19 Bytes CALL 804E2E9F \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwOpenIoCompletion + 17 8062141A 23 Bytes [89, 45, D4, 8A, 80, 40, 01, ...]
PAGE ntoskrnl.exe!ZwOpenIoCompletion + 2F 80621432 265 Bytes [3B, F0, 72, 02, 89, 18, 8B, ...]
PAGE ntoskrnl.exe!ZwQueryIoCompletion + 78 8062153C 99 Bytes JMP 806215D9 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwQueryIoCompletion + DC 806215A0 25 Bytes [C3, 90, 90, 90, 90, 90, 8B, ...]
PAGE ntoskrnl.exe!ZwQueryIoCompletion + F6 806215BA 8 Bytes [00, 89, 45, D8, E8, 23, 15, ...]
PAGE ntoskrnl.exe!ZwQueryIoCompletion + FF 806215C3 143 Bytes [C3, 90, 90, 90, 90, 90, 8B, ...]
PAGE ntoskrnl.exe!NtQueryEaFile + 7 80621653 4 Bytes CALL 804E2EA3 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!NtQueryEaFile + C 80621658 56 Bytes [33, F6, 89, 75, D4, 89, 75, ...]
PAGE ntoskrnl.exe!NtQueryEaFile + 45 80621691 94 Bytes [30, 8B, 03, 89, 03, 8B, 43, ...]
PAGE ntoskrnl.exe!NtQueryEaFile + A4 806216F0 34 Bytes [3B, 05, D4, 7E, 56, 80, 76, ...]
PAGE ntoskrnl.exe!NtQueryEaFile + C7 80621713 100 Bytes [75, 1C, 8B, F8, 8B, D1, C1, ...]
PAGE ...
PAGE ntoskrnl.exe!NtSetEaFile + 8B 80621C1C 213 Bytes CALL 6A2E91AC
PAGE ntoskrnl.exe!NtSetEaFile + 161 80621CF2 30 Bytes [3B, D8, 75, 21, F6, 47, 2C, ...]
PAGE ntoskrnl.exe!NtSetEaFile + 180 80621D11 6 Bytes JMP 80621EB2 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!NtSetEaFile + 187 80621D18 2 Bytes [7B, 64] {JNP 0x66}
PAGE ntoskrnl.exe!NtSetEaFile + 18A 80621D1B 75 Bytes [4D, C8, 89, 4B, 50, 8A, 4D, ...]
PAGE ...
PAGE ntoskrnl.exe!NtSetQuotaInformationFile + 18 80621EF1 58 Bytes [5D, C2, 10, 00, 90, 90, 90, ...]
PAGE ntoskrnl.exe!NtQueryQuotaInformationFile + 29 80621F2C 68 Bytes [01, 00, 00, 88, 45, DC, 84, ...]
PAGE ntoskrnl.exe!NtQueryQuotaInformationFile + 6E 80621F71 55 Bytes [3B, C8, 72, 05, 0F, B6, 00, ...]
PAGE ntoskrnl.exe!NtQueryQuotaInformationFile + A6 80621FA9 6 Bytes [76, 05, E8, 04, D5, 02]
PAGE ntoskrnl.exe!NtQueryQuotaInformationFile + AD 80621FB0 61 Bytes [83, 7D, 1C, 00, 74, 5F, 8B, ...]
PAGE ntoskrnl.exe!NtQueryQuotaInformationFile + EB 80621FEE 1 Byte [6A]
PAGE ...
PAGE ntoskrnl.exe!NtSetVolumeInformationFile + 7 8062241E 9 Bytes CALL 804E2EA3 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!NtSetVolumeInformationFile + 11 80622428 39 Bytes [89, 45, E4, 8B, 45, 08, 89, ...]
PAGE ntoskrnl.exe!NtSetVolumeInformationFile + 39 80622450 8 Bytes [00, 89, 45, 88, 8A, 80, 40, ...]
PAGE ntoskrnl.exe!NtSetVolumeInformationFile + 43 8062245A 125 Bytes [88, 45, BB, 84, C0, 74, 6A, ...]
PAGE ntoskrnl.exe!NtSetVolumeInformationFile + C1 806224D8 94 Bytes [75, BB, FF, 35, 58, 0D, 56, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwReadFileScatter + A7 8062287E 7 Bytes [8B, 75, 20, 81, E6, FF, 0F]
PAGE ntoskrnl.exe!ZwReadFileScatter + AF 80622886 74 Bytes [00, F7, DE, 1B, F6, F7, DE, ...]
PAGE ntoskrnl.exe!ZwReadFileScatter + FA 806228D1 39 Bytes JMP 80622C95 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwReadFileScatter + 122 806228F9 34 Bytes [45, 9C, 8B, 41, 04, 89, 45, ...]
PAGE ntoskrnl.exe!ZwReadFileScatter + 145 8062291C 167 Bytes [8B, 55, 20, 85, C2, 74, 0A, ...]
PAGE ...
PAGE ntoskrnl.exe!IoReleaseRemoveLockAndWaitEx + 34 80624B15 5 Bytes [10, 58, 75, 09, 57]
PAGE ntoskrnl.exe!IoReleaseRemoveLockAndWaitEx + 3A 80624B1B 46 Bytes CALL 805511E4 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoAssignResources + 14 80624B4B 5 Bytes [8B, 86, B0, 00, 00]
PAGE ntoskrnl.exe!IoAssignResources + 1A 80624B51 44 Bytes [8B, 40, 14, 3B, C3, 0F, 84, ...]
PAGE ntoskrnl.exe!IoAssignResources + 47 80624B7E 164 Bytes [3B, 00, 74, 14, 6A, 02, 53, ...]
PAGE ntoskrnl.exe!IoAssignResources + EC 80624C23 4 Bytes [B0, 98, 00, 00] {MOV AL, 0x98; ADD [EAX], AL}
PAGE ntoskrnl.exe!IoAssignResources + F1 80624C28 110 Bytes CALL 80532DE0 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!IoPnPDeliverServicePowerNotification + BB 806256E1 84 Bytes [24, 00, 00, 33, C0, 39, 5D, ...]
PAGE ntoskrnl.exe!IoReportTargetDeviceChange + 26 80625737 28 Bytes [53, 8B, 5D, 0C, 56, 8D, 73, ...]
PAGE ntoskrnl.exe!IoReportTargetDeviceChange + 43 80625754 16 Bytes [2B, C7, F7, D8, 1B, C0, 40, ...]
PAGE ntoskrnl.exe!IoReportTargetDeviceChange + 54 80625765 28 Bytes [3B, F0, 74, 4D, 57, 50, 56, ...]
PAGE ntoskrnl.exe!IoReportTargetDeviceChange + 71 80625782 117 Bytes [3B, F0, 74, 30, 57, 50, 56, ...]
PAGE ntoskrnl.exe!IoReportTargetDeviceChange + E7 806257F8 3 Bytes CALL 804DC401 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!KeSetTimeUpdateNotifyRoutine + 4B 8062A43A 69 Bytes CALL 80538AE2 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!KeSetTimeUpdateNotifyRoutine + 91 8062A480 77 Bytes [84, 88, 01, 00, 00, 8B, 71, ...]
PAGE ntoskrnl.exe!KeSetTimeUpdateNotifyRoutine + DF 8062A4CE 23 Bytes [04, 03, 00, 00, 00, 89, 58, ...]
PAGE ntoskrnl.exe!KeSetTimeUpdateNotifyRoutine + F8 8062A4E7 26 Bytes [04, 00, 00, C0, 8B, 4D, F4, ...]
PAGE ntoskrnl.exe!KeSetTimeUpdateNotifyRoutine + 113 8062A502 1 Byte [FF]
PAGE ...
PAGE ntoskrnl.exe!ZwQueryInformationPort + 18 8062B3EB 64 Bytes [88, 45, E4, 33, DB, 3A, C3, ...]
PAGE ntoskrnl.exe!ZwQueryInformationPort + 59 8062B42C 39 Bytes [35, 08, 2F, 56, 80, BE, 00, ...]
PAGE ntoskrnl.exe!ZwQueryInformationPort + 81 8062B454 49 Bytes CALL 8056C555 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwQueryInformationPort + B3 8062B486 50 Bytes CALL 805F020E \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwReplyWaitReplyPort + 7 8062B4B9 90 Bytes CALL 804E2EA3 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwReplyWaitReplyPort + 62 8062B514 11 Bytes [4D, FC, FF, EB, 2E, 90, 90, ...]
PAGE ntoskrnl.exe!ZwReplyWaitReplyPort + 6E 8062B520 76 Bytes [EC, 8B, 00, 8B, 00, 89, 45, ...]
PAGE ntoskrnl.exe!ZwReplyWaitReplyPort + BB 8062B56D 14 Bytes [75, D4, FF, 35, 08, 2F, 56, ...]
PAGE ntoskrnl.exe!ZwReplyWaitReplyPort + CA 8062B57C 21 Bytes [F4, FF, 3B, C7, 0F, 8C, 93, ...]
PAGE ...
PAGE ntoskrnl.exe!MmMarkPhysicalMemoryAsBad + 18 8062B9C3 13 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
PAGE ntoskrnl.exe!MmRemovePhysicalMemory + 2 8062B9D1 10 Bytes [55, 8B, EC, 6A, 00, FF, 75, ...]
PAGE ntoskrnl.exe!MmRemovePhysicalMemory + D 8062B9DC 8 Bytes CALL 80539D79 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!MmRemovePhysicalMemory + 16 8062B9E5 29 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
PAGE ntoskrnl.exe!MmRemovePhysicalMemory + 34 8062BA03 30 Bytes [00, C0, EB, 74, 53, 56, 57, ...]
PAGE ntoskrnl.exe!MmRemovePhysicalMemory + 53 8062BA22 5 Bytes [53, E8, D8, 09, EB]
PAGE ...
PAGE ntoskrnl.exe!MmAddVerifierThunks + 2A 8062BB1E 16 Bytes JMP 8062BC7D \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!MmAddVerifierThunks + 3C 8062BB30 17 Bytes CALL 80551001 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!MmAddVerifierThunks + 4F 8062BB43 46 Bytes JMP 8062BC7C \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!MmAddVerifierThunks + 7E 8062BB72 38 Bytes CALL 804DC3FF \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!MmAddVerifierThunks + A6 8062BB9A 6 Bytes [75, 13, 8D, 46, 34, 39]
PAGE ...
PAGE ntoskrnl.exe!MmFreeMappingAddress + 43 8062C920 51 Bytes [75, 0C, 52, 68, 02, 01, 00, ...]
PAGE ntoskrnl.exe!MmFreeMappingAddress + 77 8062C954 29 Bytes [83, C6, 02, 56, 57, E8, B2, ...]
PAGE ntoskrnl.exe!MmFreeMappingAddress + 95 8062C972 130 Bytes CALL 8053767E \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!MmSetBankedSection + 64 8062C9F5 16 Bytes [D7, EB, FF, 8B, F8, 85, FF, ...] {XLATB ; JMP 0x2; MOV EDI, EAX; TEST EDI, EDI; MOV [EBP-0x4], EDI; JZ 0x16c}
PAGE ntoskrnl.exe!MmSetBankedSection + 75 8062CA06 11 Bytes [0F, C1, EE, 0C, 3B, CE, 0F, ...]
PAGE ntoskrnl.exe!MmSetBankedSection + 81 8062CA12 4 Bytes [F6, 47, 16, 08] {TEST BYTE [EDI+0x16], 0x8}
PAGE ntoskrnl.exe!MmSetBankedSection + 86 8062CA17 258 Bytes [84, 45, 01, 00, 00, 8B, 47, ...]
PAGE ntoskrnl.exe!MmSetBankedSection + 189 8062CB1A 66 Bytes [03, 88, 89, 70, 30, 0F, B6, ...]
PAGE ...
PAGE ntoskrnl.exe!MmAllocateNonCachedMemory + 87 8062CD11 12 Bytes [04, 8B, D0, 8D, 4B, 1C, C1, ...]
PAGE ntoskrnl.exe!MmAllocateNonCachedMemory + 94 8062CD1E 80 Bytes [C8, 89, 45, FC, 89, 55, F0, ...]
PAGE ntoskrnl.exe!MmAllocateNonCachedMemory + E5 8062CD6F 3 Bytes CALL 804E9BF6 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!MmAllocateNonCachedMemory + E9 8062CD73 26 Bytes CALL 80504BD9 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!MmAllocateNonCachedMemory + 104 8062CD8E 3 Bytes [8B, 45, FC] {MOV EAX, [EBP-0x4]}
PAGE ...
PAGE ntoskrnl.exe!MmFreeNonCachedMemory + 22 8062CDDD 1 Byte [6A]
PAGE ntoskrnl.exe!MmFreeNonCachedMemory + 22 8062CDDD 7 Bytes [6A, 00, 57, E8, 01, 44, F2]
PAGE ntoskrnl.exe!MmFreeNonCachedMemory + 2A 8062CDE5 19 Bytes [8B, 45, 0C, 8B, C8, 81, E1, ...]
PAGE ntoskrnl.exe!MmFreeNonCachedMemory + 3E 8062CDF9 50 Bytes [6A, 00, 8D, 44, 08, 01, 50, ...]
PAGE ntoskrnl.exe!MmProbeAndLockProcessPages + 16 8062CE2C 85 Bytes [00, 8B, 4D, 0C, 3B, 48, 44, ...]
PAGE ntoskrnl.exe!MmProbeAndLockProcessPages + 6C 8062CE82 22 Bytes CALL 804F4026 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!MmProbeAndLockProcessPages + 83 8062CE99 62 Bytes [C2, 10, 00, CC, CC, CC, CC, ...]
PAGE ntoskrnl.exe!MmProbeAndLockProcessPages + C2 8062CED8 1 Byte [4D]
PAGE ntoskrnl.exe!MmProbeAndLockProcessPages + C2 8062CED8 66 Bytes CALL 804EA1F5 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!ZwExtendSection + A0 8062D7C9 11 Bytes CALL 8056C559 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwExtendSection + AC 8062D7D5 74 Bytes [45, CC, 50, FF, 75, E4, E8, ...]
PAGE ntoskrnl.exe!ZwExtendSection + F7 8062D820 14 Bytes [CC, CC, CC, CC, CC, CC, 90, ...] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP}
PAGE ntoskrnl.exe!ZwExtendSection + 106 8062D82F 52 Bytes [EC, 8B, 45, 08, 56, 8B, 75, ...]
PAGE ntoskrnl.exe!ZwExtendSection + 13B 8062D864 8 Bytes [49, 18, 89, 0A, 5E, 5D, C2, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwMapUserPhysicalPages + 58 8062DE1E 84 Bytes JMP 8062E202 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwMapUserPhysicalPages + AD 8062DE73 24 Bytes CALL 8064F4C5 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwMapUserPhysicalPages + C6 8062DE8C 61 Bytes CALL 8064F4B2 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwMapUserPhysicalPages + 104 8062DECA 1 Byte [00]
PAGE ntoskrnl.exe!ZwMapUserPhysicalPages + 104 8062DECA 13 Bytes [00, 00, 40, 03, C6, 89, 45, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwMapUserPhysicalPagesScatter + 2 8062E221 169 Bytes [55, 8B, EC, 6A, FF, 68, D8, ...]
PAGE ntoskrnl.exe!ZwMapUserPhysicalPagesScatter + AC 8062E2CB 13 Bytes [E5, 11, 02, 00, 8B, CB, 8B, ...]
PAGE ntoskrnl.exe!ZwMapUserPhysicalPagesScatter + BA 8062E2D9 56 Bytes JMP 0C08D5E0
PAGE ntoskrnl.exe!ZwMapUserPhysicalPagesScatter + F3 8062E312 63 Bytes [89, 45, D8, 85, C0, 75, 13, ...]
PAGE ntoskrnl.exe!ZwMapUserPhysicalPagesScatter + 133 8062E352 56 Bytes CALL 8064F4B2 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!ZwAllocateUserPhysicalPages + C 8062E776 89 Bytes [33, FF, 89, 7D, D0, 64, A1, ...]
PAGE ntoskrnl.exe!ZwAllocateUserPhysicalPages + 66 8062E7D0 3 Bytes CALL 8056E8A0 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwAllocateUserPhysicalPages + 6A 8062E7D4 49 Bytes [EB, 08, 8B, 45, 0C, 8B, 00, ...]
PAGE ntoskrnl.exe!ZwAllocateUserPhysicalPages + 9C 8062E806 21 Bytes [4D, B8, 89, 4D, E4, 3B, C7, ...]
PAGE ntoskrnl.exe!ZwAllocateUserPhysicalPages + B2 8062E81C 123 Bytes [FF, 35, 78, AC, 69, 80, E8, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwFreeUserPhysicalPages + 3F 8062EB5C 5 Bytes [00, 88, 45, B0, 33]
PAGE ntoskrnl.exe!ZwFreeUserPhysicalPages + 45 8062EB62 1 Byte [84]
PAGE ntoskrnl.exe!ZwFreeUserPhysicalPages + 45 8062EB62 13 Bytes [84, C0, 74, 49, 89, 7D, FC, ...]
PAGE ntoskrnl.exe!ZwFreeUserPhysicalPages + 53 8062EB70 112 Bytes [0C, 3B, C8, 72, 02, 89, 38, ...]
PAGE ntoskrnl.exe!ZwFreeUserPhysicalPages + C4 8062EBE1 20 Bytes [FF, 0F, 00, 3B, C8, 89, 45, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwFlushWriteBuffer + 15 8062EFDC 15 Bytes [55, 8B, EC, 8B, 45, 08, 8B, ...]
PAGE ntoskrnl.exe!ZwFlushWriteBuffer + 25 8062EFEC 105 Bytes [C0, 75, 32, 53, 8B, 5D, 10, ...]
PAGE ntoskrnl.exe!ZwUnlockVirtualMemory + 1B 8062F056 38 Bytes [75, 68, F6, 45, 14, 03, 74, ...]
PAGE ntoskrnl.exe!ZwUnlockVirtualMemory + 42 8062F07D 16 Bytes [3B, C1, 72, 02, 89, 19, 8B, ...] {CMP EAX, ECX; JB 0x6; MOV [ECX], EBX; MOV ECX, [EAX]; MOV [EAX], ECX; MOV ECX, [0x80567ed4]}
PAGE ntoskrnl.exe!ZwUnlockVirtualMemory + 53 8062F08E 68 Bytes [55, 10, 3B, D1, 72, 02, 89, ...]
PAGE ntoskrnl.exe!ZwUnlockVirtualMemory + 98 8062F0D3 4 Bytes [35, 58, 97, 56]
PAGE ntoskrnl.exe!ZwUnlockVirtualMemory + 9D 8062F0D8 64 Bytes [6A, 08, FF, 75, 08, E8, 77, ...]
PAGE ...
PAGE ntoskrnl.exe!PoShutdownBugCheck + 13 80632E92 27 Bytes CALL 8062134B \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!PoShutdownBugCheck + 2F 80632EAE 25 Bytes [00, C0, 89, 45, FC, 6A, 04, ...]
PAGE ntoskrnl.exe!PoShutdownBugCheck + 49 80632EC8 170 Bytes CALL 804E39E6 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!PoShutdownBugCheck + F4 80632F73 169 Bytes [55, 8B, EC, 8B, 4D, 08, 8A, ...]
PAGE ntoskrnl.exe!PoShutdownBugCheck + 19E 8063301D 57 Bytes JMP 806330F8 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!ZwRequestWakeupLatency + 3A 80633CC2 80 Bytes [00, 80, 50, 53, 88, 5E, 68, ...]
PAGE ntoskrnl.exe!ZwInitiatePowerAction + 2C 80633D13 30 Bytes [FF, 35, F0, AC, 69, 80, E8, ...]
PAGE ntoskrnl.exe!ZwInitiatePowerAction + 4B 80633D32 111 Bytes [FA, 07, 75, 0F, 38, 5D, CC, ...]
PAGE ntoskrnl.exe!ZwInitiatePowerAction + BB 80633DA2 29 Bytes JMP 80633E72 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwInitiatePowerAction + D9 80633DC0 109 Bytes [89, 5E, 04, 8D, 46, 08, 89, ...]
PAGE ntoskrnl.exe!ZwInitiatePowerAction + 147 80633E2E 148 Bytes [5E, 14, 74, 31, 53, 6A, 01, ...]
PAGE ntoskrnl.exe!ZwRequestDeviceWakeup + 34 80633EC3 123 Bytes [75, 08, F6, 46, 2D, 08, 57, ...]
PAGE ntoskrnl.exe!ZwGetDevicePowerState + C 80633F3F 83 Bytes [64, A1, 24, 01, 00, 00, 8A, ...]
PAGE ntoskrnl.exe!ZwGetDevicePowerState + 60 80633F93 56 Bytes [8B, 7D, 0C, 64, A1, 24, 01, ...]
PAGE ntoskrnl.exe!ZwGetDevicePowerState + 99 80633FCC 33 Bytes [8B, F0, 8B, 4D, E0, E8, 5A, ...]
PAGE ntoskrnl.exe!ZwGetDevicePowerState + BC 80633FEF 182 Bytes [89, 07, EB, 1E, 90, 90, 90, ...]
PAGE ntoskrnl.exe!ZwGetDevicePowerState + 173 806340A6 69 Bytes [55, 8B, EC, 56, 8B, 75, 08, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwQueryPortInformationProcess + 7 80635298 86 Bytes [48, 44, 83, B9, BC, 00, 00, ...]
PAGE ntoskrnl.exe!ZwQueryPortInformationProcess + 5E 806352EF 47 Bytes [34, 68, 88, E4, 52, 80, E8, ...]
PAGE ntoskrnl.exe!ZwQueryPortInformationProcess + 8E 8063531F 158 Bytes CALL 8056C557 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwQueryPortInformationProcess + 12D 806353BE 20 Bytes [00, 83, 4D, FC, FF, 33, C0, ...]
PAGE ntoskrnl.exe!ZwQueryPortInformationProcess + 142 806353D3 76 Bytes [89, 45, E0, 33, C0, 40, C3, ...]
PAGE ntoskrnl.exe!PsDereferenceImpersonationToken + D 80635420 3 Bytes CALL 804E1931 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!PsDereferenceImpersonationToken + 11 80635424 144 Bytes [5D, C2, 04, 00, CC, CC, CC, ...]
PAGE ntoskrnl.exe!PsSetCreateProcessNotifyRoutine + 16 806354B5 4 Bytes CALL 8064CCB8 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!PsSetCreateProcessNotifyRoutine + 1B 806354BA 11 Bytes [F0, 85, F6, 74, 1F, 56, E8, ...]
PAGE ntoskrnl.exe!PsSetCreateProcessNotifyRoutine + 27 806354C6 1 Byte [45]
PAGE ntoskrnl.exe!PsSetCreateProcessNotifyRoutine + 2A 806354C9 9 Bytes [0D, 56, 6A, 00, 57, E8, 10, ...]
PAGE ntoskrnl.exe!PsSetCreateProcessNotifyRoutine + 34 806354D3 31 Bytes [84, C0, 75, 17, 56, 57, E8, ...]
PAGE ...
PAGE ntoskrnl.exe!PsSetCreateThreadNotifyRoutine + 39 806355B0 28 Bytes CALL 47783E08
PAGE ntoskrnl.exe!PsSetCreateThreadNotifyRoutine + 56 806355CD 59 Bytes [41, F0, 0F, C1, 08, 33, C0, ...]
PAGE ntoskrnl.exe!PsRemoveCreateThreadNotifyRoutine + 29 80635609 28 Bytes CALL 8064CBE2 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!PsRemoveCreateThreadNotifyRoutine + 46 80635626 8 Bytes [00, C0, 5F, 5E, 5B, 5D, C2, ...]
PAGE ntoskrnl.exe!PsRemoveCreateThreadNotifyRoutine + 4F 8063562F 25 Bytes [B8, C0, 97, 56, 80, 83, C9, ...]
PAGE ntoskrnl.exe!PsRemoveCreateThreadNotifyRoutine + 69 80635649 42 Bytes CALL 8064CB67 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!PsRemoveCreateThreadNotifyRoutine + 94 80635674 34 Bytes [71, 04, 8B, 01, 50, FF, 70, ...]
PAGE ntoskrnl.exe!PsSetLoadImageNotifyRoutine + 2 80635697 60 Bytes [55, 8B, EC, 53, 57, 33, FF, ...]
PAGE ntoskrnl.exe!PsSetLoadImageNotifyRoutine + 3F 806356D4 3 Bytes CALL 80581CCF \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!PsSetLoadImageNotifyRoutine + 43 806356D8 4 Bytes [B8, 9A, 00, 00]
PAGE ntoskrnl.exe!PsSetLoadImageNotifyRoutine + 48 806356DD 48 Bytes [5E, 5F, 5B, 5D, C2, 04, 00, ...]
PAGE ntoskrnl.exe!PsRemoveLoadImageNotifyRoutine + 7 8063570E 39 Bytes [57, 33, DB, BF, 80, 97, 56, ...]
PAGE ntoskrnl.exe!PsRemoveLoadImageNotifyRoutine + 2F 80635736 37 Bytes [84, C0, 75, 1C, 56, 57, E8, ...]
PAGE ntoskrnl.exe!PsRemoveLoadImageNotifyRoutine + 55 8063575C 25 Bytes [C9, FF, F0, 0F, C1, 08, 56, ...]
PAGE ntoskrnl.exe!PsRemoveLoadImageNotifyRoutine + 6F 80635776 20 Bytes CALL 80581CCD \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!PsRemoveLoadImageNotifyRoutine + 84 8063578B 2 Bytes [FF, 55]
PAGE ...
PAGE ntoskrnl.exe!PsGetContextThread + F 80635846 40 Bytes [A1, 60, A3, 55, 80, 89, 45, ...]
PAGE ntoskrnl.exe!PsGetContextThread + 38 8063586F 10 Bytes [FF, F3, AB, 66, AB, 89, 9D, ...]
PAGE ntoskrnl.exe!PsGetContextThread + 43 8063587A 129 Bytes [64, A1, 24, 01, 00, 00, 8B, ...]
PAGE ntoskrnl.exe!PsGetContextThread + C5 806358FC 39 Bytes [FF, 8A, 45, 10, 88, 85, 00, ...]
PAGE ntoskrnl.exe!PsGetContextThread + ED 80635924 40 Bytes [8D, 85, F8, FC, FF, FF, 50, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwGetContextThread + 2 80635A5F 10 Bytes [55, 8B, EC, 51, 56, 64, A1, ...]
PAGE ntoskrnl.exe!ZwGetContextThread + D 80635A6A 48 Bytes [8A, 80, 40, 01, 00, 00, 6A, ...]
PAGE ntoskrnl.exe!ZwGetContextThread + 3E 80635A9B 62 Bytes [00, 10, 75, 10, FF, 75, FC, ...]
PAGE ntoskrnl.exe!PsSetContextThread + B 80635ADA 20 Bytes JMP A360A1FF
PAGE ntoskrnl.exe!PsSetContextThread + 20 80635AEF 8 Bytes [8B, 5D, 0C, 33, F6, 89, B5, ...]
PAGE ntoskrnl.exe!PsSetContextThread + 2A 80635AF9 15 Bytes [FF, 64, A1, 24, 01, 00, 00, ...]
PAGE ntoskrnl.exe!PsSetContextThread + 3A 80635B09 51 Bytes [80, 7D, 10, 00, 74, 15, F6, ...]
PAGE ntoskrnl.exe!PsSetContextThread + 6E 80635B3D 175 Bytes [23, C8, 3B, C8, 74, 0A, C7, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwSetContextThread + 2B 80635CAE 3 Bytes CALL 8056C55A \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwSetContextThread + 2F 80635CB2 38 Bytes [8B, F0, 85, F6, 7C, 2A, 57, ...]
PAGE ntoskrnl.exe!ZwSetContextThread + 56 80635CD9 101 Bytes CALL 804E192D \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!PsSetJobUIRestrictionsClass + 2 80635D3F 140 Bytes [55, 8B, EC, 8B, 45, 0C, 8B, ...]
PAGE ntoskrnl.exe!PsIsThreadImpersonating + 3C 80635DCC 30 Bytes [57, EB, 14, F6, 86, 48, 02, ...]
PAGE ntoskrnl.exe!PsIsThreadImpersonating + 5B 80635DEB 182 Bytes [8B, F0, 3B, F7, 75, DE, 5F, ...]
PAGE ntoskrnl.exe!PsIsThreadImpersonating + 112 80635EA2 147 Bytes [00, 90, 42, 72, 65, 61, 6B, ...]
PAGE ntoskrnl.exe!PsIsThreadImpersonating + 1A6 80635F36 56 Bytes [55, 8B, EC, 83, EC, 0C, 83, ...]
PAGE ntoskrnl.exe!PsIsThreadImpersonating + 1DF 80635F6F 133 Bytes [00, 00, 75, 13, 56, E8, F0, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwSetLdtEntries + 2 80636991 25 Bytes JMP 806366E7 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwSetLdtEntries + 1C 806369AB 10 Bytes CALL 804E2EA3 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwSetLdtEntries + 27 806369B6 19 Bytes [8B, 40, 44, 89, 45, E4, 83, ...]
PAGE ntoskrnl.exe!ZwSetLdtEntries + 3B 806369CA 1 Byte [C0]
PAGE ntoskrnl.exe!ZwSetLdtEntries + 3B 806369CA 118 Bytes JMP 80636C7E \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!ZwSuspendThread + 8 8063793F 13 Bytes JMP 89DB33FF
PAGE ntoskrnl.exe!ZwSuspendThread + 16 8063794D 56 Bytes [00, 89, 45, D0, 8A, 80, 40, ...]
PAGE ntoskrnl.exe!ZwSuspendThread + 4F 80637986 35 Bytes [6A, 02, FF, 75, 08, E8, C9, ...]
PAGE ntoskrnl.exe!ZwSuspendThread + 73 806379AA 134 Bytes [C7, 45, FC, 01, 00, 00, 00, ...]
PAGE ntoskrnl.exe!ZwSuspendProcess + 16 80637A31 6 Bytes [45, FC, 8D, 45, 08, 50] {INC EBP; CLD ; LEA EAX, [EBP+0x8]; PUSH EAX}
PAGE ntoskrnl.exe!ZwSuspendProcess + 1D 80637A38 124 Bytes [75, FC, FF, 35, 58, 97, 56, ...]
PAGE ntoskrnl.exe!ZwResumeProcess + 3F 80637AB5 114 Bytes [FF, 8B, 4D, 08, 8B, F0, E8, ...]
PAGE ntoskrnl.exe!ZwAlertResumeThread + 53 80637B29 1 Byte [08]
PAGE ntoskrnl.exe!ZwAlertResumeThread + 53 80637B29 5 Bytes [08, E8, 2A, 4A, F3] {OR AL, CH; SUB CL, [EDX-0xd]}
PAGE ntoskrnl.exe!ZwAlertResumeThread + 59 80637B2F 12 Bytes [3B, C3, 7C, 6D, FF, 75, E4, ...] {CMP EAX, EBX; JL 0x71; PUSH DWORD [EBP-0x1c]; CALL 0xfffffffffff0068c}
PAGE ntoskrnl.exe!ZwAlertResumeThread + 66 80637B3C 19 Bytes CALL 804E192C \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwAlertResumeThread + 7A 80637B50 55 Bytes [89, 3E, 83, 4D, FC, FF, 33, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwIsProcessInJob + 1F 80637E52 31 Bytes [35, 58, 97, 56, 80, 68, 00, ...]
PAGE ntoskrnl.exe!ZwIsProcessInJob + 3F 80637E72 74 Bytes [38, 8B, 8F, 34, 01, 00, 00, ...]
PAGE ntoskrnl.exe!ZwIsProcessInJob + 8B 80637EBE 1 Byte [0C]
PAGE ntoskrnl.exe!ZwIsProcessInJob + 8B 80637EBE 5 Bytes [0C, E8, 95, 46, F3]
PAGE ntoskrnl.exe!ZwIsProcessInJob + 91 80637EC4 7 Bytes [85, C0, 8B, 4D, FC, 7D, AE] {TEST EAX, EAX; MOV ECX, [EBP-0x4]; JGE 0xffffffffffffffb5}
PAGE ...
PAGE ntoskrnl.exe!ZwCreateJobSet + 5B 80637FD8 119 Bytes [8A, 80, 40, 01, 00, 00, 88, ...]
PAGE ntoskrnl.exe!ZwCreateJobSet + D3 80638050 4 Bytes [35, E0, 96, 56]
PAGE ntoskrnl.exe!ZwCreateJobSet + D8 80638055 44 Bytes CALL 8056C556 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwCreateJobSet + 105 80638082 95 Bytes [7D, 21, 85, FF, 76, 16, 8D, ...]
PAGE ntoskrnl.exe!ZwCreateJobSet + 165 806380E2 19 Bytes [89, 70, 04, 89, 06, 89, 41, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwOpenJobObject + 56 8063822B 23 Bytes [E0, EB, 4C, 8B, 75, 08, 8D, ...]
PAGE ntoskrnl.exe!ZwOpenJobObject + 6E 80638243 8 Bytes CALL 8057010A \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwOpenJobObject + 77 8063824C 4 Bytes [C3, 7C, 32, C7]
PAGE ntoskrnl.exe!ZwOpenJobObject + 7C 80638251 139 Bytes [FC, 01, 00, 00, 00, 8B, 4D, ...]
PAGE ntoskrnl.exe!ZwOpenJobObject + 108 806382DD 27 Bytes [8D, BB, 44, 02, 00, 00, F6, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwTerminateJobObject + 3E 80638391 60 Bytes [53, 8B, 5D, 08, 57, 6A, 01, ...]
PAGE ntoskrnl.exe!ZwTerminateJobObject + 7B 806383CE 166 Bytes CALL 804E192E \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwTerminateJobObject + 122 80638475 9 Bytes [45, F8, FF, 75, 0C, 89, 45, ...] {INC EBP; CLC ; PUSH DWORD [EBP+0xc]; MOV [EBP-0x4], EAX; PUSH EAX}
PAGE ntoskrnl.exe!ZwTerminateJobObject + 12C 8063847F 12 Bytes [55, 08, 85, C0, 89, 45, F4, ...]
PAGE ntoskrnl.exe!ZwTerminateJobObject + 139 8063848C 16 Bytes CALL 804DBE11 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!LdrEnumResources + 1B 80638B23 2 Bytes [14, 8B] {ADC AL, 0x8b}
PAGE ntoskrnl.exe!LdrEnumResources + 1E 80638B26 33 Bytes [89, 45, E0, 8B, 45, 14, 89, ...]
PAGE ntoskrnl.exe!LdrEnumResources + 40 80638B48 5 Bytes [C0, E9, F2, 01, 00] {SHR CL, 0xf2; ADD [EAX], EAX}
PAGE ntoskrnl.exe!LdrEnumResources + 46 80638B4E 23 Bytes [0F, B7, 7E, 0E, 0F, B7, 46, ...]
PAGE ntoskrnl.exe!LdrEnumResources + 5E 80638B66 1 Byte [00]
PAGE ...
PAGE ntoskrnl.exe!RtlCustomCPToUnicodeN + 2 80638D98 103 Bytes [55, 8B, EC, 53, 8B, 5D, 08, ...]
PAGE ntoskrnl.exe!RtlCustomCPToUnicodeN + 6A 80638E00 174 Bytes [B6, 58, 0C, 66, 8B, 1C, 5A, ...]
PAGE ntoskrnl.exe!RtlCustomCPToUnicodeN + 119 80638EAF 47 Bytes [FF, 85, FF, 8B, 4D, 0C, 8B, ...]
PAGE ntoskrnl.exe!RtlCustomCPToUnicodeN + 149 80638EDF 30 Bytes [74, 30, 42, 0F, B6, 02, 0F, ...]
PAGE ntoskrnl.exe!RtlCustomCPToUnicodeN + 168 80638EFE 84 Bytes [04, 38, 66, 89, 01, 41, 41, ...]
PAGE ...
PAGE ntoskrnl.exe!RtlUnicodeToCustomCPN + 2 80638F83 261 Bytes [55, 8B, EC, 8B, 55, 1C, 8B, ...]
PAGE ntoskrnl.exe!RtlUnicodeToCustomCPN + 109 8063908A 13 Bytes [4D, 0C, 8B, 70, 20, 89, 4D, ...]
PAGE ntoskrnl.exe!RtlUnicodeToCustomCPN + 117 80639098 17 Bytes [74, 32, 8B, 45, 18, 0F, B7, ...]
PAGE ntoskrnl.exe!RtlUnicodeToCustomCPN + 129 806390AA 64 Bytes CALL F52414B7
PAGE ntoskrnl.exe!RtlUnicodeToCustomCPN + 16A 806390EB 12 Bytes [90, 79, 90, 63, 80, 6F, 90, ...]
PAGE ...
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + 2 80639139 6 Bytes [55, 8B, EC, 83, EC, 0C] {PUSH EBP; MOV EBP, ESP; SUB ESP, 0xc}
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + 9 80639140 24 Bytes [45, 1C, 53, 56, 8B, 75, 08, ...]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + 22 80639159 47 Bytes [55, 10, 3B, C2, 73, 02, 8B, ...]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + 52 80639189 16 Bytes [63, 80, 0F, B7, 11, 0F, B6, ...] {ARPL [EAX+0xf11b70f], AX; MOV DH, 0x14; ADD CL, [EBX-0x48f0e382]; ADC AL, 0x57}
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + 63 8063919A 59 Bytes [45, 0C, 10, 83, C1, 20, 66, ...]
PAGE ...
PAGE ntoskrnl.exe!PfxInitialize + 2 806399CE 48 Bytes [55, 8B, EC, 8B, 45, 08, 66, ...]
PAGE ntoskrnl.exe!PfxRemovePrefix + 11 80639A00 17 Bytes [7C, 68, 81, F9, 02, 02, 00, ...] {JL 0x6a; CMP ECX, 0x202; JG 0x6a; LEA EDX, [EAX+0x8]; MOV EAX, EDX; JMP 0x13}
PAGE ntoskrnl.exe!PfxRemovePrefix + 23 80639A12 48 Bytes [C1, 8B, 08, 3B, C8, 75, F8, ...]
PAGE ntoskrnl.exe!PfxRemovePrefix + 54 80639A43 53 Bytes [4E, 04, 83, C0, F8, EB, 03, ...]
PAGE ntoskrnl.exe!PfxRemovePrefix + 8A 80639A79 221 Bytes [FF, 55, 8B, EC, 56, 57, 8B, ...]
PAGE ntoskrnl.exe!PfxRemovePrefix + 16A 80639B59 2 Bytes [8B, 4E]
PAGE ...
PAGE ntoskrnl.exe!RtlNextUnicodePrefix + 93 80639CE5 162 Bytes [90, 90, 90, 90, 8B, FF, 55, ...]
PAGE ntoskrnl.exe!PfxInsertPrefix + 9F 80639D88 36 Bytes [EB, 36, 83, 63, 04, 00, 83, ...]
PAGE ntoskrnl.exe!PfxInsertPrefix + C4 80639DAD 26 Bytes CALL 812B03BA
PAGE ntoskrnl.exe!PfxInsertPrefix + DF 80639DC8 11 Bytes [CC, CC, CC, CC, CC, CC, 90, ...] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP ; NOP ; NOP }
PAGE ntoskrnl.exe!PfxFindPrefix + 1 80639DD4 47 Bytes [FF, 55, 8B, EC, 53, 56, 57, ...]
PAGE ntoskrnl.exe!PfxFindPrefix + 31 80639E04 37 Bytes [75, 0C, 8D, 7B, F8, FF, 77, ...]
PAGE ntoskrnl.exe!PfxFindPrefix + 57 80639E2A 69 Bytes [76, 04, 66, 83, 7E, 02, 00, ...]
PAGE ntoskrnl.exe!PfxFindPrefix + 9D 80639E70 45 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
PAGE ntoskrnl.exe!RtlSelfRelativeToAbsoluteSD2 + 13 80639E9E 172 Bytes [00, C0, EB, 5E, 83, 7D, 0C, ...]
PAGE ntoskrnl.exe!RtlSelfRelativeToAbsoluteSD2 + C0 80639F4B 152 Bytes [EC, 56, 8B, 75, 08, 8A, 06, ...]
PAGE ntoskrnl.exe!RtlSelfRelativeToAbsoluteSD2 + 159 80639FE4 34 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
PAGE ntoskrnl.exe!RtlSelfRelativeToAbsoluteSD2 + 17C 8063A007 85 Bytes [74, 05, 0D, 80, 00, 00, 00, ...]
PAGE ntoskrnl.exe!RtlSelfRelativeToAbsoluteSD2 + 1D2 8063A05D 48 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
PAGE ntoskrnl.exe!RtlDestroyAtomTable + 7 8063A08E 137 Bytes CALL 804E2EA3 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!RtlDestroyAtomTable + 91 8063A118 28 Bytes [00, 8B, 00, 89, 45, D4, 33, ...]
PAGE ntoskrnl.exe!RtlDestroyAtomTable + AE 8063A135 140 Bytes CALL 804E2EDC \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!RtlEmptyAtomTable + 79 8063A1C2 166 Bytes [45, E0, EB, B7, 53, E8, 97, ...]
PAGE ntoskrnl.exe!RtlEmptyAtomTable + 120 8063A269 39 Bytes [44, 96, 10, 89, 45, DC, 85, ...]
PAGE ntoskrnl.exe!RtlEmptyAtomTable + 148 8063A291 223 Bytes [00, EB, D8, 42, EB, C9, 8B, ...]
PAGE ntoskrnl.exe!RtlMergeRangeLists + 1F 8063A371 33 Bytes [00, 8B, 45, 10, 8B, 30, EB, ...]
PAGE ntoskrnl.exe!RtlMergeRangeLists + 41 8063A393 95 Bytes CALL 805BC437 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!RtlMergeRangeLists + A1 8063A3F3 89 Bytes CALL 805BC436 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!RtlDeleteRange + C 8063A44E 2 Bytes [0B, 83]
PAGE ntoskrnl.exe!RtlDeleteRange + F 8063A451 47 Bytes [1C, 8D, 51, 1C, 56, 8B, 32, ...]
PAGE ntoskrnl.exe!RtlDeleteRange + 3F 8063A481 84 Bytes [00, 00, 77, 09, 39, 45, 14, ...]
PAGE ntoskrnl.exe!RtlDeleteRange + 94 8063A4D6 171 Bytes [3B, 7D, 18, 75, 08, 8B, 7D, ...]
PAGE ntoskrnl.exe!RtlInvertRangeList + 2 8063A582 90 Bytes [55, 8B, EC, 8B, 55, 0C, 53, ...]
PAGE ntoskrnl.exe!RtlInvertRangeList + 5D 8063A5DD 44 Bytes [8D, 7E, 1C, 39, 7D, 0C, 75, ...]
PAGE ntoskrnl.exe!RtlInvertRangeList + 8A 8063A60A 29 Bytes [3B, C3, 7C, 02, 33, C0, 5F, ...]
PAGE ntoskrnl.exe!RtlZeroHeap + 7 8063A628 45 Bytes CALL 804E2EA3 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!RtlZeroHeap + 35 8063A656 24 Bytes [C6, 45, E7, 01, C7, 45, FC, ...]
PAGE ntoskrnl.exe!RtlZeroHeap + 4E 8063A66F 166 Bytes [45, D8, 8B, 4D, DC, 8B, 7C, ...]
PAGE ntoskrnl.exe!RtlZeroHeap + F5 8063A716 28 Bytes CALL 0A2FECA6
PAGE ntoskrnl.exe!RtlZeroHeap + 112 8063A733 17 Bytes [C2, 08, 00, 90, 90, 90, 90, ...] {RET 0x8; NOP ; NOP ; NOP ; NOP ; NOP ; CMP BYTE [EBP-0x19], 0x0; JZ 0x1c; MOV EAX, [EBP-0x28]}
PAGE ...
PAGE ntoskrnl.exe!RtlDestroyHeap + 1E 8063A81D 10 Bytes [53, 8D, 5F, 50, 56, 8B, 33, ...]
PAGE ntoskrnl.exe!RtlDestroyHeap + 29 8063A828 85 Bytes [80, 00, 00, 8D, 45, 08, 50, ...]
PAGE ntoskrnl.exe!RtlDestroyHeap + 7F 8063A87E 113 Bytes [36, 83, 65, 08, 00, 6A, FF, ...]
PAGE ntoskrnl.exe!RtlSizeHeap + E 8063A8F0 3 Bytes [05, 83, C8]
PAGE ntoskrnl.exe!RtlSizeHeap + 12 8063A8F4 55 Bytes [EB, 1C, A8, 08, 74, 0B, 0F, ...]
PAGE ntoskrnl.exe!RtlSizeHeap + 4A 8063A92C 9 Bytes CALL 804E2EA3 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)