From bf4917dba8e4587cb80b72a9d9dee88e710ef3d9 Mon Sep 17 00:00:00 2001
From: jxn
Date: Wed, 4 Dec 2019 13:40:38 -0800
Subject: [PATCH] Add example output.
---
 .gitignore | 1 +
 README.md | 4 +-
 output/syscalls.asm | 48827 ++++++++++++++++++++++++++++++++++++++++++
 output/syscalls.h | 3992 ++++
 4 files changed, 52823 insertions(+), 1 deletion(-)
 create mode 100644 .gitignore
 create mode 100644 output/syscalls.asm
 create mode 100644 output/syscalls.h
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3552451
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.idea
diff --git a/README.md b/README.md
index 13bd65b..0706ee6 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,8 @@
 # KernelWhispers
-Generate header/ASM files to make direct system calls for evasion purposes.
+KernelWhispers generates header/ASM files to let implants make direct system calls for evasion purposes.
+
+All core syscalls are supported from Windows XP to 10. Example generated files available in `output` folder.
 ## Introduction
diff --git a/output/syscalls.asm b/output/syscalls.asm
new file mode 100644
index 0000000..f458048
--- /dev/null
+++ b/output/syscalls.asm
@@ -0,0 +1,48827 @@ +.code + +NtAcceptConnectPort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAcceptConnectPort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAcceptConnectPort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAcceptConnectPort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAcceptConnectPort_Check_10_0_XXXX + jmp NtAcceptConnectPort_SystemCall_Unknown +NtAcceptConnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAcceptConnectPort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAcceptConnectPort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAcceptConnectPort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAcceptConnectPort_SystemCall_6_3_XXXX + jmp NtAcceptConnectPort_SystemCall_Unknown +NtAcceptConnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAcceptConnectPort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAcceptConnectPort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAcceptConnectPort_SystemCall_6_0_6002 + jmp NtAcceptConnectPort_SystemCall_Unknown +NtAcceptConnectPort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAcceptConnectPort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAcceptConnectPort_SystemCall_6_1_7601 + jmp NtAcceptConnectPort_SystemCall_Unknown +NtAcceptConnectPort_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAcceptConnectPort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAcceptConnectPort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAcceptConnectPort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAcceptConnectPort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAcceptConnectPort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAcceptConnectPort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAcceptConnectPort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAcceptConnectPort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAcceptConnectPort_SystemCall_10_0_18363 + jmp NtAcceptConnectPort_SystemCall_Unknown +NtAcceptConnectPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0060h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0060h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0060h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0060h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0060h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0060h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0061h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0001h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0002h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0002h + jmp 
NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0002h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0002h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0002h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0002h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0002h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0002h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0002h + jmp NtAcceptConnectPort_Epilogue +NtAcceptConnectPort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAcceptConnectPort_Epilogue: + mov r10, rcx + syscall + ret +NtAcceptConnectPort ENDP + +NtAccessCheck PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAccessCheck_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAccessCheck_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAccessCheck_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAccessCheck_Check_10_0_XXXX + jmp NtAccessCheck_SystemCall_Unknown +NtAccessCheck_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAccessCheck_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAccessCheck_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAccessCheck_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAccessCheck_SystemCall_6_3_XXXX + jmp NtAccessCheck_SystemCall_Unknown +NtAccessCheck_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtAccessCheck_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAccessCheck_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAccessCheck_SystemCall_6_0_6002 + jmp NtAccessCheck_SystemCall_Unknown +NtAccessCheck_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAccessCheck_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAccessCheck_SystemCall_6_1_7601 + jmp NtAccessCheck_SystemCall_Unknown +NtAccessCheck_Check_10_0_XXXX: ; Check build number for Windows 10. + jmp NtAccessCheck_SystemCall_Unknown +NtAccessCheck_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0061h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0061h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0061h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0061h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0061h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0061h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0062h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0062h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0000h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0000h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0000h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0000h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_10_0_16299: 
; Windows 10.0.16299 (1709) + mov eax, 0000h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0000h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0000h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0000h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0000h + jmp NtAccessCheck_Epilogue +NtAccessCheck_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAccessCheck_Epilogue: + mov r10, rcx + syscall + ret +NtAccessCheck ENDP + +NtAccessCheckAndAuditAlarm PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAccessCheckAndAuditAlarm_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAccessCheckAndAuditAlarm_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAccessCheckAndAuditAlarm_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAccessCheckAndAuditAlarm_Check_10_0_XXXX + jmp NtAccessCheckAndAuditAlarm_SystemCall_Unknown +NtAccessCheckAndAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAccessCheckAndAuditAlarm_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAccessCheckAndAuditAlarm_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAccessCheckAndAuditAlarm_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAccessCheckAndAuditAlarm_SystemCall_6_3_XXXX + jmp NtAccessCheckAndAuditAlarm_SystemCall_Unknown +NtAccessCheckAndAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtAccessCheckAndAuditAlarm_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAccessCheckAndAuditAlarm_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAccessCheckAndAuditAlarm_SystemCall_6_0_6002 + jmp NtAccessCheckAndAuditAlarm_SystemCall_Unknown +NtAccessCheckAndAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAccessCheckAndAuditAlarm_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAccessCheckAndAuditAlarm_SystemCall_6_1_7601 + jmp NtAccessCheckAndAuditAlarm_SystemCall_Unknown +NtAccessCheckAndAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtAccessCheckAndAuditAlarm_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAccessCheckAndAuditAlarm_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAccessCheckAndAuditAlarm_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAccessCheckAndAuditAlarm_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAccessCheckAndAuditAlarm_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAccessCheckAndAuditAlarm_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAccessCheckAndAuditAlarm_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAccessCheckAndAuditAlarm_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAccessCheckAndAuditAlarm_SystemCall_10_0_18363 + jmp NtAccessCheckAndAuditAlarm_SystemCall_Unknown +NtAccessCheckAndAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0026h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0026h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0026h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_6_0_6002: ; 
Windows Vista SP2 and Server 2008 SP2 + mov eax, 0026h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0026h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0026h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0027h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0028h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0029h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0029h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0029h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0029h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0029h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0029h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0029h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0029h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0029h + jmp NtAccessCheckAndAuditAlarm_Epilogue +NtAccessCheckAndAuditAlarm_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtAccessCheckAndAuditAlarm_Epilogue: + mov r10, rcx + syscall + ret +NtAccessCheckAndAuditAlarm ENDP + +NtAccessCheckByType PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAccessCheckByType_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAccessCheckByType_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAccessCheckByType_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAccessCheckByType_Check_10_0_XXXX + jmp NtAccessCheckByType_SystemCall_Unknown +NtAccessCheckByType_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAccessCheckByType_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAccessCheckByType_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAccessCheckByType_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAccessCheckByType_SystemCall_6_3_XXXX + jmp NtAccessCheckByType_SystemCall_Unknown +NtAccessCheckByType_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAccessCheckByType_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAccessCheckByType_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAccessCheckByType_SystemCall_6_0_6002 + jmp NtAccessCheckByType_SystemCall_Unknown +NtAccessCheckByType_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAccessCheckByType_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAccessCheckByType_SystemCall_6_1_7601 + jmp NtAccessCheckByType_SystemCall_Unknown +NtAccessCheckByType_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAccessCheckByType_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAccessCheckByType_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAccessCheckByType_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAccessCheckByType_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAccessCheckByType_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAccessCheckByType_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAccessCheckByType_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAccessCheckByType_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAccessCheckByType_SystemCall_10_0_18363 + jmp NtAccessCheckByType_SystemCall_Unknown +NtAccessCheckByType_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0062h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0062h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0062h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0062h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0062h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0062h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0063h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0063h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0063h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0063h + jmp 
NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0063h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0063h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0063h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0063h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0063h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0063h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0063h + jmp NtAccessCheckByType_Epilogue +NtAccessCheckByType_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAccessCheckByType_Epilogue: + mov r10, rcx + syscall + ret +NtAccessCheckByType ENDP + +NtAccessCheckByTypeAndAuditAlarm PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAccessCheckByTypeAndAuditAlarm_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAccessCheckByTypeAndAuditAlarm_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAccessCheckByTypeAndAuditAlarm_Check_10_0_XXXX + jmp NtAccessCheckByTypeAndAuditAlarm_SystemCall_Unknown +NtAccessCheckByTypeAndAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtAccessCheckByTypeAndAuditAlarm_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAccessCheckByTypeAndAuditAlarm_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_3_XXXX + jmp NtAccessCheckByTypeAndAuditAlarm_SystemCall_Unknown +NtAccessCheckByTypeAndAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_0_6002 + jmp NtAccessCheckByTypeAndAuditAlarm_SystemCall_Unknown +NtAccessCheckByTypeAndAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_1_7601 + jmp NtAccessCheckByTypeAndAuditAlarm_SystemCall_Unknown +NtAccessCheckByTypeAndAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_18363 + jmp NtAccessCheckByTypeAndAuditAlarm_SystemCall_Unknown +NtAccessCheckByTypeAndAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0056h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0056h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0056h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0056h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0056h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0056h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0057h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue 
+NtAccessCheckByTypeAndAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0058h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0059h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0059h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0059h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0059h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0059h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0059h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0059h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0059h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0059h + jmp NtAccessCheckByTypeAndAuditAlarm_Epilogue +NtAccessCheckByTypeAndAuditAlarm_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAccessCheckByTypeAndAuditAlarm_Epilogue: + mov r10, rcx + syscall + ret +NtAccessCheckByTypeAndAuditAlarm ENDP + +NtAccessCheckByTypeResultList PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAccessCheckByTypeResultList_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtAccessCheckByTypeResultList_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAccessCheckByTypeResultList_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAccessCheckByTypeResultList_Check_10_0_XXXX + jmp NtAccessCheckByTypeResultList_SystemCall_Unknown +NtAccessCheckByTypeResultList_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAccessCheckByTypeResultList_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAccessCheckByTypeResultList_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAccessCheckByTypeResultList_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAccessCheckByTypeResultList_SystemCall_6_3_XXXX + jmp NtAccessCheckByTypeResultList_SystemCall_Unknown +NtAccessCheckByTypeResultList_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAccessCheckByTypeResultList_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAccessCheckByTypeResultList_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAccessCheckByTypeResultList_SystemCall_6_0_6002 + jmp NtAccessCheckByTypeResultList_SystemCall_Unknown +NtAccessCheckByTypeResultList_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAccessCheckByTypeResultList_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAccessCheckByTypeResultList_SystemCall_6_1_7601 + jmp NtAccessCheckByTypeResultList_SystemCall_Unknown +NtAccessCheckByTypeResultList_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAccessCheckByTypeResultList_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAccessCheckByTypeResultList_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAccessCheckByTypeResultList_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAccessCheckByTypeResultList_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAccessCheckByTypeResultList_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAccessCheckByTypeResultList_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAccessCheckByTypeResultList_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAccessCheckByTypeResultList_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAccessCheckByTypeResultList_SystemCall_10_0_18363 + jmp NtAccessCheckByTypeResultList_SystemCall_Unknown +NtAccessCheckByTypeResultList_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0063h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0063h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0063h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0063h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0063h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0063h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0064h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0064h + jmp 
NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0064h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0064h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0064h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0064h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0064h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0064h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0064h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0064h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0064h + jmp NtAccessCheckByTypeResultList_Epilogue +NtAccessCheckByTypeResultList_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAccessCheckByTypeResultList_Epilogue: + mov r10, rcx + syscall + ret +NtAccessCheckByTypeResultList ENDP + +NtAccessCheckByTypeResultListAndAuditAlarm PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAccessCheckByTypeResultListAndAuditAlarm_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAccessCheckByTypeResultListAndAuditAlarm_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAccessCheckByTypeResultListAndAuditAlarm_Check_10_0_XXXX + jmp NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_Unknown +NtAccessCheckByTypeResultListAndAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAccessCheckByTypeResultListAndAuditAlarm_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAccessCheckByTypeResultListAndAuditAlarm_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_3_XXXX + jmp NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_Unknown +NtAccessCheckByTypeResultListAndAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_0_6002 + jmp NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_Unknown +NtAccessCheckByTypeResultListAndAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_1_7601 + jmp NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_Unknown +NtAccessCheckByTypeResultListAndAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_18363 + jmp NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_Unknown +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0064h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0064h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0064h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0064h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0064h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0064h + jmp 
NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_Unknown: ; 
Unknown/unsupported version. + ret +NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue: + mov r10, rcx + syscall + ret +NtAccessCheckByTypeResultListAndAuditAlarm ENDP + +NtAccessCheckByTypeResultListAndAuditAlarmByHandle PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_10_0_XXXX + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_3_XXXX + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6002 + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_1_7601 + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_18363 + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0065h + jmp 
NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0065h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0066h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0066h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0066h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0066h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0066h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0066h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0066h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue 
+NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0066h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0066h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0066h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0066h + jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue: + mov r10, rcx + syscall + ret +NtAccessCheckByTypeResultListAndAuditAlarmByHandle ENDP + +NtAcquireCMFViewOwnership PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAcquireCMFViewOwnership_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAcquireCMFViewOwnership_Check_6_X_XXXX + jmp NtAcquireCMFViewOwnership_SystemCall_Unknown +NtAcquireCMFViewOwnership_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAcquireCMFViewOwnership_Check_6_0_XXXX + jmp NtAcquireCMFViewOwnership_SystemCall_Unknown +NtAcquireCMFViewOwnership_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtAcquireCMFViewOwnership_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAcquireCMFViewOwnership_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAcquireCMFViewOwnership_SystemCall_6_0_6002 + jmp NtAcquireCMFViewOwnership_SystemCall_Unknown +NtAcquireCMFViewOwnership_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0066h + jmp NtAcquireCMFViewOwnership_Epilogue +NtAcquireCMFViewOwnership_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0066h + jmp NtAcquireCMFViewOwnership_Epilogue +NtAcquireCMFViewOwnership_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0066h + jmp NtAcquireCMFViewOwnership_Epilogue +NtAcquireCMFViewOwnership_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAcquireCMFViewOwnership_Epilogue: + mov r10, rcx + syscall + ret +NtAcquireCMFViewOwnership ENDP + +NtAcquireProcessActivityReference PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAcquireProcessActivityReference_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtAcquireProcessActivityReference_Check_10_0_XXXX + jmp NtAcquireProcessActivityReference_SystemCall_Unknown +NtAcquireProcessActivityReference_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 15063 + je NtAcquireProcessActivityReference_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAcquireProcessActivityReference_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAcquireProcessActivityReference_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAcquireProcessActivityReference_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAcquireProcessActivityReference_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAcquireProcessActivityReference_SystemCall_10_0_18363 + jmp NtAcquireProcessActivityReference_SystemCall_Unknown +NtAcquireProcessActivityReference_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0067h + jmp NtAcquireProcessActivityReference_Epilogue +NtAcquireProcessActivityReference_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0067h + jmp NtAcquireProcessActivityReference_Epilogue +NtAcquireProcessActivityReference_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0067h + jmp NtAcquireProcessActivityReference_Epilogue +NtAcquireProcessActivityReference_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0067h + jmp NtAcquireProcessActivityReference_Epilogue +NtAcquireProcessActivityReference_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0067h + jmp NtAcquireProcessActivityReference_Epilogue +NtAcquireProcessActivityReference_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0067h + jmp NtAcquireProcessActivityReference_Epilogue +NtAcquireProcessActivityReference_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAcquireProcessActivityReference_Epilogue: + mov r10, rcx + syscall + ret +NtAcquireProcessActivityReference ENDP + +NtAddAtom PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAddAtom_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtAddAtom_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAddAtom_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAddAtom_Check_10_0_XXXX + jmp NtAddAtom_SystemCall_Unknown +NtAddAtom_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAddAtom_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAddAtom_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAddAtom_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAddAtom_SystemCall_6_3_XXXX + jmp NtAddAtom_SystemCall_Unknown +NtAddAtom_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAddAtom_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAddAtom_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAddAtom_SystemCall_6_0_6002 + jmp NtAddAtom_SystemCall_Unknown +NtAddAtom_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAddAtom_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAddAtom_SystemCall_6_1_7601 + jmp NtAddAtom_SystemCall_Unknown +NtAddAtom_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAddAtom_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAddAtom_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAddAtom_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAddAtom_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAddAtom_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAddAtom_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAddAtom_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAddAtom_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAddAtom_SystemCall_10_0_18363 + jmp NtAddAtom_SystemCall_Unknown +NtAddAtom_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0044h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0044h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0044h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0044h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0044h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0044h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0045h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0046h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0047h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0047h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0047h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0047h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 
0047h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0047h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0047h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0047h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0047h + jmp NtAddAtom_Epilogue +NtAddAtom_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAddAtom_Epilogue: + mov r10, rcx + syscall + ret +NtAddAtom ENDP + +NtAddAtomEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAddAtomEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAddAtomEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAddAtomEx_Check_10_0_XXXX + jmp NtAddAtomEx_SystemCall_Unknown +NtAddAtomEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtAddAtomEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAddAtomEx_SystemCall_6_3_XXXX + jmp NtAddAtomEx_SystemCall_Unknown +NtAddAtomEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAddAtomEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAddAtomEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAddAtomEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAddAtomEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAddAtomEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAddAtomEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAddAtomEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAddAtomEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAddAtomEx_SystemCall_10_0_18363 + jmp NtAddAtomEx_SystemCall_Unknown +NtAddAtomEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0067h + jmp NtAddAtomEx_Epilogue +NtAddAtomEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0067h + jmp NtAddAtomEx_Epilogue +NtAddAtomEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0067h + jmp NtAddAtomEx_Epilogue +NtAddAtomEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0067h + jmp NtAddAtomEx_Epilogue +NtAddAtomEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0067h + jmp NtAddAtomEx_Epilogue +NtAddAtomEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0068h + jmp NtAddAtomEx_Epilogue +NtAddAtomEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0068h + jmp NtAddAtomEx_Epilogue +NtAddAtomEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0068h + jmp NtAddAtomEx_Epilogue +NtAddAtomEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0068h + jmp NtAddAtomEx_Epilogue +NtAddAtomEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0068h + jmp NtAddAtomEx_Epilogue +NtAddAtomEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0068h + jmp NtAddAtomEx_Epilogue +NtAddAtomEx_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtAddAtomEx_Epilogue: + mov r10, rcx + syscall + ret +NtAddAtomEx ENDP + +NtAddBootEntry PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAddBootEntry_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAddBootEntry_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAddBootEntry_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAddBootEntry_Check_10_0_XXXX + jmp NtAddBootEntry_SystemCall_Unknown +NtAddBootEntry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAddBootEntry_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAddBootEntry_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAddBootEntry_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAddBootEntry_SystemCall_6_3_XXXX + jmp NtAddBootEntry_SystemCall_Unknown +NtAddBootEntry_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAddBootEntry_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAddBootEntry_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAddBootEntry_SystemCall_6_0_6002 + jmp NtAddBootEntry_SystemCall_Unknown +NtAddBootEntry_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAddBootEntry_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAddBootEntry_SystemCall_6_1_7601 + jmp NtAddBootEntry_SystemCall_Unknown +NtAddBootEntry_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAddBootEntry_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAddBootEntry_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAddBootEntry_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAddBootEntry_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAddBootEntry_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAddBootEntry_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAddBootEntry_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAddBootEntry_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAddBootEntry_SystemCall_10_0_18363 + jmp NtAddBootEntry_SystemCall_Unknown +NtAddBootEntry_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0066h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0067h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0067h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0067h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0066h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0066h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0068h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0068h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0068h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0068h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0068h + jmp NtAddBootEntry_Epilogue 
+NtAddBootEntry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0069h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0069h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0069h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0069h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0069h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0069h + jmp NtAddBootEntry_Epilogue +NtAddBootEntry_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAddBootEntry_Epilogue: + mov r10, rcx + syscall + ret +NtAddBootEntry ENDP + +NtAddDriverEntry PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAddDriverEntry_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAddDriverEntry_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAddDriverEntry_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAddDriverEntry_Check_10_0_XXXX + jmp NtAddDriverEntry_SystemCall_Unknown +NtAddDriverEntry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAddDriverEntry_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAddDriverEntry_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAddDriverEntry_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAddDriverEntry_SystemCall_6_3_XXXX + jmp NtAddDriverEntry_SystemCall_Unknown +NtAddDriverEntry_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtAddDriverEntry_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAddDriverEntry_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAddDriverEntry_SystemCall_6_0_6002 + jmp NtAddDriverEntry_SystemCall_Unknown +NtAddDriverEntry_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAddDriverEntry_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAddDriverEntry_SystemCall_6_1_7601 + jmp NtAddDriverEntry_SystemCall_Unknown +NtAddDriverEntry_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtAddDriverEntry_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAddDriverEntry_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAddDriverEntry_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAddDriverEntry_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAddDriverEntry_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAddDriverEntry_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAddDriverEntry_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAddDriverEntry_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAddDriverEntry_SystemCall_10_0_18363 + jmp NtAddDriverEntry_SystemCall_Unknown +NtAddDriverEntry_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0067h + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0068h + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0068h + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0068h + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0067h + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 
2008 R2 SP0 + mov eax, 0067h + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0069h + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0069h + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0069h + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0069h + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0069h + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 006ah + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 006ah + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 006ah + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 006ah + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 006ah + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 006ah + jmp NtAddDriverEntry_Epilogue +NtAddDriverEntry_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAddDriverEntry_Epilogue: + mov r10, rcx + syscall + ret +NtAddDriverEntry ENDP + +NtAdjustGroupsToken PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAdjustGroupsToken_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAdjustGroupsToken_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAdjustGroupsToken_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAdjustGroupsToken_Check_10_0_XXXX + jmp NtAdjustGroupsToken_SystemCall_Unknown +NtAdjustGroupsToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtAdjustGroupsToken_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAdjustGroupsToken_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAdjustGroupsToken_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAdjustGroupsToken_SystemCall_6_3_XXXX + jmp NtAdjustGroupsToken_SystemCall_Unknown +NtAdjustGroupsToken_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAdjustGroupsToken_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAdjustGroupsToken_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAdjustGroupsToken_SystemCall_6_0_6002 + jmp NtAdjustGroupsToken_SystemCall_Unknown +NtAdjustGroupsToken_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAdjustGroupsToken_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAdjustGroupsToken_SystemCall_6_1_7601 + jmp NtAdjustGroupsToken_SystemCall_Unknown +NtAdjustGroupsToken_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAdjustGroupsToken_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAdjustGroupsToken_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAdjustGroupsToken_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAdjustGroupsToken_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAdjustGroupsToken_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAdjustGroupsToken_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAdjustGroupsToken_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAdjustGroupsToken_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAdjustGroupsToken_SystemCall_10_0_18363 + jmp NtAdjustGroupsToken_SystemCall_Unknown +NtAdjustGroupsToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0068h + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0069h + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0069h + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0069h + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0068h + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0068h + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 006ah + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 006ah + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 006ah + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 006ah + jmp 
NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 006ah + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 006bh + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 006bh + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 006bh + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 006bh + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 006bh + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 006bh + jmp NtAdjustGroupsToken_Epilogue +NtAdjustGroupsToken_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAdjustGroupsToken_Epilogue: + mov r10, rcx + syscall + ret +NtAdjustGroupsToken ENDP + +NtAdjustPrivilegesToken PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAdjustPrivilegesToken_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAdjustPrivilegesToken_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAdjustPrivilegesToken_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAdjustPrivilegesToken_Check_10_0_XXXX + jmp NtAdjustPrivilegesToken_SystemCall_Unknown +NtAdjustPrivilegesToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAdjustPrivilegesToken_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAdjustPrivilegesToken_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAdjustPrivilegesToken_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAdjustPrivilegesToken_SystemCall_6_3_XXXX + jmp NtAdjustPrivilegesToken_SystemCall_Unknown +NtAdjustPrivilegesToken_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtAdjustPrivilegesToken_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAdjustPrivilegesToken_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAdjustPrivilegesToken_SystemCall_6_0_6002 + jmp NtAdjustPrivilegesToken_SystemCall_Unknown +NtAdjustPrivilegesToken_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAdjustPrivilegesToken_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAdjustPrivilegesToken_SystemCall_6_1_7601 + jmp NtAdjustPrivilegesToken_SystemCall_Unknown +NtAdjustPrivilegesToken_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtAdjustPrivilegesToken_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAdjustPrivilegesToken_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAdjustPrivilegesToken_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAdjustPrivilegesToken_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAdjustPrivilegesToken_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAdjustPrivilegesToken_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAdjustPrivilegesToken_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAdjustPrivilegesToken_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAdjustPrivilegesToken_SystemCall_10_0_18363 + jmp NtAdjustPrivilegesToken_SystemCall_Unknown +NtAdjustPrivilegesToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 003eh + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 003eh + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 003eh + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 003eh + jmp 
NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 003eh + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 003eh + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 003fh + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0040h + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0041h + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0041h + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0041h + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0041h + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0041h + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0041h + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0041h + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0041h + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0041h + jmp NtAdjustPrivilegesToken_Epilogue +NtAdjustPrivilegesToken_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtAdjustPrivilegesToken_Epilogue: + mov r10, rcx + syscall + ret +NtAdjustPrivilegesToken ENDP + +NtAdjustTokenClaimsAndDeviceGroups PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAdjustTokenClaimsAndDeviceGroups_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAdjustTokenClaimsAndDeviceGroups_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAdjustTokenClaimsAndDeviceGroups_Check_10_0_XXXX + jmp NtAdjustTokenClaimsAndDeviceGroups_SystemCall_Unknown +NtAdjustTokenClaimsAndDeviceGroups_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_6_3_XXXX + jmp NtAdjustTokenClaimsAndDeviceGroups_SystemCall_Unknown +NtAdjustTokenClaimsAndDeviceGroups_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_18363 + jmp NtAdjustTokenClaimsAndDeviceGroups_SystemCall_Unknown +NtAdjustTokenClaimsAndDeviceGroups_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 006bh + jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue 
+NtAdjustTokenClaimsAndDeviceGroups_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 006bh + jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue +NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 006bh + jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue +NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 006bh + jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue +NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 006bh + jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue +NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 006ch + jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue +NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 006ch + jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue +NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 006ch + jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue +NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 006ch + jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue +NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 006ch + jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue +NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 006ch + jmp NtAdjustTokenClaimsAndDeviceGroups_Epilogue +NtAdjustTokenClaimsAndDeviceGroups_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAdjustTokenClaimsAndDeviceGroups_Epilogue: + mov r10, rcx + syscall + ret +NtAdjustTokenClaimsAndDeviceGroups ENDP + +NtAlertResumeThread PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlertResumeThread_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtAlertResumeThread_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAlertResumeThread_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlertResumeThread_Check_10_0_XXXX + jmp NtAlertResumeThread_SystemCall_Unknown +NtAlertResumeThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAlertResumeThread_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlertResumeThread_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlertResumeThread_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlertResumeThread_SystemCall_6_3_XXXX + jmp NtAlertResumeThread_SystemCall_Unknown +NtAlertResumeThread_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAlertResumeThread_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlertResumeThread_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlertResumeThread_SystemCall_6_0_6002 + jmp NtAlertResumeThread_SystemCall_Unknown +NtAlertResumeThread_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlertResumeThread_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlertResumeThread_SystemCall_6_1_7601 + jmp NtAlertResumeThread_SystemCall_Unknown +NtAlertResumeThread_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAlertResumeThread_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlertResumeThread_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlertResumeThread_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlertResumeThread_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlertResumeThread_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlertResumeThread_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlertResumeThread_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlertResumeThread_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlertResumeThread_SystemCall_10_0_18363 + jmp NtAlertResumeThread_SystemCall_Unknown +NtAlertResumeThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0069h + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 006ah + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 006ah + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 006ah + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0069h + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0069h + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 006ch + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 006ch + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 006ch + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 006ch + jmp 
NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 006ch + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 006dh + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 006dh + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 006dh + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 006dh + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 006dh + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 006dh + jmp NtAlertResumeThread_Epilogue +NtAlertResumeThread_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlertResumeThread_Epilogue: + mov r10, rcx + syscall + ret +NtAlertResumeThread ENDP + +NtAlertThread PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlertThread_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAlertThread_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAlertThread_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlertThread_Check_10_0_XXXX + jmp NtAlertThread_SystemCall_Unknown +NtAlertThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAlertThread_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlertThread_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlertThread_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlertThread_SystemCall_6_3_XXXX + jmp NtAlertThread_SystemCall_Unknown +NtAlertThread_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtAlertThread_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlertThread_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlertThread_SystemCall_6_0_6002 + jmp NtAlertThread_SystemCall_Unknown +NtAlertThread_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlertThread_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlertThread_SystemCall_6_1_7601 + jmp NtAlertThread_SystemCall_Unknown +NtAlertThread_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtAlertThread_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlertThread_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlertThread_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlertThread_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlertThread_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlertThread_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlertThread_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlertThread_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlertThread_SystemCall_10_0_18363 + jmp NtAlertThread_SystemCall_Unknown +NtAlertThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 006ah + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 006bh + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 006bh + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 006bh + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 006ah + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 006ah + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_6_2_XXXX: 
; Windows 8 and Server 2012 + mov eax, 006dh + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 006dh + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 006dh + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 006dh + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 006dh + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 006eh + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 006eh + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 006eh + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 006eh + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 006eh + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 006eh + jmp NtAlertThread_Epilogue +NtAlertThread_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlertThread_Epilogue: + mov r10, rcx + syscall + ret +NtAlertThread ENDP + +NtAlertThreadByThreadId PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlertThreadByThreadId_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAlertThreadByThreadId_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlertThreadByThreadId_Check_10_0_XXXX + jmp NtAlertThreadByThreadId_SystemCall_Unknown +NtAlertThreadByThreadId_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 2 + je NtAlertThreadByThreadId_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlertThreadByThreadId_SystemCall_6_3_XXXX + jmp NtAlertThreadByThreadId_SystemCall_Unknown +NtAlertThreadByThreadId_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtAlertThreadByThreadId_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlertThreadByThreadId_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlertThreadByThreadId_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlertThreadByThreadId_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlertThreadByThreadId_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlertThreadByThreadId_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlertThreadByThreadId_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlertThreadByThreadId_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlertThreadByThreadId_SystemCall_10_0_18363 + jmp NtAlertThreadByThreadId_SystemCall_Unknown +NtAlertThreadByThreadId_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 006eh + jmp NtAlertThreadByThreadId_Epilogue +NtAlertThreadByThreadId_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 006eh + jmp NtAlertThreadByThreadId_Epilogue +NtAlertThreadByThreadId_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 006eh + jmp NtAlertThreadByThreadId_Epilogue +NtAlertThreadByThreadId_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 006eh + jmp NtAlertThreadByThreadId_Epilogue +NtAlertThreadByThreadId_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 006eh + jmp NtAlertThreadByThreadId_Epilogue +NtAlertThreadByThreadId_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 006fh + jmp NtAlertThreadByThreadId_Epilogue +NtAlertThreadByThreadId_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 006fh + jmp 
NtAlertThreadByThreadId_Epilogue +NtAlertThreadByThreadId_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 006fh + jmp NtAlertThreadByThreadId_Epilogue +NtAlertThreadByThreadId_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 006fh + jmp NtAlertThreadByThreadId_Epilogue +NtAlertThreadByThreadId_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 006fh + jmp NtAlertThreadByThreadId_Epilogue +NtAlertThreadByThreadId_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 006fh + jmp NtAlertThreadByThreadId_Epilogue +NtAlertThreadByThreadId_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlertThreadByThreadId_Epilogue: + mov r10, rcx + syscall + ret +NtAlertThreadByThreadId ENDP + +NtAllocateLocallyUniqueId PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAllocateLocallyUniqueId_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAllocateLocallyUniqueId_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAllocateLocallyUniqueId_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAllocateLocallyUniqueId_Check_10_0_XXXX + jmp NtAllocateLocallyUniqueId_SystemCall_Unknown +NtAllocateLocallyUniqueId_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAllocateLocallyUniqueId_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAllocateLocallyUniqueId_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAllocateLocallyUniqueId_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAllocateLocallyUniqueId_SystemCall_6_3_XXXX + jmp NtAllocateLocallyUniqueId_SystemCall_Unknown +NtAllocateLocallyUniqueId_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtAllocateLocallyUniqueId_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAllocateLocallyUniqueId_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAllocateLocallyUniqueId_SystemCall_6_0_6002 + jmp NtAllocateLocallyUniqueId_SystemCall_Unknown +NtAllocateLocallyUniqueId_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAllocateLocallyUniqueId_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAllocateLocallyUniqueId_SystemCall_6_1_7601 + jmp NtAllocateLocallyUniqueId_SystemCall_Unknown +NtAllocateLocallyUniqueId_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtAllocateLocallyUniqueId_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAllocateLocallyUniqueId_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAllocateLocallyUniqueId_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAllocateLocallyUniqueId_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAllocateLocallyUniqueId_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAllocateLocallyUniqueId_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAllocateLocallyUniqueId_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAllocateLocallyUniqueId_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAllocateLocallyUniqueId_SystemCall_10_0_18363 + jmp NtAllocateLocallyUniqueId_SystemCall_Unknown +NtAllocateLocallyUniqueId_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 006bh + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 006ch + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 006ch + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_6_0_6002: ; Windows Vista SP2 and 
Server 2008 SP2 + mov eax, 006ch + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 006bh + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 006bh + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 006fh + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 006fh + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 006fh + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 006fh + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 006fh + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0070h + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0070h + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0070h + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0070h + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0070h + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0070h + jmp NtAllocateLocallyUniqueId_Epilogue +NtAllocateLocallyUniqueId_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtAllocateLocallyUniqueId_Epilogue: + mov r10, rcx + syscall + ret +NtAllocateLocallyUniqueId ENDP + +NtAllocateReserveObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAllocateReserveObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAllocateReserveObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAllocateReserveObject_Check_10_0_XXXX + jmp NtAllocateReserveObject_SystemCall_Unknown +NtAllocateReserveObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 1 + je NtAllocateReserveObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAllocateReserveObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAllocateReserveObject_SystemCall_6_3_XXXX + jmp NtAllocateReserveObject_SystemCall_Unknown +NtAllocateReserveObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAllocateReserveObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAllocateReserveObject_SystemCall_6_1_7601 + jmp NtAllocateReserveObject_SystemCall_Unknown +NtAllocateReserveObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAllocateReserveObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAllocateReserveObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAllocateReserveObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAllocateReserveObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAllocateReserveObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAllocateReserveObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAllocateReserveObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAllocateReserveObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAllocateReserveObject_SystemCall_10_0_18363 + jmp NtAllocateReserveObject_SystemCall_Unknown +NtAllocateReserveObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 006ch + jmp NtAllocateReserveObject_Epilogue +NtAllocateReserveObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 006ch + jmp NtAllocateReserveObject_Epilogue +NtAllocateReserveObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0070h + jmp NtAllocateReserveObject_Epilogue +NtAllocateReserveObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0070h + jmp NtAllocateReserveObject_Epilogue +NtAllocateReserveObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0070h + jmp NtAllocateReserveObject_Epilogue +NtAllocateReserveObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0070h + jmp NtAllocateReserveObject_Epilogue +NtAllocateReserveObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0070h + jmp NtAllocateReserveObject_Epilogue +NtAllocateReserveObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0071h + jmp NtAllocateReserveObject_Epilogue +NtAllocateReserveObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0071h + jmp NtAllocateReserveObject_Epilogue 
+NtAllocateReserveObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0071h + jmp NtAllocateReserveObject_Epilogue +NtAllocateReserveObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0071h + jmp NtAllocateReserveObject_Epilogue +NtAllocateReserveObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0071h + jmp NtAllocateReserveObject_Epilogue +NtAllocateReserveObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0071h + jmp NtAllocateReserveObject_Epilogue +NtAllocateReserveObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAllocateReserveObject_Epilogue: + mov r10, rcx + syscall + ret +NtAllocateReserveObject ENDP + +NtAllocateUserPhysicalPages PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAllocateUserPhysicalPages_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAllocateUserPhysicalPages_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAllocateUserPhysicalPages_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAllocateUserPhysicalPages_Check_10_0_XXXX + jmp NtAllocateUserPhysicalPages_SystemCall_Unknown +NtAllocateUserPhysicalPages_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAllocateUserPhysicalPages_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAllocateUserPhysicalPages_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAllocateUserPhysicalPages_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAllocateUserPhysicalPages_SystemCall_6_3_XXXX + jmp NtAllocateUserPhysicalPages_SystemCall_Unknown +NtAllocateUserPhysicalPages_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtAllocateUserPhysicalPages_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAllocateUserPhysicalPages_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAllocateUserPhysicalPages_SystemCall_6_0_6002 + jmp NtAllocateUserPhysicalPages_SystemCall_Unknown +NtAllocateUserPhysicalPages_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAllocateUserPhysicalPages_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAllocateUserPhysicalPages_SystemCall_6_1_7601 + jmp NtAllocateUserPhysicalPages_SystemCall_Unknown +NtAllocateUserPhysicalPages_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtAllocateUserPhysicalPages_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAllocateUserPhysicalPages_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAllocateUserPhysicalPages_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAllocateUserPhysicalPages_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAllocateUserPhysicalPages_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAllocateUserPhysicalPages_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAllocateUserPhysicalPages_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAllocateUserPhysicalPages_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAllocateUserPhysicalPages_SystemCall_10_0_18363 + jmp NtAllocateUserPhysicalPages_SystemCall_Unknown +NtAllocateUserPhysicalPages_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 006ch + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 006dh + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 006dh + jmp NtAllocateUserPhysicalPages_Epilogue 
+NtAllocateUserPhysicalPages_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 006dh + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 006dh + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 006dh + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0071h + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0071h + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0071h + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0071h + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0071h + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0072h + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0072h + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0072h + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0072h + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0072h + jmp NtAllocateUserPhysicalPages_Epilogue +NtAllocateUserPhysicalPages_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0072h + jmp NtAllocateUserPhysicalPages_Epilogue 
+NtAllocateUserPhysicalPages_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAllocateUserPhysicalPages_Epilogue: + mov r10, rcx + syscall + ret +NtAllocateUserPhysicalPages ENDP + +NtAllocateUuids PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAllocateUuids_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAllocateUuids_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAllocateUuids_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAllocateUuids_Check_10_0_XXXX + jmp NtAllocateUuids_SystemCall_Unknown +NtAllocateUuids_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAllocateUuids_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAllocateUuids_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAllocateUuids_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAllocateUuids_SystemCall_6_3_XXXX + jmp NtAllocateUuids_SystemCall_Unknown +NtAllocateUuids_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAllocateUuids_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAllocateUuids_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAllocateUuids_SystemCall_6_0_6002 + jmp NtAllocateUuids_SystemCall_Unknown +NtAllocateUuids_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAllocateUuids_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAllocateUuids_SystemCall_6_1_7601 + jmp NtAllocateUuids_SystemCall_Unknown +NtAllocateUuids_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAllocateUuids_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAllocateUuids_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAllocateUuids_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAllocateUuids_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAllocateUuids_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAllocateUuids_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAllocateUuids_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAllocateUuids_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAllocateUuids_SystemCall_10_0_18363 + jmp NtAllocateUuids_SystemCall_Unknown +NtAllocateUuids_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 006dh + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 006eh + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 006eh + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 006eh + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 006eh + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 006eh + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0072h + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0072h + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0072h + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0072h + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0072h + jmp 
NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0073h + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0073h + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0073h + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0073h + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0073h + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0073h + jmp NtAllocateUuids_Epilogue +NtAllocateUuids_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAllocateUuids_Epilogue: + mov r10, rcx + syscall + ret +NtAllocateUuids ENDP + +NtAllocateVirtualMemory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAllocateVirtualMemory_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAllocateVirtualMemory_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAllocateVirtualMemory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAllocateVirtualMemory_Check_10_0_XXXX + jmp NtAllocateVirtualMemory_SystemCall_Unknown +NtAllocateVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAllocateVirtualMemory_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAllocateVirtualMemory_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAllocateVirtualMemory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAllocateVirtualMemory_SystemCall_6_3_XXXX + jmp NtAllocateVirtualMemory_SystemCall_Unknown +NtAllocateVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtAllocateVirtualMemory_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAllocateVirtualMemory_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAllocateVirtualMemory_SystemCall_6_0_6002 + jmp NtAllocateVirtualMemory_SystemCall_Unknown +NtAllocateVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAllocateVirtualMemory_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAllocateVirtualMemory_SystemCall_6_1_7601 + jmp NtAllocateVirtualMemory_SystemCall_Unknown +NtAllocateVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtAllocateVirtualMemory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAllocateVirtualMemory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAllocateVirtualMemory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAllocateVirtualMemory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAllocateVirtualMemory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAllocateVirtualMemory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAllocateVirtualMemory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAllocateVirtualMemory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAllocateVirtualMemory_SystemCall_10_0_18363 + jmp NtAllocateVirtualMemory_SystemCall_Unknown +NtAllocateVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0015h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0015h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0015h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0015h + jmp 
NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0015h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0015h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0016h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0017h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0018h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0018h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0018h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0018h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0018h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0018h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0018h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0018h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0018h + jmp NtAllocateVirtualMemory_Epilogue +NtAllocateVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAllocateVirtualMemory_Epilogue: + mov r10, rcx + syscall + ret +NtAllocateVirtualMemory ENDP + +NtAllocateVirtualMemoryEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. 
+NtAllocateVirtualMemoryEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtAllocateVirtualMemoryEx_Check_10_0_XXXX + jmp NtAllocateVirtualMemoryEx_SystemCall_Unknown +NtAllocateVirtualMemoryEx_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 17134 + je NtAllocateVirtualMemoryEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAllocateVirtualMemoryEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAllocateVirtualMemoryEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAllocateVirtualMemoryEx_SystemCall_10_0_18363 + jmp NtAllocateVirtualMemoryEx_SystemCall_Unknown +NtAllocateVirtualMemoryEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0074h + jmp NtAllocateVirtualMemoryEx_Epilogue +NtAllocateVirtualMemoryEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0074h + jmp NtAllocateVirtualMemoryEx_Epilogue +NtAllocateVirtualMemoryEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0074h + jmp NtAllocateVirtualMemoryEx_Epilogue +NtAllocateVirtualMemoryEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0074h + jmp NtAllocateVirtualMemoryEx_Epilogue +NtAllocateVirtualMemoryEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAllocateVirtualMemoryEx_Epilogue: + mov r10, rcx + syscall + ret +NtAllocateVirtualMemoryEx ENDP + +NtAlpcAcceptConnectPort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlpcAcceptConnectPort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAlpcAcceptConnectPort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlpcAcceptConnectPort_Check_10_0_XXXX + jmp NtAlpcAcceptConnectPort_SystemCall_Unknown +NtAlpcAcceptConnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtAlpcAcceptConnectPort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlpcAcceptConnectPort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcAcceptConnectPort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcAcceptConnectPort_SystemCall_6_3_XXXX + jmp NtAlpcAcceptConnectPort_SystemCall_Unknown +NtAlpcAcceptConnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAlpcAcceptConnectPort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlpcAcceptConnectPort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlpcAcceptConnectPort_SystemCall_6_0_6002 + jmp NtAlpcAcceptConnectPort_SystemCall_Unknown +NtAlpcAcceptConnectPort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlpcAcceptConnectPort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlpcAcceptConnectPort_SystemCall_6_1_7601 + jmp NtAlpcAcceptConnectPort_SystemCall_Unknown +NtAlpcAcceptConnectPort_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAlpcAcceptConnectPort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlpcAcceptConnectPort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlpcAcceptConnectPort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlpcAcceptConnectPort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlpcAcceptConnectPort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlpcAcceptConnectPort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlpcAcceptConnectPort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlpcAcceptConnectPort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlpcAcceptConnectPort_SystemCall_10_0_18363 + jmp NtAlpcAcceptConnectPort_SystemCall_Unknown +NtAlpcAcceptConnectPort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 006fh + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 006fh + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 006fh + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 006fh + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 006fh + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0073h + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0073h + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0073h + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0073h + jmp 
NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0073h + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0074h + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0074h + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0075h + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0075h + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0075h + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0075h + jmp NtAlpcAcceptConnectPort_Epilogue +NtAlpcAcceptConnectPort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlpcAcceptConnectPort_Epilogue: + mov r10, rcx + syscall + ret +NtAlpcAcceptConnectPort ENDP + +NtAlpcCancelMessage PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlpcCancelMessage_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAlpcCancelMessage_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlpcCancelMessage_Check_10_0_XXXX + jmp NtAlpcCancelMessage_SystemCall_Unknown +NtAlpcCancelMessage_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAlpcCancelMessage_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlpcCancelMessage_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcCancelMessage_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcCancelMessage_SystemCall_6_3_XXXX + jmp NtAlpcCancelMessage_SystemCall_Unknown +NtAlpcCancelMessage_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtAlpcCancelMessage_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlpcCancelMessage_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlpcCancelMessage_SystemCall_6_0_6002 + jmp NtAlpcCancelMessage_SystemCall_Unknown +NtAlpcCancelMessage_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlpcCancelMessage_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlpcCancelMessage_SystemCall_6_1_7601 + jmp NtAlpcCancelMessage_SystemCall_Unknown +NtAlpcCancelMessage_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtAlpcCancelMessage_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlpcCancelMessage_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlpcCancelMessage_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlpcCancelMessage_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlpcCancelMessage_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlpcCancelMessage_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlpcCancelMessage_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlpcCancelMessage_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlpcCancelMessage_SystemCall_10_0_18363 + jmp NtAlpcCancelMessage_SystemCall_Unknown +NtAlpcCancelMessage_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0070h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0070h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0070h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0070h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0070h + jmp 
NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0074h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0074h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0074h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0074h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0074h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0075h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0075h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0076h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0076h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0076h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0076h + jmp NtAlpcCancelMessage_Epilogue +NtAlpcCancelMessage_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlpcCancelMessage_Epilogue: + mov r10, rcx + syscall + ret +NtAlpcCancelMessage ENDP + +NtAlpcConnectPort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlpcConnectPort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAlpcConnectPort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlpcConnectPort_Check_10_0_XXXX + jmp NtAlpcConnectPort_SystemCall_Unknown +NtAlpcConnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtAlpcConnectPort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlpcConnectPort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcConnectPort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcConnectPort_SystemCall_6_3_XXXX + jmp NtAlpcConnectPort_SystemCall_Unknown +NtAlpcConnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAlpcConnectPort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlpcConnectPort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlpcConnectPort_SystemCall_6_0_6002 + jmp NtAlpcConnectPort_SystemCall_Unknown +NtAlpcConnectPort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlpcConnectPort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlpcConnectPort_SystemCall_6_1_7601 + jmp NtAlpcConnectPort_SystemCall_Unknown +NtAlpcConnectPort_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAlpcConnectPort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlpcConnectPort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlpcConnectPort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlpcConnectPort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlpcConnectPort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlpcConnectPort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlpcConnectPort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlpcConnectPort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlpcConnectPort_SystemCall_10_0_18363 + jmp NtAlpcConnectPort_SystemCall_Unknown +NtAlpcConnectPort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0071h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0071h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0071h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0071h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0071h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0075h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0075h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0075h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0075h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0075h + jmp NtAlpcConnectPort_Epilogue 
+NtAlpcConnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0076h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0076h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0077h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0077h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0077h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0077h + jmp NtAlpcConnectPort_Epilogue +NtAlpcConnectPort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlpcConnectPort_Epilogue: + mov r10, rcx + syscall + ret +NtAlpcConnectPort ENDP + +NtAlpcConnectPortEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlpcConnectPortEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAlpcConnectPortEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlpcConnectPortEx_Check_10_0_XXXX + jmp NtAlpcConnectPortEx_SystemCall_Unknown +NtAlpcConnectPortEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtAlpcConnectPortEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcConnectPortEx_SystemCall_6_3_XXXX + jmp NtAlpcConnectPortEx_SystemCall_Unknown +NtAlpcConnectPortEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAlpcConnectPortEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlpcConnectPortEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlpcConnectPortEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlpcConnectPortEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlpcConnectPortEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlpcConnectPortEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlpcConnectPortEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlpcConnectPortEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlpcConnectPortEx_SystemCall_10_0_18363 + jmp NtAlpcConnectPortEx_SystemCall_Unknown +NtAlpcConnectPortEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0076h + jmp NtAlpcConnectPortEx_Epilogue +NtAlpcConnectPortEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0076h + jmp NtAlpcConnectPortEx_Epilogue +NtAlpcConnectPortEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0076h + jmp NtAlpcConnectPortEx_Epilogue +NtAlpcConnectPortEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0076h + jmp NtAlpcConnectPortEx_Epilogue +NtAlpcConnectPortEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0076h + jmp NtAlpcConnectPortEx_Epilogue +NtAlpcConnectPortEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0077h + jmp NtAlpcConnectPortEx_Epilogue +NtAlpcConnectPortEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0077h + jmp NtAlpcConnectPortEx_Epilogue +NtAlpcConnectPortEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0078h + jmp NtAlpcConnectPortEx_Epilogue +NtAlpcConnectPortEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0078h + jmp NtAlpcConnectPortEx_Epilogue +NtAlpcConnectPortEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0078h + jmp 
NtAlpcConnectPortEx_Epilogue +NtAlpcConnectPortEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0078h + jmp NtAlpcConnectPortEx_Epilogue +NtAlpcConnectPortEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlpcConnectPortEx_Epilogue: + mov r10, rcx + syscall + ret +NtAlpcConnectPortEx ENDP + +NtAlpcCreatePort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlpcCreatePort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAlpcCreatePort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlpcCreatePort_Check_10_0_XXXX + jmp NtAlpcCreatePort_SystemCall_Unknown +NtAlpcCreatePort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAlpcCreatePort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlpcCreatePort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcCreatePort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcCreatePort_SystemCall_6_3_XXXX + jmp NtAlpcCreatePort_SystemCall_Unknown +NtAlpcCreatePort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAlpcCreatePort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlpcCreatePort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlpcCreatePort_SystemCall_6_0_6002 + jmp NtAlpcCreatePort_SystemCall_Unknown +NtAlpcCreatePort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlpcCreatePort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlpcCreatePort_SystemCall_6_1_7601 + jmp NtAlpcCreatePort_SystemCall_Unknown +NtAlpcCreatePort_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAlpcCreatePort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlpcCreatePort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlpcCreatePort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlpcCreatePort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlpcCreatePort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlpcCreatePort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlpcCreatePort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlpcCreatePort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlpcCreatePort_SystemCall_10_0_18363 + jmp NtAlpcCreatePort_SystemCall_Unknown +NtAlpcCreatePort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0072h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0072h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0072h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0072h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0072h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0077h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0077h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0077h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0077h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0077h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) 
+ mov eax, 0078h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0078h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0079h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0079h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0079h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0079h + jmp NtAlpcCreatePort_Epilogue +NtAlpcCreatePort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlpcCreatePort_Epilogue: + mov r10, rcx + syscall + ret +NtAlpcCreatePort ENDP + +NtAlpcCreatePortSection PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlpcCreatePortSection_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAlpcCreatePortSection_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlpcCreatePortSection_Check_10_0_XXXX + jmp NtAlpcCreatePortSection_SystemCall_Unknown +NtAlpcCreatePortSection_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAlpcCreatePortSection_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlpcCreatePortSection_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcCreatePortSection_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcCreatePortSection_SystemCall_6_3_XXXX + jmp NtAlpcCreatePortSection_SystemCall_Unknown +NtAlpcCreatePortSection_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtAlpcCreatePortSection_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlpcCreatePortSection_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlpcCreatePortSection_SystemCall_6_0_6002 + jmp NtAlpcCreatePortSection_SystemCall_Unknown +NtAlpcCreatePortSection_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlpcCreatePortSection_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlpcCreatePortSection_SystemCall_6_1_7601 + jmp NtAlpcCreatePortSection_SystemCall_Unknown +NtAlpcCreatePortSection_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtAlpcCreatePortSection_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlpcCreatePortSection_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlpcCreatePortSection_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlpcCreatePortSection_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlpcCreatePortSection_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlpcCreatePortSection_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlpcCreatePortSection_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlpcCreatePortSection_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlpcCreatePortSection_SystemCall_10_0_18363 + jmp NtAlpcCreatePortSection_SystemCall_Unknown +NtAlpcCreatePortSection_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0073h + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0073h + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0073h + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0073h + jmp 
NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0073h + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0078h + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0078h + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0078h + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0078h + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0078h + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0079h + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0079h + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 007ah + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 007ah + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 007ah + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 007ah + jmp NtAlpcCreatePortSection_Epilogue +NtAlpcCreatePortSection_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlpcCreatePortSection_Epilogue: + mov r10, rcx + syscall + ret +NtAlpcCreatePortSection ENDP + +NtAlpcCreateResourceReserve PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlpcCreateResourceReserve_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtAlpcCreateResourceReserve_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlpcCreateResourceReserve_Check_10_0_XXXX + jmp NtAlpcCreateResourceReserve_SystemCall_Unknown +NtAlpcCreateResourceReserve_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAlpcCreateResourceReserve_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlpcCreateResourceReserve_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcCreateResourceReserve_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcCreateResourceReserve_SystemCall_6_3_XXXX + jmp NtAlpcCreateResourceReserve_SystemCall_Unknown +NtAlpcCreateResourceReserve_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAlpcCreateResourceReserve_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlpcCreateResourceReserve_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlpcCreateResourceReserve_SystemCall_6_0_6002 + jmp NtAlpcCreateResourceReserve_SystemCall_Unknown +NtAlpcCreateResourceReserve_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlpcCreateResourceReserve_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlpcCreateResourceReserve_SystemCall_6_1_7601 + jmp NtAlpcCreateResourceReserve_SystemCall_Unknown +NtAlpcCreateResourceReserve_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAlpcCreateResourceReserve_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlpcCreateResourceReserve_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlpcCreateResourceReserve_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlpcCreateResourceReserve_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlpcCreateResourceReserve_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlpcCreateResourceReserve_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlpcCreateResourceReserve_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlpcCreateResourceReserve_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlpcCreateResourceReserve_SystemCall_10_0_18363 + jmp NtAlpcCreateResourceReserve_SystemCall_Unknown +NtAlpcCreateResourceReserve_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0074h + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0074h + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0074h + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0074h + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0074h + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0079h + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0079h + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0079h + jmp NtAlpcCreateResourceReserve_Epilogue 
+NtAlpcCreateResourceReserve_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0079h + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0079h + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 007ah + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 007ah + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 007bh + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 007bh + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 007bh + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 007bh + jmp NtAlpcCreateResourceReserve_Epilogue +NtAlpcCreateResourceReserve_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlpcCreateResourceReserve_Epilogue: + mov r10, rcx + syscall + ret +NtAlpcCreateResourceReserve ENDP + +NtAlpcCreateSectionView PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlpcCreateSectionView_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAlpcCreateSectionView_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlpcCreateSectionView_Check_10_0_XXXX + jmp NtAlpcCreateSectionView_SystemCall_Unknown +NtAlpcCreateSectionView_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtAlpcCreateSectionView_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlpcCreateSectionView_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcCreateSectionView_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcCreateSectionView_SystemCall_6_3_XXXX + jmp NtAlpcCreateSectionView_SystemCall_Unknown +NtAlpcCreateSectionView_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAlpcCreateSectionView_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlpcCreateSectionView_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlpcCreateSectionView_SystemCall_6_0_6002 + jmp NtAlpcCreateSectionView_SystemCall_Unknown +NtAlpcCreateSectionView_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlpcCreateSectionView_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlpcCreateSectionView_SystemCall_6_1_7601 + jmp NtAlpcCreateSectionView_SystemCall_Unknown +NtAlpcCreateSectionView_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAlpcCreateSectionView_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlpcCreateSectionView_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlpcCreateSectionView_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlpcCreateSectionView_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlpcCreateSectionView_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlpcCreateSectionView_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlpcCreateSectionView_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlpcCreateSectionView_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlpcCreateSectionView_SystemCall_10_0_18363 + jmp NtAlpcCreateSectionView_SystemCall_Unknown +NtAlpcCreateSectionView_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0075h + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0075h + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0075h + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0075h + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0075h + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 007ah + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 007ah + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 007ah + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 007ah + jmp 
NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 007ah + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 007bh + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 007bh + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 007ch + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 007ch + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 007ch + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 007ch + jmp NtAlpcCreateSectionView_Epilogue +NtAlpcCreateSectionView_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlpcCreateSectionView_Epilogue: + mov r10, rcx + syscall + ret +NtAlpcCreateSectionView ENDP + +NtAlpcCreateSecurityContext PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlpcCreateSecurityContext_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAlpcCreateSecurityContext_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlpcCreateSecurityContext_Check_10_0_XXXX + jmp NtAlpcCreateSecurityContext_SystemCall_Unknown +NtAlpcCreateSecurityContext_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtAlpcCreateSecurityContext_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlpcCreateSecurityContext_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcCreateSecurityContext_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcCreateSecurityContext_SystemCall_6_3_XXXX + jmp NtAlpcCreateSecurityContext_SystemCall_Unknown +NtAlpcCreateSecurityContext_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAlpcCreateSecurityContext_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlpcCreateSecurityContext_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlpcCreateSecurityContext_SystemCall_6_0_6002 + jmp NtAlpcCreateSecurityContext_SystemCall_Unknown +NtAlpcCreateSecurityContext_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlpcCreateSecurityContext_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlpcCreateSecurityContext_SystemCall_6_1_7601 + jmp NtAlpcCreateSecurityContext_SystemCall_Unknown +NtAlpcCreateSecurityContext_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAlpcCreateSecurityContext_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlpcCreateSecurityContext_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlpcCreateSecurityContext_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlpcCreateSecurityContext_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlpcCreateSecurityContext_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlpcCreateSecurityContext_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlpcCreateSecurityContext_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlpcCreateSecurityContext_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlpcCreateSecurityContext_SystemCall_10_0_18363 + jmp NtAlpcCreateSecurityContext_SystemCall_Unknown +NtAlpcCreateSecurityContext_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0076h + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0076h + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0076h + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0076h + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0076h + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 007bh + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 007bh + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 007bh + jmp NtAlpcCreateSecurityContext_Epilogue 
+NtAlpcCreateSecurityContext_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 007bh + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 007bh + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 007ch + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 007ch + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 007dh + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 007dh + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 007dh + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 007dh + jmp NtAlpcCreateSecurityContext_Epilogue +NtAlpcCreateSecurityContext_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlpcCreateSecurityContext_Epilogue: + mov r10, rcx + syscall + ret +NtAlpcCreateSecurityContext ENDP + +NtAlpcDeletePortSection PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlpcDeletePortSection_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAlpcDeletePortSection_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlpcDeletePortSection_Check_10_0_XXXX + jmp NtAlpcDeletePortSection_SystemCall_Unknown +NtAlpcDeletePortSection_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtAlpcDeletePortSection_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlpcDeletePortSection_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcDeletePortSection_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcDeletePortSection_SystemCall_6_3_XXXX + jmp NtAlpcDeletePortSection_SystemCall_Unknown +NtAlpcDeletePortSection_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAlpcDeletePortSection_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlpcDeletePortSection_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlpcDeletePortSection_SystemCall_6_0_6002 + jmp NtAlpcDeletePortSection_SystemCall_Unknown +NtAlpcDeletePortSection_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlpcDeletePortSection_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlpcDeletePortSection_SystemCall_6_1_7601 + jmp NtAlpcDeletePortSection_SystemCall_Unknown +NtAlpcDeletePortSection_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAlpcDeletePortSection_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlpcDeletePortSection_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlpcDeletePortSection_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlpcDeletePortSection_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlpcDeletePortSection_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlpcDeletePortSection_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlpcDeletePortSection_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlpcDeletePortSection_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlpcDeletePortSection_SystemCall_10_0_18363 + jmp NtAlpcDeletePortSection_SystemCall_Unknown +NtAlpcDeletePortSection_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0077h + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0077h + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0077h + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0077h + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0077h + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 007ch + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 007ch + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 007ch + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 007ch + jmp 
NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 007ch + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 007dh + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 007dh + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 007eh + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 007eh + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 007eh + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 007eh + jmp NtAlpcDeletePortSection_Epilogue +NtAlpcDeletePortSection_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlpcDeletePortSection_Epilogue: + mov r10, rcx + syscall + ret +NtAlpcDeletePortSection ENDP + +NtAlpcDeleteResourceReserve PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlpcDeleteResourceReserve_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAlpcDeleteResourceReserve_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlpcDeleteResourceReserve_Check_10_0_XXXX + jmp NtAlpcDeleteResourceReserve_SystemCall_Unknown +NtAlpcDeleteResourceReserve_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtAlpcDeleteResourceReserve_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlpcDeleteResourceReserve_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcDeleteResourceReserve_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcDeleteResourceReserve_SystemCall_6_3_XXXX + jmp NtAlpcDeleteResourceReserve_SystemCall_Unknown +NtAlpcDeleteResourceReserve_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAlpcDeleteResourceReserve_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlpcDeleteResourceReserve_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlpcDeleteResourceReserve_SystemCall_6_0_6002 + jmp NtAlpcDeleteResourceReserve_SystemCall_Unknown +NtAlpcDeleteResourceReserve_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlpcDeleteResourceReserve_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlpcDeleteResourceReserve_SystemCall_6_1_7601 + jmp NtAlpcDeleteResourceReserve_SystemCall_Unknown +NtAlpcDeleteResourceReserve_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAlpcDeleteResourceReserve_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlpcDeleteResourceReserve_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlpcDeleteResourceReserve_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlpcDeleteResourceReserve_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlpcDeleteResourceReserve_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlpcDeleteResourceReserve_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlpcDeleteResourceReserve_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlpcDeleteResourceReserve_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlpcDeleteResourceReserve_SystemCall_10_0_18363 + jmp NtAlpcDeleteResourceReserve_SystemCall_Unknown +NtAlpcDeleteResourceReserve_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0078h + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0078h + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0078h + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0078h + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0078h + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 007dh + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 007dh + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 007dh + jmp NtAlpcDeleteResourceReserve_Epilogue 
+NtAlpcDeleteResourceReserve_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 007dh + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 007dh + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 007eh + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 007eh + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 007fh + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 007fh + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 007fh + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 007fh + jmp NtAlpcDeleteResourceReserve_Epilogue +NtAlpcDeleteResourceReserve_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlpcDeleteResourceReserve_Epilogue: + mov r10, rcx + syscall + ret +NtAlpcDeleteResourceReserve ENDP + +NtAlpcDeleteSectionView PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlpcDeleteSectionView_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAlpcDeleteSectionView_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlpcDeleteSectionView_Check_10_0_XXXX + jmp NtAlpcDeleteSectionView_SystemCall_Unknown +NtAlpcDeleteSectionView_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtAlpcDeleteSectionView_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlpcDeleteSectionView_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcDeleteSectionView_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcDeleteSectionView_SystemCall_6_3_XXXX + jmp NtAlpcDeleteSectionView_SystemCall_Unknown +NtAlpcDeleteSectionView_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAlpcDeleteSectionView_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlpcDeleteSectionView_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlpcDeleteSectionView_SystemCall_6_0_6002 + jmp NtAlpcDeleteSectionView_SystemCall_Unknown +NtAlpcDeleteSectionView_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlpcDeleteSectionView_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlpcDeleteSectionView_SystemCall_6_1_7601 + jmp NtAlpcDeleteSectionView_SystemCall_Unknown +NtAlpcDeleteSectionView_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240
+ je NtAlpcDeleteSectionView_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtAlpcDeleteSectionView_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtAlpcDeleteSectionView_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtAlpcDeleteSectionView_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtAlpcDeleteSectionView_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtAlpcDeleteSectionView_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtAlpcDeleteSectionView_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtAlpcDeleteSectionView_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtAlpcDeleteSectionView_SystemCall_10_0_18363
+ jmp NtAlpcDeleteSectionView_SystemCall_Unknown
+NtAlpcDeleteSectionView_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 0079h
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 0079h
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 0079h
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 0079h
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 0079h
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 007eh
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 007eh
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 007eh
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 007eh
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 007eh
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 007fh
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 007fh
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0080h
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0080h
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0080h
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0080h
+ jmp NtAlpcDeleteSectionView_Epilogue
+NtAlpcDeleteSectionView_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtAlpcDeleteSectionView_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtAlpcDeleteSectionView ENDP
+
+NtAlpcDeleteSecurityContext PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtAlpcDeleteSecurityContext_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtAlpcDeleteSecurityContext_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtAlpcDeleteSecurityContext_Check_10_0_XXXX
+ jmp NtAlpcDeleteSecurityContext_SystemCall_Unknown
+NtAlpcDeleteSecurityContext_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtAlpcDeleteSecurityContext_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtAlpcDeleteSecurityContext_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtAlpcDeleteSecurityContext_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtAlpcDeleteSecurityContext_SystemCall_6_3_XXXX
+ jmp NtAlpcDeleteSecurityContext_SystemCall_Unknown
+NtAlpcDeleteSecurityContext_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtAlpcDeleteSecurityContext_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtAlpcDeleteSecurityContext_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtAlpcDeleteSecurityContext_SystemCall_6_0_6002
+ jmp NtAlpcDeleteSecurityContext_SystemCall_Unknown
+NtAlpcDeleteSecurityContext_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtAlpcDeleteSecurityContext_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtAlpcDeleteSecurityContext_SystemCall_6_1_7601
+ jmp NtAlpcDeleteSecurityContext_SystemCall_Unknown
+NtAlpcDeleteSecurityContext_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtAlpcDeleteSecurityContext_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtAlpcDeleteSecurityContext_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtAlpcDeleteSecurityContext_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtAlpcDeleteSecurityContext_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtAlpcDeleteSecurityContext_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtAlpcDeleteSecurityContext_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtAlpcDeleteSecurityContext_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtAlpcDeleteSecurityContext_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtAlpcDeleteSecurityContext_SystemCall_10_0_18363
+ jmp NtAlpcDeleteSecurityContext_SystemCall_Unknown
+NtAlpcDeleteSecurityContext_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 007ah
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 007ah
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 007ah
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 007ah
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 007ah
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 007fh
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 007fh
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 007fh
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 007fh
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 007fh
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0080h
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0080h
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0081h
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0081h
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0081h
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0081h
+ jmp NtAlpcDeleteSecurityContext_Epilogue
+NtAlpcDeleteSecurityContext_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtAlpcDeleteSecurityContext_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtAlpcDeleteSecurityContext ENDP
+
+NtAlpcDisconnectPort PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtAlpcDisconnectPort_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtAlpcDisconnectPort_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtAlpcDisconnectPort_Check_10_0_XXXX
+ jmp NtAlpcDisconnectPort_SystemCall_Unknown
+NtAlpcDisconnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtAlpcDisconnectPort_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtAlpcDisconnectPort_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtAlpcDisconnectPort_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtAlpcDisconnectPort_SystemCall_6_3_XXXX
+ jmp NtAlpcDisconnectPort_SystemCall_Unknown
+NtAlpcDisconnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtAlpcDisconnectPort_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtAlpcDisconnectPort_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtAlpcDisconnectPort_SystemCall_6_0_6002
+ jmp NtAlpcDisconnectPort_SystemCall_Unknown
+NtAlpcDisconnectPort_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtAlpcDisconnectPort_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtAlpcDisconnectPort_SystemCall_6_1_7601
+ jmp NtAlpcDisconnectPort_SystemCall_Unknown
+NtAlpcDisconnectPort_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtAlpcDisconnectPort_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtAlpcDisconnectPort_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtAlpcDisconnectPort_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtAlpcDisconnectPort_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtAlpcDisconnectPort_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtAlpcDisconnectPort_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtAlpcDisconnectPort_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtAlpcDisconnectPort_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtAlpcDisconnectPort_SystemCall_10_0_18363
+ jmp NtAlpcDisconnectPort_SystemCall_Unknown
+NtAlpcDisconnectPort_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 007bh
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 007bh
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 007bh
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 007bh
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 007bh
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0080h
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0080h
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0080h
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0080h
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0080h
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0081h
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0081h
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0082h
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0082h
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0082h
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0082h
+ jmp NtAlpcDisconnectPort_Epilogue
+NtAlpcDisconnectPort_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtAlpcDisconnectPort_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtAlpcDisconnectPort ENDP
+
+NtAlpcImpersonateClientContainerOfPort PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtAlpcImpersonateClientContainerOfPort_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 10
+ je NtAlpcImpersonateClientContainerOfPort_Check_10_0_XXXX
+ jmp NtAlpcImpersonateClientContainerOfPort_SystemCall_Unknown
+NtAlpcImpersonateClientContainerOfPort_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_18363
+ jmp NtAlpcImpersonateClientContainerOfPort_SystemCall_Unknown
+NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0081h
+ jmp NtAlpcImpersonateClientContainerOfPort_Epilogue
+NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0081h
+ jmp NtAlpcImpersonateClientContainerOfPort_Epilogue
+NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0081h
+ jmp NtAlpcImpersonateClientContainerOfPort_Epilogue
+NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0082h
+ jmp NtAlpcImpersonateClientContainerOfPort_Epilogue
+NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0082h
+ jmp NtAlpcImpersonateClientContainerOfPort_Epilogue
+NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0083h
+ jmp NtAlpcImpersonateClientContainerOfPort_Epilogue
+NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0083h
+ jmp NtAlpcImpersonateClientContainerOfPort_Epilogue
+NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0083h
+ jmp NtAlpcImpersonateClientContainerOfPort_Epilogue
+NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0083h
+ jmp NtAlpcImpersonateClientContainerOfPort_Epilogue
+NtAlpcImpersonateClientContainerOfPort_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtAlpcImpersonateClientContainerOfPort_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtAlpcImpersonateClientContainerOfPort ENDP
+
+NtAlpcImpersonateClientOfPort PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtAlpcImpersonateClientOfPort_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtAlpcImpersonateClientOfPort_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtAlpcImpersonateClientOfPort_Check_10_0_XXXX
+ jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown
+NtAlpcImpersonateClientOfPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtAlpcImpersonateClientOfPort_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtAlpcImpersonateClientOfPort_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtAlpcImpersonateClientOfPort_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtAlpcImpersonateClientOfPort_SystemCall_6_3_XXXX
+ jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown
+NtAlpcImpersonateClientOfPort_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtAlpcImpersonateClientOfPort_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtAlpcImpersonateClientOfPort_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtAlpcImpersonateClientOfPort_SystemCall_6_0_6002
+ jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown
+NtAlpcImpersonateClientOfPort_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtAlpcImpersonateClientOfPort_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtAlpcImpersonateClientOfPort_SystemCall_6_1_7601
+ jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown
+NtAlpcImpersonateClientOfPort_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtAlpcImpersonateClientOfPort_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtAlpcImpersonateClientOfPort_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtAlpcImpersonateClientOfPort_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtAlpcImpersonateClientOfPort_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtAlpcImpersonateClientOfPort_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtAlpcImpersonateClientOfPort_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtAlpcImpersonateClientOfPort_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtAlpcImpersonateClientOfPort_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtAlpcImpersonateClientOfPort_SystemCall_10_0_18363
+ jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown
+NtAlpcImpersonateClientOfPort_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 007ch
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 007ch
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 007ch
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 007ch
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 007ch
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0081h
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0081h
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0082h
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0082h
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0082h
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0083h
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0083h
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0084h
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0084h
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0084h
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0084h
+ jmp NtAlpcImpersonateClientOfPort_Epilogue
+NtAlpcImpersonateClientOfPort_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtAlpcImpersonateClientOfPort_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtAlpcImpersonateClientOfPort ENDP
+
+NtAlpcOpenSenderProcess PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtAlpcOpenSenderProcess_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtAlpcOpenSenderProcess_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtAlpcOpenSenderProcess_Check_10_0_XXXX
+ jmp NtAlpcOpenSenderProcess_SystemCall_Unknown
+NtAlpcOpenSenderProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtAlpcOpenSenderProcess_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtAlpcOpenSenderProcess_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtAlpcOpenSenderProcess_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtAlpcOpenSenderProcess_SystemCall_6_3_XXXX
+ jmp NtAlpcOpenSenderProcess_SystemCall_Unknown
+NtAlpcOpenSenderProcess_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtAlpcOpenSenderProcess_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtAlpcOpenSenderProcess_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtAlpcOpenSenderProcess_SystemCall_6_0_6002
+ jmp NtAlpcOpenSenderProcess_SystemCall_Unknown
+NtAlpcOpenSenderProcess_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtAlpcOpenSenderProcess_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtAlpcOpenSenderProcess_SystemCall_6_1_7601
+ jmp NtAlpcOpenSenderProcess_SystemCall_Unknown
+NtAlpcOpenSenderProcess_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtAlpcOpenSenderProcess_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtAlpcOpenSenderProcess_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtAlpcOpenSenderProcess_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtAlpcOpenSenderProcess_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtAlpcOpenSenderProcess_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtAlpcOpenSenderProcess_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtAlpcOpenSenderProcess_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtAlpcOpenSenderProcess_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtAlpcOpenSenderProcess_SystemCall_10_0_18363
+ jmp NtAlpcOpenSenderProcess_SystemCall_Unknown
+NtAlpcOpenSenderProcess_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 007dh
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 007dh
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 007dh
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 007dh
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 007dh
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0082h
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0082h
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0083h
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0083h
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0083h
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0084h
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0084h
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0085h
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0085h
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0085h
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0085h
+ jmp NtAlpcOpenSenderProcess_Epilogue
+NtAlpcOpenSenderProcess_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtAlpcOpenSenderProcess_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtAlpcOpenSenderProcess ENDP
+
+NtAlpcOpenSenderThread PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtAlpcOpenSenderThread_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtAlpcOpenSenderThread_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtAlpcOpenSenderThread_Check_10_0_XXXX
+ jmp NtAlpcOpenSenderThread_SystemCall_Unknown
+NtAlpcOpenSenderThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtAlpcOpenSenderThread_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtAlpcOpenSenderThread_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtAlpcOpenSenderThread_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtAlpcOpenSenderThread_SystemCall_6_3_XXXX
+ jmp NtAlpcOpenSenderThread_SystemCall_Unknown
+NtAlpcOpenSenderThread_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtAlpcOpenSenderThread_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtAlpcOpenSenderThread_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtAlpcOpenSenderThread_SystemCall_6_0_6002
+ jmp NtAlpcOpenSenderThread_SystemCall_Unknown
+NtAlpcOpenSenderThread_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtAlpcOpenSenderThread_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtAlpcOpenSenderThread_SystemCall_6_1_7601
+ jmp NtAlpcOpenSenderThread_SystemCall_Unknown
+NtAlpcOpenSenderThread_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtAlpcOpenSenderThread_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtAlpcOpenSenderThread_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtAlpcOpenSenderThread_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtAlpcOpenSenderThread_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtAlpcOpenSenderThread_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtAlpcOpenSenderThread_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtAlpcOpenSenderThread_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtAlpcOpenSenderThread_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtAlpcOpenSenderThread_SystemCall_10_0_18363
+ jmp NtAlpcOpenSenderThread_SystemCall_Unknown
+NtAlpcOpenSenderThread_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 007eh
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 007eh
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 007eh
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 007eh
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 007eh
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0083h
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0083h
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0084h
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0084h
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0084h
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0085h
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0085h
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0086h
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0086h
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0086h
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0086h
+ jmp NtAlpcOpenSenderThread_Epilogue
+NtAlpcOpenSenderThread_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtAlpcOpenSenderThread_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtAlpcOpenSenderThread ENDP
+
+NtAlpcQueryInformation PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtAlpcQueryInformation_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtAlpcQueryInformation_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtAlpcQueryInformation_Check_10_0_XXXX
+ jmp NtAlpcQueryInformation_SystemCall_Unknown
+NtAlpcQueryInformation_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtAlpcQueryInformation_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtAlpcQueryInformation_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtAlpcQueryInformation_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtAlpcQueryInformation_SystemCall_6_3_XXXX
+ jmp NtAlpcQueryInformation_SystemCall_Unknown
+NtAlpcQueryInformation_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtAlpcQueryInformation_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtAlpcQueryInformation_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtAlpcQueryInformation_SystemCall_6_0_6002
+ jmp NtAlpcQueryInformation_SystemCall_Unknown
+NtAlpcQueryInformation_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtAlpcQueryInformation_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtAlpcQueryInformation_SystemCall_6_1_7601
+ jmp NtAlpcQueryInformation_SystemCall_Unknown
+NtAlpcQueryInformation_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtAlpcQueryInformation_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtAlpcQueryInformation_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtAlpcQueryInformation_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtAlpcQueryInformation_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtAlpcQueryInformation_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtAlpcQueryInformation_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtAlpcQueryInformation_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtAlpcQueryInformation_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtAlpcQueryInformation_SystemCall_10_0_18363
+ jmp NtAlpcQueryInformation_SystemCall_Unknown
+NtAlpcQueryInformation_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 007fh
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 007fh
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 007fh
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 007fh
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 007fh
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0084h
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0084h
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0085h
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0085h
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0085h
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0086h
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0086h
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0087h
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0087h
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0087h
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0087h
+ jmp NtAlpcQueryInformation_Epilogue
+NtAlpcQueryInformation_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtAlpcQueryInformation_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtAlpcQueryInformation ENDP
+
+NtAlpcQueryInformationMessage PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtAlpcQueryInformationMessage_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtAlpcQueryInformationMessage_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtAlpcQueryInformationMessage_Check_10_0_XXXX
+ jmp NtAlpcQueryInformationMessage_SystemCall_Unknown
+NtAlpcQueryInformationMessage_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtAlpcQueryInformationMessage_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtAlpcQueryInformationMessage_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtAlpcQueryInformationMessage_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtAlpcQueryInformationMessage_SystemCall_6_3_XXXX
+ jmp NtAlpcQueryInformationMessage_SystemCall_Unknown
+NtAlpcQueryInformationMessage_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtAlpcQueryInformationMessage_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtAlpcQueryInformationMessage_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtAlpcQueryInformationMessage_SystemCall_6_0_6002
+ jmp NtAlpcQueryInformationMessage_SystemCall_Unknown
+NtAlpcQueryInformationMessage_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtAlpcQueryInformationMessage_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtAlpcQueryInformationMessage_SystemCall_6_1_7601
+ jmp NtAlpcQueryInformationMessage_SystemCall_Unknown
+NtAlpcQueryInformationMessage_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtAlpcQueryInformationMessage_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtAlpcQueryInformationMessage_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtAlpcQueryInformationMessage_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtAlpcQueryInformationMessage_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtAlpcQueryInformationMessage_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtAlpcQueryInformationMessage_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtAlpcQueryInformationMessage_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtAlpcQueryInformationMessage_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtAlpcQueryInformationMessage_SystemCall_10_0_18363
+ jmp NtAlpcQueryInformationMessage_SystemCall_Unknown
+NtAlpcQueryInformationMessage_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 0080h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 0080h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 0080h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 0080h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 0080h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0085h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0085h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0086h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0086h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0086h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0087h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0087h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0088h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0088h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0088h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0088h
+ jmp NtAlpcQueryInformationMessage_Epilogue
+NtAlpcQueryInformationMessage_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtAlpcQueryInformationMessage_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtAlpcQueryInformationMessage ENDP
+
+NtAlpcRevokeSecurityContext PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtAlpcRevokeSecurityContext_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtAlpcRevokeSecurityContext_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtAlpcRevokeSecurityContext_Check_10_0_XXXX
+ jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown
+NtAlpcRevokeSecurityContext_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0 + je NtAlpcRevokeSecurityContext_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlpcRevokeSecurityContext_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcRevokeSecurityContext_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcRevokeSecurityContext_SystemCall_6_3_XXXX + jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown +NtAlpcRevokeSecurityContext_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAlpcRevokeSecurityContext_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlpcRevokeSecurityContext_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlpcRevokeSecurityContext_SystemCall_6_0_6002 + jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown +NtAlpcRevokeSecurityContext_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlpcRevokeSecurityContext_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlpcRevokeSecurityContext_SystemCall_6_1_7601 + jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown +NtAlpcRevokeSecurityContext_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAlpcRevokeSecurityContext_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlpcRevokeSecurityContext_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlpcRevokeSecurityContext_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlpcRevokeSecurityContext_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlpcRevokeSecurityContext_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlpcRevokeSecurityContext_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlpcRevokeSecurityContext_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlpcRevokeSecurityContext_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlpcRevokeSecurityContext_SystemCall_10_0_18363 + jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown +NtAlpcRevokeSecurityContext_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0081h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0081h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0081h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0081h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0081h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0086h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0086h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0087h + jmp NtAlpcRevokeSecurityContext_Epilogue 
+NtAlpcRevokeSecurityContext_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0087h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0087h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0088h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0088h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0089h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0089h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0089h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0089h + jmp NtAlpcRevokeSecurityContext_Epilogue +NtAlpcRevokeSecurityContext_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlpcRevokeSecurityContext_Epilogue: + mov r10, rcx + syscall + ret +NtAlpcRevokeSecurityContext ENDP + +NtAlpcSendWaitReceivePort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlpcSendWaitReceivePort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAlpcSendWaitReceivePort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlpcSendWaitReceivePort_Check_10_0_XXXX + jmp NtAlpcSendWaitReceivePort_SystemCall_Unknown +NtAlpcSendWaitReceivePort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtAlpcSendWaitReceivePort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlpcSendWaitReceivePort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcSendWaitReceivePort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcSendWaitReceivePort_SystemCall_6_3_XXXX + jmp NtAlpcSendWaitReceivePort_SystemCall_Unknown +NtAlpcSendWaitReceivePort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAlpcSendWaitReceivePort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlpcSendWaitReceivePort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlpcSendWaitReceivePort_SystemCall_6_0_6002 + jmp NtAlpcSendWaitReceivePort_SystemCall_Unknown +NtAlpcSendWaitReceivePort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlpcSendWaitReceivePort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlpcSendWaitReceivePort_SystemCall_6_1_7601 + jmp NtAlpcSendWaitReceivePort_SystemCall_Unknown +NtAlpcSendWaitReceivePort_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAlpcSendWaitReceivePort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlpcSendWaitReceivePort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlpcSendWaitReceivePort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlpcSendWaitReceivePort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlpcSendWaitReceivePort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlpcSendWaitReceivePort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlpcSendWaitReceivePort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlpcSendWaitReceivePort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlpcSendWaitReceivePort_SystemCall_10_0_18363 + jmp NtAlpcSendWaitReceivePort_SystemCall_Unknown +NtAlpcSendWaitReceivePort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0082h + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0082h + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0082h + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0082h + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0082h + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0087h + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0087h + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0088h + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_10_0_10586: ; Windows 10.0.10586 
(1511) + mov eax, 0088h + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0088h + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0089h + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0089h + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 008ah + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 008ah + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 008ah + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 008ah + jmp NtAlpcSendWaitReceivePort_Epilogue +NtAlpcSendWaitReceivePort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlpcSendWaitReceivePort_Epilogue: + mov r10, rcx + syscall + ret +NtAlpcSendWaitReceivePort ENDP + +NtAlpcSetInformation PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAlpcSetInformation_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAlpcSetInformation_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAlpcSetInformation_Check_10_0_XXXX + jmp NtAlpcSetInformation_SystemCall_Unknown +NtAlpcSetInformation_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtAlpcSetInformation_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAlpcSetInformation_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcSetInformation_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAlpcSetInformation_SystemCall_6_3_XXXX + jmp NtAlpcSetInformation_SystemCall_Unknown +NtAlpcSetInformation_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAlpcSetInformation_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAlpcSetInformation_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAlpcSetInformation_SystemCall_6_0_6002 + jmp NtAlpcSetInformation_SystemCall_Unknown +NtAlpcSetInformation_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAlpcSetInformation_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAlpcSetInformation_SystemCall_6_1_7601 + jmp NtAlpcSetInformation_SystemCall_Unknown +NtAlpcSetInformation_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAlpcSetInformation_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAlpcSetInformation_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAlpcSetInformation_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAlpcSetInformation_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAlpcSetInformation_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAlpcSetInformation_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAlpcSetInformation_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAlpcSetInformation_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAlpcSetInformation_SystemCall_10_0_18363 + jmp NtAlpcSetInformation_SystemCall_Unknown +NtAlpcSetInformation_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0083h + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0083h + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0083h + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0083h + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0083h + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0088h + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0088h + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0089h + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0089h + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + 
mov eax, 0089h + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 008ah + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 008ah + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 008bh + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 008bh + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 008bh + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 008bh + jmp NtAlpcSetInformation_Epilogue +NtAlpcSetInformation_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAlpcSetInformation_Epilogue: + mov r10, rcx + syscall + ret +NtAlpcSetInformation ENDP + +NtApphelpCacheControl PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtApphelpCacheControl_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtApphelpCacheControl_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtApphelpCacheControl_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtApphelpCacheControl_Check_10_0_XXXX + jmp NtApphelpCacheControl_SystemCall_Unknown +NtApphelpCacheControl_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtApphelpCacheControl_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtApphelpCacheControl_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtApphelpCacheControl_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtApphelpCacheControl_SystemCall_6_3_XXXX + jmp NtApphelpCacheControl_SystemCall_Unknown +NtApphelpCacheControl_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtApphelpCacheControl_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtApphelpCacheControl_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtApphelpCacheControl_SystemCall_6_0_6002 + jmp NtApphelpCacheControl_SystemCall_Unknown +NtApphelpCacheControl_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtApphelpCacheControl_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtApphelpCacheControl_SystemCall_6_1_7601 + jmp NtApphelpCacheControl_SystemCall_Unknown +NtApphelpCacheControl_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtApphelpCacheControl_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtApphelpCacheControl_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtApphelpCacheControl_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtApphelpCacheControl_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtApphelpCacheControl_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtApphelpCacheControl_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtApphelpCacheControl_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtApphelpCacheControl_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtApphelpCacheControl_SystemCall_10_0_18363 + jmp NtApphelpCacheControl_SystemCall_Unknown +NtApphelpCacheControl_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0049h + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0049h + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0049h + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0049h + jmp NtApphelpCacheControl_Epilogue 
+NtApphelpCacheControl_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0049h + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0049h + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 004ah + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 004bh + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 004ch + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 004ch + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 004ch + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 004ch + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 004ch + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 004ch + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 004ch + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 004ch + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 004ch + jmp NtApphelpCacheControl_Epilogue +NtApphelpCacheControl_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtApphelpCacheControl_Epilogue: + mov r10, rcx + syscall + ret +NtApphelpCacheControl ENDP + +NtAreMappedFilesTheSame PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAreMappedFilesTheSame_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtAreMappedFilesTheSame_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAreMappedFilesTheSame_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAreMappedFilesTheSame_Check_10_0_XXXX + jmp NtAreMappedFilesTheSame_SystemCall_Unknown +NtAreMappedFilesTheSame_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtAreMappedFilesTheSame_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAreMappedFilesTheSame_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAreMappedFilesTheSame_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAreMappedFilesTheSame_SystemCall_6_3_XXXX + jmp NtAreMappedFilesTheSame_SystemCall_Unknown +NtAreMappedFilesTheSame_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAreMappedFilesTheSame_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAreMappedFilesTheSame_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAreMappedFilesTheSame_SystemCall_6_0_6002 + jmp NtAreMappedFilesTheSame_SystemCall_Unknown +NtAreMappedFilesTheSame_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAreMappedFilesTheSame_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAreMappedFilesTheSame_SystemCall_6_1_7601 + jmp NtAreMappedFilesTheSame_SystemCall_Unknown +NtAreMappedFilesTheSame_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAreMappedFilesTheSame_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAreMappedFilesTheSame_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAreMappedFilesTheSame_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAreMappedFilesTheSame_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAreMappedFilesTheSame_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAreMappedFilesTheSame_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAreMappedFilesTheSame_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAreMappedFilesTheSame_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAreMappedFilesTheSame_SystemCall_10_0_18363 + jmp NtAreMappedFilesTheSame_SystemCall_Unknown +NtAreMappedFilesTheSame_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 006eh + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0084h + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0084h + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0084h + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0084h + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0084h + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0089h + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0089h + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 008ah + jmp 
NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 008ah + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 008ah + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 008bh + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 008bh + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 008ch + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 008ch + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 008ch + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 008ch + jmp NtAreMappedFilesTheSame_Epilogue +NtAreMappedFilesTheSame_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAreMappedFilesTheSame_Epilogue: + mov r10, rcx + syscall + ret +NtAreMappedFilesTheSame ENDP + +NtAssignProcessToJobObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAssignProcessToJobObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtAssignProcessToJobObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtAssignProcessToJobObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAssignProcessToJobObject_Check_10_0_XXXX + jmp NtAssignProcessToJobObject_SystemCall_Unknown +NtAssignProcessToJobObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtAssignProcessToJobObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtAssignProcessToJobObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAssignProcessToJobObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAssignProcessToJobObject_SystemCall_6_3_XXXX + jmp NtAssignProcessToJobObject_SystemCall_Unknown +NtAssignProcessToJobObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtAssignProcessToJobObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtAssignProcessToJobObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtAssignProcessToJobObject_SystemCall_6_0_6002 + jmp NtAssignProcessToJobObject_SystemCall_Unknown +NtAssignProcessToJobObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtAssignProcessToJobObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtAssignProcessToJobObject_SystemCall_6_1_7601 + jmp NtAssignProcessToJobObject_SystemCall_Unknown +NtAssignProcessToJobObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtAssignProcessToJobObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAssignProcessToJobObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAssignProcessToJobObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAssignProcessToJobObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAssignProcessToJobObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAssignProcessToJobObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAssignProcessToJobObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAssignProcessToJobObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAssignProcessToJobObject_SystemCall_10_0_18363 + jmp NtAssignProcessToJobObject_SystemCall_Unknown +NtAssignProcessToJobObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 006fh + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0085h + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0085h + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0085h + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0085h + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0085h + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 008ah + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 008ah + jmp NtAssignProcessToJobObject_Epilogue 
+NtAssignProcessToJobObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 008bh + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 008bh + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 008bh + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 008ch + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 008ch + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 008dh + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 008dh + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 008dh + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 008dh + jmp NtAssignProcessToJobObject_Epilogue +NtAssignProcessToJobObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAssignProcessToJobObject_Epilogue: + mov r10, rcx + syscall + ret +NtAssignProcessToJobObject ENDP + +NtAssociateWaitCompletionPacket PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtAssociateWaitCompletionPacket_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtAssociateWaitCompletionPacket_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtAssociateWaitCompletionPacket_Check_10_0_XXXX + jmp NtAssociateWaitCompletionPacket_SystemCall_Unknown +NtAssociateWaitCompletionPacket_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 2 + je NtAssociateWaitCompletionPacket_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtAssociateWaitCompletionPacket_SystemCall_6_3_XXXX + jmp NtAssociateWaitCompletionPacket_SystemCall_Unknown +NtAssociateWaitCompletionPacket_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtAssociateWaitCompletionPacket_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtAssociateWaitCompletionPacket_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtAssociateWaitCompletionPacket_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtAssociateWaitCompletionPacket_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtAssociateWaitCompletionPacket_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtAssociateWaitCompletionPacket_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtAssociateWaitCompletionPacket_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtAssociateWaitCompletionPacket_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtAssociateWaitCompletionPacket_SystemCall_10_0_18363 + jmp NtAssociateWaitCompletionPacket_SystemCall_Unknown +NtAssociateWaitCompletionPacket_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 008bh + jmp NtAssociateWaitCompletionPacket_Epilogue +NtAssociateWaitCompletionPacket_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 008bh + jmp NtAssociateWaitCompletionPacket_Epilogue +NtAssociateWaitCompletionPacket_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 008ch + jmp NtAssociateWaitCompletionPacket_Epilogue +NtAssociateWaitCompletionPacket_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 008ch + jmp NtAssociateWaitCompletionPacket_Epilogue +NtAssociateWaitCompletionPacket_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 008ch + jmp NtAssociateWaitCompletionPacket_Epilogue 
+NtAssociateWaitCompletionPacket_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 008dh + jmp NtAssociateWaitCompletionPacket_Epilogue +NtAssociateWaitCompletionPacket_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 008dh + jmp NtAssociateWaitCompletionPacket_Epilogue +NtAssociateWaitCompletionPacket_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 008eh + jmp NtAssociateWaitCompletionPacket_Epilogue +NtAssociateWaitCompletionPacket_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 008eh + jmp NtAssociateWaitCompletionPacket_Epilogue +NtAssociateWaitCompletionPacket_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 008eh + jmp NtAssociateWaitCompletionPacket_Epilogue +NtAssociateWaitCompletionPacket_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 008eh + jmp NtAssociateWaitCompletionPacket_Epilogue +NtAssociateWaitCompletionPacket_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtAssociateWaitCompletionPacket_Epilogue: + mov r10, rcx + syscall + ret +NtAssociateWaitCompletionPacket ENDP + +NtCallEnclave PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCallEnclave_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtCallEnclave_Check_10_0_XXXX + jmp NtCallEnclave_SystemCall_Unknown +NtCallEnclave_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 16299 + je NtCallEnclave_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCallEnclave_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCallEnclave_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCallEnclave_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCallEnclave_SystemCall_10_0_18363 + jmp NtCallEnclave_SystemCall_Unknown +NtCallEnclave_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 008eh + jmp NtCallEnclave_Epilogue +NtCallEnclave_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 008fh + jmp NtCallEnclave_Epilogue +NtCallEnclave_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 008fh + jmp NtCallEnclave_Epilogue +NtCallEnclave_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 008fh + jmp NtCallEnclave_Epilogue +NtCallEnclave_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 008fh + jmp NtCallEnclave_Epilogue +NtCallEnclave_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCallEnclave_Epilogue: + mov r10, rcx + syscall + ret +NtCallEnclave ENDP + +NtCallbackReturn PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCallbackReturn_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCallbackReturn_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCallbackReturn_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCallbackReturn_Check_10_0_XXXX + jmp NtCallbackReturn_SystemCall_Unknown +NtCallbackReturn_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCallbackReturn_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCallbackReturn_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCallbackReturn_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCallbackReturn_SystemCall_6_3_XXXX + jmp NtCallbackReturn_SystemCall_Unknown +NtCallbackReturn_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtCallbackReturn_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCallbackReturn_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCallbackReturn_SystemCall_6_0_6002 + jmp NtCallbackReturn_SystemCall_Unknown +NtCallbackReturn_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCallbackReturn_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCallbackReturn_SystemCall_6_1_7601 + jmp NtCallbackReturn_SystemCall_Unknown +NtCallbackReturn_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCallbackReturn_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCallbackReturn_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCallbackReturn_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCallbackReturn_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCallbackReturn_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCallbackReturn_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCallbackReturn_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCallbackReturn_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCallbackReturn_SystemCall_10_0_18363 + jmp NtCallbackReturn_SystemCall_Unknown +NtCallbackReturn_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0002h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0002h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0002h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0002h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0002h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 
2008 R2 SP0 + mov eax, 0002h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0003h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0004h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0005h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0005h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0005h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0005h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0005h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0005h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0005h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0005h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0005h + jmp NtCallbackReturn_Epilogue +NtCallbackReturn_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCallbackReturn_Epilogue: + mov r10, rcx + syscall + ret +NtCallbackReturn ENDP + +NtCancelDeviceWakeupRequest PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCancelDeviceWakeupRequest_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCancelDeviceWakeupRequest_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCancelDeviceWakeupRequest_Check_6_X_XXXX + jmp NtCancelDeviceWakeupRequest_SystemCall_Unknown +NtCancelDeviceWakeupRequest_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtCancelDeviceWakeupRequest_Check_6_0_XXXX + jmp NtCancelDeviceWakeupRequest_SystemCall_Unknown +NtCancelDeviceWakeupRequest_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCancelDeviceWakeupRequest_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCancelDeviceWakeupRequest_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCancelDeviceWakeupRequest_SystemCall_6_0_6002 + jmp NtCancelDeviceWakeupRequest_SystemCall_Unknown +NtCancelDeviceWakeupRequest_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0070h + jmp NtCancelDeviceWakeupRequest_Epilogue +NtCancelDeviceWakeupRequest_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0086h + jmp NtCancelDeviceWakeupRequest_Epilogue +NtCancelDeviceWakeupRequest_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0086h + jmp NtCancelDeviceWakeupRequest_Epilogue +NtCancelDeviceWakeupRequest_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0086h + jmp NtCancelDeviceWakeupRequest_Epilogue +NtCancelDeviceWakeupRequest_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCancelDeviceWakeupRequest_Epilogue: + mov r10, rcx + syscall + ret +NtCancelDeviceWakeupRequest ENDP + +NtCancelIoFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCancelIoFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCancelIoFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCancelIoFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCancelIoFile_Check_10_0_XXXX + jmp NtCancelIoFile_SystemCall_Unknown +NtCancelIoFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtCancelIoFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCancelIoFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCancelIoFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCancelIoFile_SystemCall_6_3_XXXX + jmp NtCancelIoFile_SystemCall_Unknown +NtCancelIoFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCancelIoFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCancelIoFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCancelIoFile_SystemCall_6_0_6002 + jmp NtCancelIoFile_SystemCall_Unknown +NtCancelIoFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCancelIoFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCancelIoFile_SystemCall_6_1_7601 + jmp NtCancelIoFile_SystemCall_Unknown +NtCancelIoFile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCancelIoFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCancelIoFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCancelIoFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCancelIoFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCancelIoFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCancelIoFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCancelIoFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCancelIoFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCancelIoFile_SystemCall_10_0_18363 + jmp NtCancelIoFile_SystemCall_Unknown +NtCancelIoFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 005ah + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 005ah + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 005ah 
+ jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 005ah + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 005ah + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 005ah + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 005bh + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 005ch + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 005dh + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 005dh + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 005dh + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 005dh + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 005dh + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 005dh + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 005dh + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 005dh + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 005dh + jmp NtCancelIoFile_Epilogue +NtCancelIoFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCancelIoFile_Epilogue: + mov r10, rcx + syscall + ret +NtCancelIoFile ENDP + +NtCancelIoFileEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCancelIoFileEx_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtCancelIoFileEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCancelIoFileEx_Check_10_0_XXXX + jmp NtCancelIoFileEx_SystemCall_Unknown +NtCancelIoFileEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCancelIoFileEx_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCancelIoFileEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCancelIoFileEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCancelIoFileEx_SystemCall_6_3_XXXX + jmp NtCancelIoFileEx_SystemCall_Unknown +NtCancelIoFileEx_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCancelIoFileEx_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCancelIoFileEx_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCancelIoFileEx_SystemCall_6_0_6002 + jmp NtCancelIoFileEx_SystemCall_Unknown +NtCancelIoFileEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCancelIoFileEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCancelIoFileEx_SystemCall_6_1_7601 + jmp NtCancelIoFileEx_SystemCall_Unknown +NtCancelIoFileEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCancelIoFileEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCancelIoFileEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCancelIoFileEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCancelIoFileEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCancelIoFileEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCancelIoFileEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCancelIoFileEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCancelIoFileEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCancelIoFileEx_SystemCall_10_0_18363 + jmp NtCancelIoFileEx_SystemCall_Unknown +NtCancelIoFileEx_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0087h + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0087h + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0087h + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0086h + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0086h + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 008ch + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 008ch + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 008dh + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 008dh + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 008dh + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) 
+ mov eax, 008eh + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 008fh + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0090h + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0090h + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0090h + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0090h + jmp NtCancelIoFileEx_Epilogue +NtCancelIoFileEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCancelIoFileEx_Epilogue: + mov r10, rcx + syscall + ret +NtCancelIoFileEx ENDP + +NtCancelSynchronousIoFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCancelSynchronousIoFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtCancelSynchronousIoFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCancelSynchronousIoFile_Check_10_0_XXXX + jmp NtCancelSynchronousIoFile_SystemCall_Unknown +NtCancelSynchronousIoFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCancelSynchronousIoFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCancelSynchronousIoFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCancelSynchronousIoFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCancelSynchronousIoFile_SystemCall_6_3_XXXX + jmp NtCancelSynchronousIoFile_SystemCall_Unknown +NtCancelSynchronousIoFile_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtCancelSynchronousIoFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCancelSynchronousIoFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCancelSynchronousIoFile_SystemCall_6_0_6002 + jmp NtCancelSynchronousIoFile_SystemCall_Unknown +NtCancelSynchronousIoFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCancelSynchronousIoFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCancelSynchronousIoFile_SystemCall_6_1_7601 + jmp NtCancelSynchronousIoFile_SystemCall_Unknown +NtCancelSynchronousIoFile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCancelSynchronousIoFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCancelSynchronousIoFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCancelSynchronousIoFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCancelSynchronousIoFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCancelSynchronousIoFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCancelSynchronousIoFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCancelSynchronousIoFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCancelSynchronousIoFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCancelSynchronousIoFile_SystemCall_10_0_18363 + jmp NtCancelSynchronousIoFile_SystemCall_Unknown +NtCancelSynchronousIoFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0088h + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0088h + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0088h + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_6_1_7600: ; Windows 7 SP0 + 
mov eax, 0087h + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0087h + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 008dh + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 008dh + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 008eh + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 008eh + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 008eh + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 008fh + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0090h + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0091h + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0091h + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0091h + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0091h + jmp NtCancelSynchronousIoFile_Epilogue +NtCancelSynchronousIoFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCancelSynchronousIoFile_Epilogue: + mov r10, rcx + syscall + ret +NtCancelSynchronousIoFile ENDP + +NtCancelTimer PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCancelTimer_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtCancelTimer_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCancelTimer_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCancelTimer_Check_10_0_XXXX + jmp NtCancelTimer_SystemCall_Unknown +NtCancelTimer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCancelTimer_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCancelTimer_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCancelTimer_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCancelTimer_SystemCall_6_3_XXXX + jmp NtCancelTimer_SystemCall_Unknown +NtCancelTimer_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCancelTimer_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCancelTimer_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCancelTimer_SystemCall_6_0_6002 + jmp NtCancelTimer_SystemCall_Unknown +NtCancelTimer_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCancelTimer_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCancelTimer_SystemCall_6_1_7601 + jmp NtCancelTimer_SystemCall_Unknown +NtCancelTimer_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCancelTimer_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCancelTimer_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCancelTimer_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCancelTimer_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCancelTimer_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCancelTimer_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCancelTimer_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCancelTimer_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCancelTimer_SystemCall_10_0_18363 + jmp NtCancelTimer_SystemCall_Unknown +NtCancelTimer_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 005eh + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 005eh + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 005eh + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 005eh + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 005eh + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 005eh + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 005fh + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0060h + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0061h + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0061h + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0061h + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_10_0_15063: ; Windows 
10.0.15063 (1703) + mov eax, 0061h + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0061h + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0061h + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0061h + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0061h + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0061h + jmp NtCancelTimer_Epilogue +NtCancelTimer_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCancelTimer_Epilogue: + mov r10, rcx + syscall + ret +NtCancelTimer ENDP + +NtCancelTimer2 PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCancelTimer2_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtCancelTimer2_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCancelTimer2_Check_10_0_XXXX + jmp NtCancelTimer2_SystemCall_Unknown +NtCancelTimer2_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtCancelTimer2_SystemCall_6_3_XXXX + jmp NtCancelTimer2_SystemCall_Unknown +NtCancelTimer2_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCancelTimer2_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCancelTimer2_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCancelTimer2_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCancelTimer2_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCancelTimer2_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCancelTimer2_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCancelTimer2_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCancelTimer2_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCancelTimer2_SystemCall_10_0_18363 + jmp NtCancelTimer2_SystemCall_Unknown +NtCancelTimer2_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 008eh + jmp NtCancelTimer2_Epilogue +NtCancelTimer2_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 008fh + jmp NtCancelTimer2_Epilogue +NtCancelTimer2_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 008fh + jmp NtCancelTimer2_Epilogue +NtCancelTimer2_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 008fh + jmp NtCancelTimer2_Epilogue +NtCancelTimer2_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0090h + jmp NtCancelTimer2_Epilogue +NtCancelTimer2_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0091h + jmp NtCancelTimer2_Epilogue +NtCancelTimer2_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0092h + jmp NtCancelTimer2_Epilogue +NtCancelTimer2_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0092h + jmp NtCancelTimer2_Epilogue +NtCancelTimer2_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0092h + jmp NtCancelTimer2_Epilogue +NtCancelTimer2_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0092h + jmp NtCancelTimer2_Epilogue +NtCancelTimer2_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtCancelTimer2_Epilogue: + mov r10, rcx + syscall + ret +NtCancelTimer2 ENDP + +NtCancelWaitCompletionPacket PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCancelWaitCompletionPacket_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtCancelWaitCompletionPacket_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCancelWaitCompletionPacket_Check_10_0_XXXX + jmp NtCancelWaitCompletionPacket_SystemCall_Unknown +NtCancelWaitCompletionPacket_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtCancelWaitCompletionPacket_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCancelWaitCompletionPacket_SystemCall_6_3_XXXX + jmp NtCancelWaitCompletionPacket_SystemCall_Unknown +NtCancelWaitCompletionPacket_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCancelWaitCompletionPacket_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCancelWaitCompletionPacket_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCancelWaitCompletionPacket_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCancelWaitCompletionPacket_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCancelWaitCompletionPacket_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCancelWaitCompletionPacket_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCancelWaitCompletionPacket_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCancelWaitCompletionPacket_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCancelWaitCompletionPacket_SystemCall_10_0_18363 + jmp NtCancelWaitCompletionPacket_SystemCall_Unknown +NtCancelWaitCompletionPacket_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 008eh + jmp NtCancelWaitCompletionPacket_Epilogue +NtCancelWaitCompletionPacket_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 008fh + jmp NtCancelWaitCompletionPacket_Epilogue 
+NtCancelWaitCompletionPacket_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0090h + jmp NtCancelWaitCompletionPacket_Epilogue +NtCancelWaitCompletionPacket_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0090h + jmp NtCancelWaitCompletionPacket_Epilogue +NtCancelWaitCompletionPacket_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0090h + jmp NtCancelWaitCompletionPacket_Epilogue +NtCancelWaitCompletionPacket_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0091h + jmp NtCancelWaitCompletionPacket_Epilogue +NtCancelWaitCompletionPacket_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0092h + jmp NtCancelWaitCompletionPacket_Epilogue +NtCancelWaitCompletionPacket_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0093h + jmp NtCancelWaitCompletionPacket_Epilogue +NtCancelWaitCompletionPacket_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0093h + jmp NtCancelWaitCompletionPacket_Epilogue +NtCancelWaitCompletionPacket_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0093h + jmp NtCancelWaitCompletionPacket_Epilogue +NtCancelWaitCompletionPacket_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0093h + jmp NtCancelWaitCompletionPacket_Epilogue +NtCancelWaitCompletionPacket_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCancelWaitCompletionPacket_Epilogue: + mov r10, rcx + syscall + ret +NtCancelWaitCompletionPacket ENDP + +NtClearAllSavepointsTransaction PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtClearAllSavepointsTransaction_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtClearAllSavepointsTransaction_Check_6_X_XXXX + jmp NtClearAllSavepointsTransaction_SystemCall_Unknown +NtClearAllSavepointsTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtClearAllSavepointsTransaction_Check_6_0_XXXX + jmp NtClearAllSavepointsTransaction_SystemCall_Unknown +NtClearAllSavepointsTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtClearAllSavepointsTransaction_SystemCall_6_0_6000 + jmp NtClearAllSavepointsTransaction_SystemCall_Unknown +NtClearAllSavepointsTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0089h + jmp NtClearAllSavepointsTransaction_Epilogue +NtClearAllSavepointsTransaction_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtClearAllSavepointsTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtClearAllSavepointsTransaction ENDP + +NtClearEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtClearEvent_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtClearEvent_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtClearEvent_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtClearEvent_Check_10_0_XXXX + jmp NtClearEvent_SystemCall_Unknown +NtClearEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtClearEvent_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtClearEvent_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtClearEvent_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtClearEvent_SystemCall_6_3_XXXX + jmp NtClearEvent_SystemCall_Unknown +NtClearEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtClearEvent_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtClearEvent_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtClearEvent_SystemCall_6_0_6002 + jmp NtClearEvent_SystemCall_Unknown +NtClearEvent_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtClearEvent_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtClearEvent_SystemCall_6_1_7601 + jmp NtClearEvent_SystemCall_Unknown +NtClearEvent_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtClearEvent_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtClearEvent_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtClearEvent_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtClearEvent_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtClearEvent_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtClearEvent_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtClearEvent_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtClearEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtClearEvent_SystemCall_10_0_18363 + jmp NtClearEvent_SystemCall_Unknown +NtClearEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 003bh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 003bh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 003bh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 003bh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 003bh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 003bh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 003ch + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 003dh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 003eh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_10_0_10586: ; Windows 
10.0.10586 (1511) + mov eax, 003eh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 003eh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 003eh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 003eh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 003eh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 003eh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 003eh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 003eh + jmp NtClearEvent_Epilogue +NtClearEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtClearEvent_Epilogue: + mov r10, rcx + syscall + ret +NtClearEvent ENDP + +NtClearSavepointTransaction PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtClearSavepointTransaction_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtClearSavepointTransaction_Check_6_X_XXXX + jmp NtClearSavepointTransaction_SystemCall_Unknown +NtClearSavepointTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtClearSavepointTransaction_Check_6_0_XXXX + jmp NtClearSavepointTransaction_SystemCall_Unknown +NtClearSavepointTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtClearSavepointTransaction_SystemCall_6_0_6000 + jmp NtClearSavepointTransaction_SystemCall_Unknown +NtClearSavepointTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 008ah + jmp NtClearSavepointTransaction_Epilogue +NtClearSavepointTransaction_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtClearSavepointTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtClearSavepointTransaction ENDP + +NtClose PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtClose_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtClose_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtClose_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtClose_Check_10_0_XXXX + jmp NtClose_SystemCall_Unknown +NtClose_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtClose_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtClose_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtClose_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtClose_SystemCall_6_3_XXXX + jmp NtClose_SystemCall_Unknown +NtClose_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtClose_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtClose_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtClose_SystemCall_6_0_6002 + jmp NtClose_SystemCall_Unknown +NtClose_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtClose_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtClose_SystemCall_6_1_7601 + jmp NtClose_SystemCall_Unknown +NtClose_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtClose_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtClose_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtClose_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtClose_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtClose_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtClose_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtClose_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtClose_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtClose_SystemCall_10_0_18363 + jmp NtClose_SystemCall_Unknown +NtClose_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 000ch + jmp NtClose_Epilogue +NtClose_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 000ch + jmp NtClose_Epilogue +NtClose_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 000ch + jmp NtClose_Epilogue +NtClose_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 000ch + jmp NtClose_Epilogue +NtClose_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 000ch + jmp NtClose_Epilogue +NtClose_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 000ch + jmp NtClose_Epilogue +NtClose_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 000dh + jmp NtClose_Epilogue +NtClose_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 000eh + jmp NtClose_Epilogue +NtClose_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 000fh + jmp NtClose_Epilogue +NtClose_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 000fh + jmp NtClose_Epilogue +NtClose_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 000fh + jmp NtClose_Epilogue +NtClose_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 000fh + jmp NtClose_Epilogue +NtClose_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 000fh + jmp NtClose_Epilogue +NtClose_SystemCall_10_0_17134: ; 
Windows 10.0.17134 (1803) + mov eax, 000fh + jmp NtClose_Epilogue +NtClose_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 000fh + jmp NtClose_Epilogue +NtClose_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 000fh + jmp NtClose_Epilogue +NtClose_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 000fh + jmp NtClose_Epilogue +NtClose_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtClose_Epilogue: + mov r10, rcx + syscall + ret +NtClose ENDP + +NtCloseObjectAuditAlarm PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCloseObjectAuditAlarm_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCloseObjectAuditAlarm_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCloseObjectAuditAlarm_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCloseObjectAuditAlarm_Check_10_0_XXXX + jmp NtCloseObjectAuditAlarm_SystemCall_Unknown +NtCloseObjectAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCloseObjectAuditAlarm_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCloseObjectAuditAlarm_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCloseObjectAuditAlarm_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCloseObjectAuditAlarm_SystemCall_6_3_XXXX + jmp NtCloseObjectAuditAlarm_SystemCall_Unknown +NtCloseObjectAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCloseObjectAuditAlarm_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCloseObjectAuditAlarm_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCloseObjectAuditAlarm_SystemCall_6_0_6002 + jmp NtCloseObjectAuditAlarm_SystemCall_Unknown +NtCloseObjectAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtCloseObjectAuditAlarm_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCloseObjectAuditAlarm_SystemCall_6_1_7601 + jmp NtCloseObjectAuditAlarm_SystemCall_Unknown +NtCloseObjectAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCloseObjectAuditAlarm_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCloseObjectAuditAlarm_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCloseObjectAuditAlarm_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCloseObjectAuditAlarm_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCloseObjectAuditAlarm_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCloseObjectAuditAlarm_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCloseObjectAuditAlarm_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCloseObjectAuditAlarm_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCloseObjectAuditAlarm_SystemCall_10_0_18363 + jmp NtCloseObjectAuditAlarm_SystemCall_Unknown +NtCloseObjectAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0038h + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0038h + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0038h + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0038h + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0038h + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0038h + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0039h + jmp 
NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 003ah + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 003bh + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 003bh + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 003bh + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 003bh + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 003bh + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 003bh + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 003bh + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 003bh + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 003bh + jmp NtCloseObjectAuditAlarm_Epilogue +NtCloseObjectAuditAlarm_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCloseObjectAuditAlarm_Epilogue: + mov r10, rcx + syscall + ret +NtCloseObjectAuditAlarm ENDP + +NtCommitComplete PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCommitComplete_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtCommitComplete_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCommitComplete_Check_10_0_XXXX + jmp NtCommitComplete_SystemCall_Unknown +NtCommitComplete_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtCommitComplete_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCommitComplete_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCommitComplete_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCommitComplete_SystemCall_6_3_XXXX + jmp NtCommitComplete_SystemCall_Unknown +NtCommitComplete_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCommitComplete_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCommitComplete_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCommitComplete_SystemCall_6_0_6002 + jmp NtCommitComplete_SystemCall_Unknown +NtCommitComplete_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCommitComplete_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCommitComplete_SystemCall_6_1_7601 + jmp NtCommitComplete_SystemCall_Unknown +NtCommitComplete_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCommitComplete_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCommitComplete_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCommitComplete_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCommitComplete_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCommitComplete_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCommitComplete_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCommitComplete_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCommitComplete_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCommitComplete_SystemCall_10_0_18363 + jmp NtCommitComplete_SystemCall_Unknown +NtCommitComplete_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 008bh + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0089h + jmp NtCommitComplete_Epilogue 
+NtCommitComplete_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0089h + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0088h + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0088h + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 008fh + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0090h + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0091h + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0091h + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0091h + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0092h + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0093h + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0094h + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0094h + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0094h + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0094h + jmp NtCommitComplete_Epilogue +NtCommitComplete_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCommitComplete_Epilogue: + mov r10, rcx + syscall + ret +NtCommitComplete ENDP + +NtCommitEnlistment PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCommitEnlistment_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtCommitEnlistment_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCommitEnlistment_Check_10_0_XXXX + jmp NtCommitEnlistment_SystemCall_Unknown +NtCommitEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCommitEnlistment_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCommitEnlistment_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCommitEnlistment_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCommitEnlistment_SystemCall_6_3_XXXX + jmp NtCommitEnlistment_SystemCall_Unknown +NtCommitEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCommitEnlistment_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCommitEnlistment_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCommitEnlistment_SystemCall_6_0_6002 + jmp NtCommitEnlistment_SystemCall_Unknown +NtCommitEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCommitEnlistment_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCommitEnlistment_SystemCall_6_1_7601 + jmp NtCommitEnlistment_SystemCall_Unknown +NtCommitEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCommitEnlistment_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCommitEnlistment_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCommitEnlistment_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCommitEnlistment_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCommitEnlistment_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCommitEnlistment_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCommitEnlistment_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCommitEnlistment_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCommitEnlistment_SystemCall_10_0_18363 + jmp NtCommitEnlistment_SystemCall_Unknown +NtCommitEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 008ch + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 008ah + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 008ah + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0089h + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0089h + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0090h + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0091h + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0092h + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0092h + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0092h + jmp NtCommitEnlistment_Epilogue 
+NtCommitEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0093h + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0094h + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0095h + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0095h + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0095h + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0095h + jmp NtCommitEnlistment_Epilogue +NtCommitEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCommitEnlistment_Epilogue: + mov r10, rcx + syscall + ret +NtCommitEnlistment ENDP + +NtCommitRegistryTransaction PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCommitRegistryTransaction_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtCommitRegistryTransaction_Check_10_0_XXXX + jmp NtCommitRegistryTransaction_SystemCall_Unknown +NtCommitRegistryTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 14393 + je NtCommitRegistryTransaction_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCommitRegistryTransaction_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCommitRegistryTransaction_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCommitRegistryTransaction_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCommitRegistryTransaction_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCommitRegistryTransaction_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCommitRegistryTransaction_SystemCall_10_0_18363 + jmp NtCommitRegistryTransaction_SystemCall_Unknown +NtCommitRegistryTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0093h + jmp NtCommitRegistryTransaction_Epilogue +NtCommitRegistryTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0094h + jmp NtCommitRegistryTransaction_Epilogue +NtCommitRegistryTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0095h + jmp NtCommitRegistryTransaction_Epilogue +NtCommitRegistryTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0096h + jmp NtCommitRegistryTransaction_Epilogue +NtCommitRegistryTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0096h + jmp NtCommitRegistryTransaction_Epilogue +NtCommitRegistryTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0096h + jmp NtCommitRegistryTransaction_Epilogue +NtCommitRegistryTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0096h + jmp NtCommitRegistryTransaction_Epilogue +NtCommitRegistryTransaction_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCommitRegistryTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtCommitRegistryTransaction ENDP + +NtCommitTransaction PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCommitTransaction_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtCommitTransaction_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCommitTransaction_Check_10_0_XXXX + jmp NtCommitTransaction_SystemCall_Unknown +NtCommitTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCommitTransaction_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCommitTransaction_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCommitTransaction_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCommitTransaction_SystemCall_6_3_XXXX + jmp NtCommitTransaction_SystemCall_Unknown +NtCommitTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCommitTransaction_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCommitTransaction_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCommitTransaction_SystemCall_6_0_6002 + jmp NtCommitTransaction_SystemCall_Unknown +NtCommitTransaction_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCommitTransaction_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCommitTransaction_SystemCall_6_1_7601 + jmp NtCommitTransaction_SystemCall_Unknown +NtCommitTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCommitTransaction_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCommitTransaction_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCommitTransaction_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCommitTransaction_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCommitTransaction_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCommitTransaction_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCommitTransaction_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCommitTransaction_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCommitTransaction_SystemCall_10_0_18363 + jmp NtCommitTransaction_SystemCall_Unknown +NtCommitTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 008dh + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 008bh + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 008bh + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 008ah + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 008ah + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0091h + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0092h + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0093h + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0093h + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0094h + jmp 
NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0095h + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0096h + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0097h + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0097h + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0097h + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0097h + jmp NtCommitTransaction_Epilogue +NtCommitTransaction_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCommitTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtCommitTransaction ENDP + +NtCompactKeys PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCompactKeys_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCompactKeys_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCompactKeys_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCompactKeys_Check_10_0_XXXX + jmp NtCompactKeys_SystemCall_Unknown +NtCompactKeys_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCompactKeys_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCompactKeys_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCompactKeys_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCompactKeys_SystemCall_6_3_XXXX + jmp NtCompactKeys_SystemCall_Unknown +NtCompactKeys_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtCompactKeys_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCompactKeys_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCompactKeys_SystemCall_6_0_6002 + jmp NtCompactKeys_SystemCall_Unknown +NtCompactKeys_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCompactKeys_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCompactKeys_SystemCall_6_1_7601 + jmp NtCompactKeys_SystemCall_Unknown +NtCompactKeys_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCompactKeys_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCompactKeys_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCompactKeys_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCompactKeys_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCompactKeys_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCompactKeys_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCompactKeys_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCompactKeys_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCompactKeys_SystemCall_10_0_18363 + jmp NtCompactKeys_SystemCall_Unknown +NtCompactKeys_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0071h + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 008eh + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 008ch + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 008ch + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 008bh + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 008bh + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_6_2_XXXX: 
; Windows 8 and Server 2012 + mov eax, 0092h + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0093h + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0094h + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0094h + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0095h + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0096h + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0097h + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0098h + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0098h + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0098h + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0098h + jmp NtCompactKeys_Epilogue +NtCompactKeys_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCompactKeys_Epilogue: + mov r10, rcx + syscall + ret +NtCompactKeys ENDP + +NtCompareObjects PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCompareObjects_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtCompareObjects_Check_10_0_XXXX + jmp NtCompareObjects_SystemCall_Unknown +NtCompareObjects_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCompareObjects_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCompareObjects_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCompareObjects_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCompareObjects_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCompareObjects_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCompareObjects_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCompareObjects_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCompareObjects_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCompareObjects_SystemCall_10_0_18363 + jmp NtCompareObjects_SystemCall_Unknown +NtCompareObjects_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0095h + jmp NtCompareObjects_Epilogue +NtCompareObjects_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0095h + jmp NtCompareObjects_Epilogue +NtCompareObjects_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0096h + jmp NtCompareObjects_Epilogue +NtCompareObjects_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0097h + jmp NtCompareObjects_Epilogue +NtCompareObjects_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0098h + jmp NtCompareObjects_Epilogue +NtCompareObjects_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0099h + jmp NtCompareObjects_Epilogue +NtCompareObjects_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0099h + jmp NtCompareObjects_Epilogue +NtCompareObjects_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0099h + jmp NtCompareObjects_Epilogue +NtCompareObjects_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0099h + jmp NtCompareObjects_Epilogue +NtCompareObjects_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtCompareObjects_Epilogue: + mov r10, rcx + syscall + ret +NtCompareObjects ENDP + +NtCompareSigningLevels PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCompareSigningLevels_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtCompareSigningLevels_Check_10_0_XXXX + jmp NtCompareSigningLevels_SystemCall_Unknown +NtCompareSigningLevels_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 15063 + je NtCompareSigningLevels_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCompareSigningLevels_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCompareSigningLevels_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCompareSigningLevels_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCompareSigningLevels_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCompareSigningLevels_SystemCall_10_0_18363 + jmp NtCompareSigningLevels_SystemCall_Unknown +NtCompareSigningLevels_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0098h + jmp NtCompareSigningLevels_Epilogue +NtCompareSigningLevels_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0099h + jmp NtCompareSigningLevels_Epilogue +NtCompareSigningLevels_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 009ah + jmp NtCompareSigningLevels_Epilogue +NtCompareSigningLevels_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 009ah + jmp NtCompareSigningLevels_Epilogue +NtCompareSigningLevels_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 009ah + jmp NtCompareSigningLevels_Epilogue +NtCompareSigningLevels_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 009ah + jmp NtCompareSigningLevels_Epilogue +NtCompareSigningLevels_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCompareSigningLevels_Epilogue: + mov r10, rcx + syscall + ret +NtCompareSigningLevels ENDP + +NtCompareTokens PROC + mov rax, gs:[60h] ; Load PEB into RAX. 
+NtCompareTokens_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCompareTokens_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCompareTokens_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCompareTokens_Check_10_0_XXXX + jmp NtCompareTokens_SystemCall_Unknown +NtCompareTokens_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCompareTokens_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCompareTokens_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCompareTokens_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCompareTokens_SystemCall_6_3_XXXX + jmp NtCompareTokens_SystemCall_Unknown +NtCompareTokens_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCompareTokens_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCompareTokens_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCompareTokens_SystemCall_6_0_6002 + jmp NtCompareTokens_SystemCall_Unknown +NtCompareTokens_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCompareTokens_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCompareTokens_SystemCall_6_1_7601 + jmp NtCompareTokens_SystemCall_Unknown +NtCompareTokens_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCompareTokens_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCompareTokens_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCompareTokens_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCompareTokens_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCompareTokens_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCompareTokens_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCompareTokens_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCompareTokens_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCompareTokens_SystemCall_10_0_18363 + jmp NtCompareTokens_SystemCall_Unknown +NtCompareTokens_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0072h + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 008fh + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 008dh + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 008dh + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 008ch + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 008ch + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0093h + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0094h + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0096h + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0096h + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0097h + jmp 
NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0099h + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 009ah + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 009bh + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 009bh + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 009bh + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 009bh + jmp NtCompareTokens_Epilogue +NtCompareTokens_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCompareTokens_Epilogue: + mov r10, rcx + syscall + ret +NtCompareTokens ENDP + +NtCompleteConnectPort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCompleteConnectPort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCompleteConnectPort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCompleteConnectPort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCompleteConnectPort_Check_10_0_XXXX + jmp NtCompleteConnectPort_SystemCall_Unknown +NtCompleteConnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCompleteConnectPort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCompleteConnectPort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCompleteConnectPort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCompleteConnectPort_SystemCall_6_3_XXXX + jmp NtCompleteConnectPort_SystemCall_Unknown +NtCompleteConnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtCompleteConnectPort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCompleteConnectPort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCompleteConnectPort_SystemCall_6_0_6002 + jmp NtCompleteConnectPort_SystemCall_Unknown +NtCompleteConnectPort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCompleteConnectPort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCompleteConnectPort_SystemCall_6_1_7601 + jmp NtCompleteConnectPort_SystemCall_Unknown +NtCompleteConnectPort_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCompleteConnectPort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCompleteConnectPort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCompleteConnectPort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCompleteConnectPort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCompleteConnectPort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCompleteConnectPort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCompleteConnectPort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCompleteConnectPort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCompleteConnectPort_SystemCall_10_0_18363 + jmp NtCompleteConnectPort_SystemCall_Unknown +NtCompleteConnectPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0073h + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0090h + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 008eh + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 008eh + jmp NtCompleteConnectPort_Epilogue 
+NtCompleteConnectPort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 008dh + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 008dh + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0094h + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0095h + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0097h + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0097h + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0098h + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 009ah + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 009bh + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 009ch + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 009ch + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 009ch + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 009ch + jmp NtCompleteConnectPort_Epilogue +NtCompleteConnectPort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCompleteConnectPort_Epilogue: + mov r10, rcx + syscall + ret +NtCompleteConnectPort ENDP + +NtCompressKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCompressKey_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtCompressKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCompressKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCompressKey_Check_10_0_XXXX + jmp NtCompressKey_SystemCall_Unknown +NtCompressKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCompressKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCompressKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCompressKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCompressKey_SystemCall_6_3_XXXX + jmp NtCompressKey_SystemCall_Unknown +NtCompressKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCompressKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCompressKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCompressKey_SystemCall_6_0_6002 + jmp NtCompressKey_SystemCall_Unknown +NtCompressKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCompressKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCompressKey_SystemCall_6_1_7601 + jmp NtCompressKey_SystemCall_Unknown +NtCompressKey_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCompressKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCompressKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCompressKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCompressKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCompressKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCompressKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCompressKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCompressKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCompressKey_SystemCall_10_0_18363 + jmp NtCompressKey_SystemCall_Unknown +NtCompressKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0074h + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0091h + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 008fh + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 008fh + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 008eh + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 008eh + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0095h + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0096h + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0098h + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0098h + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0099h + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_10_0_15063: ; Windows 
10.0.15063 (1703) + mov eax, 009bh + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 009ch + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 009dh + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 009dh + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 009dh + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 009dh + jmp NtCompressKey_Epilogue +NtCompressKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCompressKey_Epilogue: + mov r10, rcx + syscall + ret +NtCompressKey ENDP + +NtConnectPort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtConnectPort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtConnectPort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtConnectPort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtConnectPort_Check_10_0_XXXX + jmp NtConnectPort_SystemCall_Unknown +NtConnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtConnectPort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtConnectPort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtConnectPort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtConnectPort_SystemCall_6_3_XXXX + jmp NtConnectPort_SystemCall_Unknown +NtConnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtConnectPort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtConnectPort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtConnectPort_SystemCall_6_0_6002 + jmp NtConnectPort_SystemCall_Unknown +NtConnectPort_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtConnectPort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtConnectPort_SystemCall_6_1_7601 + jmp NtConnectPort_SystemCall_Unknown +NtConnectPort_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtConnectPort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtConnectPort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtConnectPort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtConnectPort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtConnectPort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtConnectPort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtConnectPort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtConnectPort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtConnectPort_SystemCall_10_0_18363 + jmp NtConnectPort_SystemCall_Unknown +NtConnectPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0075h + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0092h + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0090h + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0090h + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 008fh + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 008fh + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0096h + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0097h + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0099h + jmp NtConnectPort_Epilogue 
+NtConnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0099h + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 009ah + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 009ch + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 009dh + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 009eh + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 009eh + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 009eh + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 009eh + jmp NtConnectPort_Epilogue +NtConnectPort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtConnectPort_Epilogue: + mov r10, rcx + syscall + ret +NtConnectPort ENDP + +NtContinue PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtContinue_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtContinue_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtContinue_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtContinue_Check_10_0_XXXX + jmp NtContinue_SystemCall_Unknown +NtContinue_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtContinue_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtContinue_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtContinue_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtContinue_SystemCall_6_3_XXXX + jmp NtContinue_SystemCall_Unknown +NtContinue_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtContinue_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtContinue_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtContinue_SystemCall_6_0_6002 + jmp NtContinue_SystemCall_Unknown +NtContinue_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtContinue_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtContinue_SystemCall_6_1_7601 + jmp NtContinue_SystemCall_Unknown +NtContinue_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtContinue_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtContinue_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtContinue_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtContinue_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtContinue_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtContinue_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtContinue_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtContinue_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtContinue_SystemCall_10_0_18363 + jmp NtContinue_SystemCall_Unknown +NtContinue_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0040h + jmp NtContinue_Epilogue +NtContinue_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0040h + jmp NtContinue_Epilogue +NtContinue_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0040h + jmp NtContinue_Epilogue +NtContinue_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0040h + jmp NtContinue_Epilogue +NtContinue_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0040h + jmp NtContinue_Epilogue +NtContinue_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0040h + jmp NtContinue_Epilogue +NtContinue_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0041h + jmp NtContinue_Epilogue 
+NtContinue_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0042h + jmp NtContinue_Epilogue +NtContinue_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0043h + jmp NtContinue_Epilogue +NtContinue_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0043h + jmp NtContinue_Epilogue +NtContinue_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0043h + jmp NtContinue_Epilogue +NtContinue_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0043h + jmp NtContinue_Epilogue +NtContinue_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0043h + jmp NtContinue_Epilogue +NtContinue_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0043h + jmp NtContinue_Epilogue +NtContinue_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0043h + jmp NtContinue_Epilogue +NtContinue_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0043h + jmp NtContinue_Epilogue +NtContinue_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0043h + jmp NtContinue_Epilogue +NtContinue_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtContinue_Epilogue: + mov r10, rcx + syscall + ret +NtContinue ENDP + +NtConvertBetweenAuxiliaryCounterAndPerformanceCounter PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Check_10_0_XXXX + jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_Unknown +NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 15063 + je NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_18363 + jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_Unknown +NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 009dh + jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue +NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 009eh + jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue +NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 009fh + jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue +NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 009fh + jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue +NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 009fh + jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue +NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 009fh + jmp NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue +NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_Unknown: ; 
Unknown/unsupported version. + ret +NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue: + mov r10, rcx + syscall + ret +NtConvertBetweenAuxiliaryCounterAndPerformanceCounter ENDP + +NtCreateCrossVmEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateCrossVmEvent_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtCreateCrossVmEvent_Check_10_0_XXXX + jmp NtCreateCrossVmEvent_SystemCall_Unknown +NtCreateCrossVmEvent_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 18362 + je NtCreateCrossVmEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateCrossVmEvent_SystemCall_10_0_18363 + jmp NtCreateCrossVmEvent_SystemCall_Unknown +NtCreateCrossVmEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00a0h + jmp NtCreateCrossVmEvent_Epilogue +NtCreateCrossVmEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00a0h + jmp NtCreateCrossVmEvent_Epilogue +NtCreateCrossVmEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateCrossVmEvent_Epilogue: + mov r10, rcx + syscall + ret +NtCreateCrossVmEvent ENDP + +NtCreateDebugObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateDebugObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateDebugObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateDebugObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateDebugObject_Check_10_0_XXXX + jmp NtCreateDebugObject_SystemCall_Unknown +NtCreateDebugObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtCreateDebugObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateDebugObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateDebugObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateDebugObject_SystemCall_6_3_XXXX + jmp NtCreateDebugObject_SystemCall_Unknown +NtCreateDebugObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateDebugObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateDebugObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateDebugObject_SystemCall_6_0_6002 + jmp NtCreateDebugObject_SystemCall_Unknown +NtCreateDebugObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateDebugObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateDebugObject_SystemCall_6_1_7601 + jmp NtCreateDebugObject_SystemCall_Unknown +NtCreateDebugObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreateDebugObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateDebugObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateDebugObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateDebugObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateDebugObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateDebugObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateDebugObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateDebugObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateDebugObject_SystemCall_10_0_18363 + jmp NtCreateDebugObject_SystemCall_Unknown +NtCreateDebugObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0076h + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0093h + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0091h + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0091h + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0090h + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0090h + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0097h + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0098h + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 009ah + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 009ah + jmp 
NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 009bh + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 009eh + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 009fh + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00a0h + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00a0h + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00a1h + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00a1h + jmp NtCreateDebugObject_Epilogue +NtCreateDebugObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateDebugObject_Epilogue: + mov r10, rcx + syscall + ret +NtCreateDebugObject ENDP + +NtCreateDirectoryObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateDirectoryObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateDirectoryObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateDirectoryObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateDirectoryObject_Check_10_0_XXXX + jmp NtCreateDirectoryObject_SystemCall_Unknown +NtCreateDirectoryObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateDirectoryObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateDirectoryObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateDirectoryObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateDirectoryObject_SystemCall_6_3_XXXX + jmp NtCreateDirectoryObject_SystemCall_Unknown +NtCreateDirectoryObject_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtCreateDirectoryObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateDirectoryObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateDirectoryObject_SystemCall_6_0_6002 + jmp NtCreateDirectoryObject_SystemCall_Unknown +NtCreateDirectoryObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateDirectoryObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateDirectoryObject_SystemCall_6_1_7601 + jmp NtCreateDirectoryObject_SystemCall_Unknown +NtCreateDirectoryObject_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateDirectoryObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateDirectoryObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateDirectoryObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateDirectoryObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateDirectoryObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateDirectoryObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateDirectoryObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateDirectoryObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateDirectoryObject_SystemCall_10_0_18363 + jmp NtCreateDirectoryObject_SystemCall_Unknown +NtCreateDirectoryObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0077h + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0094h + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0092h + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0092h + jmp 
NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0091h + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0091h + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0098h + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0099h + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 009bh + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 009bh + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 009ch + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 009fh + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00a0h + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00a1h + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00a1h + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00a2h + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00a2h + jmp NtCreateDirectoryObject_Epilogue +NtCreateDirectoryObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateDirectoryObject_Epilogue: + mov r10, rcx + syscall + ret +NtCreateDirectoryObject ENDP + +NtCreateDirectoryObjectEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. 
+NtCreateDirectoryObjectEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtCreateDirectoryObjectEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateDirectoryObjectEx_Check_10_0_XXXX + jmp NtCreateDirectoryObjectEx_SystemCall_Unknown +NtCreateDirectoryObjectEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtCreateDirectoryObjectEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateDirectoryObjectEx_SystemCall_6_3_XXXX + jmp NtCreateDirectoryObjectEx_SystemCall_Unknown +NtCreateDirectoryObjectEx_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateDirectoryObjectEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateDirectoryObjectEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateDirectoryObjectEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateDirectoryObjectEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateDirectoryObjectEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateDirectoryObjectEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateDirectoryObjectEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateDirectoryObjectEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateDirectoryObjectEx_SystemCall_10_0_18363 + jmp NtCreateDirectoryObjectEx_SystemCall_Unknown +NtCreateDirectoryObjectEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0099h + jmp NtCreateDirectoryObjectEx_Epilogue +NtCreateDirectoryObjectEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 009ah + jmp NtCreateDirectoryObjectEx_Epilogue +NtCreateDirectoryObjectEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 009ch + jmp NtCreateDirectoryObjectEx_Epilogue +NtCreateDirectoryObjectEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 009ch + jmp 
NtCreateDirectoryObjectEx_Epilogue +NtCreateDirectoryObjectEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 009dh + jmp NtCreateDirectoryObjectEx_Epilogue +NtCreateDirectoryObjectEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00a0h + jmp NtCreateDirectoryObjectEx_Epilogue +NtCreateDirectoryObjectEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00a1h + jmp NtCreateDirectoryObjectEx_Epilogue +NtCreateDirectoryObjectEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00a2h + jmp NtCreateDirectoryObjectEx_Epilogue +NtCreateDirectoryObjectEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00a2h + jmp NtCreateDirectoryObjectEx_Epilogue +NtCreateDirectoryObjectEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00a3h + jmp NtCreateDirectoryObjectEx_Epilogue +NtCreateDirectoryObjectEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00a3h + jmp NtCreateDirectoryObjectEx_Epilogue +NtCreateDirectoryObjectEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateDirectoryObjectEx_Epilogue: + mov r10, rcx + syscall + ret +NtCreateDirectoryObjectEx ENDP + +NtCreateEnclave PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateEnclave_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtCreateEnclave_Check_10_0_XXXX + jmp NtCreateEnclave_SystemCall_Unknown +NtCreateEnclave_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10586 + je NtCreateEnclave_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateEnclave_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateEnclave_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateEnclave_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateEnclave_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateEnclave_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateEnclave_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateEnclave_SystemCall_10_0_18363 + jmp NtCreateEnclave_SystemCall_Unknown +NtCreateEnclave_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 009dh + jmp NtCreateEnclave_Epilogue +NtCreateEnclave_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 009eh + jmp NtCreateEnclave_Epilogue +NtCreateEnclave_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00a1h + jmp NtCreateEnclave_Epilogue +NtCreateEnclave_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00a2h + jmp NtCreateEnclave_Epilogue +NtCreateEnclave_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00a3h + jmp NtCreateEnclave_Epilogue +NtCreateEnclave_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00a3h + jmp NtCreateEnclave_Epilogue +NtCreateEnclave_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00a4h + jmp NtCreateEnclave_Epilogue +NtCreateEnclave_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00a4h + jmp NtCreateEnclave_Epilogue +NtCreateEnclave_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateEnclave_Epilogue: + mov r10, rcx + syscall + ret +NtCreateEnclave ENDP + +NtCreateEnlistment PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateEnlistment_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtCreateEnlistment_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateEnlistment_Check_10_0_XXXX + jmp NtCreateEnlistment_SystemCall_Unknown +NtCreateEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateEnlistment_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateEnlistment_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateEnlistment_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateEnlistment_SystemCall_6_3_XXXX + jmp NtCreateEnlistment_SystemCall_Unknown +NtCreateEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateEnlistment_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateEnlistment_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateEnlistment_SystemCall_6_0_6002 + jmp NtCreateEnlistment_SystemCall_Unknown +NtCreateEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateEnlistment_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateEnlistment_SystemCall_6_1_7601 + jmp NtCreateEnlistment_SystemCall_Unknown +NtCreateEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreateEnlistment_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateEnlistment_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateEnlistment_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateEnlistment_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateEnlistment_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateEnlistment_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateEnlistment_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateEnlistment_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateEnlistment_SystemCall_10_0_18363 + jmp NtCreateEnlistment_SystemCall_Unknown +NtCreateEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0095h + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0093h + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0093h + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0092h + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0092h + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 009ah + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 009bh + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 009dh + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 009eh + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 009fh + jmp NtCreateEnlistment_Epilogue 
+NtCreateEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00a2h + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00a3h + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00a4h + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00a4h + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00a5h + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00a5h + jmp NtCreateEnlistment_Epilogue +NtCreateEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateEnlistment_Epilogue: + mov r10, rcx + syscall + ret +NtCreateEnlistment ENDP + +NtCreateEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateEvent_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateEvent_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateEvent_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateEvent_Check_10_0_XXXX + jmp NtCreateEvent_SystemCall_Unknown +NtCreateEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateEvent_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateEvent_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateEvent_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateEvent_SystemCall_6_3_XXXX + jmp NtCreateEvent_SystemCall_Unknown +NtCreateEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtCreateEvent_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateEvent_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateEvent_SystemCall_6_0_6002 + jmp NtCreateEvent_SystemCall_Unknown +NtCreateEvent_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateEvent_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateEvent_SystemCall_6_1_7601 + jmp NtCreateEvent_SystemCall_Unknown +NtCreateEvent_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateEvent_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateEvent_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateEvent_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateEvent_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateEvent_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateEvent_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateEvent_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateEvent_SystemCall_10_0_18363 + jmp NtCreateEvent_SystemCall_Unknown +NtCreateEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0045h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0045h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0045h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0045h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0045h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0045h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_6_2_XXXX: 
; Windows 8 and Server 2012 + mov eax, 0046h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0047h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0048h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0048h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0048h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0048h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0048h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0048h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0048h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0048h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0048h + jmp NtCreateEvent_Epilogue +NtCreateEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateEvent_Epilogue: + mov r10, rcx + syscall + ret +NtCreateEvent ENDP + +NtCreateEventPair PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateEventPair_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateEventPair_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateEventPair_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateEventPair_Check_10_0_XXXX + jmp NtCreateEventPair_SystemCall_Unknown +NtCreateEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtCreateEventPair_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateEventPair_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateEventPair_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateEventPair_SystemCall_6_3_XXXX + jmp NtCreateEventPair_SystemCall_Unknown +NtCreateEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateEventPair_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateEventPair_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateEventPair_SystemCall_6_0_6002 + jmp NtCreateEventPair_SystemCall_Unknown +NtCreateEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateEventPair_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateEventPair_SystemCall_6_1_7601 + jmp NtCreateEventPair_SystemCall_Unknown +NtCreateEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreateEventPair_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateEventPair_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateEventPair_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateEventPair_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateEventPair_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateEventPair_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateEventPair_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateEventPair_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateEventPair_SystemCall_10_0_18363 + jmp NtCreateEventPair_SystemCall_Unknown +NtCreateEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0078h + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0096h + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0094h + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0094h + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0093h + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0093h + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 009bh + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 009ch + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 009eh + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 009fh + jmp NtCreateEventPair_Epilogue 
+NtCreateEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00a0h + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00a3h + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00a4h + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00a5h + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00a5h + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00a6h + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00a6h + jmp NtCreateEventPair_Epilogue +NtCreateEventPair_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateEventPair_Epilogue: + mov r10, rcx + syscall + ret +NtCreateEventPair ENDP + +NtCreateFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateFile_Check_10_0_XXXX + jmp NtCreateFile_SystemCall_Unknown +NtCreateFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateFile_SystemCall_6_3_XXXX + jmp NtCreateFile_SystemCall_Unknown +NtCreateFile_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtCreateFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateFile_SystemCall_6_0_6002 + jmp NtCreateFile_SystemCall_Unknown +NtCreateFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateFile_SystemCall_6_1_7601 + jmp NtCreateFile_SystemCall_Unknown +NtCreateFile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateFile_SystemCall_10_0_18363 + jmp NtCreateFile_SystemCall_Unknown +NtCreateFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0052h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0052h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0052h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0052h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0052h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0052h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + 
mov eax, 0053h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0054h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0055h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0055h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0055h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0055h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0055h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0055h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0055h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0055h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0055h + jmp NtCreateFile_Epilogue +NtCreateFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateFile_Epilogue: + mov r10, rcx + syscall + ret +NtCreateFile ENDP + +NtCreateIRTimer PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateIRTimer_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtCreateIRTimer_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateIRTimer_Check_10_0_XXXX + jmp NtCreateIRTimer_SystemCall_Unknown +NtCreateIRTimer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtCreateIRTimer_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateIRTimer_SystemCall_6_3_XXXX + jmp NtCreateIRTimer_SystemCall_Unknown +NtCreateIRTimer_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreateIRTimer_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateIRTimer_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateIRTimer_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateIRTimer_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateIRTimer_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateIRTimer_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateIRTimer_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateIRTimer_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateIRTimer_SystemCall_10_0_18363 + jmp NtCreateIRTimer_SystemCall_Unknown +NtCreateIRTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 009ch + jmp NtCreateIRTimer_Epilogue +NtCreateIRTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 009dh + jmp NtCreateIRTimer_Epilogue +NtCreateIRTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 009fh + jmp NtCreateIRTimer_Epilogue +NtCreateIRTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00a0h + jmp NtCreateIRTimer_Epilogue +NtCreateIRTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00a1h + jmp NtCreateIRTimer_Epilogue +NtCreateIRTimer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00a4h + jmp NtCreateIRTimer_Epilogue +NtCreateIRTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00a5h + jmp NtCreateIRTimer_Epilogue +NtCreateIRTimer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00a6h + jmp NtCreateIRTimer_Epilogue +NtCreateIRTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00a6h + jmp NtCreateIRTimer_Epilogue +NtCreateIRTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00a7h + jmp NtCreateIRTimer_Epilogue +NtCreateIRTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00a7h + jmp 
NtCreateIRTimer_Epilogue +NtCreateIRTimer_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateIRTimer_Epilogue: + mov r10, rcx + syscall + ret +NtCreateIRTimer ENDP + +NtCreateIoCompletion PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateIoCompletion_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateIoCompletion_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateIoCompletion_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateIoCompletion_Check_10_0_XXXX + jmp NtCreateIoCompletion_SystemCall_Unknown +NtCreateIoCompletion_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateIoCompletion_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateIoCompletion_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateIoCompletion_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateIoCompletion_SystemCall_6_3_XXXX + jmp NtCreateIoCompletion_SystemCall_Unknown +NtCreateIoCompletion_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateIoCompletion_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateIoCompletion_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateIoCompletion_SystemCall_6_0_6002 + jmp NtCreateIoCompletion_SystemCall_Unknown +NtCreateIoCompletion_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateIoCompletion_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateIoCompletion_SystemCall_6_1_7601 + jmp NtCreateIoCompletion_SystemCall_Unknown +NtCreateIoCompletion_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreateIoCompletion_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateIoCompletion_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateIoCompletion_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateIoCompletion_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateIoCompletion_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateIoCompletion_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateIoCompletion_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateIoCompletion_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateIoCompletion_SystemCall_10_0_18363 + jmp NtCreateIoCompletion_SystemCall_Unknown +NtCreateIoCompletion_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0079h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0097h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0095h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0095h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0094h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0094h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 009dh + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 009eh + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00a0h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 00a1h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00a2h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00a5h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00a6h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00a7h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00a7h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00a8h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00a8h + jmp NtCreateIoCompletion_Epilogue +NtCreateIoCompletion_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateIoCompletion_Epilogue: + mov r10, rcx + syscall + ret +NtCreateIoCompletion ENDP + +NtCreateJobObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateJobObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateJobObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateJobObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateJobObject_Check_10_0_XXXX + jmp NtCreateJobObject_SystemCall_Unknown +NtCreateJobObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateJobObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateJobObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateJobObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateJobObject_SystemCall_6_3_XXXX + jmp NtCreateJobObject_SystemCall_Unknown +NtCreateJobObject_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtCreateJobObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateJobObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateJobObject_SystemCall_6_0_6002 + jmp NtCreateJobObject_SystemCall_Unknown +NtCreateJobObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateJobObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateJobObject_SystemCall_6_1_7601 + jmp NtCreateJobObject_SystemCall_Unknown +NtCreateJobObject_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateJobObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateJobObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateJobObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateJobObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateJobObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateJobObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateJobObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateJobObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateJobObject_SystemCall_10_0_18363 + jmp NtCreateJobObject_SystemCall_Unknown +NtCreateJobObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 007ah + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0098h + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0096h + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0096h + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0095h + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_6_1_7601: 
; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0095h + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 009eh + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 009fh + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00a1h + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00a2h + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00a3h + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00a6h + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00a7h + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00a8h + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00a8h + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00a9h + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00a9h + jmp NtCreateJobObject_Epilogue +NtCreateJobObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateJobObject_Epilogue: + mov r10, rcx + syscall + ret +NtCreateJobObject ENDP + +NtCreateJobSet PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateJobSet_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtCreateJobSet_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateJobSet_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateJobSet_Check_10_0_XXXX + jmp NtCreateJobSet_SystemCall_Unknown +NtCreateJobSet_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateJobSet_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateJobSet_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateJobSet_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateJobSet_SystemCall_6_3_XXXX + jmp NtCreateJobSet_SystemCall_Unknown +NtCreateJobSet_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateJobSet_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateJobSet_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateJobSet_SystemCall_6_0_6002 + jmp NtCreateJobSet_SystemCall_Unknown +NtCreateJobSet_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateJobSet_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateJobSet_SystemCall_6_1_7601 + jmp NtCreateJobSet_SystemCall_Unknown +NtCreateJobSet_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreateJobSet_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateJobSet_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateJobSet_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateJobSet_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateJobSet_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateJobSet_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateJobSet_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateJobSet_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateJobSet_SystemCall_10_0_18363 + jmp NtCreateJobSet_SystemCall_Unknown +NtCreateJobSet_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 007bh + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0099h + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0097h + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0097h + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0096h + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0096h + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 009fh + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00a0h + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00a2h + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00a3h + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00a4h + jmp NtCreateJobSet_Epilogue 
+NtCreateJobSet_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00a7h + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00a8h + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00a9h + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00a9h + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00aah + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00aah + jmp NtCreateJobSet_Epilogue +NtCreateJobSet_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateJobSet_Epilogue: + mov r10, rcx + syscall + ret +NtCreateJobSet ENDP + +NtCreateKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateKey_Check_10_0_XXXX + jmp NtCreateKey_SystemCall_Unknown +NtCreateKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateKey_SystemCall_6_3_XXXX + jmp NtCreateKey_SystemCall_Unknown +NtCreateKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateKey_SystemCall_6_0_6002 + jmp NtCreateKey_SystemCall_Unknown +NtCreateKey_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtCreateKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateKey_SystemCall_6_1_7601 + jmp NtCreateKey_SystemCall_Unknown +NtCreateKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateKey_SystemCall_10_0_18363 + jmp NtCreateKey_SystemCall_Unknown +NtCreateKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 001ah + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 001ah + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 001ah + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 001ah + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 001ah + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 001ah + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 001bh + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 001ch + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 001dh + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 001dh + 
jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 001dh + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 001dh + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 001dh + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 001dh + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 001dh + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 001dh + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 001dh + jmp NtCreateKey_Epilogue +NtCreateKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateKey_Epilogue: + mov r10, rcx + syscall + ret +NtCreateKey ENDP + +NtCreateKeyTransacted PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateKeyTransacted_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtCreateKeyTransacted_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateKeyTransacted_Check_10_0_XXXX + jmp NtCreateKeyTransacted_SystemCall_Unknown +NtCreateKeyTransacted_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateKeyTransacted_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateKeyTransacted_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateKeyTransacted_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateKeyTransacted_SystemCall_6_3_XXXX + jmp NtCreateKeyTransacted_SystemCall_Unknown +NtCreateKeyTransacted_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtCreateKeyTransacted_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateKeyTransacted_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateKeyTransacted_SystemCall_6_0_6002 + jmp NtCreateKeyTransacted_SystemCall_Unknown +NtCreateKeyTransacted_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateKeyTransacted_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateKeyTransacted_SystemCall_6_1_7601 + jmp NtCreateKeyTransacted_SystemCall_Unknown +NtCreateKeyTransacted_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateKeyTransacted_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateKeyTransacted_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateKeyTransacted_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateKeyTransacted_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateKeyTransacted_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateKeyTransacted_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateKeyTransacted_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateKeyTransacted_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateKeyTransacted_SystemCall_10_0_18363 + jmp NtCreateKeyTransacted_SystemCall_Unknown +NtCreateKeyTransacted_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 009ah + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0098h + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0098h + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0097h + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_6_1_7601: ; 
Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0097h + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00a0h + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00a1h + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00a3h + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00a4h + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00a5h + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00a8h + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00a9h + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00aah + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00aah + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00abh + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00abh + jmp NtCreateKeyTransacted_Epilogue +NtCreateKeyTransacted_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateKeyTransacted_Epilogue: + mov r10, rcx + syscall + ret +NtCreateKeyTransacted ENDP + +NtCreateKeyedEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateKeyedEvent_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtCreateKeyedEvent_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateKeyedEvent_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateKeyedEvent_Check_10_0_XXXX + jmp NtCreateKeyedEvent_SystemCall_Unknown +NtCreateKeyedEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateKeyedEvent_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateKeyedEvent_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateKeyedEvent_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateKeyedEvent_SystemCall_6_3_XXXX + jmp NtCreateKeyedEvent_SystemCall_Unknown +NtCreateKeyedEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateKeyedEvent_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateKeyedEvent_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateKeyedEvent_SystemCall_6_0_6002 + jmp NtCreateKeyedEvent_SystemCall_Unknown +NtCreateKeyedEvent_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateKeyedEvent_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateKeyedEvent_SystemCall_6_1_7601 + jmp NtCreateKeyedEvent_SystemCall_Unknown +NtCreateKeyedEvent_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreateKeyedEvent_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateKeyedEvent_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateKeyedEvent_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateKeyedEvent_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateKeyedEvent_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateKeyedEvent_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateKeyedEvent_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateKeyedEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateKeyedEvent_SystemCall_10_0_18363 + jmp NtCreateKeyedEvent_SystemCall_Unknown +NtCreateKeyedEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 007ch + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 009bh + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0099h + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0099h + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0098h + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0098h + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00a1h + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00a2h + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00a4h + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00a5h + jmp NtCreateKeyedEvent_Epilogue 
+NtCreateKeyedEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00a6h + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00a9h + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00aah + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00abh + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00abh + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00ach + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00ach + jmp NtCreateKeyedEvent_Epilogue +NtCreateKeyedEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateKeyedEvent_Epilogue: + mov r10, rcx + syscall + ret +NtCreateKeyedEvent ENDP + +NtCreateLowBoxToken PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateLowBoxToken_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtCreateLowBoxToken_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateLowBoxToken_Check_10_0_XXXX + jmp NtCreateLowBoxToken_SystemCall_Unknown +NtCreateLowBoxToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtCreateLowBoxToken_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateLowBoxToken_SystemCall_6_3_XXXX + jmp NtCreateLowBoxToken_SystemCall_Unknown +NtCreateLowBoxToken_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreateLowBoxToken_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateLowBoxToken_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateLowBoxToken_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateLowBoxToken_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateLowBoxToken_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateLowBoxToken_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateLowBoxToken_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateLowBoxToken_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateLowBoxToken_SystemCall_10_0_18363 + jmp NtCreateLowBoxToken_SystemCall_Unknown +NtCreateLowBoxToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00a2h + jmp NtCreateLowBoxToken_Epilogue +NtCreateLowBoxToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00a3h + jmp NtCreateLowBoxToken_Epilogue +NtCreateLowBoxToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00a5h + jmp NtCreateLowBoxToken_Epilogue +NtCreateLowBoxToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00a6h + jmp NtCreateLowBoxToken_Epilogue +NtCreateLowBoxToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00a7h + jmp NtCreateLowBoxToken_Epilogue +NtCreateLowBoxToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00aah + jmp NtCreateLowBoxToken_Epilogue +NtCreateLowBoxToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00abh + jmp NtCreateLowBoxToken_Epilogue +NtCreateLowBoxToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00ach + jmp NtCreateLowBoxToken_Epilogue +NtCreateLowBoxToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00ach + jmp NtCreateLowBoxToken_Epilogue +NtCreateLowBoxToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00adh + jmp 
NtCreateLowBoxToken_Epilogue +NtCreateLowBoxToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00adh + jmp NtCreateLowBoxToken_Epilogue +NtCreateLowBoxToken_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateLowBoxToken_Epilogue: + mov r10, rcx + syscall + ret +NtCreateLowBoxToken ENDP + +NtCreateMailslotFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateMailslotFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateMailslotFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateMailslotFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateMailslotFile_Check_10_0_XXXX + jmp NtCreateMailslotFile_SystemCall_Unknown +NtCreateMailslotFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateMailslotFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateMailslotFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateMailslotFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateMailslotFile_SystemCall_6_3_XXXX + jmp NtCreateMailslotFile_SystemCall_Unknown +NtCreateMailslotFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateMailslotFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateMailslotFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateMailslotFile_SystemCall_6_0_6002 + jmp NtCreateMailslotFile_SystemCall_Unknown +NtCreateMailslotFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateMailslotFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateMailslotFile_SystemCall_6_1_7601 + jmp NtCreateMailslotFile_SystemCall_Unknown +NtCreateMailslotFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreateMailslotFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateMailslotFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateMailslotFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateMailslotFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateMailslotFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateMailslotFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateMailslotFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateMailslotFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateMailslotFile_SystemCall_10_0_18363 + jmp NtCreateMailslotFile_SystemCall_Unknown +NtCreateMailslotFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 007dh + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 009ch + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 009ah + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 009ah + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0099h + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0099h + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00a3h + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00a4h + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00a6h + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 00a7h + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00a8h + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00abh + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00ach + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00adh + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00adh + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00aeh + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00aeh + jmp NtCreateMailslotFile_Epilogue +NtCreateMailslotFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateMailslotFile_Epilogue: + mov r10, rcx + syscall + ret +NtCreateMailslotFile ENDP + +NtCreateMutant PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateMutant_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateMutant_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateMutant_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateMutant_Check_10_0_XXXX + jmp NtCreateMutant_SystemCall_Unknown +NtCreateMutant_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateMutant_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateMutant_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateMutant_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateMutant_SystemCall_6_3_XXXX + jmp NtCreateMutant_SystemCall_Unknown +NtCreateMutant_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtCreateMutant_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateMutant_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateMutant_SystemCall_6_0_6002 + jmp NtCreateMutant_SystemCall_Unknown +NtCreateMutant_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateMutant_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateMutant_SystemCall_6_1_7601 + jmp NtCreateMutant_SystemCall_Unknown +NtCreateMutant_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateMutant_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateMutant_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateMutant_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateMutant_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateMutant_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateMutant_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateMutant_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateMutant_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateMutant_SystemCall_10_0_18363 + jmp NtCreateMutant_SystemCall_Unknown +NtCreateMutant_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 007eh + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 009dh + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 009bh + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 009bh + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 009ah + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 009ah + jmp NtCreateMutant_Epilogue 
+NtCreateMutant_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00a4h + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00a5h + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00a7h + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00a8h + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00a9h + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00ach + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00adh + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00aeh + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00aeh + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00afh + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00afh + jmp NtCreateMutant_Epilogue +NtCreateMutant_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateMutant_Epilogue: + mov r10, rcx + syscall + ret +NtCreateMutant ENDP + +NtCreateNamedPipeFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateNamedPipeFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateNamedPipeFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateNamedPipeFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateNamedPipeFile_Check_10_0_XXXX + jmp NtCreateNamedPipeFile_SystemCall_Unknown +NtCreateNamedPipeFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtCreateNamedPipeFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateNamedPipeFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateNamedPipeFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateNamedPipeFile_SystemCall_6_3_XXXX + jmp NtCreateNamedPipeFile_SystemCall_Unknown +NtCreateNamedPipeFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateNamedPipeFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateNamedPipeFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateNamedPipeFile_SystemCall_6_0_6002 + jmp NtCreateNamedPipeFile_SystemCall_Unknown +NtCreateNamedPipeFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateNamedPipeFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateNamedPipeFile_SystemCall_6_1_7601 + jmp NtCreateNamedPipeFile_SystemCall_Unknown +NtCreateNamedPipeFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreateNamedPipeFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateNamedPipeFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateNamedPipeFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateNamedPipeFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateNamedPipeFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateNamedPipeFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateNamedPipeFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateNamedPipeFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateNamedPipeFile_SystemCall_10_0_18363 + jmp NtCreateNamedPipeFile_SystemCall_Unknown +NtCreateNamedPipeFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 007fh + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 009eh + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 009ch + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 009ch + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 009bh + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 009bh + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00a5h + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00a6h + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00a8h + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_10_0_10586: ; 
Windows 10.0.10586 (1511) + mov eax, 00a9h + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00aah + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00adh + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00aeh + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00afh + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00afh + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00b0h + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00b0h + jmp NtCreateNamedPipeFile_Epilogue +NtCreateNamedPipeFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateNamedPipeFile_Epilogue: + mov r10, rcx + syscall + ret +NtCreateNamedPipeFile ENDP + +NtCreatePagingFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreatePagingFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreatePagingFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreatePagingFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreatePagingFile_Check_10_0_XXXX + jmp NtCreatePagingFile_SystemCall_Unknown +NtCreatePagingFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtCreatePagingFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreatePagingFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreatePagingFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreatePagingFile_SystemCall_6_3_XXXX + jmp NtCreatePagingFile_SystemCall_Unknown +NtCreatePagingFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreatePagingFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreatePagingFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreatePagingFile_SystemCall_6_0_6002 + jmp NtCreatePagingFile_SystemCall_Unknown +NtCreatePagingFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreatePagingFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreatePagingFile_SystemCall_6_1_7601 + jmp NtCreatePagingFile_SystemCall_Unknown +NtCreatePagingFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreatePagingFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreatePagingFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreatePagingFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreatePagingFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreatePagingFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreatePagingFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreatePagingFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreatePagingFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreatePagingFile_SystemCall_10_0_18363 + jmp NtCreatePagingFile_SystemCall_Unknown +NtCreatePagingFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0080h + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 009fh + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 009dh + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 009dh + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 009ch + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 009ch + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00a6h + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00a7h + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00a9h + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00aah + jmp NtCreatePagingFile_Epilogue 
+NtCreatePagingFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00abh + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00aeh + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00afh + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00b0h + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00b0h + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00b1h + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00b1h + jmp NtCreatePagingFile_Epilogue +NtCreatePagingFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreatePagingFile_Epilogue: + mov r10, rcx + syscall + ret +NtCreatePagingFile ENDP + +NtCreatePartition PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreatePartition_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtCreatePartition_Check_10_0_XXXX + jmp NtCreatePartition_SystemCall_Unknown +NtCreatePartition_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreatePartition_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreatePartition_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreatePartition_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreatePartition_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreatePartition_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreatePartition_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreatePartition_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreatePartition_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreatePartition_SystemCall_10_0_18363 + jmp NtCreatePartition_SystemCall_Unknown +NtCreatePartition_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00aah + jmp NtCreatePartition_Epilogue +NtCreatePartition_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00abh + jmp NtCreatePartition_Epilogue +NtCreatePartition_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00ach + jmp NtCreatePartition_Epilogue +NtCreatePartition_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00afh + jmp NtCreatePartition_Epilogue +NtCreatePartition_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00b0h + jmp NtCreatePartition_Epilogue +NtCreatePartition_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00b1h + jmp NtCreatePartition_Epilogue +NtCreatePartition_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00b1h + jmp NtCreatePartition_Epilogue +NtCreatePartition_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00b2h + jmp NtCreatePartition_Epilogue +NtCreatePartition_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00b2h + jmp NtCreatePartition_Epilogue +NtCreatePartition_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtCreatePartition_Epilogue: + mov r10, rcx + syscall + ret +NtCreatePartition ENDP + +NtCreatePort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreatePort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreatePort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreatePort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreatePort_Check_10_0_XXXX + jmp NtCreatePort_SystemCall_Unknown +NtCreatePort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreatePort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreatePort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreatePort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreatePort_SystemCall_6_3_XXXX + jmp NtCreatePort_SystemCall_Unknown +NtCreatePort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreatePort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreatePort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreatePort_SystemCall_6_0_6002 + jmp NtCreatePort_SystemCall_Unknown +NtCreatePort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreatePort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreatePort_SystemCall_6_1_7601 + jmp NtCreatePort_SystemCall_Unknown +NtCreatePort_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreatePort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreatePort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreatePort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreatePort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreatePort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreatePort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreatePort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreatePort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreatePort_SystemCall_10_0_18363 + jmp NtCreatePort_SystemCall_Unknown +NtCreatePort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0081h + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00a0h + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 009eh + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 009eh + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 009dh + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 009dh + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00a7h + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00a8h + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00abh + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00ach + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00adh + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 
00b0h + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00b1h + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00b2h + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00b2h + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00b3h + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00b3h + jmp NtCreatePort_Epilogue +NtCreatePort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreatePort_Epilogue: + mov r10, rcx + syscall + ret +NtCreatePort ENDP + +NtCreatePrivateNamespace PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreatePrivateNamespace_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtCreatePrivateNamespace_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreatePrivateNamespace_Check_10_0_XXXX + jmp NtCreatePrivateNamespace_SystemCall_Unknown +NtCreatePrivateNamespace_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreatePrivateNamespace_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreatePrivateNamespace_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreatePrivateNamespace_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreatePrivateNamespace_SystemCall_6_3_XXXX + jmp NtCreatePrivateNamespace_SystemCall_Unknown +NtCreatePrivateNamespace_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreatePrivateNamespace_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreatePrivateNamespace_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreatePrivateNamespace_SystemCall_6_0_6002 + jmp NtCreatePrivateNamespace_SystemCall_Unknown +NtCreatePrivateNamespace_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtCreatePrivateNamespace_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreatePrivateNamespace_SystemCall_6_1_7601 + jmp NtCreatePrivateNamespace_SystemCall_Unknown +NtCreatePrivateNamespace_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreatePrivateNamespace_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreatePrivateNamespace_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreatePrivateNamespace_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreatePrivateNamespace_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreatePrivateNamespace_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreatePrivateNamespace_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreatePrivateNamespace_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreatePrivateNamespace_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreatePrivateNamespace_SystemCall_10_0_18363 + jmp NtCreatePrivateNamespace_SystemCall_Unknown +NtCreatePrivateNamespace_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00a1h + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 009fh + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 009fh + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 009eh + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 009eh + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00a8h + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 
2012 R2 + mov eax, 00a9h + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00ach + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00adh + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00aeh + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00b1h + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00b2h + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00b3h + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00b3h + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00b4h + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00b4h + jmp NtCreatePrivateNamespace_Epilogue +NtCreatePrivateNamespace_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreatePrivateNamespace_Epilogue: + mov r10, rcx + syscall + ret +NtCreatePrivateNamespace ENDP + +NtCreateProcess PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateProcess_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateProcess_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateProcess_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateProcess_Check_10_0_XXXX + jmp NtCreateProcess_SystemCall_Unknown +NtCreateProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtCreateProcess_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateProcess_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateProcess_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateProcess_SystemCall_6_3_XXXX + jmp NtCreateProcess_SystemCall_Unknown +NtCreateProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateProcess_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateProcess_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateProcess_SystemCall_6_0_6002 + jmp NtCreateProcess_SystemCall_Unknown +NtCreateProcess_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateProcess_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateProcess_SystemCall_6_1_7601 + jmp NtCreateProcess_SystemCall_Unknown +NtCreateProcess_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateProcess_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateProcess_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateProcess_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateProcess_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateProcess_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateProcess_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateProcess_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateProcess_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateProcess_SystemCall_10_0_18363 + jmp NtCreateProcess_SystemCall_Unknown +NtCreateProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0082h + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00a2h + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and 
Server 2008 SP0 + mov eax, 00a0h + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00a0h + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 009fh + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 009fh + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00a9h + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00aah + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00adh + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00aeh + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00afh + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00b2h + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00b3h + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00b4h + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00b4h + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00b5h + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00b5h + jmp NtCreateProcess_Epilogue +NtCreateProcess_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateProcess_Epilogue: + mov r10, rcx + syscall + ret +NtCreateProcess ENDP + +NtCreateProcessEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateProcessEx_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtCreateProcessEx_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateProcessEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateProcessEx_Check_10_0_XXXX + jmp NtCreateProcessEx_SystemCall_Unknown +NtCreateProcessEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateProcessEx_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateProcessEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateProcessEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateProcessEx_SystemCall_6_3_XXXX + jmp NtCreateProcessEx_SystemCall_Unknown +NtCreateProcessEx_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateProcessEx_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateProcessEx_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateProcessEx_SystemCall_6_0_6002 + jmp NtCreateProcessEx_SystemCall_Unknown +NtCreateProcessEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateProcessEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateProcessEx_SystemCall_6_1_7601 + jmp NtCreateProcessEx_SystemCall_Unknown +NtCreateProcessEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreateProcessEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateProcessEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateProcessEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateProcessEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateProcessEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateProcessEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateProcessEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateProcessEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateProcessEx_SystemCall_10_0_18363 + jmp NtCreateProcessEx_SystemCall_Unknown +NtCreateProcessEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 004ah + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 004ah + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 004ah + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 004ah + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 004ah + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 004ah + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 004bh + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 004ch + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 004dh + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 004dh + jmp NtCreateProcessEx_Epilogue 
+NtCreateProcessEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 004dh + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 004dh + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 004dh + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 004dh + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 004dh + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 004dh + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 004dh + jmp NtCreateProcessEx_Epilogue +NtCreateProcessEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateProcessEx_Epilogue: + mov r10, rcx + syscall + ret +NtCreateProcessEx ENDP + +NtCreateProfile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateProfile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateProfile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateProfile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateProfile_Check_10_0_XXXX + jmp NtCreateProfile_SystemCall_Unknown +NtCreateProfile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateProfile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateProfile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateProfile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateProfile_SystemCall_6_3_XXXX + jmp NtCreateProfile_SystemCall_Unknown +NtCreateProfile_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtCreateProfile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateProfile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateProfile_SystemCall_6_0_6002 + jmp NtCreateProfile_SystemCall_Unknown +NtCreateProfile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateProfile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateProfile_SystemCall_6_1_7601 + jmp NtCreateProfile_SystemCall_Unknown +NtCreateProfile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateProfile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateProfile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateProfile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateProfile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateProfile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateProfile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateProfile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateProfile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateProfile_SystemCall_10_0_18363 + jmp NtCreateProfile_SystemCall_Unknown +NtCreateProfile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0083h + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00a3h + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00a1h + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00a1h + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00a0h + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00a0h + 
jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00aah + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00abh + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00aeh + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00afh + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00b0h + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00b3h + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00b4h + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00b5h + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00b5h + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00b6h + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00b6h + jmp NtCreateProfile_Epilogue +NtCreateProfile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateProfile_Epilogue: + mov r10, rcx + syscall + ret +NtCreateProfile ENDP + +NtCreateProfileEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateProfileEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtCreateProfileEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateProfileEx_Check_10_0_XXXX + jmp NtCreateProfileEx_SystemCall_Unknown +NtCreateProfileEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 1 + je NtCreateProfileEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateProfileEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateProfileEx_SystemCall_6_3_XXXX + jmp NtCreateProfileEx_SystemCall_Unknown +NtCreateProfileEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateProfileEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateProfileEx_SystemCall_6_1_7601 + jmp NtCreateProfileEx_SystemCall_Unknown +NtCreateProfileEx_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateProfileEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateProfileEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateProfileEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateProfileEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateProfileEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateProfileEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateProfileEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateProfileEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateProfileEx_SystemCall_10_0_18363 + jmp NtCreateProfileEx_SystemCall_Unknown +NtCreateProfileEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00a1h + jmp NtCreateProfileEx_Epilogue +NtCreateProfileEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00a1h + jmp NtCreateProfileEx_Epilogue +NtCreateProfileEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00abh + jmp NtCreateProfileEx_Epilogue +NtCreateProfileEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00ach + jmp NtCreateProfileEx_Epilogue +NtCreateProfileEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00afh + jmp NtCreateProfileEx_Epilogue +NtCreateProfileEx_SystemCall_10_0_10586: ; Windows 
10.0.10586 (1511) + mov eax, 00b0h + jmp NtCreateProfileEx_Epilogue +NtCreateProfileEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00b1h + jmp NtCreateProfileEx_Epilogue +NtCreateProfileEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00b4h + jmp NtCreateProfileEx_Epilogue +NtCreateProfileEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00b5h + jmp NtCreateProfileEx_Epilogue +NtCreateProfileEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00b6h + jmp NtCreateProfileEx_Epilogue +NtCreateProfileEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00b6h + jmp NtCreateProfileEx_Epilogue +NtCreateProfileEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00b7h + jmp NtCreateProfileEx_Epilogue +NtCreateProfileEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00b7h + jmp NtCreateProfileEx_Epilogue +NtCreateProfileEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateProfileEx_Epilogue: + mov r10, rcx + syscall + ret +NtCreateProfileEx ENDP + +NtCreateRegistryTransaction PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateRegistryTransaction_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtCreateRegistryTransaction_Check_10_0_XXXX + jmp NtCreateRegistryTransaction_SystemCall_Unknown +NtCreateRegistryTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 14393 + je NtCreateRegistryTransaction_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateRegistryTransaction_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateRegistryTransaction_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateRegistryTransaction_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateRegistryTransaction_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateRegistryTransaction_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateRegistryTransaction_SystemCall_10_0_18363 + jmp NtCreateRegistryTransaction_SystemCall_Unknown +NtCreateRegistryTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00b2h + jmp NtCreateRegistryTransaction_Epilogue +NtCreateRegistryTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00b5h + jmp NtCreateRegistryTransaction_Epilogue +NtCreateRegistryTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00b6h + jmp NtCreateRegistryTransaction_Epilogue +NtCreateRegistryTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00b7h + jmp NtCreateRegistryTransaction_Epilogue +NtCreateRegistryTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00b7h + jmp NtCreateRegistryTransaction_Epilogue +NtCreateRegistryTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00b8h + jmp NtCreateRegistryTransaction_Epilogue +NtCreateRegistryTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00b8h + jmp NtCreateRegistryTransaction_Epilogue +NtCreateRegistryTransaction_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateRegistryTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtCreateRegistryTransaction ENDP + +NtCreateResourceManager PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateResourceManager_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtCreateResourceManager_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateResourceManager_Check_10_0_XXXX + jmp NtCreateResourceManager_SystemCall_Unknown +NtCreateResourceManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateResourceManager_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateResourceManager_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateResourceManager_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateResourceManager_SystemCall_6_3_XXXX + jmp NtCreateResourceManager_SystemCall_Unknown +NtCreateResourceManager_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateResourceManager_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateResourceManager_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateResourceManager_SystemCall_6_0_6002 + jmp NtCreateResourceManager_SystemCall_Unknown +NtCreateResourceManager_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateResourceManager_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateResourceManager_SystemCall_6_1_7601 + jmp NtCreateResourceManager_SystemCall_Unknown +NtCreateResourceManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreateResourceManager_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateResourceManager_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateResourceManager_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateResourceManager_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateResourceManager_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateResourceManager_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateResourceManager_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateResourceManager_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateResourceManager_SystemCall_10_0_18363 + jmp NtCreateResourceManager_SystemCall_Unknown +NtCreateResourceManager_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00a4h + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00a2h + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00a2h + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00a2h + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00a2h + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00ach + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00adh + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00b0h + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00b1h + jmp 
NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00b3h + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00b6h + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00b7h + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00b8h + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00b8h + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00b9h + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00b9h + jmp NtCreateResourceManager_Epilogue +NtCreateResourceManager_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateResourceManager_Epilogue: + mov r10, rcx + syscall + ret +NtCreateResourceManager ENDP + +NtCreateSection PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateSection_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateSection_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateSection_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateSection_Check_10_0_XXXX + jmp NtCreateSection_SystemCall_Unknown +NtCreateSection_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateSection_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateSection_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateSection_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateSection_SystemCall_6_3_XXXX + jmp NtCreateSection_SystemCall_Unknown +NtCreateSection_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtCreateSection_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateSection_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateSection_SystemCall_6_0_6002 + jmp NtCreateSection_SystemCall_Unknown +NtCreateSection_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateSection_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateSection_SystemCall_6_1_7601 + jmp NtCreateSection_SystemCall_Unknown +NtCreateSection_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateSection_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateSection_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateSection_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateSection_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateSection_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateSection_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateSection_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateSection_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateSection_SystemCall_10_0_18363 + jmp NtCreateSection_SystemCall_Unknown +NtCreateSection_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0047h + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0047h + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0047h + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0047h + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0047h + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0047h + 
jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0048h + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0049h + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 004ah + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 004ah + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 004ah + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 004ah + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 004ah + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 004ah + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 004ah + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 004ah + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 004ah + jmp NtCreateSection_Epilogue +NtCreateSection_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateSection_Epilogue: + mov r10, rcx + syscall + ret +NtCreateSection ENDP + +NtCreateSectionEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateSectionEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtCreateSectionEx_Check_10_0_XXXX + jmp NtCreateSectionEx_SystemCall_Unknown +NtCreateSectionEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 17763 + je NtCreateSectionEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateSectionEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateSectionEx_SystemCall_10_0_18363 + jmp NtCreateSectionEx_SystemCall_Unknown +NtCreateSectionEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00b9h + jmp NtCreateSectionEx_Epilogue +NtCreateSectionEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00bah + jmp NtCreateSectionEx_Epilogue +NtCreateSectionEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00bah + jmp NtCreateSectionEx_Epilogue +NtCreateSectionEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateSectionEx_Epilogue: + mov r10, rcx + syscall + ret +NtCreateSectionEx ENDP + +NtCreateSemaphore PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateSemaphore_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateSemaphore_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateSemaphore_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateSemaphore_Check_10_0_XXXX + jmp NtCreateSemaphore_SystemCall_Unknown +NtCreateSemaphore_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateSemaphore_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateSemaphore_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateSemaphore_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateSemaphore_SystemCall_6_3_XXXX + jmp NtCreateSemaphore_SystemCall_Unknown +NtCreateSemaphore_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtCreateSemaphore_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateSemaphore_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateSemaphore_SystemCall_6_0_6002 + jmp NtCreateSemaphore_SystemCall_Unknown +NtCreateSemaphore_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateSemaphore_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateSemaphore_SystemCall_6_1_7601 + jmp NtCreateSemaphore_SystemCall_Unknown +NtCreateSemaphore_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateSemaphore_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateSemaphore_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateSemaphore_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateSemaphore_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateSemaphore_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateSemaphore_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateSemaphore_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateSemaphore_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateSemaphore_SystemCall_10_0_18363 + jmp NtCreateSemaphore_SystemCall_Unknown +NtCreateSemaphore_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0084h + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00a5h + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00a3h + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00a3h + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00a3h + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_6_1_7601: 
; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00a3h + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00adh + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00aeh + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00b1h + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00b2h + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00b4h + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00b7h + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00b8h + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00b9h + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00bah + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00bbh + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00bbh + jmp NtCreateSemaphore_Epilogue +NtCreateSemaphore_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateSemaphore_Epilogue: + mov r10, rcx + syscall + ret +NtCreateSemaphore ENDP + +NtCreateSymbolicLinkObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateSymbolicLinkObject_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtCreateSymbolicLinkObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateSymbolicLinkObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateSymbolicLinkObject_Check_10_0_XXXX + jmp NtCreateSymbolicLinkObject_SystemCall_Unknown +NtCreateSymbolicLinkObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateSymbolicLinkObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateSymbolicLinkObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateSymbolicLinkObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateSymbolicLinkObject_SystemCall_6_3_XXXX + jmp NtCreateSymbolicLinkObject_SystemCall_Unknown +NtCreateSymbolicLinkObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateSymbolicLinkObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateSymbolicLinkObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateSymbolicLinkObject_SystemCall_6_0_6002 + jmp NtCreateSymbolicLinkObject_SystemCall_Unknown +NtCreateSymbolicLinkObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtCreateSymbolicLinkObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateSymbolicLinkObject_SystemCall_6_1_7601 + jmp NtCreateSymbolicLinkObject_SystemCall_Unknown +NtCreateSymbolicLinkObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtCreateSymbolicLinkObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateSymbolicLinkObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateSymbolicLinkObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateSymbolicLinkObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateSymbolicLinkObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateSymbolicLinkObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateSymbolicLinkObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateSymbolicLinkObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateSymbolicLinkObject_SystemCall_10_0_18363 + jmp NtCreateSymbolicLinkObject_SystemCall_Unknown +NtCreateSymbolicLinkObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0085h + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00a6h + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00a4h + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00a4h + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00a4h + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00a4h + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00aeh + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00afh + jmp NtCreateSymbolicLinkObject_Epilogue 
+NtCreateSymbolicLinkObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00b2h + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00b3h + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00b5h + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00b8h + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00b9h + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00bah + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00bbh + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00bch + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00bch + jmp NtCreateSymbolicLinkObject_Epilogue +NtCreateSymbolicLinkObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateSymbolicLinkObject_Epilogue: + mov r10, rcx + syscall + ret +NtCreateSymbolicLinkObject ENDP + +NtCreateThread PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateThread_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateThread_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateThread_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateThread_Check_10_0_XXXX + jmp NtCreateThread_SystemCall_Unknown +NtCreateThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0
+ je NtCreateThread_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtCreateThread_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateThread_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateThread_SystemCall_6_3_XXXX
+ jmp NtCreateThread_SystemCall_Unknown
+NtCreateThread_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtCreateThread_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtCreateThread_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtCreateThread_SystemCall_6_0_6002
+ jmp NtCreateThread_SystemCall_Unknown
+NtCreateThread_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtCreateThread_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtCreateThread_SystemCall_6_1_7601
+ jmp NtCreateThread_SystemCall_Unknown
+NtCreateThread_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtCreateThread_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtCreateThread_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtCreateThread_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtCreateThread_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtCreateThread_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtCreateThread_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtCreateThread_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtCreateThread_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtCreateThread_SystemCall_10_0_18363
+ jmp NtCreateThread_SystemCall_Unknown
+NtCreateThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 004bh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 004bh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 004bh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 004bh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 004bh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 004bh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 004ch
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 004dh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 004eh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 004eh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 004eh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 004eh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 004eh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 004eh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 004eh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 004eh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 004eh
+ jmp NtCreateThread_Epilogue
+NtCreateThread_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtCreateThread_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtCreateThread ENDP
+
+NtCreateThreadEx PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtCreateThreadEx_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtCreateThreadEx_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtCreateThreadEx_Check_10_0_XXXX
+ jmp NtCreateThreadEx_SystemCall_Unknown
+NtCreateThreadEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtCreateThreadEx_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtCreateThreadEx_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateThreadEx_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateThreadEx_SystemCall_6_3_XXXX
+ jmp NtCreateThreadEx_SystemCall_Unknown
+NtCreateThreadEx_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtCreateThreadEx_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtCreateThreadEx_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtCreateThreadEx_SystemCall_6_0_6002
+ jmp NtCreateThreadEx_SystemCall_Unknown
+NtCreateThreadEx_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtCreateThreadEx_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtCreateThreadEx_SystemCall_6_1_7601
+ jmp NtCreateThreadEx_SystemCall_Unknown
+NtCreateThreadEx_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtCreateThreadEx_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtCreateThreadEx_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtCreateThreadEx_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtCreateThreadEx_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtCreateThreadEx_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtCreateThreadEx_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtCreateThreadEx_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtCreateThreadEx_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtCreateThreadEx_SystemCall_10_0_18363
+ jmp NtCreateThreadEx_SystemCall_Unknown
+NtCreateThreadEx_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 00a7h
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 00a5h
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 00a5h
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 00a5h
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 00a5h
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 00afh
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 00b0h
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 00b3h
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 00b4h
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 00b6h
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 00b9h
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 00bah
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 00bbh
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 00bch
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 00bdh
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 00bdh
+ jmp NtCreateThreadEx_Epilogue
+NtCreateThreadEx_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtCreateThreadEx_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtCreateThreadEx ENDP
+
+NtCreateTimer PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtCreateTimer_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 5
+ je NtCreateTimer_SystemCall_5_X_XXXX
+ cmp dword ptr [rax+118h], 6
+ je NtCreateTimer_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtCreateTimer_Check_10_0_XXXX
+ jmp NtCreateTimer_SystemCall_Unknown
+NtCreateTimer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtCreateTimer_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtCreateTimer_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateTimer_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateTimer_SystemCall_6_3_XXXX
+ jmp NtCreateTimer_SystemCall_Unknown
+NtCreateTimer_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtCreateTimer_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtCreateTimer_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtCreateTimer_SystemCall_6_0_6002
+ jmp NtCreateTimer_SystemCall_Unknown
+NtCreateTimer_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtCreateTimer_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtCreateTimer_SystemCall_6_1_7601
+ jmp NtCreateTimer_SystemCall_Unknown
+NtCreateTimer_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtCreateTimer_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtCreateTimer_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtCreateTimer_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtCreateTimer_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtCreateTimer_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtCreateTimer_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtCreateTimer_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtCreateTimer_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtCreateTimer_SystemCall_10_0_18363
+ jmp NtCreateTimer_SystemCall_Unknown
+NtCreateTimer_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 0086h
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 00a8h
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 00a6h
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 00a6h
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 00a6h
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 00a6h
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 00b0h
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 00b1h
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 00b4h
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 00b5h
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 00b7h
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 00bah
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 00bbh
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 00bch
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 00bdh
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 00beh
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 00beh
+ jmp NtCreateTimer_Epilogue
+NtCreateTimer_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtCreateTimer_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtCreateTimer ENDP
+
+NtCreateTimer2 PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtCreateTimer2_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtCreateTimer2_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtCreateTimer2_Check_10_0_XXXX
+ jmp NtCreateTimer2_SystemCall_Unknown
+NtCreateTimer2_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateTimer2_SystemCall_6_3_XXXX
+ jmp NtCreateTimer2_SystemCall_Unknown
+NtCreateTimer2_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtCreateTimer2_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtCreateTimer2_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtCreateTimer2_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtCreateTimer2_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtCreateTimer2_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtCreateTimer2_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtCreateTimer2_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtCreateTimer2_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtCreateTimer2_SystemCall_10_0_18363
+ jmp NtCreateTimer2_SystemCall_Unknown
+NtCreateTimer2_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 00b2h
+ jmp NtCreateTimer2_Epilogue
+NtCreateTimer2_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 00b5h
+ jmp NtCreateTimer2_Epilogue
+NtCreateTimer2_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 00b6h
+ jmp NtCreateTimer2_Epilogue
+NtCreateTimer2_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 00b8h
+ jmp NtCreateTimer2_Epilogue
+NtCreateTimer2_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 00bbh
+ jmp NtCreateTimer2_Epilogue
+NtCreateTimer2_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 00bch
+ jmp NtCreateTimer2_Epilogue
+NtCreateTimer2_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 00bdh
+ jmp NtCreateTimer2_Epilogue
+NtCreateTimer2_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 00beh
+ jmp NtCreateTimer2_Epilogue
+NtCreateTimer2_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 00bfh
+ jmp NtCreateTimer2_Epilogue
+NtCreateTimer2_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 00bfh
+ jmp NtCreateTimer2_Epilogue
+NtCreateTimer2_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtCreateTimer2_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtCreateTimer2 ENDP
+
+NtCreateToken PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtCreateToken_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 5
+ je NtCreateToken_SystemCall_5_X_XXXX
+ cmp dword ptr [rax+118h], 6
+ je NtCreateToken_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtCreateToken_Check_10_0_XXXX
+ jmp NtCreateToken_SystemCall_Unknown
+NtCreateToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtCreateToken_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtCreateToken_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateToken_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateToken_SystemCall_6_3_XXXX
+ jmp NtCreateToken_SystemCall_Unknown
+NtCreateToken_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtCreateToken_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtCreateToken_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtCreateToken_SystemCall_6_0_6002
+ jmp NtCreateToken_SystemCall_Unknown
+NtCreateToken_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtCreateToken_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtCreateToken_SystemCall_6_1_7601
+ jmp NtCreateToken_SystemCall_Unknown
+NtCreateToken_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtCreateToken_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtCreateToken_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtCreateToken_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtCreateToken_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtCreateToken_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtCreateToken_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtCreateToken_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtCreateToken_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtCreateToken_SystemCall_10_0_18363
+ jmp NtCreateToken_SystemCall_Unknown
+NtCreateToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 0087h
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 00a9h
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 00a7h
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 00a7h
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 00a7h
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 00a7h
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 00b1h
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 00b3h
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 00b6h
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 00b7h
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 00b9h
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 00bch
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 00bdh
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 00beh
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 00bfh
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 00c0h
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 00c0h
+ jmp NtCreateToken_Epilogue
+NtCreateToken_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtCreateToken_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtCreateToken ENDP
+
+NtCreateTokenEx PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtCreateTokenEx_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtCreateTokenEx_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtCreateTokenEx_Check_10_0_XXXX
+ jmp NtCreateTokenEx_SystemCall_Unknown
+NtCreateTokenEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateTokenEx_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateTokenEx_SystemCall_6_3_XXXX
+ jmp NtCreateTokenEx_SystemCall_Unknown
+NtCreateTokenEx_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtCreateTokenEx_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtCreateTokenEx_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtCreateTokenEx_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtCreateTokenEx_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtCreateTokenEx_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtCreateTokenEx_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtCreateTokenEx_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtCreateTokenEx_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtCreateTokenEx_SystemCall_10_0_18363
+ jmp NtCreateTokenEx_SystemCall_Unknown
+NtCreateTokenEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 00b2h
+ jmp NtCreateTokenEx_Epilogue
+NtCreateTokenEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 00b4h
+ jmp NtCreateTokenEx_Epilogue
+NtCreateTokenEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 00b7h
+ jmp NtCreateTokenEx_Epilogue
+NtCreateTokenEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 00b8h
+ jmp NtCreateTokenEx_Epilogue
+NtCreateTokenEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 00bah
+ jmp NtCreateTokenEx_Epilogue
+NtCreateTokenEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 00bdh
+ jmp NtCreateTokenEx_Epilogue
+NtCreateTokenEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 00beh
+ jmp NtCreateTokenEx_Epilogue
+NtCreateTokenEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 00bfh
+ jmp NtCreateTokenEx_Epilogue
+NtCreateTokenEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 00c0h
+ jmp NtCreateTokenEx_Epilogue
+NtCreateTokenEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 00c1h
+ jmp NtCreateTokenEx_Epilogue
+NtCreateTokenEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 00c1h
+ jmp NtCreateTokenEx_Epilogue
+NtCreateTokenEx_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtCreateTokenEx_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtCreateTokenEx ENDP
+
+NtCreateTransaction PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtCreateTransaction_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtCreateTransaction_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtCreateTransaction_Check_10_0_XXXX
+ jmp NtCreateTransaction_SystemCall_Unknown
+NtCreateTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtCreateTransaction_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtCreateTransaction_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateTransaction_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateTransaction_SystemCall_6_3_XXXX
+ jmp NtCreateTransaction_SystemCall_Unknown
+NtCreateTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtCreateTransaction_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtCreateTransaction_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtCreateTransaction_SystemCall_6_0_6002
+ jmp NtCreateTransaction_SystemCall_Unknown
+NtCreateTransaction_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtCreateTransaction_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtCreateTransaction_SystemCall_6_1_7601
+ jmp NtCreateTransaction_SystemCall_Unknown
+NtCreateTransaction_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtCreateTransaction_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtCreateTransaction_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtCreateTransaction_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtCreateTransaction_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtCreateTransaction_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtCreateTransaction_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtCreateTransaction_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtCreateTransaction_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtCreateTransaction_SystemCall_10_0_18363
+ jmp NtCreateTransaction_SystemCall_Unknown
+NtCreateTransaction_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 00aah
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 00a8h
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 00a8h
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 00a8h
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 00a8h
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 00b3h
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 00b5h
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 00b8h
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 00b9h
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 00bbh
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 00beh
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 00bfh
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 00c0h
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 00c1h
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 00c2h
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 00c2h
+ jmp NtCreateTransaction_Epilogue
+NtCreateTransaction_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtCreateTransaction_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtCreateTransaction ENDP
+
+NtCreateTransactionManager PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtCreateTransactionManager_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtCreateTransactionManager_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtCreateTransactionManager_Check_10_0_XXXX
+ jmp NtCreateTransactionManager_SystemCall_Unknown
+NtCreateTransactionManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtCreateTransactionManager_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtCreateTransactionManager_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateTransactionManager_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateTransactionManager_SystemCall_6_3_XXXX
+ jmp NtCreateTransactionManager_SystemCall_Unknown
+NtCreateTransactionManager_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtCreateTransactionManager_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtCreateTransactionManager_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtCreateTransactionManager_SystemCall_6_0_6002
+ jmp NtCreateTransactionManager_SystemCall_Unknown
+NtCreateTransactionManager_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtCreateTransactionManager_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtCreateTransactionManager_SystemCall_6_1_7601
+ jmp NtCreateTransactionManager_SystemCall_Unknown
+NtCreateTransactionManager_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtCreateTransactionManager_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtCreateTransactionManager_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtCreateTransactionManager_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtCreateTransactionManager_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtCreateTransactionManager_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtCreateTransactionManager_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtCreateTransactionManager_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtCreateTransactionManager_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtCreateTransactionManager_SystemCall_10_0_18363
+ jmp NtCreateTransactionManager_SystemCall_Unknown
+NtCreateTransactionManager_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 00abh
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 00a9h
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 00a9h
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 00a9h
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 00a9h
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 00b4h
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 00b6h
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 00b9h
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 00bah
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 00bch
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 00bfh
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 00c0h
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 00c1h
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 00c2h
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 00c3h
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 00c3h
+ jmp NtCreateTransactionManager_Epilogue
+NtCreateTransactionManager_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtCreateTransactionManager_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtCreateTransactionManager ENDP
+
+NtCreateUserProcess PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtCreateUserProcess_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtCreateUserProcess_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtCreateUserProcess_Check_10_0_XXXX
+ jmp NtCreateUserProcess_SystemCall_Unknown
+NtCreateUserProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtCreateUserProcess_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtCreateUserProcess_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateUserProcess_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateUserProcess_SystemCall_6_3_XXXX
+ jmp NtCreateUserProcess_SystemCall_Unknown
+NtCreateUserProcess_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtCreateUserProcess_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtCreateUserProcess_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtCreateUserProcess_SystemCall_6_0_6002
+ jmp NtCreateUserProcess_SystemCall_Unknown
+NtCreateUserProcess_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtCreateUserProcess_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtCreateUserProcess_SystemCall_6_1_7601
+ jmp NtCreateUserProcess_SystemCall_Unknown
+NtCreateUserProcess_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtCreateUserProcess_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtCreateUserProcess_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtCreateUserProcess_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtCreateUserProcess_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtCreateUserProcess_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtCreateUserProcess_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtCreateUserProcess_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtCreateUserProcess_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtCreateUserProcess_SystemCall_10_0_18363
+ jmp NtCreateUserProcess_SystemCall_Unknown
+NtCreateUserProcess_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 00ach
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 00aah
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 00aah
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 00aah
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 00aah
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 00b5h
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 00b7h
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 00bah
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 00bbh
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 00bdh
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 00c0h
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 00c1h
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 00c2h
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 00c3h
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 00c4h
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 00c4h
+ jmp NtCreateUserProcess_Epilogue
+NtCreateUserProcess_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtCreateUserProcess_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtCreateUserProcess ENDP
+
+NtCreateWaitCompletionPacket PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtCreateWaitCompletionPacket_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtCreateWaitCompletionPacket_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtCreateWaitCompletionPacket_Check_10_0_XXXX
+ jmp NtCreateWaitCompletionPacket_SystemCall_Unknown
+NtCreateWaitCompletionPacket_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateWaitCompletionPacket_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtCreateWaitCompletionPacket_SystemCall_6_3_XXXX
+ jmp NtCreateWaitCompletionPacket_SystemCall_Unknown
+NtCreateWaitCompletionPacket_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtCreateWaitCompletionPacket_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtCreateWaitCompletionPacket_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtCreateWaitCompletionPacket_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtCreateWaitCompletionPacket_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtCreateWaitCompletionPacket_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtCreateWaitCompletionPacket_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtCreateWaitCompletionPacket_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtCreateWaitCompletionPacket_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtCreateWaitCompletionPacket_SystemCall_10_0_18363
+ jmp NtCreateWaitCompletionPacket_SystemCall_Unknown
+NtCreateWaitCompletionPacket_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 00b6h
+ jmp NtCreateWaitCompletionPacket_Epilogue
+NtCreateWaitCompletionPacket_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 00b8h
+ jmp NtCreateWaitCompletionPacket_Epilogue
+NtCreateWaitCompletionPacket_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 00bbh
+ jmp NtCreateWaitCompletionPacket_Epilogue
+NtCreateWaitCompletionPacket_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 00bch
+ jmp NtCreateWaitCompletionPacket_Epilogue
+NtCreateWaitCompletionPacket_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 00beh
+ jmp NtCreateWaitCompletionPacket_Epilogue
+NtCreateWaitCompletionPacket_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 00c1h
+ jmp NtCreateWaitCompletionPacket_Epilogue
+NtCreateWaitCompletionPacket_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 00c2h
+ jmp NtCreateWaitCompletionPacket_Epilogue
+NtCreateWaitCompletionPacket_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 00c3h
+ jmp 
NtCreateWaitCompletionPacket_Epilogue +NtCreateWaitCompletionPacket_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00c4h + jmp NtCreateWaitCompletionPacket_Epilogue +NtCreateWaitCompletionPacket_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00c5h + jmp NtCreateWaitCompletionPacket_Epilogue +NtCreateWaitCompletionPacket_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00c5h + jmp NtCreateWaitCompletionPacket_Epilogue +NtCreateWaitCompletionPacket_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateWaitCompletionPacket_Epilogue: + mov r10, rcx + syscall + ret +NtCreateWaitCompletionPacket ENDP + +NtCreateWaitablePort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateWaitablePort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtCreateWaitablePort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtCreateWaitablePort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateWaitablePort_Check_10_0_XXXX + jmp NtCreateWaitablePort_SystemCall_Unknown +NtCreateWaitablePort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateWaitablePort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateWaitablePort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateWaitablePort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateWaitablePort_SystemCall_6_3_XXXX + jmp NtCreateWaitablePort_SystemCall_Unknown +NtCreateWaitablePort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateWaitablePort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateWaitablePort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateWaitablePort_SystemCall_6_0_6002 + jmp NtCreateWaitablePort_SystemCall_Unknown +NtCreateWaitablePort_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtCreateWaitablePort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateWaitablePort_SystemCall_6_1_7601 + jmp NtCreateWaitablePort_SystemCall_Unknown +NtCreateWaitablePort_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateWaitablePort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateWaitablePort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateWaitablePort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateWaitablePort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateWaitablePort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateWaitablePort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateWaitablePort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateWaitablePort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateWaitablePort_SystemCall_10_0_18363 + jmp NtCreateWaitablePort_SystemCall_Unknown +NtCreateWaitablePort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0088h + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00adh + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00abh + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00abh + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00abh + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00abh + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00b7h + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_6_3_XXXX: ; 
Windows 8.1 and Server 2012 R2 + mov eax, 00b9h + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00bch + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00bdh + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00bfh + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00c2h + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00c3h + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00c4h + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00c5h + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00c6h + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00c6h + jmp NtCreateWaitablePort_Epilogue +NtCreateWaitablePort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateWaitablePort_Epilogue: + mov r10, rcx + syscall + ret +NtCreateWaitablePort ENDP + +NtCreateWnfStateName PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateWnfStateName_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtCreateWnfStateName_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateWnfStateName_Check_10_0_XXXX + jmp NtCreateWnfStateName_SystemCall_Unknown +NtCreateWnfStateName_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 2 + je NtCreateWnfStateName_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateWnfStateName_SystemCall_6_3_XXXX + jmp NtCreateWnfStateName_SystemCall_Unknown +NtCreateWnfStateName_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateWnfStateName_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateWnfStateName_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateWnfStateName_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateWnfStateName_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateWnfStateName_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateWnfStateName_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateWnfStateName_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateWnfStateName_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateWnfStateName_SystemCall_10_0_18363 + jmp NtCreateWnfStateName_SystemCall_Unknown +NtCreateWnfStateName_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00b8h + jmp NtCreateWnfStateName_Epilogue +NtCreateWnfStateName_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00bah + jmp NtCreateWnfStateName_Epilogue +NtCreateWnfStateName_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00bdh + jmp NtCreateWnfStateName_Epilogue +NtCreateWnfStateName_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00beh + jmp NtCreateWnfStateName_Epilogue +NtCreateWnfStateName_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00c0h + jmp NtCreateWnfStateName_Epilogue +NtCreateWnfStateName_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00c3h + jmp NtCreateWnfStateName_Epilogue +NtCreateWnfStateName_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00c4h + jmp NtCreateWnfStateName_Epilogue +NtCreateWnfStateName_SystemCall_10_0_17134: ; Windows 
10.0.17134 (1803) + mov eax, 00c5h + jmp NtCreateWnfStateName_Epilogue +NtCreateWnfStateName_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00c6h + jmp NtCreateWnfStateName_Epilogue +NtCreateWnfStateName_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00c7h + jmp NtCreateWnfStateName_Epilogue +NtCreateWnfStateName_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00c7h + jmp NtCreateWnfStateName_Epilogue +NtCreateWnfStateName_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateWnfStateName_Epilogue: + mov r10, rcx + syscall + ret +NtCreateWnfStateName ENDP + +NtCreateWorkerFactory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtCreateWorkerFactory_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtCreateWorkerFactory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtCreateWorkerFactory_Check_10_0_XXXX + jmp NtCreateWorkerFactory_SystemCall_Unknown +NtCreateWorkerFactory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtCreateWorkerFactory_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtCreateWorkerFactory_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateWorkerFactory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtCreateWorkerFactory_SystemCall_6_3_XXXX + jmp NtCreateWorkerFactory_SystemCall_Unknown +NtCreateWorkerFactory_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtCreateWorkerFactory_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtCreateWorkerFactory_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtCreateWorkerFactory_SystemCall_6_0_6002 + jmp NtCreateWorkerFactory_SystemCall_Unknown +NtCreateWorkerFactory_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtCreateWorkerFactory_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtCreateWorkerFactory_SystemCall_6_1_7601 + jmp NtCreateWorkerFactory_SystemCall_Unknown +NtCreateWorkerFactory_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtCreateWorkerFactory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtCreateWorkerFactory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtCreateWorkerFactory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtCreateWorkerFactory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtCreateWorkerFactory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtCreateWorkerFactory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtCreateWorkerFactory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtCreateWorkerFactory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtCreateWorkerFactory_SystemCall_10_0_18363 + jmp NtCreateWorkerFactory_SystemCall_Unknown +NtCreateWorkerFactory_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00aeh + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00ach + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00ach + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00ach + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00ach + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00b9h + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00bbh + jmp NtCreateWorkerFactory_Epilogue 
+NtCreateWorkerFactory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00beh + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00bfh + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00c1h + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00c4h + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00c5h + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00c6h + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00c7h + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00c8h + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00c8h + jmp NtCreateWorkerFactory_Epilogue +NtCreateWorkerFactory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtCreateWorkerFactory_Epilogue: + mov r10, rcx + syscall + ret +NtCreateWorkerFactory ENDP + +NtDebugActiveProcess PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDebugActiveProcess_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtDebugActiveProcess_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtDebugActiveProcess_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDebugActiveProcess_Check_10_0_XXXX + jmp NtDebugActiveProcess_SystemCall_Unknown +NtDebugActiveProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtDebugActiveProcess_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDebugActiveProcess_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDebugActiveProcess_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDebugActiveProcess_SystemCall_6_3_XXXX + jmp NtDebugActiveProcess_SystemCall_Unknown +NtDebugActiveProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtDebugActiveProcess_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDebugActiveProcess_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDebugActiveProcess_SystemCall_6_0_6002 + jmp NtDebugActiveProcess_SystemCall_Unknown +NtDebugActiveProcess_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtDebugActiveProcess_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDebugActiveProcess_SystemCall_6_1_7601 + jmp NtDebugActiveProcess_SystemCall_Unknown +NtDebugActiveProcess_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtDebugActiveProcess_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDebugActiveProcess_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDebugActiveProcess_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDebugActiveProcess_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDebugActiveProcess_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDebugActiveProcess_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDebugActiveProcess_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDebugActiveProcess_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDebugActiveProcess_SystemCall_10_0_18363 + jmp NtDebugActiveProcess_SystemCall_Unknown +NtDebugActiveProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0089h + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00afh + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00adh + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00adh + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00adh + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00adh + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00bah + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00bch + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00bfh + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 00c0h + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00c2h + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00c5h + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00c6h + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00c7h + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00c8h + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00c9h + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00c9h + jmp NtDebugActiveProcess_Epilogue +NtDebugActiveProcess_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDebugActiveProcess_Epilogue: + mov r10, rcx + syscall + ret +NtDebugActiveProcess ENDP + +NtDebugContinue PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDebugContinue_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtDebugContinue_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtDebugContinue_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDebugContinue_Check_10_0_XXXX + jmp NtDebugContinue_SystemCall_Unknown +NtDebugContinue_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtDebugContinue_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDebugContinue_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDebugContinue_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDebugContinue_SystemCall_6_3_XXXX + jmp NtDebugContinue_SystemCall_Unknown +NtDebugContinue_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtDebugContinue_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDebugContinue_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDebugContinue_SystemCall_6_0_6002 + jmp NtDebugContinue_SystemCall_Unknown +NtDebugContinue_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtDebugContinue_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDebugContinue_SystemCall_6_1_7601 + jmp NtDebugContinue_SystemCall_Unknown +NtDebugContinue_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtDebugContinue_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDebugContinue_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDebugContinue_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDebugContinue_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDebugContinue_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDebugContinue_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDebugContinue_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDebugContinue_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDebugContinue_SystemCall_10_0_18363 + jmp NtDebugContinue_SystemCall_Unknown +NtDebugContinue_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 008ah + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00b0h + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00aeh + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00aeh + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00aeh + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00aeh + 
jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00bbh + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00bdh + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00c0h + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00c1h + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00c3h + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00c6h + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00c7h + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00c8h + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00c9h + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00cah + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00cah + jmp NtDebugContinue_Epilogue +NtDebugContinue_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDebugContinue_Epilogue: + mov r10, rcx + syscall + ret +NtDebugContinue ENDP + +NtDelayExecution PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDelayExecution_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtDelayExecution_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtDelayExecution_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDelayExecution_Check_10_0_XXXX + jmp NtDelayExecution_SystemCall_Unknown +NtDelayExecution_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtDelayExecution_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDelayExecution_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDelayExecution_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDelayExecution_SystemCall_6_3_XXXX + jmp NtDelayExecution_SystemCall_Unknown +NtDelayExecution_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtDelayExecution_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDelayExecution_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDelayExecution_SystemCall_6_0_6002 + jmp NtDelayExecution_SystemCall_Unknown +NtDelayExecution_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtDelayExecution_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDelayExecution_SystemCall_6_1_7601 + jmp NtDelayExecution_SystemCall_Unknown +NtDelayExecution_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtDelayExecution_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDelayExecution_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDelayExecution_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDelayExecution_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDelayExecution_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDelayExecution_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDelayExecution_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDelayExecution_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDelayExecution_SystemCall_10_0_18363 + jmp NtDelayExecution_SystemCall_Unknown +NtDelayExecution_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0031h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0031h + jmp NtDelayExecution_Epilogue 
+NtDelayExecution_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0031h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0031h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0031h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0031h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0032h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0033h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0034h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0034h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0034h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0034h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0034h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0034h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0034h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0034h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0034h + jmp NtDelayExecution_Epilogue +NtDelayExecution_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtDelayExecution_Epilogue: + mov r10, rcx + syscall + ret +NtDelayExecution ENDP + +NtDeleteAtom PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDeleteAtom_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtDeleteAtom_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtDeleteAtom_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDeleteAtom_Check_10_0_XXXX + jmp NtDeleteAtom_SystemCall_Unknown +NtDeleteAtom_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtDeleteAtom_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDeleteAtom_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteAtom_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteAtom_SystemCall_6_3_XXXX + jmp NtDeleteAtom_SystemCall_Unknown +NtDeleteAtom_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtDeleteAtom_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDeleteAtom_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDeleteAtom_SystemCall_6_0_6002 + jmp NtDeleteAtom_SystemCall_Unknown +NtDeleteAtom_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtDeleteAtom_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDeleteAtom_SystemCall_6_1_7601 + jmp NtDeleteAtom_SystemCall_Unknown +NtDeleteAtom_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtDeleteAtom_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDeleteAtom_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDeleteAtom_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDeleteAtom_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDeleteAtom_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDeleteAtom_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDeleteAtom_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDeleteAtom_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDeleteAtom_SystemCall_10_0_18363 + jmp NtDeleteAtom_SystemCall_Unknown +NtDeleteAtom_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 008bh + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00b1h + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00afh + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00afh + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00afh + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00afh + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00bch + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00beh + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00c1h + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00c2h + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00c4h + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 
00c7h + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00c8h + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00c9h + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00cah + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00cbh + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00cbh + jmp NtDeleteAtom_Epilogue +NtDeleteAtom_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDeleteAtom_Epilogue: + mov r10, rcx + syscall + ret +NtDeleteAtom ENDP + +NtDeleteBootEntry PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDeleteBootEntry_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtDeleteBootEntry_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtDeleteBootEntry_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDeleteBootEntry_Check_10_0_XXXX + jmp NtDeleteBootEntry_SystemCall_Unknown +NtDeleteBootEntry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtDeleteBootEntry_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDeleteBootEntry_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteBootEntry_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteBootEntry_SystemCall_6_3_XXXX + jmp NtDeleteBootEntry_SystemCall_Unknown +NtDeleteBootEntry_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtDeleteBootEntry_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDeleteBootEntry_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDeleteBootEntry_SystemCall_6_0_6002 + jmp NtDeleteBootEntry_SystemCall_Unknown +NtDeleteBootEntry_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtDeleteBootEntry_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDeleteBootEntry_SystemCall_6_1_7601 + jmp NtDeleteBootEntry_SystemCall_Unknown +NtDeleteBootEntry_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtDeleteBootEntry_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDeleteBootEntry_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDeleteBootEntry_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDeleteBootEntry_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDeleteBootEntry_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDeleteBootEntry_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDeleteBootEntry_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDeleteBootEntry_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDeleteBootEntry_SystemCall_10_0_18363 + jmp NtDeleteBootEntry_SystemCall_Unknown +NtDeleteBootEntry_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 008ch + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00b2h + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00b0h + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00b0h + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00b0h + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00b0h + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00bdh + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00bfh + jmp NtDeleteBootEntry_Epilogue 
+NtDeleteBootEntry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00c2h + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00c3h + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00c5h + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00c8h + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00c9h + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00cah + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00cbh + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00cch + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00cch + jmp NtDeleteBootEntry_Epilogue +NtDeleteBootEntry_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDeleteBootEntry_Epilogue: + mov r10, rcx + syscall + ret +NtDeleteBootEntry ENDP + +NtDeleteDriverEntry PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDeleteDriverEntry_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtDeleteDriverEntry_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtDeleteDriverEntry_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDeleteDriverEntry_Check_10_0_XXXX + jmp NtDeleteDriverEntry_SystemCall_Unknown +NtDeleteDriverEntry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtDeleteDriverEntry_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDeleteDriverEntry_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteDriverEntry_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteDriverEntry_SystemCall_6_3_XXXX + jmp NtDeleteDriverEntry_SystemCall_Unknown +NtDeleteDriverEntry_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtDeleteDriverEntry_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDeleteDriverEntry_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDeleteDriverEntry_SystemCall_6_0_6002 + jmp NtDeleteDriverEntry_SystemCall_Unknown +NtDeleteDriverEntry_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtDeleteDriverEntry_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDeleteDriverEntry_SystemCall_6_1_7601 + jmp NtDeleteDriverEntry_SystemCall_Unknown +NtDeleteDriverEntry_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtDeleteDriverEntry_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDeleteDriverEntry_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDeleteDriverEntry_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDeleteDriverEntry_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDeleteDriverEntry_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDeleteDriverEntry_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDeleteDriverEntry_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDeleteDriverEntry_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDeleteDriverEntry_SystemCall_10_0_18363 + jmp NtDeleteDriverEntry_SystemCall_Unknown +NtDeleteDriverEntry_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 008dh + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00b3h + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00b1h + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00b1h + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00b1h + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00b1h + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00beh + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00c0h + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00c3h + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00c4h + jmp 
NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00c6h + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00c9h + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00cah + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00cbh + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00cch + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00cdh + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00cdh + jmp NtDeleteDriverEntry_Epilogue +NtDeleteDriverEntry_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDeleteDriverEntry_Epilogue: + mov r10, rcx + syscall + ret +NtDeleteDriverEntry ENDP + +NtDeleteFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDeleteFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtDeleteFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtDeleteFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDeleteFile_Check_10_0_XXXX + jmp NtDeleteFile_SystemCall_Unknown +NtDeleteFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtDeleteFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDeleteFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteFile_SystemCall_6_3_XXXX + jmp NtDeleteFile_SystemCall_Unknown +NtDeleteFile_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtDeleteFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDeleteFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDeleteFile_SystemCall_6_0_6002 + jmp NtDeleteFile_SystemCall_Unknown +NtDeleteFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtDeleteFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDeleteFile_SystemCall_6_1_7601 + jmp NtDeleteFile_SystemCall_Unknown +NtDeleteFile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtDeleteFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDeleteFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDeleteFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDeleteFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDeleteFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDeleteFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDeleteFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDeleteFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDeleteFile_SystemCall_10_0_18363 + jmp NtDeleteFile_SystemCall_Unknown +NtDeleteFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 008eh + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00b4h + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00b2h + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00b2h + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00b2h + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00b2h + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + 
mov eax, 00bfh + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00c1h + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00c4h + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00c5h + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00c7h + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00cah + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00cbh + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00cch + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00cdh + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00ceh + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00ceh + jmp NtDeleteFile_Epilogue +NtDeleteFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDeleteFile_Epilogue: + mov r10, rcx + syscall + ret +NtDeleteFile ENDP + +NtDeleteKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDeleteKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtDeleteKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtDeleteKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDeleteKey_Check_10_0_XXXX + jmp NtDeleteKey_SystemCall_Unknown +NtDeleteKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtDeleteKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDeleteKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteKey_SystemCall_6_3_XXXX + jmp NtDeleteKey_SystemCall_Unknown +NtDeleteKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtDeleteKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDeleteKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDeleteKey_SystemCall_6_0_6002 + jmp NtDeleteKey_SystemCall_Unknown +NtDeleteKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtDeleteKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDeleteKey_SystemCall_6_1_7601 + jmp NtDeleteKey_SystemCall_Unknown +NtDeleteKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtDeleteKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDeleteKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDeleteKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDeleteKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDeleteKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDeleteKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDeleteKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDeleteKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDeleteKey_SystemCall_10_0_18363 + jmp NtDeleteKey_SystemCall_Unknown +NtDeleteKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 008fh + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00b5h + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00b3h + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_6_0_6002: ; Windows Vista SP2 and 
Server 2008 SP2 + mov eax, 00b3h + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00b3h + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00b3h + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00c0h + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00c2h + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00c5h + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00c6h + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00c8h + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00cbh + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00cch + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00cdh + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00ceh + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00cfh + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00cfh + jmp NtDeleteKey_Epilogue +NtDeleteKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDeleteKey_Epilogue: + mov r10, rcx + syscall + ret +NtDeleteKey ENDP + +NtDeleteObjectAuditAlarm PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDeleteObjectAuditAlarm_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtDeleteObjectAuditAlarm_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtDeleteObjectAuditAlarm_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDeleteObjectAuditAlarm_Check_10_0_XXXX + jmp NtDeleteObjectAuditAlarm_SystemCall_Unknown +NtDeleteObjectAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtDeleteObjectAuditAlarm_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDeleteObjectAuditAlarm_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteObjectAuditAlarm_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteObjectAuditAlarm_SystemCall_6_3_XXXX + jmp NtDeleteObjectAuditAlarm_SystemCall_Unknown +NtDeleteObjectAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtDeleteObjectAuditAlarm_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDeleteObjectAuditAlarm_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDeleteObjectAuditAlarm_SystemCall_6_0_6002 + jmp NtDeleteObjectAuditAlarm_SystemCall_Unknown +NtDeleteObjectAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtDeleteObjectAuditAlarm_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDeleteObjectAuditAlarm_SystemCall_6_1_7601 + jmp NtDeleteObjectAuditAlarm_SystemCall_Unknown +NtDeleteObjectAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtDeleteObjectAuditAlarm_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDeleteObjectAuditAlarm_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDeleteObjectAuditAlarm_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDeleteObjectAuditAlarm_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDeleteObjectAuditAlarm_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDeleteObjectAuditAlarm_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDeleteObjectAuditAlarm_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDeleteObjectAuditAlarm_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDeleteObjectAuditAlarm_SystemCall_10_0_18363 + jmp NtDeleteObjectAuditAlarm_SystemCall_Unknown +NtDeleteObjectAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0090h + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00b6h + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00b4h + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00b4h + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00b4h + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00b4h + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00c1h + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00c3h + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00c6h + 
jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00c7h + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00c9h + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00cch + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00cdh + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00ceh + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00cfh + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00d0h + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00d0h + jmp NtDeleteObjectAuditAlarm_Epilogue +NtDeleteObjectAuditAlarm_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDeleteObjectAuditAlarm_Epilogue: + mov r10, rcx + syscall + ret +NtDeleteObjectAuditAlarm ENDP + +NtDeletePrivateNamespace PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDeletePrivateNamespace_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtDeletePrivateNamespace_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDeletePrivateNamespace_Check_10_0_XXXX + jmp NtDeletePrivateNamespace_SystemCall_Unknown +NtDeletePrivateNamespace_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtDeletePrivateNamespace_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDeletePrivateNamespace_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeletePrivateNamespace_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeletePrivateNamespace_SystemCall_6_3_XXXX + jmp NtDeletePrivateNamespace_SystemCall_Unknown +NtDeletePrivateNamespace_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtDeletePrivateNamespace_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDeletePrivateNamespace_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDeletePrivateNamespace_SystemCall_6_0_6002 + jmp NtDeletePrivateNamespace_SystemCall_Unknown +NtDeletePrivateNamespace_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtDeletePrivateNamespace_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDeletePrivateNamespace_SystemCall_6_1_7601 + jmp NtDeletePrivateNamespace_SystemCall_Unknown +NtDeletePrivateNamespace_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtDeletePrivateNamespace_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDeletePrivateNamespace_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDeletePrivateNamespace_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDeletePrivateNamespace_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDeletePrivateNamespace_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDeletePrivateNamespace_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDeletePrivateNamespace_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDeletePrivateNamespace_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDeletePrivateNamespace_SystemCall_10_0_18363 + jmp NtDeletePrivateNamespace_SystemCall_Unknown +NtDeletePrivateNamespace_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00b7h + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00b5h + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00b5h + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00b5h + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00b5h + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00c2h + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00c4h + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00c7h + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00c8h + 
jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00cah + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00cdh + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00ceh + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00cfh + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00d0h + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00d1h + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00d1h + jmp NtDeletePrivateNamespace_Epilogue +NtDeletePrivateNamespace_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDeletePrivateNamespace_Epilogue: + mov r10, rcx + syscall + ret +NtDeletePrivateNamespace ENDP + +NtDeleteValueKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDeleteValueKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtDeleteValueKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtDeleteValueKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDeleteValueKey_Check_10_0_XXXX + jmp NtDeleteValueKey_SystemCall_Unknown +NtDeleteValueKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtDeleteValueKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDeleteValueKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteValueKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteValueKey_SystemCall_6_3_XXXX + jmp NtDeleteValueKey_SystemCall_Unknown +NtDeleteValueKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtDeleteValueKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDeleteValueKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDeleteValueKey_SystemCall_6_0_6002 + jmp NtDeleteValueKey_SystemCall_Unknown +NtDeleteValueKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtDeleteValueKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDeleteValueKey_SystemCall_6_1_7601 + jmp NtDeleteValueKey_SystemCall_Unknown +NtDeleteValueKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtDeleteValueKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDeleteValueKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDeleteValueKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDeleteValueKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDeleteValueKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDeleteValueKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDeleteValueKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDeleteValueKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDeleteValueKey_SystemCall_10_0_18363 + jmp NtDeleteValueKey_SystemCall_Unknown +NtDeleteValueKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0091h + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00b8h + jmp NtDeleteValueKey_Epilogue 
+NtDeleteValueKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00b6h + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00b6h + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00b6h + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00b6h + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00c3h + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00c5h + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00c8h + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00c9h + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00cbh + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00ceh + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00cfh + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00d0h + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00d1h + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00d2h + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00d2h + jmp NtDeleteValueKey_Epilogue +NtDeleteValueKey_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtDeleteValueKey_Epilogue: + mov r10, rcx + syscall + ret +NtDeleteValueKey ENDP + +NtDeleteWnfStateData PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDeleteWnfStateData_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtDeleteWnfStateData_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDeleteWnfStateData_Check_10_0_XXXX + jmp NtDeleteWnfStateData_SystemCall_Unknown +NtDeleteWnfStateData_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtDeleteWnfStateData_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteWnfStateData_SystemCall_6_3_XXXX + jmp NtDeleteWnfStateData_SystemCall_Unknown +NtDeleteWnfStateData_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtDeleteWnfStateData_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDeleteWnfStateData_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDeleteWnfStateData_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDeleteWnfStateData_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDeleteWnfStateData_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDeleteWnfStateData_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDeleteWnfStateData_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDeleteWnfStateData_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDeleteWnfStateData_SystemCall_10_0_18363 + jmp NtDeleteWnfStateData_SystemCall_Unknown +NtDeleteWnfStateData_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00c4h + jmp NtDeleteWnfStateData_Epilogue +NtDeleteWnfStateData_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00c6h + jmp NtDeleteWnfStateData_Epilogue +NtDeleteWnfStateData_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00c9h + jmp NtDeleteWnfStateData_Epilogue +NtDeleteWnfStateData_SystemCall_10_0_10586: ; Windows 10.0.10586 
(1511) + mov eax, 00cah + jmp NtDeleteWnfStateData_Epilogue +NtDeleteWnfStateData_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00cch + jmp NtDeleteWnfStateData_Epilogue +NtDeleteWnfStateData_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00cfh + jmp NtDeleteWnfStateData_Epilogue +NtDeleteWnfStateData_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00d0h + jmp NtDeleteWnfStateData_Epilogue +NtDeleteWnfStateData_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00d1h + jmp NtDeleteWnfStateData_Epilogue +NtDeleteWnfStateData_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00d2h + jmp NtDeleteWnfStateData_Epilogue +NtDeleteWnfStateData_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00d3h + jmp NtDeleteWnfStateData_Epilogue +NtDeleteWnfStateData_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00d3h + jmp NtDeleteWnfStateData_Epilogue +NtDeleteWnfStateData_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDeleteWnfStateData_Epilogue: + mov r10, rcx + syscall + ret +NtDeleteWnfStateData ENDP + +NtDeleteWnfStateName PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDeleteWnfStateName_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtDeleteWnfStateName_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDeleteWnfStateName_Check_10_0_XXXX + jmp NtDeleteWnfStateName_SystemCall_Unknown +NtDeleteWnfStateName_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtDeleteWnfStateName_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeleteWnfStateName_SystemCall_6_3_XXXX + jmp NtDeleteWnfStateName_SystemCall_Unknown +NtDeleteWnfStateName_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtDeleteWnfStateName_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDeleteWnfStateName_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDeleteWnfStateName_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDeleteWnfStateName_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDeleteWnfStateName_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDeleteWnfStateName_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDeleteWnfStateName_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDeleteWnfStateName_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDeleteWnfStateName_SystemCall_10_0_18363 + jmp NtDeleteWnfStateName_SystemCall_Unknown +NtDeleteWnfStateName_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00c5h + jmp NtDeleteWnfStateName_Epilogue +NtDeleteWnfStateName_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00c7h + jmp NtDeleteWnfStateName_Epilogue +NtDeleteWnfStateName_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00cah + jmp NtDeleteWnfStateName_Epilogue +NtDeleteWnfStateName_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00cbh + jmp NtDeleteWnfStateName_Epilogue +NtDeleteWnfStateName_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00cdh + jmp NtDeleteWnfStateName_Epilogue +NtDeleteWnfStateName_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00d0h + jmp NtDeleteWnfStateName_Epilogue +NtDeleteWnfStateName_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00d1h + jmp NtDeleteWnfStateName_Epilogue +NtDeleteWnfStateName_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00d2h + jmp NtDeleteWnfStateName_Epilogue +NtDeleteWnfStateName_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00d3h + jmp NtDeleteWnfStateName_Epilogue +NtDeleteWnfStateName_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov 
eax, 00d4h + jmp NtDeleteWnfStateName_Epilogue +NtDeleteWnfStateName_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00d4h + jmp NtDeleteWnfStateName_Epilogue +NtDeleteWnfStateName_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDeleteWnfStateName_Epilogue: + mov r10, rcx + syscall + ret +NtDeleteWnfStateName ENDP + +NtDeviceIoControlFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDeviceIoControlFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtDeviceIoControlFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtDeviceIoControlFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDeviceIoControlFile_Check_10_0_XXXX + jmp NtDeviceIoControlFile_SystemCall_Unknown +NtDeviceIoControlFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtDeviceIoControlFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDeviceIoControlFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeviceIoControlFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDeviceIoControlFile_SystemCall_6_3_XXXX + jmp NtDeviceIoControlFile_SystemCall_Unknown +NtDeviceIoControlFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtDeviceIoControlFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDeviceIoControlFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDeviceIoControlFile_SystemCall_6_0_6002 + jmp NtDeviceIoControlFile_SystemCall_Unknown +NtDeviceIoControlFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtDeviceIoControlFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDeviceIoControlFile_SystemCall_6_1_7601 + jmp NtDeviceIoControlFile_SystemCall_Unknown +NtDeviceIoControlFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtDeviceIoControlFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDeviceIoControlFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDeviceIoControlFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDeviceIoControlFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDeviceIoControlFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDeviceIoControlFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDeviceIoControlFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDeviceIoControlFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDeviceIoControlFile_SystemCall_10_0_18363 + jmp NtDeviceIoControlFile_SystemCall_Unknown +NtDeviceIoControlFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0004h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0004h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0004h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0004h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0004h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0004h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0005h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0006h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0007h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_10_0_10586: ; 
Windows 10.0.10586 (1511) + mov eax, 0007h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0007h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0007h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0007h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0007h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0007h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0007h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0007h + jmp NtDeviceIoControlFile_Epilogue +NtDeviceIoControlFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDeviceIoControlFile_Epilogue: + mov r10, rcx + syscall + ret +NtDeviceIoControlFile ENDP + +NtDisableLastKnownGood PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDisableLastKnownGood_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtDisableLastKnownGood_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDisableLastKnownGood_Check_10_0_XXXX + jmp NtDisableLastKnownGood_SystemCall_Unknown +NtDisableLastKnownGood_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 1 + je NtDisableLastKnownGood_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDisableLastKnownGood_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDisableLastKnownGood_SystemCall_6_3_XXXX + jmp NtDisableLastKnownGood_SystemCall_Unknown +NtDisableLastKnownGood_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtDisableLastKnownGood_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDisableLastKnownGood_SystemCall_6_1_7601 + jmp NtDisableLastKnownGood_SystemCall_Unknown +NtDisableLastKnownGood_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtDisableLastKnownGood_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDisableLastKnownGood_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDisableLastKnownGood_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDisableLastKnownGood_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDisableLastKnownGood_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDisableLastKnownGood_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDisableLastKnownGood_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDisableLastKnownGood_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDisableLastKnownGood_SystemCall_10_0_18363 + jmp NtDisableLastKnownGood_SystemCall_Unknown +NtDisableLastKnownGood_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00b7h + jmp NtDisableLastKnownGood_Epilogue +NtDisableLastKnownGood_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00b7h + jmp NtDisableLastKnownGood_Epilogue +NtDisableLastKnownGood_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00c6h + jmp NtDisableLastKnownGood_Epilogue +NtDisableLastKnownGood_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00c8h + jmp NtDisableLastKnownGood_Epilogue +NtDisableLastKnownGood_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00cbh + jmp NtDisableLastKnownGood_Epilogue +NtDisableLastKnownGood_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00cch + jmp NtDisableLastKnownGood_Epilogue +NtDisableLastKnownGood_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00ceh + jmp NtDisableLastKnownGood_Epilogue 
+NtDisableLastKnownGood_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00d1h + jmp NtDisableLastKnownGood_Epilogue +NtDisableLastKnownGood_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00d2h + jmp NtDisableLastKnownGood_Epilogue +NtDisableLastKnownGood_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00d3h + jmp NtDisableLastKnownGood_Epilogue +NtDisableLastKnownGood_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00d4h + jmp NtDisableLastKnownGood_Epilogue +NtDisableLastKnownGood_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00d5h + jmp NtDisableLastKnownGood_Epilogue +NtDisableLastKnownGood_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00d5h + jmp NtDisableLastKnownGood_Epilogue +NtDisableLastKnownGood_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDisableLastKnownGood_Epilogue: + mov r10, rcx + syscall + ret +NtDisableLastKnownGood ENDP + +NtDisplayString PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDisplayString_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtDisplayString_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtDisplayString_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDisplayString_Check_10_0_XXXX + jmp NtDisplayString_SystemCall_Unknown +NtDisplayString_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtDisplayString_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDisplayString_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDisplayString_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDisplayString_SystemCall_6_3_XXXX + jmp NtDisplayString_SystemCall_Unknown +NtDisplayString_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtDisplayString_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDisplayString_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDisplayString_SystemCall_6_0_6002 + jmp NtDisplayString_SystemCall_Unknown +NtDisplayString_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtDisplayString_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDisplayString_SystemCall_6_1_7601 + jmp NtDisplayString_SystemCall_Unknown +NtDisplayString_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtDisplayString_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDisplayString_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDisplayString_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDisplayString_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDisplayString_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDisplayString_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDisplayString_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDisplayString_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDisplayString_SystemCall_10_0_18363 + jmp NtDisplayString_SystemCall_Unknown +NtDisplayString_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0092h + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00b9h + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00b7h + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00b7h + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00b8h + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00b8h + 
jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00c7h + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00c9h + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00cch + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00cdh + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00cfh + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00d2h + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00d3h + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00d4h + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00d5h + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00d6h + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00d6h + jmp NtDisplayString_Epilogue +NtDisplayString_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDisplayString_Epilogue: + mov r10, rcx + syscall + ret +NtDisplayString ENDP + +NtDrawText PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDrawText_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtDrawText_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDrawText_Check_10_0_XXXX + jmp NtDrawText_SystemCall_Unknown +NtDrawText_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 1 + je NtDrawText_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDrawText_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDrawText_SystemCall_6_3_XXXX + jmp NtDrawText_SystemCall_Unknown +NtDrawText_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtDrawText_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDrawText_SystemCall_6_1_7601 + jmp NtDrawText_SystemCall_Unknown +NtDrawText_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtDrawText_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDrawText_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDrawText_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDrawText_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDrawText_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDrawText_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDrawText_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDrawText_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDrawText_SystemCall_10_0_18363 + jmp NtDrawText_SystemCall_Unknown +NtDrawText_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00b9h + jmp NtDrawText_Epilogue +NtDrawText_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00b9h + jmp NtDrawText_Epilogue +NtDrawText_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00c8h + jmp NtDrawText_Epilogue +NtDrawText_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00cah + jmp NtDrawText_Epilogue +NtDrawText_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00cdh + jmp NtDrawText_Epilogue +NtDrawText_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00ceh + jmp NtDrawText_Epilogue +NtDrawText_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00d0h + jmp NtDrawText_Epilogue +NtDrawText_SystemCall_10_0_15063: ; Windows 
10.0.15063 (1703) + mov eax, 00d3h + jmp NtDrawText_Epilogue +NtDrawText_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00d4h + jmp NtDrawText_Epilogue +NtDrawText_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00d5h + jmp NtDrawText_Epilogue +NtDrawText_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00d6h + jmp NtDrawText_Epilogue +NtDrawText_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00d7h + jmp NtDrawText_Epilogue +NtDrawText_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00d7h + jmp NtDrawText_Epilogue +NtDrawText_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDrawText_Epilogue: + mov r10, rcx + syscall + ret +NtDrawText ENDP + +NtDuplicateObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDuplicateObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtDuplicateObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtDuplicateObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDuplicateObject_Check_10_0_XXXX + jmp NtDuplicateObject_SystemCall_Unknown +NtDuplicateObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtDuplicateObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDuplicateObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDuplicateObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDuplicateObject_SystemCall_6_3_XXXX + jmp NtDuplicateObject_SystemCall_Unknown +NtDuplicateObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtDuplicateObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDuplicateObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDuplicateObject_SystemCall_6_0_6002 + jmp NtDuplicateObject_SystemCall_Unknown +NtDuplicateObject_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtDuplicateObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDuplicateObject_SystemCall_6_1_7601 + jmp NtDuplicateObject_SystemCall_Unknown +NtDuplicateObject_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtDuplicateObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDuplicateObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDuplicateObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDuplicateObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDuplicateObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDuplicateObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDuplicateObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDuplicateObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDuplicateObject_SystemCall_10_0_18363 + jmp NtDuplicateObject_SystemCall_Unknown +NtDuplicateObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0039h + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0039h + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0039h + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0039h + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0039h + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0039h + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 003ah + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 003bh + jmp NtDuplicateObject_Epilogue 
+NtDuplicateObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 003ch + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 003ch + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 003ch + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 003ch + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 003ch + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 003ch + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 003ch + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 003ch + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 003ch + jmp NtDuplicateObject_Epilogue +NtDuplicateObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtDuplicateObject_Epilogue: + mov r10, rcx + syscall + ret +NtDuplicateObject ENDP + +NtDuplicateToken PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtDuplicateToken_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtDuplicateToken_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtDuplicateToken_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtDuplicateToken_Check_10_0_XXXX + jmp NtDuplicateToken_SystemCall_Unknown +NtDuplicateToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtDuplicateToken_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtDuplicateToken_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDuplicateToken_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtDuplicateToken_SystemCall_6_3_XXXX + jmp NtDuplicateToken_SystemCall_Unknown +NtDuplicateToken_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtDuplicateToken_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtDuplicateToken_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtDuplicateToken_SystemCall_6_0_6002 + jmp NtDuplicateToken_SystemCall_Unknown +NtDuplicateToken_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtDuplicateToken_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtDuplicateToken_SystemCall_6_1_7601 + jmp NtDuplicateToken_SystemCall_Unknown +NtDuplicateToken_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtDuplicateToken_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtDuplicateToken_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtDuplicateToken_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtDuplicateToken_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtDuplicateToken_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtDuplicateToken_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtDuplicateToken_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtDuplicateToken_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtDuplicateToken_SystemCall_10_0_18363 + jmp NtDuplicateToken_SystemCall_Unknown +NtDuplicateToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 003fh + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 003fh + jmp NtDuplicateToken_Epilogue 
+NtDuplicateToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 003fh + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 003fh + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 003fh + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 003fh + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0040h + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0041h + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0042h + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0042h + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0042h + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0042h + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0042h + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0042h + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0042h + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0042h + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0042h + jmp NtDuplicateToken_Epilogue +NtDuplicateToken_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtDuplicateToken_Epilogue: + mov r10, rcx + syscall + ret +NtDuplicateToken ENDP + +NtEnableLastKnownGood PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtEnableLastKnownGood_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtEnableLastKnownGood_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtEnableLastKnownGood_Check_10_0_XXXX + jmp NtEnableLastKnownGood_SystemCall_Unknown +NtEnableLastKnownGood_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 1 + je NtEnableLastKnownGood_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtEnableLastKnownGood_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtEnableLastKnownGood_SystemCall_6_3_XXXX + jmp NtEnableLastKnownGood_SystemCall_Unknown +NtEnableLastKnownGood_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtEnableLastKnownGood_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtEnableLastKnownGood_SystemCall_6_1_7601 + jmp NtEnableLastKnownGood_SystemCall_Unknown +NtEnableLastKnownGood_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtEnableLastKnownGood_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtEnableLastKnownGood_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtEnableLastKnownGood_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtEnableLastKnownGood_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtEnableLastKnownGood_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtEnableLastKnownGood_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtEnableLastKnownGood_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtEnableLastKnownGood_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtEnableLastKnownGood_SystemCall_10_0_18363 + jmp NtEnableLastKnownGood_SystemCall_Unknown +NtEnableLastKnownGood_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00bah + jmp NtEnableLastKnownGood_Epilogue +NtEnableLastKnownGood_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00bah + jmp NtEnableLastKnownGood_Epilogue +NtEnableLastKnownGood_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00c9h + jmp NtEnableLastKnownGood_Epilogue +NtEnableLastKnownGood_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00cbh + jmp NtEnableLastKnownGood_Epilogue +NtEnableLastKnownGood_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00ceh + jmp NtEnableLastKnownGood_Epilogue +NtEnableLastKnownGood_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00cfh + jmp NtEnableLastKnownGood_Epilogue +NtEnableLastKnownGood_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00d1h + jmp NtEnableLastKnownGood_Epilogue +NtEnableLastKnownGood_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00d4h + jmp NtEnableLastKnownGood_Epilogue +NtEnableLastKnownGood_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00d5h + jmp NtEnableLastKnownGood_Epilogue +NtEnableLastKnownGood_SystemCall_10_0_17134: ; Windows 
10.0.17134 (1803) + mov eax, 00d6h + jmp NtEnableLastKnownGood_Epilogue +NtEnableLastKnownGood_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00d7h + jmp NtEnableLastKnownGood_Epilogue +NtEnableLastKnownGood_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00d8h + jmp NtEnableLastKnownGood_Epilogue +NtEnableLastKnownGood_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00d8h + jmp NtEnableLastKnownGood_Epilogue +NtEnableLastKnownGood_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtEnableLastKnownGood_Epilogue: + mov r10, rcx + syscall + ret +NtEnableLastKnownGood ENDP + +NtEnumerateBootEntries PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtEnumerateBootEntries_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtEnumerateBootEntries_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtEnumerateBootEntries_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtEnumerateBootEntries_Check_10_0_XXXX + jmp NtEnumerateBootEntries_SystemCall_Unknown +NtEnumerateBootEntries_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtEnumerateBootEntries_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtEnumerateBootEntries_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtEnumerateBootEntries_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtEnumerateBootEntries_SystemCall_6_3_XXXX + jmp NtEnumerateBootEntries_SystemCall_Unknown +NtEnumerateBootEntries_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtEnumerateBootEntries_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtEnumerateBootEntries_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtEnumerateBootEntries_SystemCall_6_0_6002 + jmp NtEnumerateBootEntries_SystemCall_Unknown +NtEnumerateBootEntries_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtEnumerateBootEntries_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtEnumerateBootEntries_SystemCall_6_1_7601 + jmp NtEnumerateBootEntries_SystemCall_Unknown +NtEnumerateBootEntries_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtEnumerateBootEntries_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtEnumerateBootEntries_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtEnumerateBootEntries_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtEnumerateBootEntries_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtEnumerateBootEntries_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtEnumerateBootEntries_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtEnumerateBootEntries_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtEnumerateBootEntries_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtEnumerateBootEntries_SystemCall_10_0_18363 + jmp NtEnumerateBootEntries_SystemCall_Unknown +NtEnumerateBootEntries_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0093h + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00bah + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00b8h + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00b8h + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00bbh + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00bbh + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00cah + jmp 
NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00cch + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00cfh + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00d0h + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00d2h + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00d5h + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00d6h + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00d7h + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00d8h + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00d9h + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00d9h + jmp NtEnumerateBootEntries_Epilogue +NtEnumerateBootEntries_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtEnumerateBootEntries_Epilogue: + mov r10, rcx + syscall + ret +NtEnumerateBootEntries ENDP + +NtEnumerateDriverEntries PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtEnumerateDriverEntries_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtEnumerateDriverEntries_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtEnumerateDriverEntries_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtEnumerateDriverEntries_Check_10_0_XXXX + jmp NtEnumerateDriverEntries_SystemCall_Unknown +NtEnumerateDriverEntries_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtEnumerateDriverEntries_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtEnumerateDriverEntries_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtEnumerateDriverEntries_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtEnumerateDriverEntries_SystemCall_6_3_XXXX + jmp NtEnumerateDriverEntries_SystemCall_Unknown +NtEnumerateDriverEntries_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtEnumerateDriverEntries_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtEnumerateDriverEntries_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtEnumerateDriverEntries_SystemCall_6_0_6002 + jmp NtEnumerateDriverEntries_SystemCall_Unknown +NtEnumerateDriverEntries_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtEnumerateDriverEntries_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtEnumerateDriverEntries_SystemCall_6_1_7601 + jmp NtEnumerateDriverEntries_SystemCall_Unknown +NtEnumerateDriverEntries_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtEnumerateDriverEntries_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtEnumerateDriverEntries_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtEnumerateDriverEntries_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtEnumerateDriverEntries_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtEnumerateDriverEntries_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtEnumerateDriverEntries_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtEnumerateDriverEntries_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtEnumerateDriverEntries_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtEnumerateDriverEntries_SystemCall_10_0_18363 + jmp NtEnumerateDriverEntries_SystemCall_Unknown +NtEnumerateDriverEntries_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0094h + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00bbh + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00b9h + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00b9h + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00bch + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00bch + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00cbh + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00cdh + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00d0h + 
jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00d1h + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00d3h + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00d6h + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00d7h + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00d8h + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00d9h + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00dah + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00dah + jmp NtEnumerateDriverEntries_Epilogue +NtEnumerateDriverEntries_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtEnumerateDriverEntries_Epilogue: + mov r10, rcx + syscall + ret +NtEnumerateDriverEntries ENDP + +NtEnumerateKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtEnumerateKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtEnumerateKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtEnumerateKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtEnumerateKey_Check_10_0_XXXX + jmp NtEnumerateKey_SystemCall_Unknown +NtEnumerateKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtEnumerateKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtEnumerateKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtEnumerateKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtEnumerateKey_SystemCall_6_3_XXXX + jmp NtEnumerateKey_SystemCall_Unknown +NtEnumerateKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtEnumerateKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtEnumerateKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtEnumerateKey_SystemCall_6_0_6002 + jmp NtEnumerateKey_SystemCall_Unknown +NtEnumerateKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtEnumerateKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtEnumerateKey_SystemCall_6_1_7601 + jmp NtEnumerateKey_SystemCall_Unknown +NtEnumerateKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtEnumerateKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtEnumerateKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtEnumerateKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtEnumerateKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtEnumerateKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtEnumerateKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtEnumerateKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtEnumerateKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtEnumerateKey_SystemCall_10_0_18363 + jmp NtEnumerateKey_SystemCall_Unknown +NtEnumerateKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 002fh + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 002fh + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 002fh 
+ jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 002fh + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 002fh + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 002fh + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0030h + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0031h + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0032h + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0032h + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0032h + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0032h + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0032h + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0032h + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0032h + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0032h + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0032h + jmp NtEnumerateKey_Epilogue +NtEnumerateKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtEnumerateKey_Epilogue: + mov r10, rcx + syscall + ret +NtEnumerateKey ENDP + +NtEnumerateSystemEnvironmentValuesEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtEnumerateSystemEnvironmentValuesEx_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtEnumerateSystemEnvironmentValuesEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtEnumerateSystemEnvironmentValuesEx_Check_10_0_XXXX + jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown +NtEnumerateSystemEnvironmentValuesEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtEnumerateSystemEnvironmentValuesEx_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtEnumerateSystemEnvironmentValuesEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_3_XXXX + jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown +NtEnumerateSystemEnvironmentValuesEx_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6002 + jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown +NtEnumerateSystemEnvironmentValuesEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_1_7601 + jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown +NtEnumerateSystemEnvironmentValuesEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_18363 + jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown +NtEnumerateSystemEnvironmentValuesEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0095h + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00bch + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00bah + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00bah + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00bdh + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00bdh + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00cch 
+ jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00ceh + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00d1h + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00d2h + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00d4h + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00d7h + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00d8h + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00d9h + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00dah + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00dbh + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00dbh + jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue +NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtEnumerateSystemEnvironmentValuesEx_Epilogue: + mov r10, rcx + syscall + ret +NtEnumerateSystemEnvironmentValuesEx ENDP + +NtEnumerateTransactionObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtEnumerateTransactionObject_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtEnumerateTransactionObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtEnumerateTransactionObject_Check_10_0_XXXX + jmp NtEnumerateTransactionObject_SystemCall_Unknown +NtEnumerateTransactionObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtEnumerateTransactionObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtEnumerateTransactionObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtEnumerateTransactionObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtEnumerateTransactionObject_SystemCall_6_3_XXXX + jmp NtEnumerateTransactionObject_SystemCall_Unknown +NtEnumerateTransactionObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtEnumerateTransactionObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtEnumerateTransactionObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtEnumerateTransactionObject_SystemCall_6_0_6002 + jmp NtEnumerateTransactionObject_SystemCall_Unknown +NtEnumerateTransactionObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtEnumerateTransactionObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtEnumerateTransactionObject_SystemCall_6_1_7601 + jmp NtEnumerateTransactionObject_SystemCall_Unknown +NtEnumerateTransactionObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtEnumerateTransactionObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtEnumerateTransactionObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtEnumerateTransactionObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtEnumerateTransactionObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtEnumerateTransactionObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtEnumerateTransactionObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtEnumerateTransactionObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtEnumerateTransactionObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtEnumerateTransactionObject_SystemCall_10_0_18363 + jmp NtEnumerateTransactionObject_SystemCall_Unknown +NtEnumerateTransactionObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00bdh + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00bbh + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00bbh + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00beh + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00beh + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00cdh + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00cfh + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00d2h + jmp 
NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00d3h + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00d5h + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00d8h + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00d9h + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00dah + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00dbh + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00dch + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00dch + jmp NtEnumerateTransactionObject_Epilogue +NtEnumerateTransactionObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtEnumerateTransactionObject_Epilogue: + mov r10, rcx + syscall + ret +NtEnumerateTransactionObject ENDP + +NtEnumerateValueKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtEnumerateValueKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtEnumerateValueKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtEnumerateValueKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtEnumerateValueKey_Check_10_0_XXXX + jmp NtEnumerateValueKey_SystemCall_Unknown +NtEnumerateValueKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtEnumerateValueKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtEnumerateValueKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtEnumerateValueKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtEnumerateValueKey_SystemCall_6_3_XXXX + jmp NtEnumerateValueKey_SystemCall_Unknown +NtEnumerateValueKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtEnumerateValueKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtEnumerateValueKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtEnumerateValueKey_SystemCall_6_0_6002 + jmp NtEnumerateValueKey_SystemCall_Unknown +NtEnumerateValueKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtEnumerateValueKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtEnumerateValueKey_SystemCall_6_1_7601 + jmp NtEnumerateValueKey_SystemCall_Unknown +NtEnumerateValueKey_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtEnumerateValueKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtEnumerateValueKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtEnumerateValueKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtEnumerateValueKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtEnumerateValueKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtEnumerateValueKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtEnumerateValueKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtEnumerateValueKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtEnumerateValueKey_SystemCall_10_0_18363 + jmp NtEnumerateValueKey_SystemCall_Unknown +NtEnumerateValueKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0010h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0010h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0010h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0010h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0010h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0010h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0011h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0012h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0013h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0013h + jmp 
NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0013h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0013h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0013h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0013h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0013h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0013h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0013h + jmp NtEnumerateValueKey_Epilogue +NtEnumerateValueKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtEnumerateValueKey_Epilogue: + mov r10, rcx + syscall + ret +NtEnumerateValueKey ENDP + +NtExtendSection PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtExtendSection_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtExtendSection_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtExtendSection_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtExtendSection_Check_10_0_XXXX + jmp NtExtendSection_SystemCall_Unknown +NtExtendSection_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtExtendSection_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtExtendSection_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtExtendSection_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtExtendSection_SystemCall_6_3_XXXX + jmp NtExtendSection_SystemCall_Unknown +NtExtendSection_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtExtendSection_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtExtendSection_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtExtendSection_SystemCall_6_0_6002 + jmp NtExtendSection_SystemCall_Unknown +NtExtendSection_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtExtendSection_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtExtendSection_SystemCall_6_1_7601 + jmp NtExtendSection_SystemCall_Unknown +NtExtendSection_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtExtendSection_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtExtendSection_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtExtendSection_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtExtendSection_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtExtendSection_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtExtendSection_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtExtendSection_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtExtendSection_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtExtendSection_SystemCall_10_0_18363 + jmp NtExtendSection_SystemCall_Unknown +NtExtendSection_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0096h + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00beh + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00bch + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00bch + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00bfh + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00bfh + 
jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00ceh + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00d0h + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00d3h + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00d4h + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00d6h + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00d9h + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00dah + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00dbh + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00dch + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00ddh + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00ddh + jmp NtExtendSection_Epilogue +NtExtendSection_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtExtendSection_Epilogue: + mov r10, rcx + syscall + ret +NtExtendSection ENDP + +NtFilterBootOption PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFilterBootOption_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtFilterBootOption_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFilterBootOption_Check_10_0_XXXX + jmp NtFilterBootOption_SystemCall_Unknown +NtFilterBootOption_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 2 + je NtFilterBootOption_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFilterBootOption_SystemCall_6_3_XXXX + jmp NtFilterBootOption_SystemCall_Unknown +NtFilterBootOption_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtFilterBootOption_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFilterBootOption_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFilterBootOption_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFilterBootOption_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFilterBootOption_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFilterBootOption_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFilterBootOption_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFilterBootOption_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFilterBootOption_SystemCall_10_0_18363 + jmp NtFilterBootOption_SystemCall_Unknown +NtFilterBootOption_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00cfh + jmp NtFilterBootOption_Epilogue +NtFilterBootOption_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00d1h + jmp NtFilterBootOption_Epilogue +NtFilterBootOption_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00d4h + jmp NtFilterBootOption_Epilogue +NtFilterBootOption_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00d5h + jmp NtFilterBootOption_Epilogue +NtFilterBootOption_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00d7h + jmp NtFilterBootOption_Epilogue +NtFilterBootOption_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00dah + jmp NtFilterBootOption_Epilogue +NtFilterBootOption_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00dbh + jmp NtFilterBootOption_Epilogue +NtFilterBootOption_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00dch + jmp 
NtFilterBootOption_Epilogue +NtFilterBootOption_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00ddh + jmp NtFilterBootOption_Epilogue +NtFilterBootOption_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00deh + jmp NtFilterBootOption_Epilogue +NtFilterBootOption_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00deh + jmp NtFilterBootOption_Epilogue +NtFilterBootOption_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFilterBootOption_Epilogue: + mov r10, rcx + syscall + ret +NtFilterBootOption ENDP + +NtFilterToken PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFilterToken_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtFilterToken_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtFilterToken_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFilterToken_Check_10_0_XXXX + jmp NtFilterToken_SystemCall_Unknown +NtFilterToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtFilterToken_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtFilterToken_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFilterToken_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFilterToken_SystemCall_6_3_XXXX + jmp NtFilterToken_SystemCall_Unknown +NtFilterToken_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtFilterToken_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtFilterToken_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtFilterToken_SystemCall_6_0_6002 + jmp NtFilterToken_SystemCall_Unknown +NtFilterToken_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtFilterToken_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtFilterToken_SystemCall_6_1_7601 + jmp NtFilterToken_SystemCall_Unknown +NtFilterToken_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtFilterToken_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFilterToken_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFilterToken_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFilterToken_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFilterToken_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFilterToken_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFilterToken_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFilterToken_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFilterToken_SystemCall_10_0_18363 + jmp NtFilterToken_SystemCall_Unknown +NtFilterToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0097h + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00bfh + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00bdh + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00bdh + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00c0h + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00c0h + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00d0h + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00d2h + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00d5h + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00d6h + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00d8h + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_10_0_15063: ; Windows 
10.0.15063 (1703) + mov eax, 00dbh + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00dch + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00ddh + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00deh + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00dfh + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00dfh + jmp NtFilterToken_Epilogue +NtFilterToken_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFilterToken_Epilogue: + mov r10, rcx + syscall + ret +NtFilterToken ENDP + +NtFilterTokenEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFilterTokenEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtFilterTokenEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFilterTokenEx_Check_10_0_XXXX + jmp NtFilterTokenEx_SystemCall_Unknown +NtFilterTokenEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtFilterTokenEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFilterTokenEx_SystemCall_6_3_XXXX + jmp NtFilterTokenEx_SystemCall_Unknown +NtFilterTokenEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtFilterTokenEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFilterTokenEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFilterTokenEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFilterTokenEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFilterTokenEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFilterTokenEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFilterTokenEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFilterTokenEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFilterTokenEx_SystemCall_10_0_18363 + jmp NtFilterTokenEx_SystemCall_Unknown +NtFilterTokenEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00d1h + jmp NtFilterTokenEx_Epilogue +NtFilterTokenEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00d3h + jmp NtFilterTokenEx_Epilogue +NtFilterTokenEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00d6h + jmp NtFilterTokenEx_Epilogue +NtFilterTokenEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00d7h + jmp NtFilterTokenEx_Epilogue +NtFilterTokenEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00d9h + jmp NtFilterTokenEx_Epilogue +NtFilterTokenEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00dch + jmp NtFilterTokenEx_Epilogue +NtFilterTokenEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00ddh + jmp NtFilterTokenEx_Epilogue +NtFilterTokenEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00deh + jmp NtFilterTokenEx_Epilogue +NtFilterTokenEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00dfh + jmp NtFilterTokenEx_Epilogue +NtFilterTokenEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00e0h + jmp NtFilterTokenEx_Epilogue +NtFilterTokenEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00e0h + jmp 
NtFilterTokenEx_Epilogue +NtFilterTokenEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFilterTokenEx_Epilogue: + mov r10, rcx + syscall + ret +NtFilterTokenEx ENDP + +NtFindAtom PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFindAtom_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtFindAtom_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtFindAtom_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFindAtom_Check_10_0_XXXX + jmp NtFindAtom_SystemCall_Unknown +NtFindAtom_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtFindAtom_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtFindAtom_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFindAtom_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFindAtom_SystemCall_6_3_XXXX + jmp NtFindAtom_SystemCall_Unknown +NtFindAtom_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtFindAtom_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtFindAtom_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtFindAtom_SystemCall_6_0_6002 + jmp NtFindAtom_SystemCall_Unknown +NtFindAtom_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtFindAtom_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtFindAtom_SystemCall_6_1_7601 + jmp NtFindAtom_SystemCall_Unknown +NtFindAtom_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtFindAtom_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFindAtom_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFindAtom_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFindAtom_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFindAtom_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFindAtom_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFindAtom_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFindAtom_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFindAtom_SystemCall_10_0_18363 + jmp NtFindAtom_SystemCall_Unknown +NtFindAtom_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0011h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0011h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0011h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0011h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0011h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0011h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0012h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0013h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0014h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0014h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0014h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0014h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_10_0_16299: ; 
Windows 10.0.16299 (1709) + mov eax, 0014h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0014h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0014h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0014h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0014h + jmp NtFindAtom_Epilogue +NtFindAtom_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFindAtom_Epilogue: + mov r10, rcx + syscall + ret +NtFindAtom ENDP + +NtFlushBuffersFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFlushBuffersFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtFlushBuffersFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtFlushBuffersFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFlushBuffersFile_Check_10_0_XXXX + jmp NtFlushBuffersFile_SystemCall_Unknown +NtFlushBuffersFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtFlushBuffersFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtFlushBuffersFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushBuffersFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushBuffersFile_SystemCall_6_3_XXXX + jmp NtFlushBuffersFile_SystemCall_Unknown +NtFlushBuffersFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtFlushBuffersFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtFlushBuffersFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtFlushBuffersFile_SystemCall_6_0_6002 + jmp NtFlushBuffersFile_SystemCall_Unknown +NtFlushBuffersFile_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtFlushBuffersFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtFlushBuffersFile_SystemCall_6_1_7601 + jmp NtFlushBuffersFile_SystemCall_Unknown +NtFlushBuffersFile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtFlushBuffersFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFlushBuffersFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFlushBuffersFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFlushBuffersFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFlushBuffersFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFlushBuffersFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFlushBuffersFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFlushBuffersFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFlushBuffersFile_SystemCall_10_0_18363 + jmp NtFlushBuffersFile_SystemCall_Unknown +NtFlushBuffersFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0048h + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0048h + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0048h + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0048h + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0048h + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0048h + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0049h + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 004ah + jmp 
NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 004bh + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 004bh + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 004bh + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 004bh + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 004bh + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 004bh + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 004bh + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 004bh + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 004bh + jmp NtFlushBuffersFile_Epilogue +NtFlushBuffersFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFlushBuffersFile_Epilogue: + mov r10, rcx + syscall + ret +NtFlushBuffersFile ENDP + +NtFlushBuffersFileEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFlushBuffersFileEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtFlushBuffersFileEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFlushBuffersFileEx_Check_10_0_XXXX + jmp NtFlushBuffersFileEx_SystemCall_Unknown +NtFlushBuffersFileEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtFlushBuffersFileEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushBuffersFileEx_SystemCall_6_3_XXXX + jmp NtFlushBuffersFileEx_SystemCall_Unknown +NtFlushBuffersFileEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtFlushBuffersFileEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFlushBuffersFileEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFlushBuffersFileEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFlushBuffersFileEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFlushBuffersFileEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFlushBuffersFileEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFlushBuffersFileEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFlushBuffersFileEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFlushBuffersFileEx_SystemCall_10_0_18363 + jmp NtFlushBuffersFileEx_SystemCall_Unknown +NtFlushBuffersFileEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00d2h + jmp NtFlushBuffersFileEx_Epilogue +NtFlushBuffersFileEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00d4h + jmp NtFlushBuffersFileEx_Epilogue +NtFlushBuffersFileEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00d7h + jmp NtFlushBuffersFileEx_Epilogue +NtFlushBuffersFileEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00d8h + jmp NtFlushBuffersFileEx_Epilogue +NtFlushBuffersFileEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00dah + jmp NtFlushBuffersFileEx_Epilogue +NtFlushBuffersFileEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00ddh + jmp NtFlushBuffersFileEx_Epilogue +NtFlushBuffersFileEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00deh + jmp NtFlushBuffersFileEx_Epilogue +NtFlushBuffersFileEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00dfh + jmp NtFlushBuffersFileEx_Epilogue +NtFlushBuffersFileEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00e0h + jmp NtFlushBuffersFileEx_Epilogue +NtFlushBuffersFileEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov 
eax, 00e1h + jmp NtFlushBuffersFileEx_Epilogue +NtFlushBuffersFileEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00e1h + jmp NtFlushBuffersFileEx_Epilogue +NtFlushBuffersFileEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFlushBuffersFileEx_Epilogue: + mov r10, rcx + syscall + ret +NtFlushBuffersFileEx ENDP + +NtFlushInstallUILanguage PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFlushInstallUILanguage_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtFlushInstallUILanguage_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFlushInstallUILanguage_Check_10_0_XXXX + jmp NtFlushInstallUILanguage_SystemCall_Unknown +NtFlushInstallUILanguage_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtFlushInstallUILanguage_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtFlushInstallUILanguage_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushInstallUILanguage_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushInstallUILanguage_SystemCall_6_3_XXXX + jmp NtFlushInstallUILanguage_SystemCall_Unknown +NtFlushInstallUILanguage_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtFlushInstallUILanguage_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtFlushInstallUILanguage_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtFlushInstallUILanguage_SystemCall_6_0_6002 + jmp NtFlushInstallUILanguage_SystemCall_Unknown +NtFlushInstallUILanguage_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtFlushInstallUILanguage_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtFlushInstallUILanguage_SystemCall_6_1_7601 + jmp NtFlushInstallUILanguage_SystemCall_Unknown +NtFlushInstallUILanguage_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtFlushInstallUILanguage_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFlushInstallUILanguage_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFlushInstallUILanguage_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFlushInstallUILanguage_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFlushInstallUILanguage_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFlushInstallUILanguage_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFlushInstallUILanguage_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFlushInstallUILanguage_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFlushInstallUILanguage_SystemCall_10_0_18363 + jmp NtFlushInstallUILanguage_SystemCall_Unknown +NtFlushInstallUILanguage_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00c0h + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00beh + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00beh + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00c1h + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00c1h + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00d3h + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00d5h + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00d8h + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00d9h + 
jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00dbh + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00deh + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00dfh + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00e0h + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00e1h + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00e2h + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00e2h + jmp NtFlushInstallUILanguage_Epilogue +NtFlushInstallUILanguage_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFlushInstallUILanguage_Epilogue: + mov r10, rcx + syscall + ret +NtFlushInstallUILanguage ENDP + +NtFlushInstructionCache PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFlushInstructionCache_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtFlushInstructionCache_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtFlushInstructionCache_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFlushInstructionCache_Check_10_0_XXXX + jmp NtFlushInstructionCache_SystemCall_Unknown +NtFlushInstructionCache_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtFlushInstructionCache_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtFlushInstructionCache_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushInstructionCache_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushInstructionCache_SystemCall_6_3_XXXX + jmp NtFlushInstructionCache_SystemCall_Unknown +NtFlushInstructionCache_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtFlushInstructionCache_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtFlushInstructionCache_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtFlushInstructionCache_SystemCall_6_0_6002 + jmp NtFlushInstructionCache_SystemCall_Unknown +NtFlushInstructionCache_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtFlushInstructionCache_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtFlushInstructionCache_SystemCall_6_1_7601 + jmp NtFlushInstructionCache_SystemCall_Unknown +NtFlushInstructionCache_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtFlushInstructionCache_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFlushInstructionCache_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFlushInstructionCache_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFlushInstructionCache_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFlushInstructionCache_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFlushInstructionCache_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFlushInstructionCache_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFlushInstructionCache_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFlushInstructionCache_SystemCall_10_0_18363 + jmp NtFlushInstructionCache_SystemCall_Unknown +NtFlushInstructionCache_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0098h + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00c1h + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00bfh + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00bfh + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00c2h + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00c2h + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00d4h + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00d6h + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00d9h + jmp 
NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00dah + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00dch + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00dfh + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00e0h + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00e1h + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00e2h + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00e3h + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00e3h + jmp NtFlushInstructionCache_Epilogue +NtFlushInstructionCache_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFlushInstructionCache_Epilogue: + mov r10, rcx + syscall + ret +NtFlushInstructionCache ENDP + +NtFlushKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFlushKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtFlushKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtFlushKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFlushKey_Check_10_0_XXXX + jmp NtFlushKey_SystemCall_Unknown +NtFlushKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtFlushKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtFlushKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushKey_SystemCall_6_3_XXXX + jmp NtFlushKey_SystemCall_Unknown +NtFlushKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtFlushKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtFlushKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtFlushKey_SystemCall_6_0_6002 + jmp NtFlushKey_SystemCall_Unknown +NtFlushKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtFlushKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtFlushKey_SystemCall_6_1_7601 + jmp NtFlushKey_SystemCall_Unknown +NtFlushKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtFlushKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFlushKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFlushKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFlushKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFlushKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFlushKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFlushKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFlushKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFlushKey_SystemCall_10_0_18363 + jmp NtFlushKey_SystemCall_Unknown +NtFlushKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0099h + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00c2h + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00c0h + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00c0h + 
jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00c3h + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00c3h + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00d5h + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00d7h + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00dah + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00dbh + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00ddh + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00e0h + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00e1h + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00e2h + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00e3h + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00e4h + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00e4h + jmp NtFlushKey_Epilogue +NtFlushKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFlushKey_Epilogue: + mov r10, rcx + syscall + ret +NtFlushKey ENDP + +NtFlushProcessWriteBuffers PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFlushProcessWriteBuffers_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtFlushProcessWriteBuffers_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFlushProcessWriteBuffers_Check_10_0_XXXX + jmp NtFlushProcessWriteBuffers_SystemCall_Unknown +NtFlushProcessWriteBuffers_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtFlushProcessWriteBuffers_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtFlushProcessWriteBuffers_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushProcessWriteBuffers_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushProcessWriteBuffers_SystemCall_6_3_XXXX + jmp NtFlushProcessWriteBuffers_SystemCall_Unknown +NtFlushProcessWriteBuffers_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtFlushProcessWriteBuffers_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtFlushProcessWriteBuffers_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtFlushProcessWriteBuffers_SystemCall_6_0_6002 + jmp NtFlushProcessWriteBuffers_SystemCall_Unknown +NtFlushProcessWriteBuffers_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtFlushProcessWriteBuffers_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtFlushProcessWriteBuffers_SystemCall_6_1_7601 + jmp NtFlushProcessWriteBuffers_SystemCall_Unknown +NtFlushProcessWriteBuffers_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtFlushProcessWriteBuffers_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFlushProcessWriteBuffers_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFlushProcessWriteBuffers_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFlushProcessWriteBuffers_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFlushProcessWriteBuffers_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFlushProcessWriteBuffers_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFlushProcessWriteBuffers_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFlushProcessWriteBuffers_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFlushProcessWriteBuffers_SystemCall_10_0_18363 + jmp NtFlushProcessWriteBuffers_SystemCall_Unknown +NtFlushProcessWriteBuffers_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00c3h + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00c1h + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00c1h + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00c4h + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00c4h + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00d6h + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00d8h + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00dbh + jmp NtFlushProcessWriteBuffers_Epilogue 
+NtFlushProcessWriteBuffers_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00dch + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00deh + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00e1h + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00e2h + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00e3h + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00e4h + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00e5h + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00e5h + jmp NtFlushProcessWriteBuffers_Epilogue +NtFlushProcessWriteBuffers_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFlushProcessWriteBuffers_Epilogue: + mov r10, rcx + syscall + ret +NtFlushProcessWriteBuffers ENDP + +NtFlushVirtualMemory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFlushVirtualMemory_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtFlushVirtualMemory_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtFlushVirtualMemory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFlushVirtualMemory_Check_10_0_XXXX + jmp NtFlushVirtualMemory_SystemCall_Unknown +NtFlushVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtFlushVirtualMemory_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtFlushVirtualMemory_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushVirtualMemory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushVirtualMemory_SystemCall_6_3_XXXX + jmp NtFlushVirtualMemory_SystemCall_Unknown +NtFlushVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtFlushVirtualMemory_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtFlushVirtualMemory_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtFlushVirtualMemory_SystemCall_6_0_6002 + jmp NtFlushVirtualMemory_SystemCall_Unknown +NtFlushVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtFlushVirtualMemory_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtFlushVirtualMemory_SystemCall_6_1_7601 + jmp NtFlushVirtualMemory_SystemCall_Unknown +NtFlushVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtFlushVirtualMemory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFlushVirtualMemory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFlushVirtualMemory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFlushVirtualMemory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFlushVirtualMemory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFlushVirtualMemory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFlushVirtualMemory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFlushVirtualMemory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFlushVirtualMemory_SystemCall_10_0_18363 + jmp NtFlushVirtualMemory_SystemCall_Unknown +NtFlushVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 009ah + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00c4h + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00c2h + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00c2h + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00c5h + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00c5h + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00d7h + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00d9h + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00dch + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 00ddh + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00dfh + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00e2h + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00e3h + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00e4h + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00e5h + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00e6h + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00e6h + jmp NtFlushVirtualMemory_Epilogue +NtFlushVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFlushVirtualMemory_Epilogue: + mov r10, rcx + syscall + ret +NtFlushVirtualMemory ENDP + +NtFlushWriteBuffer PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFlushWriteBuffer_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtFlushWriteBuffer_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtFlushWriteBuffer_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFlushWriteBuffer_Check_10_0_XXXX + jmp NtFlushWriteBuffer_SystemCall_Unknown +NtFlushWriteBuffer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtFlushWriteBuffer_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtFlushWriteBuffer_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushWriteBuffer_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFlushWriteBuffer_SystemCall_6_3_XXXX + jmp NtFlushWriteBuffer_SystemCall_Unknown +NtFlushWriteBuffer_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtFlushWriteBuffer_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtFlushWriteBuffer_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtFlushWriteBuffer_SystemCall_6_0_6002 + jmp NtFlushWriteBuffer_SystemCall_Unknown +NtFlushWriteBuffer_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtFlushWriteBuffer_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtFlushWriteBuffer_SystemCall_6_1_7601 + jmp NtFlushWriteBuffer_SystemCall_Unknown +NtFlushWriteBuffer_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtFlushWriteBuffer_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFlushWriteBuffer_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFlushWriteBuffer_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFlushWriteBuffer_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFlushWriteBuffer_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFlushWriteBuffer_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFlushWriteBuffer_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFlushWriteBuffer_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFlushWriteBuffer_SystemCall_10_0_18363 + jmp NtFlushWriteBuffer_SystemCall_Unknown +NtFlushWriteBuffer_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 009bh + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00c5h + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00c3h + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00c3h + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00c6h + jmp NtFlushWriteBuffer_Epilogue 
+NtFlushWriteBuffer_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00c6h + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00d8h + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00dah + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00ddh + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00deh + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00e0h + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00e3h + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00e4h + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00e5h + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00e6h + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00e7h + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00e7h + jmp NtFlushWriteBuffer_Epilogue +NtFlushWriteBuffer_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFlushWriteBuffer_Epilogue: + mov r10, rcx + syscall + ret +NtFlushWriteBuffer ENDP + +NtFreeUserPhysicalPages PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFreeUserPhysicalPages_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtFreeUserPhysicalPages_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtFreeUserPhysicalPages_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFreeUserPhysicalPages_Check_10_0_XXXX + jmp NtFreeUserPhysicalPages_SystemCall_Unknown +NtFreeUserPhysicalPages_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtFreeUserPhysicalPages_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtFreeUserPhysicalPages_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFreeUserPhysicalPages_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFreeUserPhysicalPages_SystemCall_6_3_XXXX + jmp NtFreeUserPhysicalPages_SystemCall_Unknown +NtFreeUserPhysicalPages_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtFreeUserPhysicalPages_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtFreeUserPhysicalPages_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtFreeUserPhysicalPages_SystemCall_6_0_6002 + jmp NtFreeUserPhysicalPages_SystemCall_Unknown +NtFreeUserPhysicalPages_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtFreeUserPhysicalPages_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtFreeUserPhysicalPages_SystemCall_6_1_7601 + jmp NtFreeUserPhysicalPages_SystemCall_Unknown +NtFreeUserPhysicalPages_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtFreeUserPhysicalPages_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFreeUserPhysicalPages_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFreeUserPhysicalPages_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFreeUserPhysicalPages_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFreeUserPhysicalPages_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFreeUserPhysicalPages_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFreeUserPhysicalPages_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFreeUserPhysicalPages_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFreeUserPhysicalPages_SystemCall_10_0_18363 + jmp NtFreeUserPhysicalPages_SystemCall_Unknown +NtFreeUserPhysicalPages_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 009ch + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00c6h + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00c4h + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00c4h + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00c7h + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00c7h + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00d9h + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00dbh + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00deh + jmp 
NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00dfh + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00e1h + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00e4h + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00e5h + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00e6h + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00e7h + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00e8h + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00e8h + jmp NtFreeUserPhysicalPages_Epilogue +NtFreeUserPhysicalPages_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFreeUserPhysicalPages_Epilogue: + mov r10, rcx + syscall + ret +NtFreeUserPhysicalPages ENDP + +NtFreeVirtualMemory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFreeVirtualMemory_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtFreeVirtualMemory_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtFreeVirtualMemory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFreeVirtualMemory_Check_10_0_XXXX + jmp NtFreeVirtualMemory_SystemCall_Unknown +NtFreeVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtFreeVirtualMemory_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtFreeVirtualMemory_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFreeVirtualMemory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFreeVirtualMemory_SystemCall_6_3_XXXX + jmp NtFreeVirtualMemory_SystemCall_Unknown +NtFreeVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtFreeVirtualMemory_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtFreeVirtualMemory_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtFreeVirtualMemory_SystemCall_6_0_6002 + jmp NtFreeVirtualMemory_SystemCall_Unknown +NtFreeVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtFreeVirtualMemory_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtFreeVirtualMemory_SystemCall_6_1_7601 + jmp NtFreeVirtualMemory_SystemCall_Unknown +NtFreeVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtFreeVirtualMemory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFreeVirtualMemory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFreeVirtualMemory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFreeVirtualMemory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFreeVirtualMemory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFreeVirtualMemory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFreeVirtualMemory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFreeVirtualMemory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFreeVirtualMemory_SystemCall_10_0_18363 + jmp NtFreeVirtualMemory_SystemCall_Unknown +NtFreeVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 001bh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 001bh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 001bh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 001bh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 001bh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 001bh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 001ch + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 001dh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 001eh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 001eh + jmp 
NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 001eh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 001eh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 001eh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 001eh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 001eh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 001eh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 001eh + jmp NtFreeVirtualMemory_Epilogue +NtFreeVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFreeVirtualMemory_Epilogue: + mov r10, rcx + syscall + ret +NtFreeVirtualMemory ENDP + +NtFreezeRegistry PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFreezeRegistry_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtFreezeRegistry_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFreezeRegistry_Check_10_0_XXXX + jmp NtFreezeRegistry_SystemCall_Unknown +NtFreezeRegistry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtFreezeRegistry_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtFreezeRegistry_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFreezeRegistry_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFreezeRegistry_SystemCall_6_3_XXXX + jmp NtFreezeRegistry_SystemCall_Unknown +NtFreezeRegistry_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtFreezeRegistry_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtFreezeRegistry_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtFreezeRegistry_SystemCall_6_0_6002 + jmp NtFreezeRegistry_SystemCall_Unknown +NtFreezeRegistry_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtFreezeRegistry_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtFreezeRegistry_SystemCall_6_1_7601 + jmp NtFreezeRegistry_SystemCall_Unknown +NtFreezeRegistry_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtFreezeRegistry_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFreezeRegistry_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFreezeRegistry_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFreezeRegistry_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFreezeRegistry_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFreezeRegistry_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFreezeRegistry_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFreezeRegistry_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFreezeRegistry_SystemCall_10_0_18363 + jmp NtFreezeRegistry_SystemCall_Unknown +NtFreezeRegistry_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00c7h + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00c5h + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00c5h + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00c8h + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00c8h + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_6_2_XXXX: ; Windows 8 and 
Server 2012 + mov eax, 00dah + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00dch + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00dfh + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00e0h + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00e2h + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00e5h + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00e6h + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00e7h + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00e8h + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00e9h + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00e9h + jmp NtFreezeRegistry_Epilogue +NtFreezeRegistry_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFreezeRegistry_Epilogue: + mov r10, rcx + syscall + ret +NtFreezeRegistry ENDP + +NtFreezeTransactions PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFreezeTransactions_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtFreezeTransactions_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFreezeTransactions_Check_10_0_XXXX + jmp NtFreezeTransactions_SystemCall_Unknown +NtFreezeTransactions_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtFreezeTransactions_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtFreezeTransactions_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFreezeTransactions_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFreezeTransactions_SystemCall_6_3_XXXX + jmp NtFreezeTransactions_SystemCall_Unknown +NtFreezeTransactions_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtFreezeTransactions_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtFreezeTransactions_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtFreezeTransactions_SystemCall_6_0_6002 + jmp NtFreezeTransactions_SystemCall_Unknown +NtFreezeTransactions_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtFreezeTransactions_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtFreezeTransactions_SystemCall_6_1_7601 + jmp NtFreezeTransactions_SystemCall_Unknown +NtFreezeTransactions_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtFreezeTransactions_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFreezeTransactions_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFreezeTransactions_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFreezeTransactions_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFreezeTransactions_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFreezeTransactions_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFreezeTransactions_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFreezeTransactions_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFreezeTransactions_SystemCall_10_0_18363 + jmp NtFreezeTransactions_SystemCall_Unknown +NtFreezeTransactions_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00c8h + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00c6h + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00c6h + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00c9h + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00c9h + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00dbh + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00ddh + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00e0h + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00e1h + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + 
mov eax, 00e3h + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00e6h + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00e7h + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00e8h + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00e9h + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00eah + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00eah + jmp NtFreezeTransactions_Epilogue +NtFreezeTransactions_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFreezeTransactions_Epilogue: + mov r10, rcx + syscall + ret +NtFreezeTransactions ENDP + +NtFsControlFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtFsControlFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtFsControlFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtFsControlFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtFsControlFile_Check_10_0_XXXX + jmp NtFsControlFile_SystemCall_Unknown +NtFsControlFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtFsControlFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtFsControlFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFsControlFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtFsControlFile_SystemCall_6_3_XXXX + jmp NtFsControlFile_SystemCall_Unknown +NtFsControlFile_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtFsControlFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtFsControlFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtFsControlFile_SystemCall_6_0_6002 + jmp NtFsControlFile_SystemCall_Unknown +NtFsControlFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtFsControlFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtFsControlFile_SystemCall_6_1_7601 + jmp NtFsControlFile_SystemCall_Unknown +NtFsControlFile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtFsControlFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtFsControlFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtFsControlFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtFsControlFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtFsControlFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtFsControlFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtFsControlFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtFsControlFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtFsControlFile_SystemCall_10_0_18363 + jmp NtFsControlFile_SystemCall_Unknown +NtFsControlFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0036h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0036h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0036h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0036h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0036h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0036h + 
jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0037h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0038h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0039h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0039h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0039h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0039h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0039h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0039h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0039h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0039h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0039h + jmp NtFsControlFile_Epilogue +NtFsControlFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtFsControlFile_Epilogue: + mov r10, rcx + syscall + ret +NtFsControlFile ENDP + +NtGetCachedSigningLevel PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtGetCachedSigningLevel_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtGetCachedSigningLevel_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtGetCachedSigningLevel_Check_10_0_XXXX + jmp NtGetCachedSigningLevel_SystemCall_Unknown +NtGetCachedSigningLevel_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 2 + je NtGetCachedSigningLevel_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetCachedSigningLevel_SystemCall_6_3_XXXX + jmp NtGetCachedSigningLevel_SystemCall_Unknown +NtGetCachedSigningLevel_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtGetCachedSigningLevel_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtGetCachedSigningLevel_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtGetCachedSigningLevel_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtGetCachedSigningLevel_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtGetCachedSigningLevel_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtGetCachedSigningLevel_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtGetCachedSigningLevel_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtGetCachedSigningLevel_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtGetCachedSigningLevel_SystemCall_10_0_18363 + jmp NtGetCachedSigningLevel_SystemCall_Unknown +NtGetCachedSigningLevel_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00dch + jmp NtGetCachedSigningLevel_Epilogue +NtGetCachedSigningLevel_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00deh + jmp NtGetCachedSigningLevel_Epilogue +NtGetCachedSigningLevel_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00e1h + jmp NtGetCachedSigningLevel_Epilogue +NtGetCachedSigningLevel_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00e2h + jmp NtGetCachedSigningLevel_Epilogue +NtGetCachedSigningLevel_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00e4h + jmp NtGetCachedSigningLevel_Epilogue +NtGetCachedSigningLevel_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00e7h + jmp NtGetCachedSigningLevel_Epilogue +NtGetCachedSigningLevel_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00e8h + jmp 
NtGetCachedSigningLevel_Epilogue +NtGetCachedSigningLevel_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00e9h + jmp NtGetCachedSigningLevel_Epilogue +NtGetCachedSigningLevel_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00eah + jmp NtGetCachedSigningLevel_Epilogue +NtGetCachedSigningLevel_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00ebh + jmp NtGetCachedSigningLevel_Epilogue +NtGetCachedSigningLevel_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00ebh + jmp NtGetCachedSigningLevel_Epilogue +NtGetCachedSigningLevel_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtGetCachedSigningLevel_Epilogue: + mov r10, rcx + syscall + ret +NtGetCachedSigningLevel ENDP + +NtGetCompleteWnfStateSubscription PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtGetCompleteWnfStateSubscription_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtGetCompleteWnfStateSubscription_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtGetCompleteWnfStateSubscription_Check_10_0_XXXX + jmp NtGetCompleteWnfStateSubscription_SystemCall_Unknown +NtGetCompleteWnfStateSubscription_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtGetCompleteWnfStateSubscription_SystemCall_6_3_XXXX + jmp NtGetCompleteWnfStateSubscription_SystemCall_Unknown +NtGetCompleteWnfStateSubscription_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtGetCompleteWnfStateSubscription_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtGetCompleteWnfStateSubscription_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtGetCompleteWnfStateSubscription_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtGetCompleteWnfStateSubscription_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtGetCompleteWnfStateSubscription_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtGetCompleteWnfStateSubscription_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtGetCompleteWnfStateSubscription_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtGetCompleteWnfStateSubscription_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtGetCompleteWnfStateSubscription_SystemCall_10_0_18363 + jmp NtGetCompleteWnfStateSubscription_SystemCall_Unknown +NtGetCompleteWnfStateSubscription_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00dfh + jmp NtGetCompleteWnfStateSubscription_Epilogue +NtGetCompleteWnfStateSubscription_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00e2h + jmp NtGetCompleteWnfStateSubscription_Epilogue +NtGetCompleteWnfStateSubscription_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00e3h + jmp NtGetCompleteWnfStateSubscription_Epilogue +NtGetCompleteWnfStateSubscription_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00e5h + jmp NtGetCompleteWnfStateSubscription_Epilogue +NtGetCompleteWnfStateSubscription_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00e8h + jmp NtGetCompleteWnfStateSubscription_Epilogue +NtGetCompleteWnfStateSubscription_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00e9h + jmp NtGetCompleteWnfStateSubscription_Epilogue +NtGetCompleteWnfStateSubscription_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00eah + jmp NtGetCompleteWnfStateSubscription_Epilogue 
+NtGetCompleteWnfStateSubscription_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00ebh + jmp NtGetCompleteWnfStateSubscription_Epilogue +NtGetCompleteWnfStateSubscription_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00ech + jmp NtGetCompleteWnfStateSubscription_Epilogue +NtGetCompleteWnfStateSubscription_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00ech + jmp NtGetCompleteWnfStateSubscription_Epilogue +NtGetCompleteWnfStateSubscription_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtGetCompleteWnfStateSubscription_Epilogue: + mov r10, rcx + syscall + ret +NtGetCompleteWnfStateSubscription ENDP + +NtGetContextThread PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtGetContextThread_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtGetContextThread_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtGetContextThread_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtGetContextThread_Check_10_0_XXXX + jmp NtGetContextThread_SystemCall_Unknown +NtGetContextThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtGetContextThread_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtGetContextThread_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetContextThread_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetContextThread_SystemCall_6_3_XXXX + jmp NtGetContextThread_SystemCall_Unknown +NtGetContextThread_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtGetContextThread_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtGetContextThread_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtGetContextThread_SystemCall_6_0_6002 + jmp NtGetContextThread_SystemCall_Unknown +NtGetContextThread_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtGetContextThread_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtGetContextThread_SystemCall_6_1_7601 + jmp NtGetContextThread_SystemCall_Unknown +NtGetContextThread_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtGetContextThread_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtGetContextThread_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtGetContextThread_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtGetContextThread_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtGetContextThread_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtGetContextThread_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtGetContextThread_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtGetContextThread_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtGetContextThread_SystemCall_10_0_18363 + jmp NtGetContextThread_SystemCall_Unknown +NtGetContextThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 009dh + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00c9h + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00c7h + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00c7h + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00cah + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00cah + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00ddh + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00e0h + jmp 
NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00e3h + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00e4h + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00e6h + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00e9h + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00eah + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00ebh + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00ech + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00edh + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00edh + jmp NtGetContextThread_Epilogue +NtGetContextThread_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtGetContextThread_Epilogue: + mov r10, rcx + syscall + ret +NtGetContextThread ENDP + +NtGetCurrentProcessorNumber PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtGetCurrentProcessorNumber_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtGetCurrentProcessorNumber_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtGetCurrentProcessorNumber_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtGetCurrentProcessorNumber_Check_10_0_XXXX + jmp NtGetCurrentProcessorNumber_SystemCall_Unknown +NtGetCurrentProcessorNumber_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtGetCurrentProcessorNumber_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtGetCurrentProcessorNumber_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetCurrentProcessorNumber_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetCurrentProcessorNumber_SystemCall_6_3_XXXX + jmp NtGetCurrentProcessorNumber_SystemCall_Unknown +NtGetCurrentProcessorNumber_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtGetCurrentProcessorNumber_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtGetCurrentProcessorNumber_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtGetCurrentProcessorNumber_SystemCall_6_0_6002 + jmp NtGetCurrentProcessorNumber_SystemCall_Unknown +NtGetCurrentProcessorNumber_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtGetCurrentProcessorNumber_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtGetCurrentProcessorNumber_SystemCall_6_1_7601 + jmp NtGetCurrentProcessorNumber_SystemCall_Unknown +NtGetCurrentProcessorNumber_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtGetCurrentProcessorNumber_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtGetCurrentProcessorNumber_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtGetCurrentProcessorNumber_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtGetCurrentProcessorNumber_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtGetCurrentProcessorNumber_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtGetCurrentProcessorNumber_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtGetCurrentProcessorNumber_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtGetCurrentProcessorNumber_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtGetCurrentProcessorNumber_SystemCall_10_0_18363 + jmp NtGetCurrentProcessorNumber_SystemCall_Unknown +NtGetCurrentProcessorNumber_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 009eh + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00cah + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00c8h + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00c8h + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00cbh + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00cbh + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00deh + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00e1h + jmp NtGetCurrentProcessorNumber_Epilogue 
+NtGetCurrentProcessorNumber_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00e4h + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00e5h + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00e7h + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00eah + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00ebh + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00ech + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00edh + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00eeh + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00eeh + jmp NtGetCurrentProcessorNumber_Epilogue +NtGetCurrentProcessorNumber_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtGetCurrentProcessorNumber_Epilogue: + mov r10, rcx + syscall + ret +NtGetCurrentProcessorNumber ENDP + +NtGetCurrentProcessorNumberEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtGetCurrentProcessorNumberEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtGetCurrentProcessorNumberEx_Check_10_0_XXXX + jmp NtGetCurrentProcessorNumberEx_SystemCall_Unknown +NtGetCurrentProcessorNumberEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtGetCurrentProcessorNumberEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtGetCurrentProcessorNumberEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtGetCurrentProcessorNumberEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtGetCurrentProcessorNumberEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtGetCurrentProcessorNumberEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtGetCurrentProcessorNumberEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtGetCurrentProcessorNumberEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtGetCurrentProcessorNumberEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtGetCurrentProcessorNumberEx_SystemCall_10_0_18363 + jmp NtGetCurrentProcessorNumberEx_SystemCall_Unknown +NtGetCurrentProcessorNumberEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00e5h + jmp NtGetCurrentProcessorNumberEx_Epilogue +NtGetCurrentProcessorNumberEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00e6h + jmp NtGetCurrentProcessorNumberEx_Epilogue +NtGetCurrentProcessorNumberEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00e8h + jmp NtGetCurrentProcessorNumberEx_Epilogue +NtGetCurrentProcessorNumberEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00ebh + jmp NtGetCurrentProcessorNumberEx_Epilogue +NtGetCurrentProcessorNumberEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00ech + jmp NtGetCurrentProcessorNumberEx_Epilogue +NtGetCurrentProcessorNumberEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00edh + jmp NtGetCurrentProcessorNumberEx_Epilogue +NtGetCurrentProcessorNumberEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00eeh + jmp NtGetCurrentProcessorNumberEx_Epilogue +NtGetCurrentProcessorNumberEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00efh + jmp 
NtGetCurrentProcessorNumberEx_Epilogue +NtGetCurrentProcessorNumberEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00efh + jmp NtGetCurrentProcessorNumberEx_Epilogue +NtGetCurrentProcessorNumberEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtGetCurrentProcessorNumberEx_Epilogue: + mov r10, rcx + syscall + ret +NtGetCurrentProcessorNumberEx ENDP + +NtGetDevicePowerState PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtGetDevicePowerState_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtGetDevicePowerState_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtGetDevicePowerState_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtGetDevicePowerState_Check_10_0_XXXX + jmp NtGetDevicePowerState_SystemCall_Unknown +NtGetDevicePowerState_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtGetDevicePowerState_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtGetDevicePowerState_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetDevicePowerState_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetDevicePowerState_SystemCall_6_3_XXXX + jmp NtGetDevicePowerState_SystemCall_Unknown +NtGetDevicePowerState_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtGetDevicePowerState_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtGetDevicePowerState_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtGetDevicePowerState_SystemCall_6_0_6002 + jmp NtGetDevicePowerState_SystemCall_Unknown +NtGetDevicePowerState_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtGetDevicePowerState_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtGetDevicePowerState_SystemCall_6_1_7601 + jmp NtGetDevicePowerState_SystemCall_Unknown +NtGetDevicePowerState_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtGetDevicePowerState_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtGetDevicePowerState_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtGetDevicePowerState_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtGetDevicePowerState_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtGetDevicePowerState_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtGetDevicePowerState_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtGetDevicePowerState_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtGetDevicePowerState_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtGetDevicePowerState_SystemCall_10_0_18363 + jmp NtGetDevicePowerState_SystemCall_Unknown +NtGetDevicePowerState_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 009fh + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00cbh + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00c9h + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00c9h + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00cch + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00cch + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00dfh + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00e2h + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00e6h + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_10_0_10586: ; 
Windows 10.0.10586 (1511) + mov eax, 00e7h + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00e9h + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00ech + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00edh + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00eeh + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00efh + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00f0h + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00f0h + jmp NtGetDevicePowerState_Epilogue +NtGetDevicePowerState_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtGetDevicePowerState_Epilogue: + mov r10, rcx + syscall + ret +NtGetDevicePowerState ENDP + +NtGetMUIRegistryInfo PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtGetMUIRegistryInfo_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtGetMUIRegistryInfo_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtGetMUIRegistryInfo_Check_10_0_XXXX + jmp NtGetMUIRegistryInfo_SystemCall_Unknown +NtGetMUIRegistryInfo_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtGetMUIRegistryInfo_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtGetMUIRegistryInfo_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetMUIRegistryInfo_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetMUIRegistryInfo_SystemCall_6_3_XXXX + jmp NtGetMUIRegistryInfo_SystemCall_Unknown +NtGetMUIRegistryInfo_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtGetMUIRegistryInfo_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtGetMUIRegistryInfo_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtGetMUIRegistryInfo_SystemCall_6_0_6002 + jmp NtGetMUIRegistryInfo_SystemCall_Unknown +NtGetMUIRegistryInfo_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtGetMUIRegistryInfo_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtGetMUIRegistryInfo_SystemCall_6_1_7601 + jmp NtGetMUIRegistryInfo_SystemCall_Unknown +NtGetMUIRegistryInfo_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtGetMUIRegistryInfo_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtGetMUIRegistryInfo_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtGetMUIRegistryInfo_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtGetMUIRegistryInfo_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtGetMUIRegistryInfo_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtGetMUIRegistryInfo_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtGetMUIRegistryInfo_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtGetMUIRegistryInfo_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtGetMUIRegistryInfo_SystemCall_10_0_18363 + jmp NtGetMUIRegistryInfo_SystemCall_Unknown +NtGetMUIRegistryInfo_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00cch + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00cah + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00cah + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00cdh + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 
SP0 + mov eax, 00cdh + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00e0h + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00e3h + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00e7h + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00e8h + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00eah + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00edh + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00eeh + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00efh + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00f0h + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00f1h + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00f1h + jmp NtGetMUIRegistryInfo_Epilogue +NtGetMUIRegistryInfo_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtGetMUIRegistryInfo_Epilogue: + mov r10, rcx + syscall + ret +NtGetMUIRegistryInfo ENDP + +NtGetNextProcess PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtGetNextProcess_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtGetNextProcess_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtGetNextProcess_Check_10_0_XXXX + jmp NtGetNextProcess_SystemCall_Unknown +NtGetNextProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtGetNextProcess_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtGetNextProcess_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetNextProcess_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetNextProcess_SystemCall_6_3_XXXX + jmp NtGetNextProcess_SystemCall_Unknown +NtGetNextProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtGetNextProcess_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtGetNextProcess_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtGetNextProcess_SystemCall_6_0_6002 + jmp NtGetNextProcess_SystemCall_Unknown +NtGetNextProcess_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtGetNextProcess_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtGetNextProcess_SystemCall_6_1_7601 + jmp NtGetNextProcess_SystemCall_Unknown +NtGetNextProcess_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtGetNextProcess_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtGetNextProcess_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtGetNextProcess_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtGetNextProcess_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtGetNextProcess_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtGetNextProcess_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtGetNextProcess_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtGetNextProcess_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtGetNextProcess_SystemCall_10_0_18363 + jmp NtGetNextProcess_SystemCall_Unknown +NtGetNextProcess_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00cdh + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00cbh + jmp NtGetNextProcess_Epilogue 
+NtGetNextProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00cbh + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00ceh + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00ceh + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00e1h + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00e4h + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00e8h + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00e9h + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00ebh + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00eeh + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00efh + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00f0h + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00f1h + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00f2h + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00f2h + jmp NtGetNextProcess_Epilogue +NtGetNextProcess_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtGetNextProcess_Epilogue: + mov r10, rcx + syscall + ret +NtGetNextProcess ENDP + +NtGetNextThread PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtGetNextThread_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtGetNextThread_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtGetNextThread_Check_10_0_XXXX + jmp NtGetNextThread_SystemCall_Unknown +NtGetNextThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtGetNextThread_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtGetNextThread_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetNextThread_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetNextThread_SystemCall_6_3_XXXX + jmp NtGetNextThread_SystemCall_Unknown +NtGetNextThread_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtGetNextThread_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtGetNextThread_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtGetNextThread_SystemCall_6_0_6002 + jmp NtGetNextThread_SystemCall_Unknown +NtGetNextThread_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtGetNextThread_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtGetNextThread_SystemCall_6_1_7601 + jmp NtGetNextThread_SystemCall_Unknown +NtGetNextThread_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtGetNextThread_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtGetNextThread_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtGetNextThread_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtGetNextThread_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtGetNextThread_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtGetNextThread_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtGetNextThread_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtGetNextThread_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtGetNextThread_SystemCall_10_0_18363 + jmp NtGetNextThread_SystemCall_Unknown +NtGetNextThread_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00ceh + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00cch + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00cch + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00cfh + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00cfh + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00e2h + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00e5h + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00e9h + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00eah + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00ech + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00efh + jmp 
NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00f0h + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00f1h + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00f2h + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00f3h + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00f3h + jmp NtGetNextThread_Epilogue +NtGetNextThread_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtGetNextThread_Epilogue: + mov r10, rcx + syscall + ret +NtGetNextThread ENDP + +NtGetNlsSectionPtr PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtGetNlsSectionPtr_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtGetNlsSectionPtr_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtGetNlsSectionPtr_Check_10_0_XXXX + jmp NtGetNlsSectionPtr_SystemCall_Unknown +NtGetNlsSectionPtr_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtGetNlsSectionPtr_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtGetNlsSectionPtr_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetNlsSectionPtr_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetNlsSectionPtr_SystemCall_6_3_XXXX + jmp NtGetNlsSectionPtr_SystemCall_Unknown +NtGetNlsSectionPtr_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtGetNlsSectionPtr_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtGetNlsSectionPtr_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtGetNlsSectionPtr_SystemCall_6_0_6002 + jmp NtGetNlsSectionPtr_SystemCall_Unknown +NtGetNlsSectionPtr_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtGetNlsSectionPtr_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtGetNlsSectionPtr_SystemCall_6_1_7601 + jmp NtGetNlsSectionPtr_SystemCall_Unknown +NtGetNlsSectionPtr_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtGetNlsSectionPtr_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtGetNlsSectionPtr_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtGetNlsSectionPtr_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtGetNlsSectionPtr_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtGetNlsSectionPtr_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtGetNlsSectionPtr_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtGetNlsSectionPtr_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtGetNlsSectionPtr_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtGetNlsSectionPtr_SystemCall_10_0_18363 + jmp NtGetNlsSectionPtr_SystemCall_Unknown +NtGetNlsSectionPtr_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00cfh + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00cdh + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00cdh + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00d0h + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00d0h + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00e3h + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00e6h + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00eah + jmp 
NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00ebh + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00edh + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00f0h + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00f1h + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00f2h + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00f3h + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00f4h + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00f4h + jmp NtGetNlsSectionPtr_Epilogue +NtGetNlsSectionPtr_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtGetNlsSectionPtr_Epilogue: + mov r10, rcx + syscall + ret +NtGetNlsSectionPtr ENDP + +NtGetNotificationResourceManager PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtGetNotificationResourceManager_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtGetNotificationResourceManager_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtGetNotificationResourceManager_Check_10_0_XXXX + jmp NtGetNotificationResourceManager_SystemCall_Unknown +NtGetNotificationResourceManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtGetNotificationResourceManager_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtGetNotificationResourceManager_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetNotificationResourceManager_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetNotificationResourceManager_SystemCall_6_3_XXXX + jmp NtGetNotificationResourceManager_SystemCall_Unknown +NtGetNotificationResourceManager_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtGetNotificationResourceManager_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtGetNotificationResourceManager_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtGetNotificationResourceManager_SystemCall_6_0_6002 + jmp NtGetNotificationResourceManager_SystemCall_Unknown +NtGetNotificationResourceManager_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtGetNotificationResourceManager_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtGetNotificationResourceManager_SystemCall_6_1_7601 + jmp NtGetNotificationResourceManager_SystemCall_Unknown +NtGetNotificationResourceManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtGetNotificationResourceManager_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtGetNotificationResourceManager_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtGetNotificationResourceManager_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtGetNotificationResourceManager_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtGetNotificationResourceManager_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtGetNotificationResourceManager_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtGetNotificationResourceManager_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtGetNotificationResourceManager_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtGetNotificationResourceManager_SystemCall_10_0_18363 + jmp NtGetNotificationResourceManager_SystemCall_Unknown +NtGetNotificationResourceManager_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00d0h + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00ceh + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00ceh + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00d1h + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00d1h + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00e4h + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00e7h + jmp NtGetNotificationResourceManager_Epilogue 
+NtGetNotificationResourceManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00ebh + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00ech + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00eeh + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00f1h + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00f2h + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00f3h + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00f4h + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00f5h + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00f5h + jmp NtGetNotificationResourceManager_Epilogue +NtGetNotificationResourceManager_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtGetNotificationResourceManager_Epilogue: + mov r10, rcx + syscall + ret +NtGetNotificationResourceManager ENDP + +NtGetPlugPlayEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtGetPlugPlayEvent_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtGetPlugPlayEvent_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtGetPlugPlayEvent_Check_6_X_XXXX + jmp NtGetPlugPlayEvent_SystemCall_Unknown +NtGetPlugPlayEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtGetPlugPlayEvent_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtGetPlugPlayEvent_Check_6_1_XXXX + jmp NtGetPlugPlayEvent_SystemCall_Unknown +NtGetPlugPlayEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtGetPlugPlayEvent_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtGetPlugPlayEvent_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtGetPlugPlayEvent_SystemCall_6_0_6002 + jmp NtGetPlugPlayEvent_SystemCall_Unknown +NtGetPlugPlayEvent_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtGetPlugPlayEvent_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtGetPlugPlayEvent_SystemCall_6_1_7601 + jmp NtGetPlugPlayEvent_SystemCall_Unknown +NtGetPlugPlayEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00a0h + jmp NtGetPlugPlayEvent_Epilogue +NtGetPlugPlayEvent_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00d1h + jmp NtGetPlugPlayEvent_Epilogue +NtGetPlugPlayEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00cfh + jmp NtGetPlugPlayEvent_Epilogue +NtGetPlugPlayEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00cfh + jmp NtGetPlugPlayEvent_Epilogue +NtGetPlugPlayEvent_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00d2h + jmp NtGetPlugPlayEvent_Epilogue +NtGetPlugPlayEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00d2h + jmp NtGetPlugPlayEvent_Epilogue +NtGetPlugPlayEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtGetPlugPlayEvent_Epilogue: + mov r10, rcx + syscall + ret +NtGetPlugPlayEvent ENDP + +NtGetWriteWatch PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtGetWriteWatch_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtGetWriteWatch_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtGetWriteWatch_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtGetWriteWatch_Check_10_0_XXXX + jmp NtGetWriteWatch_SystemCall_Unknown +NtGetWriteWatch_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtGetWriteWatch_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtGetWriteWatch_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetWriteWatch_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtGetWriteWatch_SystemCall_6_3_XXXX + jmp NtGetWriteWatch_SystemCall_Unknown +NtGetWriteWatch_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtGetWriteWatch_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtGetWriteWatch_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtGetWriteWatch_SystemCall_6_0_6002 + jmp NtGetWriteWatch_SystemCall_Unknown +NtGetWriteWatch_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtGetWriteWatch_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtGetWriteWatch_SystemCall_6_1_7601 + jmp NtGetWriteWatch_SystemCall_Unknown +NtGetWriteWatch_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtGetWriteWatch_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtGetWriteWatch_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtGetWriteWatch_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtGetWriteWatch_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtGetWriteWatch_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtGetWriteWatch_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtGetWriteWatch_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtGetWriteWatch_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtGetWriteWatch_SystemCall_10_0_18363 + jmp NtGetWriteWatch_SystemCall_Unknown +NtGetWriteWatch_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00a1h + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00d2h + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00d0h + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00d0h + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00d3h + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00d3h + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00e5h + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00e8h + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00ech + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00edh + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00efh + jmp 
NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00f2h + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00f3h + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00f4h + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00f5h + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00f6h + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00f6h + jmp NtGetWriteWatch_Epilogue +NtGetWriteWatch_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtGetWriteWatch_Epilogue: + mov r10, rcx + syscall + ret +NtGetWriteWatch ENDP + +NtImpersonateAnonymousToken PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtImpersonateAnonymousToken_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtImpersonateAnonymousToken_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtImpersonateAnonymousToken_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtImpersonateAnonymousToken_Check_10_0_XXXX + jmp NtImpersonateAnonymousToken_SystemCall_Unknown +NtImpersonateAnonymousToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtImpersonateAnonymousToken_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtImpersonateAnonymousToken_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtImpersonateAnonymousToken_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtImpersonateAnonymousToken_SystemCall_6_3_XXXX + jmp NtImpersonateAnonymousToken_SystemCall_Unknown +NtImpersonateAnonymousToken_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtImpersonateAnonymousToken_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtImpersonateAnonymousToken_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtImpersonateAnonymousToken_SystemCall_6_0_6002 + jmp NtImpersonateAnonymousToken_SystemCall_Unknown +NtImpersonateAnonymousToken_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtImpersonateAnonymousToken_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtImpersonateAnonymousToken_SystemCall_6_1_7601 + jmp NtImpersonateAnonymousToken_SystemCall_Unknown +NtImpersonateAnonymousToken_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtImpersonateAnonymousToken_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtImpersonateAnonymousToken_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtImpersonateAnonymousToken_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtImpersonateAnonymousToken_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtImpersonateAnonymousToken_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtImpersonateAnonymousToken_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtImpersonateAnonymousToken_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtImpersonateAnonymousToken_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtImpersonateAnonymousToken_SystemCall_10_0_18363 + jmp NtImpersonateAnonymousToken_SystemCall_Unknown +NtImpersonateAnonymousToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00a2h + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00d3h + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00d1h + jmp NtImpersonateAnonymousToken_Epilogue 
+NtImpersonateAnonymousToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00d1h + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00d4h + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00d4h + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00e6h + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00e9h + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00edh + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00eeh + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00f0h + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00f3h + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00f4h + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00f5h + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00f6h + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00f7h + jmp NtImpersonateAnonymousToken_Epilogue +NtImpersonateAnonymousToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00f7h + jmp NtImpersonateAnonymousToken_Epilogue 
+NtImpersonateAnonymousToken_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtImpersonateAnonymousToken_Epilogue: + mov r10, rcx + syscall + ret +NtImpersonateAnonymousToken ENDP + +NtImpersonateClientOfPort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtImpersonateClientOfPort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtImpersonateClientOfPort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtImpersonateClientOfPort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtImpersonateClientOfPort_Check_10_0_XXXX + jmp NtImpersonateClientOfPort_SystemCall_Unknown +NtImpersonateClientOfPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtImpersonateClientOfPort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtImpersonateClientOfPort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtImpersonateClientOfPort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtImpersonateClientOfPort_SystemCall_6_3_XXXX + jmp NtImpersonateClientOfPort_SystemCall_Unknown +NtImpersonateClientOfPort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtImpersonateClientOfPort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtImpersonateClientOfPort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtImpersonateClientOfPort_SystemCall_6_0_6002 + jmp NtImpersonateClientOfPort_SystemCall_Unknown +NtImpersonateClientOfPort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtImpersonateClientOfPort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtImpersonateClientOfPort_SystemCall_6_1_7601 + jmp NtImpersonateClientOfPort_SystemCall_Unknown +NtImpersonateClientOfPort_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtImpersonateClientOfPort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtImpersonateClientOfPort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtImpersonateClientOfPort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtImpersonateClientOfPort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtImpersonateClientOfPort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtImpersonateClientOfPort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtImpersonateClientOfPort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtImpersonateClientOfPort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtImpersonateClientOfPort_SystemCall_10_0_18363 + jmp NtImpersonateClientOfPort_SystemCall_Unknown +NtImpersonateClientOfPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 001ch + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 001ch + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 001ch + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 001ch + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 001ch + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 001ch + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 001dh + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 001eh + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_10_0_10240: ; Windows 10.0.10240 
(1507) + mov eax, 001fh + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 001fh + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 001fh + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 001fh + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 001fh + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 001fh + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 001fh + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 001fh + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 001fh + jmp NtImpersonateClientOfPort_Epilogue +NtImpersonateClientOfPort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtImpersonateClientOfPort_Epilogue: + mov r10, rcx + syscall + ret +NtImpersonateClientOfPort ENDP + +NtImpersonateThread PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtImpersonateThread_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtImpersonateThread_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtImpersonateThread_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtImpersonateThread_Check_10_0_XXXX + jmp NtImpersonateThread_SystemCall_Unknown +NtImpersonateThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtImpersonateThread_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtImpersonateThread_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtImpersonateThread_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtImpersonateThread_SystemCall_6_3_XXXX + jmp NtImpersonateThread_SystemCall_Unknown +NtImpersonateThread_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtImpersonateThread_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtImpersonateThread_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtImpersonateThread_SystemCall_6_0_6002 + jmp NtImpersonateThread_SystemCall_Unknown +NtImpersonateThread_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtImpersonateThread_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtImpersonateThread_SystemCall_6_1_7601 + jmp NtImpersonateThread_SystemCall_Unknown +NtImpersonateThread_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtImpersonateThread_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtImpersonateThread_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtImpersonateThread_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtImpersonateThread_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtImpersonateThread_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtImpersonateThread_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtImpersonateThread_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtImpersonateThread_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtImpersonateThread_SystemCall_10_0_18363 + jmp NtImpersonateThread_SystemCall_Unknown +NtImpersonateThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00a3h + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00d4h + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00d2h + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00d2h + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00d5h + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00d5h + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00e7h + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00eah + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00eeh + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00efh + jmp 
NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00f1h + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00f4h + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00f5h + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00f6h + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00f7h + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00f8h + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00f8h + jmp NtImpersonateThread_Epilogue +NtImpersonateThread_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtImpersonateThread_Epilogue: + mov r10, rcx + syscall + ret +NtImpersonateThread ENDP + +NtInitializeEnclave PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtInitializeEnclave_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtInitializeEnclave_Check_10_0_XXXX + jmp NtInitializeEnclave_SystemCall_Unknown +NtInitializeEnclave_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10586 + je NtInitializeEnclave_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtInitializeEnclave_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtInitializeEnclave_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtInitializeEnclave_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtInitializeEnclave_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtInitializeEnclave_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtInitializeEnclave_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtInitializeEnclave_SystemCall_10_0_18363 + jmp NtInitializeEnclave_SystemCall_Unknown +NtInitializeEnclave_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00f0h + jmp NtInitializeEnclave_Epilogue +NtInitializeEnclave_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00f2h + jmp NtInitializeEnclave_Epilogue +NtInitializeEnclave_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00f5h + jmp NtInitializeEnclave_Epilogue +NtInitializeEnclave_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00f6h + jmp NtInitializeEnclave_Epilogue +NtInitializeEnclave_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00f7h + jmp NtInitializeEnclave_Epilogue +NtInitializeEnclave_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00f8h + jmp NtInitializeEnclave_Epilogue +NtInitializeEnclave_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00f9h + jmp NtInitializeEnclave_Epilogue +NtInitializeEnclave_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00f9h + jmp NtInitializeEnclave_Epilogue +NtInitializeEnclave_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtInitializeEnclave_Epilogue: + mov r10, rcx + syscall + ret +NtInitializeEnclave ENDP + +NtInitializeNlsFiles PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtInitializeNlsFiles_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtInitializeNlsFiles_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtInitializeNlsFiles_Check_10_0_XXXX + jmp NtInitializeNlsFiles_SystemCall_Unknown +NtInitializeNlsFiles_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtInitializeNlsFiles_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtInitializeNlsFiles_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtInitializeNlsFiles_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtInitializeNlsFiles_SystemCall_6_3_XXXX + jmp NtInitializeNlsFiles_SystemCall_Unknown +NtInitializeNlsFiles_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtInitializeNlsFiles_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtInitializeNlsFiles_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtInitializeNlsFiles_SystemCall_6_0_6002 + jmp NtInitializeNlsFiles_SystemCall_Unknown +NtInitializeNlsFiles_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtInitializeNlsFiles_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtInitializeNlsFiles_SystemCall_6_1_7601 + jmp NtInitializeNlsFiles_SystemCall_Unknown +NtInitializeNlsFiles_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtInitializeNlsFiles_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtInitializeNlsFiles_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtInitializeNlsFiles_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtInitializeNlsFiles_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtInitializeNlsFiles_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtInitializeNlsFiles_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtInitializeNlsFiles_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtInitializeNlsFiles_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtInitializeNlsFiles_SystemCall_10_0_18363 + jmp NtInitializeNlsFiles_SystemCall_Unknown +NtInitializeNlsFiles_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00d5h + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00d3h + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00d3h + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00d6h + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00d6h + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00e8h + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00ebh + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00efh + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00f1h + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + 
mov eax, 00f3h + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00f6h + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00f7h + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00f8h + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00f9h + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00fah + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00fah + jmp NtInitializeNlsFiles_Epilogue +NtInitializeNlsFiles_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtInitializeNlsFiles_Epilogue: + mov r10, rcx + syscall + ret +NtInitializeNlsFiles ENDP + +NtInitializeRegistry PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtInitializeRegistry_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtInitializeRegistry_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtInitializeRegistry_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtInitializeRegistry_Check_10_0_XXXX + jmp NtInitializeRegistry_SystemCall_Unknown +NtInitializeRegistry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtInitializeRegistry_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtInitializeRegistry_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtInitializeRegistry_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtInitializeRegistry_SystemCall_6_3_XXXX + jmp NtInitializeRegistry_SystemCall_Unknown +NtInitializeRegistry_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtInitializeRegistry_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtInitializeRegistry_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtInitializeRegistry_SystemCall_6_0_6002 + jmp NtInitializeRegistry_SystemCall_Unknown +NtInitializeRegistry_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtInitializeRegistry_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtInitializeRegistry_SystemCall_6_1_7601 + jmp NtInitializeRegistry_SystemCall_Unknown +NtInitializeRegistry_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtInitializeRegistry_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtInitializeRegistry_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtInitializeRegistry_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtInitializeRegistry_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtInitializeRegistry_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtInitializeRegistry_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtInitializeRegistry_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtInitializeRegistry_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtInitializeRegistry_SystemCall_10_0_18363 + jmp NtInitializeRegistry_SystemCall_Unknown +NtInitializeRegistry_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00a4h + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00d6h + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00d4h + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00d4h + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_6_1_7600: ; Windows 7 SP0 + mov 
eax, 00d7h + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00d7h + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00e9h + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00ech + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00f0h + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00f2h + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00f4h + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00f7h + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00f8h + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00f9h + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00fah + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00fbh + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00fbh + jmp NtInitializeRegistry_Epilogue +NtInitializeRegistry_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtInitializeRegistry_Epilogue: + mov r10, rcx + syscall + ret +NtInitializeRegistry ENDP + +NtInitiatePowerAction PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtInitiatePowerAction_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtInitiatePowerAction_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtInitiatePowerAction_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtInitiatePowerAction_Check_10_0_XXXX + jmp NtInitiatePowerAction_SystemCall_Unknown +NtInitiatePowerAction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtInitiatePowerAction_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtInitiatePowerAction_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtInitiatePowerAction_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtInitiatePowerAction_SystemCall_6_3_XXXX + jmp NtInitiatePowerAction_SystemCall_Unknown +NtInitiatePowerAction_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtInitiatePowerAction_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtInitiatePowerAction_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtInitiatePowerAction_SystemCall_6_0_6002 + jmp NtInitiatePowerAction_SystemCall_Unknown +NtInitiatePowerAction_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtInitiatePowerAction_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtInitiatePowerAction_SystemCall_6_1_7601 + jmp NtInitiatePowerAction_SystemCall_Unknown +NtInitiatePowerAction_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtInitiatePowerAction_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtInitiatePowerAction_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtInitiatePowerAction_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtInitiatePowerAction_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtInitiatePowerAction_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtInitiatePowerAction_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtInitiatePowerAction_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtInitiatePowerAction_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtInitiatePowerAction_SystemCall_10_0_18363 + jmp NtInitiatePowerAction_SystemCall_Unknown +NtInitiatePowerAction_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00a5h + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00d7h + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00d5h + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00d5h + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00d8h + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00d8h + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00eah + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00edh + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00f1h + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_10_0_10586: ; 
Windows 10.0.10586 (1511) + mov eax, 00f3h + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00f5h + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00f8h + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00f9h + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00fah + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00fbh + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00fch + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00fch + jmp NtInitiatePowerAction_Epilogue +NtInitiatePowerAction_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtInitiatePowerAction_Epilogue: + mov r10, rcx + syscall + ret +NtInitiatePowerAction ENDP + +NtIsProcessInJob PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtIsProcessInJob_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtIsProcessInJob_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtIsProcessInJob_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtIsProcessInJob_Check_10_0_XXXX + jmp NtIsProcessInJob_SystemCall_Unknown +NtIsProcessInJob_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtIsProcessInJob_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtIsProcessInJob_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtIsProcessInJob_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtIsProcessInJob_SystemCall_6_3_XXXX + jmp NtIsProcessInJob_SystemCall_Unknown +NtIsProcessInJob_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtIsProcessInJob_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtIsProcessInJob_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtIsProcessInJob_SystemCall_6_0_6002 + jmp NtIsProcessInJob_SystemCall_Unknown +NtIsProcessInJob_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtIsProcessInJob_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtIsProcessInJob_SystemCall_6_1_7601 + jmp NtIsProcessInJob_SystemCall_Unknown +NtIsProcessInJob_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtIsProcessInJob_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtIsProcessInJob_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtIsProcessInJob_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtIsProcessInJob_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtIsProcessInJob_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtIsProcessInJob_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtIsProcessInJob_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtIsProcessInJob_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtIsProcessInJob_SystemCall_10_0_18363 + jmp NtIsProcessInJob_SystemCall_Unknown +NtIsProcessInJob_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 004ch + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 004ch + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 004ch + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 004ch + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 004ch + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 
2008 R2 SP0 + mov eax, 004ch + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 004dh + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 004eh + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 004fh + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 004fh + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 004fh + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 004fh + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 004fh + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 004fh + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 004fh + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 004fh + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 004fh + jmp NtIsProcessInJob_Epilogue +NtIsProcessInJob_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtIsProcessInJob_Epilogue: + mov r10, rcx + syscall + ret +NtIsProcessInJob ENDP + +NtIsSystemResumeAutomatic PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtIsSystemResumeAutomatic_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtIsSystemResumeAutomatic_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtIsSystemResumeAutomatic_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtIsSystemResumeAutomatic_Check_10_0_XXXX + jmp NtIsSystemResumeAutomatic_SystemCall_Unknown +NtIsSystemResumeAutomatic_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtIsSystemResumeAutomatic_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtIsSystemResumeAutomatic_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtIsSystemResumeAutomatic_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtIsSystemResumeAutomatic_SystemCall_6_3_XXXX + jmp NtIsSystemResumeAutomatic_SystemCall_Unknown +NtIsSystemResumeAutomatic_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtIsSystemResumeAutomatic_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtIsSystemResumeAutomatic_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtIsSystemResumeAutomatic_SystemCall_6_0_6002 + jmp NtIsSystemResumeAutomatic_SystemCall_Unknown +NtIsSystemResumeAutomatic_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtIsSystemResumeAutomatic_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtIsSystemResumeAutomatic_SystemCall_6_1_7601 + jmp NtIsSystemResumeAutomatic_SystemCall_Unknown +NtIsSystemResumeAutomatic_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtIsSystemResumeAutomatic_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtIsSystemResumeAutomatic_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtIsSystemResumeAutomatic_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtIsSystemResumeAutomatic_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtIsSystemResumeAutomatic_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtIsSystemResumeAutomatic_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtIsSystemResumeAutomatic_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtIsSystemResumeAutomatic_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtIsSystemResumeAutomatic_SystemCall_10_0_18363 + jmp NtIsSystemResumeAutomatic_SystemCall_Unknown +NtIsSystemResumeAutomatic_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00a6h + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00d8h + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00d6h + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00d6h + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00d9h + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00d9h + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00ebh + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00eeh + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_10_0_10240: ; Windows 10.0.10240 
(1507) + mov eax, 00f2h + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00f4h + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00f6h + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00f9h + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00fah + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00fbh + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00fch + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00fdh + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00fdh + jmp NtIsSystemResumeAutomatic_Epilogue +NtIsSystemResumeAutomatic_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtIsSystemResumeAutomatic_Epilogue: + mov r10, rcx + syscall + ret +NtIsSystemResumeAutomatic ENDP + +NtIsUILanguageComitted PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtIsUILanguageComitted_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtIsUILanguageComitted_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtIsUILanguageComitted_Check_10_0_XXXX + jmp NtIsUILanguageComitted_SystemCall_Unknown +NtIsUILanguageComitted_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtIsUILanguageComitted_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtIsUILanguageComitted_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtIsUILanguageComitted_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtIsUILanguageComitted_SystemCall_6_3_XXXX + jmp NtIsUILanguageComitted_SystemCall_Unknown +NtIsUILanguageComitted_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtIsUILanguageComitted_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtIsUILanguageComitted_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtIsUILanguageComitted_SystemCall_6_0_6002 + jmp NtIsUILanguageComitted_SystemCall_Unknown +NtIsUILanguageComitted_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtIsUILanguageComitted_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtIsUILanguageComitted_SystemCall_6_1_7601 + jmp NtIsUILanguageComitted_SystemCall_Unknown +NtIsUILanguageComitted_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtIsUILanguageComitted_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtIsUILanguageComitted_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtIsUILanguageComitted_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtIsUILanguageComitted_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtIsUILanguageComitted_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtIsUILanguageComitted_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtIsUILanguageComitted_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtIsUILanguageComitted_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtIsUILanguageComitted_SystemCall_10_0_18363 + jmp NtIsUILanguageComitted_SystemCall_Unknown +NtIsUILanguageComitted_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00d9h + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00d7h + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00d7h + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00dah + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00dah + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00ech + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00efh + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00f3h + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00f5h + jmp NtIsUILanguageComitted_Epilogue 
+NtIsUILanguageComitted_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00f7h + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00fah + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00fbh + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00fch + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00fdh + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00feh + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00feh + jmp NtIsUILanguageComitted_Epilogue +NtIsUILanguageComitted_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtIsUILanguageComitted_Epilogue: + mov r10, rcx + syscall + ret +NtIsUILanguageComitted ENDP + +NtListTransactions PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtListTransactions_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtListTransactions_Check_6_X_XXXX + jmp NtListTransactions_SystemCall_Unknown +NtListTransactions_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtListTransactions_Check_6_0_XXXX + jmp NtListTransactions_SystemCall_Unknown +NtListTransactions_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtListTransactions_SystemCall_6_0_6000 + jmp NtListTransactions_SystemCall_Unknown +NtListTransactions_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00dah + jmp NtListTransactions_Epilogue +NtListTransactions_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtListTransactions_Epilogue: + mov r10, rcx + syscall + ret +NtListTransactions ENDP + +NtListenPort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtListenPort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtListenPort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtListenPort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtListenPort_Check_10_0_XXXX + jmp NtListenPort_SystemCall_Unknown +NtListenPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtListenPort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtListenPort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtListenPort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtListenPort_SystemCall_6_3_XXXX + jmp NtListenPort_SystemCall_Unknown +NtListenPort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtListenPort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtListenPort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtListenPort_SystemCall_6_0_6002 + jmp NtListenPort_SystemCall_Unknown +NtListenPort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtListenPort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtListenPort_SystemCall_6_1_7601 + jmp NtListenPort_SystemCall_Unknown +NtListenPort_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtListenPort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtListenPort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtListenPort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtListenPort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtListenPort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtListenPort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtListenPort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtListenPort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtListenPort_SystemCall_10_0_18363 + jmp NtListenPort_SystemCall_Unknown +NtListenPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00a7h + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00dbh + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00d8h + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00d8h + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00dbh + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00dbh + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00edh + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00f0h + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00f4h + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00f6h + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00f8h + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 
00fbh + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00fch + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00fdh + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00feh + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 00ffh + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 00ffh + jmp NtListenPort_Epilogue +NtListenPort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtListenPort_Epilogue: + mov r10, rcx + syscall + ret +NtListenPort ENDP + +NtLoadDriver PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtLoadDriver_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtLoadDriver_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtLoadDriver_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtLoadDriver_Check_10_0_XXXX + jmp NtLoadDriver_SystemCall_Unknown +NtLoadDriver_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtLoadDriver_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtLoadDriver_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLoadDriver_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLoadDriver_SystemCall_6_3_XXXX + jmp NtLoadDriver_SystemCall_Unknown +NtLoadDriver_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtLoadDriver_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtLoadDriver_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtLoadDriver_SystemCall_6_0_6002 + jmp NtLoadDriver_SystemCall_Unknown +NtLoadDriver_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtLoadDriver_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtLoadDriver_SystemCall_6_1_7601 + jmp NtLoadDriver_SystemCall_Unknown +NtLoadDriver_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtLoadDriver_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtLoadDriver_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtLoadDriver_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtLoadDriver_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtLoadDriver_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtLoadDriver_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtLoadDriver_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtLoadDriver_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtLoadDriver_SystemCall_10_0_18363 + jmp NtLoadDriver_SystemCall_Unknown +NtLoadDriver_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00a8h + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00dch + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00d9h + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00d9h + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00dch + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00dch + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00eeh + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00f1h + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00f5h + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_10_0_10586: ; Windows 
10.0.10586 (1511) + mov eax, 00f7h + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00f9h + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00fch + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00fdh + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00feh + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 00ffh + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0100h + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0100h + jmp NtLoadDriver_Epilogue +NtLoadDriver_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtLoadDriver_Epilogue: + mov r10, rcx + syscall + ret +NtLoadDriver ENDP + +NtLoadEnclaveData PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtLoadEnclaveData_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtLoadEnclaveData_Check_10_0_XXXX + jmp NtLoadEnclaveData_SystemCall_Unknown +NtLoadEnclaveData_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10586 + je NtLoadEnclaveData_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtLoadEnclaveData_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtLoadEnclaveData_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtLoadEnclaveData_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtLoadEnclaveData_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtLoadEnclaveData_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtLoadEnclaveData_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtLoadEnclaveData_SystemCall_10_0_18363 + jmp NtLoadEnclaveData_SystemCall_Unknown +NtLoadEnclaveData_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00f8h + jmp NtLoadEnclaveData_Epilogue +NtLoadEnclaveData_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00fah + jmp NtLoadEnclaveData_Epilogue +NtLoadEnclaveData_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00fdh + jmp NtLoadEnclaveData_Epilogue +NtLoadEnclaveData_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00feh + jmp NtLoadEnclaveData_Epilogue +NtLoadEnclaveData_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 00ffh + jmp NtLoadEnclaveData_Epilogue +NtLoadEnclaveData_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0100h + jmp NtLoadEnclaveData_Epilogue +NtLoadEnclaveData_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0101h + jmp NtLoadEnclaveData_Epilogue +NtLoadEnclaveData_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0101h + jmp NtLoadEnclaveData_Epilogue +NtLoadEnclaveData_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtLoadEnclaveData_Epilogue: + mov r10, rcx + syscall + ret +NtLoadEnclaveData ENDP + +NtLoadHotPatch PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtLoadHotPatch_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 10 + je NtLoadHotPatch_Check_10_0_XXXX + jmp NtLoadHotPatch_SystemCall_Unknown +NtLoadHotPatch_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 15063 + je NtLoadHotPatch_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtLoadHotPatch_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtLoadHotPatch_SystemCall_10_0_17134 + jmp NtLoadHotPatch_SystemCall_Unknown +NtLoadHotPatch_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00feh + jmp NtLoadHotPatch_Epilogue +NtLoadHotPatch_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 00ffh + jmp NtLoadHotPatch_Epilogue +NtLoadHotPatch_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0100h + jmp NtLoadHotPatch_Epilogue +NtLoadHotPatch_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtLoadHotPatch_Epilogue: + mov r10, rcx + syscall + ret +NtLoadHotPatch ENDP + +NtLoadKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtLoadKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtLoadKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtLoadKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtLoadKey_Check_10_0_XXXX + jmp NtLoadKey_SystemCall_Unknown +NtLoadKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtLoadKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtLoadKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLoadKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLoadKey_SystemCall_6_3_XXXX + jmp NtLoadKey_SystemCall_Unknown +NtLoadKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtLoadKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtLoadKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtLoadKey_SystemCall_6_0_6002 + jmp NtLoadKey_SystemCall_Unknown +NtLoadKey_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtLoadKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtLoadKey_SystemCall_6_1_7601 + jmp NtLoadKey_SystemCall_Unknown +NtLoadKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtLoadKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtLoadKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtLoadKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtLoadKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtLoadKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtLoadKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtLoadKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtLoadKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtLoadKey_SystemCall_10_0_18363 + jmp NtLoadKey_SystemCall_Unknown +NtLoadKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00a9h + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00ddh + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00dah + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00dah + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00ddh + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00ddh + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00efh + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00f2h + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00f6h + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00f9h + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_10_0_14393: ; Windows 
10.0.14393 (1607) + mov eax, 00fbh + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 00ffh + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0100h + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0101h + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0101h + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0102h + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0102h + jmp NtLoadKey_Epilogue +NtLoadKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtLoadKey_Epilogue: + mov r10, rcx + syscall + ret +NtLoadKey ENDP + +NtLoadKey2 PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtLoadKey2_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtLoadKey2_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtLoadKey2_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtLoadKey2_Check_10_0_XXXX + jmp NtLoadKey2_SystemCall_Unknown +NtLoadKey2_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtLoadKey2_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtLoadKey2_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLoadKey2_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLoadKey2_SystemCall_6_3_XXXX + jmp NtLoadKey2_SystemCall_Unknown +NtLoadKey2_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtLoadKey2_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtLoadKey2_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtLoadKey2_SystemCall_6_0_6002 + jmp NtLoadKey2_SystemCall_Unknown +NtLoadKey2_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtLoadKey2_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtLoadKey2_SystemCall_6_1_7601 + jmp NtLoadKey2_SystemCall_Unknown +NtLoadKey2_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtLoadKey2_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtLoadKey2_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtLoadKey2_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtLoadKey2_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtLoadKey2_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtLoadKey2_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtLoadKey2_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtLoadKey2_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtLoadKey2_SystemCall_10_0_18363 + jmp NtLoadKey2_SystemCall_Unknown +NtLoadKey2_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00aah + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00deh + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00dbh + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00dbh + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00deh + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00deh + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00f0h + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00f3h + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00f7h + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00fah + jmp NtLoadKey2_Epilogue 
+NtLoadKey2_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00fch + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0100h + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0101h + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0102h + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0102h + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0103h + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0103h + jmp NtLoadKey2_Epilogue +NtLoadKey2_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtLoadKey2_Epilogue: + mov r10, rcx + syscall + ret +NtLoadKey2 ENDP + +NtLoadKeyEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtLoadKeyEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtLoadKeyEx_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtLoadKeyEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtLoadKeyEx_Check_10_0_XXXX + jmp NtLoadKeyEx_SystemCall_Unknown +NtLoadKeyEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtLoadKeyEx_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtLoadKeyEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLoadKeyEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLoadKeyEx_SystemCall_6_3_XXXX + jmp NtLoadKeyEx_SystemCall_Unknown +NtLoadKeyEx_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtLoadKeyEx_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtLoadKeyEx_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtLoadKeyEx_SystemCall_6_0_6002 + jmp NtLoadKeyEx_SystemCall_Unknown +NtLoadKeyEx_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtLoadKeyEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtLoadKeyEx_SystemCall_6_1_7601 + jmp NtLoadKeyEx_SystemCall_Unknown +NtLoadKeyEx_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtLoadKeyEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtLoadKeyEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtLoadKeyEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtLoadKeyEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtLoadKeyEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtLoadKeyEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtLoadKeyEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtLoadKeyEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtLoadKeyEx_SystemCall_10_0_18363 + jmp NtLoadKeyEx_SystemCall_Unknown +NtLoadKeyEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00abh + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00dfh + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00dch + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00dch + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00dfh + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00dfh + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00f1h + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00f4h + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00f8h + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00fbh + 
jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00fdh + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0101h + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0102h + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0103h + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0103h + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0104h + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0104h + jmp NtLoadKeyEx_Epilogue +NtLoadKeyEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtLoadKeyEx_Epilogue: + mov r10, rcx + syscall + ret +NtLoadKeyEx ENDP + +NtLockFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtLockFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtLockFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtLockFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtLockFile_Check_10_0_XXXX + jmp NtLockFile_SystemCall_Unknown +NtLockFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtLockFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtLockFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLockFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLockFile_SystemCall_6_3_XXXX + jmp NtLockFile_SystemCall_Unknown +NtLockFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtLockFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtLockFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtLockFile_SystemCall_6_0_6002 + jmp NtLockFile_SystemCall_Unknown +NtLockFile_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtLockFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtLockFile_SystemCall_6_1_7601 + jmp NtLockFile_SystemCall_Unknown +NtLockFile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtLockFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtLockFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtLockFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtLockFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtLockFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtLockFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtLockFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtLockFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtLockFile_SystemCall_10_0_18363 + jmp NtLockFile_SystemCall_Unknown +NtLockFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00ach + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00e0h + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00ddh + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00ddh + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00e0h + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00e0h + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00f2h + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00f5h + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00f9h + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00fch + jmp NtLockFile_Epilogue 
+NtLockFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00feh + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0102h + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0103h + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0104h + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0104h + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0105h + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0105h + jmp NtLockFile_Epilogue +NtLockFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtLockFile_Epilogue: + mov r10, rcx + syscall + ret +NtLockFile ENDP + +NtLockProductActivationKeys PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtLockProductActivationKeys_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtLockProductActivationKeys_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtLockProductActivationKeys_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtLockProductActivationKeys_Check_10_0_XXXX + jmp NtLockProductActivationKeys_SystemCall_Unknown +NtLockProductActivationKeys_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtLockProductActivationKeys_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtLockProductActivationKeys_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLockProductActivationKeys_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLockProductActivationKeys_SystemCall_6_3_XXXX + jmp NtLockProductActivationKeys_SystemCall_Unknown +NtLockProductActivationKeys_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtLockProductActivationKeys_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtLockProductActivationKeys_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtLockProductActivationKeys_SystemCall_6_0_6002 + jmp NtLockProductActivationKeys_SystemCall_Unknown +NtLockProductActivationKeys_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtLockProductActivationKeys_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtLockProductActivationKeys_SystemCall_6_1_7601 + jmp NtLockProductActivationKeys_SystemCall_Unknown +NtLockProductActivationKeys_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtLockProductActivationKeys_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtLockProductActivationKeys_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtLockProductActivationKeys_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtLockProductActivationKeys_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtLockProductActivationKeys_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtLockProductActivationKeys_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtLockProductActivationKeys_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtLockProductActivationKeys_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtLockProductActivationKeys_SystemCall_10_0_18363 + jmp NtLockProductActivationKeys_SystemCall_Unknown +NtLockProductActivationKeys_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00adh + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00e1h + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00deh + jmp NtLockProductActivationKeys_Epilogue 
+NtLockProductActivationKeys_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00deh + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00e1h + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00e1h + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00f3h + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00f6h + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00fah + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00fdh + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 00ffh + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0103h + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0104h + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0105h + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0105h + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0106h + jmp NtLockProductActivationKeys_Epilogue +NtLockProductActivationKeys_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0106h + jmp NtLockProductActivationKeys_Epilogue 
+NtLockProductActivationKeys_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtLockProductActivationKeys_Epilogue: + mov r10, rcx + syscall + ret +NtLockProductActivationKeys ENDP + +NtLockRegistryKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtLockRegistryKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtLockRegistryKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtLockRegistryKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtLockRegistryKey_Check_10_0_XXXX + jmp NtLockRegistryKey_SystemCall_Unknown +NtLockRegistryKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtLockRegistryKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtLockRegistryKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLockRegistryKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLockRegistryKey_SystemCall_6_3_XXXX + jmp NtLockRegistryKey_SystemCall_Unknown +NtLockRegistryKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtLockRegistryKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtLockRegistryKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtLockRegistryKey_SystemCall_6_0_6002 + jmp NtLockRegistryKey_SystemCall_Unknown +NtLockRegistryKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtLockRegistryKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtLockRegistryKey_SystemCall_6_1_7601 + jmp NtLockRegistryKey_SystemCall_Unknown +NtLockRegistryKey_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtLockRegistryKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtLockRegistryKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtLockRegistryKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtLockRegistryKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtLockRegistryKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtLockRegistryKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtLockRegistryKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtLockRegistryKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtLockRegistryKey_SystemCall_10_0_18363 + jmp NtLockRegistryKey_SystemCall_Unknown +NtLockRegistryKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00aeh + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00e2h + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00dfh + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00dfh + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00e2h + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00e2h + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00f4h + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00f7h + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00fbh + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00feh + jmp NtLockRegistryKey_Epilogue 
+NtLockRegistryKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0100h + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0104h + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0105h + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0106h + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0106h + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0107h + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0107h + jmp NtLockRegistryKey_Epilogue +NtLockRegistryKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtLockRegistryKey_Epilogue: + mov r10, rcx + syscall + ret +NtLockRegistryKey ENDP + +NtLockVirtualMemory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtLockVirtualMemory_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtLockVirtualMemory_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtLockVirtualMemory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtLockVirtualMemory_Check_10_0_XXXX + jmp NtLockVirtualMemory_SystemCall_Unknown +NtLockVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtLockVirtualMemory_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtLockVirtualMemory_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLockVirtualMemory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtLockVirtualMemory_SystemCall_6_3_XXXX + jmp NtLockVirtualMemory_SystemCall_Unknown +NtLockVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtLockVirtualMemory_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtLockVirtualMemory_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtLockVirtualMemory_SystemCall_6_0_6002 + jmp NtLockVirtualMemory_SystemCall_Unknown +NtLockVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtLockVirtualMemory_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtLockVirtualMemory_SystemCall_6_1_7601 + jmp NtLockVirtualMemory_SystemCall_Unknown +NtLockVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtLockVirtualMemory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtLockVirtualMemory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtLockVirtualMemory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtLockVirtualMemory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtLockVirtualMemory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtLockVirtualMemory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtLockVirtualMemory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtLockVirtualMemory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtLockVirtualMemory_SystemCall_10_0_18363 + jmp NtLockVirtualMemory_SystemCall_Unknown +NtLockVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00afh + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00e3h + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00e0h + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00e0h + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00e3h + jmp 
NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00e3h + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00f5h + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00f8h + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00fch + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 00ffh + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0101h + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0105h + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0106h + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0107h + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0107h + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0108h + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0108h + jmp NtLockVirtualMemory_Epilogue +NtLockVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtLockVirtualMemory_Epilogue: + mov r10, rcx + syscall + ret +NtLockVirtualMemory ENDP + +NtMakePermanentObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtMakePermanentObject_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtMakePermanentObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtMakePermanentObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtMakePermanentObject_Check_10_0_XXXX + jmp NtMakePermanentObject_SystemCall_Unknown +NtMakePermanentObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtMakePermanentObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtMakePermanentObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtMakePermanentObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtMakePermanentObject_SystemCall_6_3_XXXX + jmp NtMakePermanentObject_SystemCall_Unknown +NtMakePermanentObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtMakePermanentObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtMakePermanentObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtMakePermanentObject_SystemCall_6_0_6002 + jmp NtMakePermanentObject_SystemCall_Unknown +NtMakePermanentObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtMakePermanentObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtMakePermanentObject_SystemCall_6_1_7601 + jmp NtMakePermanentObject_SystemCall_Unknown +NtMakePermanentObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtMakePermanentObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtMakePermanentObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtMakePermanentObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtMakePermanentObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtMakePermanentObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtMakePermanentObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtMakePermanentObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtMakePermanentObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtMakePermanentObject_SystemCall_10_0_18363 + jmp NtMakePermanentObject_SystemCall_Unknown +NtMakePermanentObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00b0h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00e4h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00e1h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00e1h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00e4h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00e4h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00f6h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00f9h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00fdh + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_10_0_10586: ; 
Windows 10.0.10586 (1511) + mov eax, 0100h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0102h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0106h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0107h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0108h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0108h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0109h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0109h + jmp NtMakePermanentObject_Epilogue +NtMakePermanentObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtMakePermanentObject_Epilogue: + mov r10, rcx + syscall + ret +NtMakePermanentObject ENDP + +NtMakeTemporaryObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtMakeTemporaryObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtMakeTemporaryObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtMakeTemporaryObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtMakeTemporaryObject_Check_10_0_XXXX + jmp NtMakeTemporaryObject_SystemCall_Unknown +NtMakeTemporaryObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtMakeTemporaryObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtMakeTemporaryObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtMakeTemporaryObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtMakeTemporaryObject_SystemCall_6_3_XXXX + jmp NtMakeTemporaryObject_SystemCall_Unknown +NtMakeTemporaryObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtMakeTemporaryObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtMakeTemporaryObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtMakeTemporaryObject_SystemCall_6_0_6002 + jmp NtMakeTemporaryObject_SystemCall_Unknown +NtMakeTemporaryObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtMakeTemporaryObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtMakeTemporaryObject_SystemCall_6_1_7601 + jmp NtMakeTemporaryObject_SystemCall_Unknown +NtMakeTemporaryObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtMakeTemporaryObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtMakeTemporaryObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtMakeTemporaryObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtMakeTemporaryObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtMakeTemporaryObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtMakeTemporaryObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtMakeTemporaryObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtMakeTemporaryObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtMakeTemporaryObject_SystemCall_10_0_18363 + jmp NtMakeTemporaryObject_SystemCall_Unknown +NtMakeTemporaryObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00b1h + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00e5h + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00e2h + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00e2h + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00e5h + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00e5h + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00f7h + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00fah + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00feh + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_10_0_10586: ; 
Windows 10.0.10586 (1511) + mov eax, 0101h + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0103h + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0107h + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0108h + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0109h + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0109h + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 010ah + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 010ah + jmp NtMakeTemporaryObject_Epilogue +NtMakeTemporaryObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtMakeTemporaryObject_Epilogue: + mov r10, rcx + syscall + ret +NtMakeTemporaryObject ENDP + +NtManageHotPatch PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtManageHotPatch_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtManageHotPatch_Check_10_0_XXXX + jmp NtManageHotPatch_SystemCall_Unknown +NtManageHotPatch_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 17763 + je NtManageHotPatch_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtManageHotPatch_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtManageHotPatch_SystemCall_10_0_18363 + jmp NtManageHotPatch_SystemCall_Unknown +NtManageHotPatch_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 010ah + jmp NtManageHotPatch_Epilogue +NtManageHotPatch_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 010bh + jmp NtManageHotPatch_Epilogue +NtManageHotPatch_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 010bh + jmp NtManageHotPatch_Epilogue +NtManageHotPatch_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtManageHotPatch_Epilogue: + mov r10, rcx + syscall + ret +NtManageHotPatch ENDP + +NtManagePartition PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtManagePartition_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtManagePartition_Check_10_0_XXXX + jmp NtManagePartition_SystemCall_Unknown +NtManagePartition_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtManagePartition_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtManagePartition_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtManagePartition_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtManagePartition_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtManagePartition_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtManagePartition_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtManagePartition_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtManagePartition_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtManagePartition_SystemCall_10_0_18363 + jmp NtManagePartition_SystemCall_Unknown +NtManagePartition_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 00ffh + jmp NtManagePartition_Epilogue +NtManagePartition_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0102h + jmp NtManagePartition_Epilogue +NtManagePartition_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0104h + jmp NtManagePartition_Epilogue +NtManagePartition_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0108h + jmp NtManagePartition_Epilogue +NtManagePartition_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0109h + jmp NtManagePartition_Epilogue +NtManagePartition_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 010ah + jmp NtManagePartition_Epilogue +NtManagePartition_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 010bh + jmp NtManagePartition_Epilogue +NtManagePartition_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 010ch + jmp NtManagePartition_Epilogue +NtManagePartition_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 010ch + jmp NtManagePartition_Epilogue +NtManagePartition_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtManagePartition_Epilogue: + mov r10, rcx + syscall + ret +NtManagePartition ENDP + +NtMapCMFModule PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtMapCMFModule_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtMapCMFModule_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtMapCMFModule_Check_10_0_XXXX + jmp NtMapCMFModule_SystemCall_Unknown +NtMapCMFModule_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtMapCMFModule_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtMapCMFModule_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtMapCMFModule_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtMapCMFModule_SystemCall_6_3_XXXX + jmp NtMapCMFModule_SystemCall_Unknown +NtMapCMFModule_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtMapCMFModule_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtMapCMFModule_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtMapCMFModule_SystemCall_6_0_6002 + jmp NtMapCMFModule_SystemCall_Unknown +NtMapCMFModule_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtMapCMFModule_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtMapCMFModule_SystemCall_6_1_7601 + jmp NtMapCMFModule_SystemCall_Unknown +NtMapCMFModule_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtMapCMFModule_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtMapCMFModule_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtMapCMFModule_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtMapCMFModule_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtMapCMFModule_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtMapCMFModule_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtMapCMFModule_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtMapCMFModule_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtMapCMFModule_SystemCall_10_0_18363 + jmp NtMapCMFModule_SystemCall_Unknown +NtMapCMFModule_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00e6h + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00e3h + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00e3h + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00e6h + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00e6h + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00f8h + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00fbh + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0100h + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0103h + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0105h + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0109h + jmp NtMapCMFModule_Epilogue 
+NtMapCMFModule_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 010ah + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 010bh + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 010ch + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 010dh + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 010dh + jmp NtMapCMFModule_Epilogue +NtMapCMFModule_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtMapCMFModule_Epilogue: + mov r10, rcx + syscall + ret +NtMapCMFModule ENDP + +NtMapUserPhysicalPages PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtMapUserPhysicalPages_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtMapUserPhysicalPages_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtMapUserPhysicalPages_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtMapUserPhysicalPages_Check_10_0_XXXX + jmp NtMapUserPhysicalPages_SystemCall_Unknown +NtMapUserPhysicalPages_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtMapUserPhysicalPages_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtMapUserPhysicalPages_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtMapUserPhysicalPages_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtMapUserPhysicalPages_SystemCall_6_3_XXXX + jmp NtMapUserPhysicalPages_SystemCall_Unknown +NtMapUserPhysicalPages_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtMapUserPhysicalPages_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtMapUserPhysicalPages_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtMapUserPhysicalPages_SystemCall_6_0_6002 + jmp NtMapUserPhysicalPages_SystemCall_Unknown +NtMapUserPhysicalPages_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtMapUserPhysicalPages_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtMapUserPhysicalPages_SystemCall_6_1_7601 + jmp NtMapUserPhysicalPages_SystemCall_Unknown +NtMapUserPhysicalPages_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtMapUserPhysicalPages_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtMapUserPhysicalPages_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtMapUserPhysicalPages_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtMapUserPhysicalPages_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtMapUserPhysicalPages_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtMapUserPhysicalPages_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtMapUserPhysicalPages_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtMapUserPhysicalPages_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtMapUserPhysicalPages_SystemCall_10_0_18363 + jmp NtMapUserPhysicalPages_SystemCall_Unknown +NtMapUserPhysicalPages_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00b2h + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00e7h + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00e4h + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00e4h + jmp NtMapUserPhysicalPages_Epilogue 
+NtMapUserPhysicalPages_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00e7h + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00e7h + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00f9h + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00fch + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0101h + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0104h + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0106h + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 010ah + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 010bh + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 010ch + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 010dh + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 010eh + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 010eh + jmp NtMapUserPhysicalPages_Epilogue +NtMapUserPhysicalPages_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtMapUserPhysicalPages_Epilogue: + mov r10, rcx + syscall + ret +NtMapUserPhysicalPages ENDP + +NtMapUserPhysicalPagesScatter PROC + mov rax, gs:[60h] ; Load PEB into RAX. 
+NtMapUserPhysicalPagesScatter_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtMapUserPhysicalPagesScatter_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtMapUserPhysicalPagesScatter_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtMapUserPhysicalPagesScatter_Check_10_0_XXXX + jmp NtMapUserPhysicalPagesScatter_SystemCall_Unknown +NtMapUserPhysicalPagesScatter_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtMapUserPhysicalPagesScatter_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtMapUserPhysicalPagesScatter_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtMapUserPhysicalPagesScatter_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtMapUserPhysicalPagesScatter_SystemCall_6_3_XXXX + jmp NtMapUserPhysicalPagesScatter_SystemCall_Unknown +NtMapUserPhysicalPagesScatter_Check_6_0_XXXX: ; Check build number for Windows Vista. + jmp NtMapUserPhysicalPagesScatter_SystemCall_Unknown +NtMapUserPhysicalPagesScatter_Check_6_1_XXXX: ; Check build number for Windows 7. + jmp NtMapUserPhysicalPagesScatter_SystemCall_Unknown +NtMapUserPhysicalPagesScatter_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtMapUserPhysicalPagesScatter_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtMapUserPhysicalPagesScatter_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtMapUserPhysicalPagesScatter_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtMapUserPhysicalPagesScatter_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtMapUserPhysicalPagesScatter_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtMapUserPhysicalPagesScatter_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtMapUserPhysicalPagesScatter_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtMapUserPhysicalPagesScatter_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtMapUserPhysicalPagesScatter_SystemCall_10_0_18363 + jmp NtMapUserPhysicalPagesScatter_SystemCall_Unknown +NtMapUserPhysicalPagesScatter_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0000h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0000h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0000h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0000h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0000h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0000h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0001h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0002h + jmp 
NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0003h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0003h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0003h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0003h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0003h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0003h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0003h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0003h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0003h + jmp NtMapUserPhysicalPagesScatter_Epilogue +NtMapUserPhysicalPagesScatter_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtMapUserPhysicalPagesScatter_Epilogue: + mov r10, rcx + syscall + ret +NtMapUserPhysicalPagesScatter ENDP + +NtMapViewOfSection PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtMapViewOfSection_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtMapViewOfSection_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtMapViewOfSection_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtMapViewOfSection_Check_10_0_XXXX + jmp NtMapViewOfSection_SystemCall_Unknown +NtMapViewOfSection_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtMapViewOfSection_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtMapViewOfSection_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtMapViewOfSection_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtMapViewOfSection_SystemCall_6_3_XXXX + jmp NtMapViewOfSection_SystemCall_Unknown +NtMapViewOfSection_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtMapViewOfSection_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtMapViewOfSection_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtMapViewOfSection_SystemCall_6_0_6002 + jmp NtMapViewOfSection_SystemCall_Unknown +NtMapViewOfSection_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtMapViewOfSection_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtMapViewOfSection_SystemCall_6_1_7601 + jmp NtMapViewOfSection_SystemCall_Unknown +NtMapViewOfSection_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtMapViewOfSection_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtMapViewOfSection_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtMapViewOfSection_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtMapViewOfSection_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtMapViewOfSection_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtMapViewOfSection_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtMapViewOfSection_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtMapViewOfSection_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtMapViewOfSection_SystemCall_10_0_18363 + jmp NtMapViewOfSection_SystemCall_Unknown +NtMapViewOfSection_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0025h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0025h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0025h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0025h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0025h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0025h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0026h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0027h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0028h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0028h + jmp NtMapViewOfSection_Epilogue 
+NtMapViewOfSection_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0028h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0028h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0028h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0028h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0028h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0028h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0028h + jmp NtMapViewOfSection_Epilogue +NtMapViewOfSection_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtMapViewOfSection_Epilogue: + mov r10, rcx + syscall + ret +NtMapViewOfSection ENDP + +NtMapViewOfSectionEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtMapViewOfSectionEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtMapViewOfSectionEx_Check_10_0_XXXX + jmp NtMapViewOfSectionEx_SystemCall_Unknown +NtMapViewOfSectionEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 17134 + je NtMapViewOfSectionEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtMapViewOfSectionEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtMapViewOfSectionEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtMapViewOfSectionEx_SystemCall_10_0_18363 + jmp NtMapViewOfSectionEx_SystemCall_Unknown +NtMapViewOfSectionEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 010dh + jmp NtMapViewOfSectionEx_Epilogue +NtMapViewOfSectionEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 010eh + jmp NtMapViewOfSectionEx_Epilogue +NtMapViewOfSectionEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 010fh + jmp NtMapViewOfSectionEx_Epilogue +NtMapViewOfSectionEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 010fh + jmp NtMapViewOfSectionEx_Epilogue +NtMapViewOfSectionEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtMapViewOfSectionEx_Epilogue: + mov r10, rcx + syscall + ret +NtMapViewOfSectionEx ENDP + +NtMarshallTransaction PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtMarshallTransaction_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtMarshallTransaction_Check_6_X_XXXX + jmp NtMarshallTransaction_SystemCall_Unknown +NtMarshallTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtMarshallTransaction_Check_6_0_XXXX + jmp NtMarshallTransaction_SystemCall_Unknown +NtMarshallTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtMarshallTransaction_SystemCall_6_0_6000 + jmp NtMarshallTransaction_SystemCall_Unknown +NtMarshallTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00e8h + jmp NtMarshallTransaction_Epilogue +NtMarshallTransaction_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtMarshallTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtMarshallTransaction ENDP + +NtModifyBootEntry PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtModifyBootEntry_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtModifyBootEntry_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtModifyBootEntry_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtModifyBootEntry_Check_10_0_XXXX + jmp NtModifyBootEntry_SystemCall_Unknown +NtModifyBootEntry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtModifyBootEntry_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtModifyBootEntry_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtModifyBootEntry_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtModifyBootEntry_SystemCall_6_3_XXXX + jmp NtModifyBootEntry_SystemCall_Unknown +NtModifyBootEntry_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtModifyBootEntry_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtModifyBootEntry_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtModifyBootEntry_SystemCall_6_0_6002 + jmp NtModifyBootEntry_SystemCall_Unknown +NtModifyBootEntry_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtModifyBootEntry_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtModifyBootEntry_SystemCall_6_1_7601 + jmp NtModifyBootEntry_SystemCall_Unknown +NtModifyBootEntry_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtModifyBootEntry_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtModifyBootEntry_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtModifyBootEntry_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtModifyBootEntry_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtModifyBootEntry_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtModifyBootEntry_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtModifyBootEntry_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtModifyBootEntry_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtModifyBootEntry_SystemCall_10_0_18363 + jmp NtModifyBootEntry_SystemCall_Unknown +NtModifyBootEntry_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00b3h + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00e9h + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00e5h + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00e5h + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00e8h + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00e8h + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00fah + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00fdh + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0102h + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0105h + jmp NtModifyBootEntry_Epilogue 
+NtModifyBootEntry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0107h + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 010bh + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 010ch + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 010eh + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 010fh + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0110h + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0110h + jmp NtModifyBootEntry_Epilogue +NtModifyBootEntry_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtModifyBootEntry_Epilogue: + mov r10, rcx + syscall + ret +NtModifyBootEntry ENDP + +NtModifyDriverEntry PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtModifyDriverEntry_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtModifyDriverEntry_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtModifyDriverEntry_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtModifyDriverEntry_Check_10_0_XXXX + jmp NtModifyDriverEntry_SystemCall_Unknown +NtModifyDriverEntry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtModifyDriverEntry_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtModifyDriverEntry_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtModifyDriverEntry_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtModifyDriverEntry_SystemCall_6_3_XXXX + jmp NtModifyDriverEntry_SystemCall_Unknown +NtModifyDriverEntry_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtModifyDriverEntry_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtModifyDriverEntry_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtModifyDriverEntry_SystemCall_6_0_6002 + jmp NtModifyDriverEntry_SystemCall_Unknown +NtModifyDriverEntry_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtModifyDriverEntry_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtModifyDriverEntry_SystemCall_6_1_7601 + jmp NtModifyDriverEntry_SystemCall_Unknown +NtModifyDriverEntry_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtModifyDriverEntry_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtModifyDriverEntry_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtModifyDriverEntry_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtModifyDriverEntry_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtModifyDriverEntry_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtModifyDriverEntry_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtModifyDriverEntry_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtModifyDriverEntry_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtModifyDriverEntry_SystemCall_10_0_18363 + jmp NtModifyDriverEntry_SystemCall_Unknown +NtModifyDriverEntry_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00b4h + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00eah + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00e6h + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00e6h + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00e9h + jmp 
NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00e9h + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00fbh + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00feh + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0103h + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0106h + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0108h + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 010ch + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 010dh + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 010fh + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0110h + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0111h + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0111h + jmp NtModifyDriverEntry_Epilogue +NtModifyDriverEntry_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtModifyDriverEntry_Epilogue: + mov r10, rcx + syscall + ret +NtModifyDriverEntry ENDP + +NtNotifyChangeDirectoryFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtNotifyChangeDirectoryFile_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtNotifyChangeDirectoryFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtNotifyChangeDirectoryFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtNotifyChangeDirectoryFile_Check_10_0_XXXX + jmp NtNotifyChangeDirectoryFile_SystemCall_Unknown +NtNotifyChangeDirectoryFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtNotifyChangeDirectoryFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtNotifyChangeDirectoryFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtNotifyChangeDirectoryFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtNotifyChangeDirectoryFile_SystemCall_6_3_XXXX + jmp NtNotifyChangeDirectoryFile_SystemCall_Unknown +NtNotifyChangeDirectoryFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtNotifyChangeDirectoryFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtNotifyChangeDirectoryFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtNotifyChangeDirectoryFile_SystemCall_6_0_6002 + jmp NtNotifyChangeDirectoryFile_SystemCall_Unknown +NtNotifyChangeDirectoryFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtNotifyChangeDirectoryFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtNotifyChangeDirectoryFile_SystemCall_6_1_7601 + jmp NtNotifyChangeDirectoryFile_SystemCall_Unknown +NtNotifyChangeDirectoryFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtNotifyChangeDirectoryFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtNotifyChangeDirectoryFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtNotifyChangeDirectoryFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtNotifyChangeDirectoryFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtNotifyChangeDirectoryFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtNotifyChangeDirectoryFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtNotifyChangeDirectoryFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtNotifyChangeDirectoryFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtNotifyChangeDirectoryFile_SystemCall_10_0_18363 + jmp NtNotifyChangeDirectoryFile_SystemCall_Unknown +NtNotifyChangeDirectoryFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00b5h + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00ebh + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00e7h + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00e7h + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00eah + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00eah + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00fch + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 00ffh + jmp NtNotifyChangeDirectoryFile_Epilogue 
+NtNotifyChangeDirectoryFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0104h + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0107h + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0109h + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 010dh + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 010eh + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0110h + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0111h + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0112h + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0112h + jmp NtNotifyChangeDirectoryFile_Epilogue +NtNotifyChangeDirectoryFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtNotifyChangeDirectoryFile_Epilogue: + mov r10, rcx + syscall + ret +NtNotifyChangeDirectoryFile ENDP + +NtNotifyChangeDirectoryFileEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtNotifyChangeDirectoryFileEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtNotifyChangeDirectoryFileEx_Check_10_0_XXXX + jmp NtNotifyChangeDirectoryFileEx_SystemCall_Unknown +NtNotifyChangeDirectoryFileEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 16299 + je NtNotifyChangeDirectoryFileEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtNotifyChangeDirectoryFileEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtNotifyChangeDirectoryFileEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtNotifyChangeDirectoryFileEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtNotifyChangeDirectoryFileEx_SystemCall_10_0_18363 + jmp NtNotifyChangeDirectoryFileEx_SystemCall_Unknown +NtNotifyChangeDirectoryFileEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 010fh + jmp NtNotifyChangeDirectoryFileEx_Epilogue +NtNotifyChangeDirectoryFileEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0111h + jmp NtNotifyChangeDirectoryFileEx_Epilogue +NtNotifyChangeDirectoryFileEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0112h + jmp NtNotifyChangeDirectoryFileEx_Epilogue +NtNotifyChangeDirectoryFileEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0113h + jmp NtNotifyChangeDirectoryFileEx_Epilogue +NtNotifyChangeDirectoryFileEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0113h + jmp NtNotifyChangeDirectoryFileEx_Epilogue +NtNotifyChangeDirectoryFileEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtNotifyChangeDirectoryFileEx_Epilogue: + mov r10, rcx + syscall + ret +NtNotifyChangeDirectoryFileEx ENDP + +NtNotifyChangeKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtNotifyChangeKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtNotifyChangeKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtNotifyChangeKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtNotifyChangeKey_Check_10_0_XXXX + jmp NtNotifyChangeKey_SystemCall_Unknown +NtNotifyChangeKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtNotifyChangeKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtNotifyChangeKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtNotifyChangeKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtNotifyChangeKey_SystemCall_6_3_XXXX + jmp NtNotifyChangeKey_SystemCall_Unknown +NtNotifyChangeKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtNotifyChangeKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtNotifyChangeKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtNotifyChangeKey_SystemCall_6_0_6002 + jmp NtNotifyChangeKey_SystemCall_Unknown +NtNotifyChangeKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtNotifyChangeKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtNotifyChangeKey_SystemCall_6_1_7601 + jmp NtNotifyChangeKey_SystemCall_Unknown +NtNotifyChangeKey_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtNotifyChangeKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtNotifyChangeKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtNotifyChangeKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtNotifyChangeKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtNotifyChangeKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtNotifyChangeKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtNotifyChangeKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtNotifyChangeKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtNotifyChangeKey_SystemCall_10_0_18363 + jmp NtNotifyChangeKey_SystemCall_Unknown +NtNotifyChangeKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00b6h + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00ech + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00e8h + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00e8h + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00ebh + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00ebh + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00fdh + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0100h + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0105h + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0108h + jmp NtNotifyChangeKey_Epilogue 
+NtNotifyChangeKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 010ah + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 010eh + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0110h + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0112h + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0113h + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0114h + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0114h + jmp NtNotifyChangeKey_Epilogue +NtNotifyChangeKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtNotifyChangeKey_Epilogue: + mov r10, rcx + syscall + ret +NtNotifyChangeKey ENDP + +NtNotifyChangeMultipleKeys PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtNotifyChangeMultipleKeys_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtNotifyChangeMultipleKeys_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtNotifyChangeMultipleKeys_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtNotifyChangeMultipleKeys_Check_10_0_XXXX + jmp NtNotifyChangeMultipleKeys_SystemCall_Unknown +NtNotifyChangeMultipleKeys_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtNotifyChangeMultipleKeys_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtNotifyChangeMultipleKeys_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtNotifyChangeMultipleKeys_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtNotifyChangeMultipleKeys_SystemCall_6_3_XXXX + jmp NtNotifyChangeMultipleKeys_SystemCall_Unknown +NtNotifyChangeMultipleKeys_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtNotifyChangeMultipleKeys_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtNotifyChangeMultipleKeys_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtNotifyChangeMultipleKeys_SystemCall_6_0_6002 + jmp NtNotifyChangeMultipleKeys_SystemCall_Unknown +NtNotifyChangeMultipleKeys_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtNotifyChangeMultipleKeys_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtNotifyChangeMultipleKeys_SystemCall_6_1_7601 + jmp NtNotifyChangeMultipleKeys_SystemCall_Unknown +NtNotifyChangeMultipleKeys_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtNotifyChangeMultipleKeys_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtNotifyChangeMultipleKeys_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtNotifyChangeMultipleKeys_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtNotifyChangeMultipleKeys_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtNotifyChangeMultipleKeys_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtNotifyChangeMultipleKeys_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtNotifyChangeMultipleKeys_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtNotifyChangeMultipleKeys_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtNotifyChangeMultipleKeys_SystemCall_10_0_18363 + jmp NtNotifyChangeMultipleKeys_SystemCall_Unknown +NtNotifyChangeMultipleKeys_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00b7h + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00edh + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00e9h + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_6_0_6002: ; 
Windows Vista SP2 and Server 2008 SP2 + mov eax, 00e9h + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00ech + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00ech + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00feh + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0101h + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0106h + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0109h + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 010bh + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 010fh + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0111h + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0113h + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0114h + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0115h + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0115h + jmp NtNotifyChangeMultipleKeys_Epilogue +NtNotifyChangeMultipleKeys_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtNotifyChangeMultipleKeys_Epilogue: + mov r10, rcx + syscall + ret +NtNotifyChangeMultipleKeys ENDP + +NtNotifyChangeSession PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtNotifyChangeSession_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtNotifyChangeSession_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtNotifyChangeSession_Check_10_0_XXXX + jmp NtNotifyChangeSession_SystemCall_Unknown +NtNotifyChangeSession_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 1 + je NtNotifyChangeSession_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtNotifyChangeSession_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtNotifyChangeSession_SystemCall_6_3_XXXX + jmp NtNotifyChangeSession_SystemCall_Unknown +NtNotifyChangeSession_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtNotifyChangeSession_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtNotifyChangeSession_SystemCall_6_1_7601 + jmp NtNotifyChangeSession_SystemCall_Unknown +NtNotifyChangeSession_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtNotifyChangeSession_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtNotifyChangeSession_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtNotifyChangeSession_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtNotifyChangeSession_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtNotifyChangeSession_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtNotifyChangeSession_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtNotifyChangeSession_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtNotifyChangeSession_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtNotifyChangeSession_SystemCall_10_0_18363 + jmp NtNotifyChangeSession_SystemCall_Unknown +NtNotifyChangeSession_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00edh + jmp NtNotifyChangeSession_Epilogue +NtNotifyChangeSession_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00edh + jmp NtNotifyChangeSession_Epilogue +NtNotifyChangeSession_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 00ffh + jmp NtNotifyChangeSession_Epilogue +NtNotifyChangeSession_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0102h + jmp NtNotifyChangeSession_Epilogue +NtNotifyChangeSession_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0107h + jmp NtNotifyChangeSession_Epilogue +NtNotifyChangeSession_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 010ah + jmp NtNotifyChangeSession_Epilogue +NtNotifyChangeSession_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 010ch + jmp NtNotifyChangeSession_Epilogue +NtNotifyChangeSession_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0110h + jmp NtNotifyChangeSession_Epilogue +NtNotifyChangeSession_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0112h + jmp NtNotifyChangeSession_Epilogue +NtNotifyChangeSession_SystemCall_10_0_17134: ; Windows 
10.0.17134 (1803) + mov eax, 0114h + jmp NtNotifyChangeSession_Epilogue +NtNotifyChangeSession_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0115h + jmp NtNotifyChangeSession_Epilogue +NtNotifyChangeSession_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0116h + jmp NtNotifyChangeSession_Epilogue +NtNotifyChangeSession_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0116h + jmp NtNotifyChangeSession_Epilogue +NtNotifyChangeSession_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtNotifyChangeSession_Epilogue: + mov r10, rcx + syscall + ret +NtNotifyChangeSession ENDP + +NtOpenDirectoryObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenDirectoryObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtOpenDirectoryObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtOpenDirectoryObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenDirectoryObject_Check_10_0_XXXX + jmp NtOpenDirectoryObject_SystemCall_Unknown +NtOpenDirectoryObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtOpenDirectoryObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenDirectoryObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenDirectoryObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenDirectoryObject_SystemCall_6_3_XXXX + jmp NtOpenDirectoryObject_SystemCall_Unknown +NtOpenDirectoryObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtOpenDirectoryObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenDirectoryObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenDirectoryObject_SystemCall_6_0_6002 + jmp NtOpenDirectoryObject_SystemCall_Unknown +NtOpenDirectoryObject_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtOpenDirectoryObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenDirectoryObject_SystemCall_6_1_7601 + jmp NtOpenDirectoryObject_SystemCall_Unknown +NtOpenDirectoryObject_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtOpenDirectoryObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenDirectoryObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenDirectoryObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenDirectoryObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenDirectoryObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenDirectoryObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenDirectoryObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenDirectoryObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenDirectoryObject_SystemCall_10_0_18363 + jmp NtOpenDirectoryObject_SystemCall_Unknown +NtOpenDirectoryObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0055h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0055h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0055h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0055h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0055h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0055h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0056h + jmp NtOpenDirectoryObject_Epilogue 
+NtOpenDirectoryObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0057h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0058h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0058h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0058h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0058h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0058h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0058h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0058h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0058h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0058h + jmp NtOpenDirectoryObject_Epilogue +NtOpenDirectoryObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenDirectoryObject_Epilogue: + mov r10, rcx + syscall + ret +NtOpenDirectoryObject ENDP + +NtOpenEnlistment PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenEnlistment_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtOpenEnlistment_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenEnlistment_Check_10_0_XXXX + jmp NtOpenEnlistment_SystemCall_Unknown +NtOpenEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtOpenEnlistment_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenEnlistment_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenEnlistment_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenEnlistment_SystemCall_6_3_XXXX + jmp NtOpenEnlistment_SystemCall_Unknown +NtOpenEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtOpenEnlistment_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenEnlistment_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenEnlistment_SystemCall_6_0_6002 + jmp NtOpenEnlistment_SystemCall_Unknown +NtOpenEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenEnlistment_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenEnlistment_SystemCall_6_1_7601 + jmp NtOpenEnlistment_SystemCall_Unknown +NtOpenEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtOpenEnlistment_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenEnlistment_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenEnlistment_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenEnlistment_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenEnlistment_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenEnlistment_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenEnlistment_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenEnlistment_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenEnlistment_SystemCall_10_0_18363 + jmp NtOpenEnlistment_SystemCall_Unknown +NtOpenEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00eeh + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00eah + jmp NtOpenEnlistment_Epilogue 
+NtOpenEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00eah + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00eeh + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00eeh + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0100h + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0103h + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0108h + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 010bh + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 010dh + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0111h + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0113h + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0115h + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0116h + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0117h + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0117h + jmp NtOpenEnlistment_Epilogue +NtOpenEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenEnlistment_Epilogue: + mov r10, rcx + syscall + ret +NtOpenEnlistment ENDP + +NtOpenEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenEvent_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtOpenEvent_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtOpenEvent_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenEvent_Check_10_0_XXXX + jmp NtOpenEvent_SystemCall_Unknown +NtOpenEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtOpenEvent_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenEvent_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenEvent_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenEvent_SystemCall_6_3_XXXX + jmp NtOpenEvent_SystemCall_Unknown +NtOpenEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtOpenEvent_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenEvent_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenEvent_SystemCall_6_0_6002 + jmp NtOpenEvent_SystemCall_Unknown +NtOpenEvent_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenEvent_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenEvent_SystemCall_6_1_7601 + jmp NtOpenEvent_SystemCall_Unknown +NtOpenEvent_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtOpenEvent_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenEvent_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenEvent_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenEvent_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenEvent_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenEvent_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenEvent_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenEvent_SystemCall_10_0_18363 + jmp NtOpenEvent_SystemCall_Unknown +NtOpenEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 003dh + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 003dh + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 003dh + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 003dh + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 003dh + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 003dh + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 003eh + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 003fh + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0040h + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0040h + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0040h + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0040h + jmp NtOpenEvent_Epilogue 
+NtOpenEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0040h + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0040h + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0040h + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0040h + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0040h + jmp NtOpenEvent_Epilogue +NtOpenEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenEvent_Epilogue: + mov r10, rcx + syscall + ret +NtOpenEvent ENDP + +NtOpenEventPair PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenEventPair_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtOpenEventPair_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtOpenEventPair_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenEventPair_Check_10_0_XXXX + jmp NtOpenEventPair_SystemCall_Unknown +NtOpenEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtOpenEventPair_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenEventPair_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenEventPair_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenEventPair_SystemCall_6_3_XXXX + jmp NtOpenEventPair_SystemCall_Unknown +NtOpenEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtOpenEventPair_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenEventPair_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenEventPair_SystemCall_6_0_6002 + jmp NtOpenEventPair_SystemCall_Unknown +NtOpenEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtOpenEventPair_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenEventPair_SystemCall_6_1_7601 + jmp NtOpenEventPair_SystemCall_Unknown +NtOpenEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtOpenEventPair_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenEventPair_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenEventPair_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenEventPair_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenEventPair_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenEventPair_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenEventPair_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenEventPair_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenEventPair_SystemCall_10_0_18363 + jmp NtOpenEventPair_SystemCall_Unknown +NtOpenEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00b8h + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00efh + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00ebh + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00ebh + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00efh + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00efh + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0101h + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0104h + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + 
mov eax, 0109h + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 010ch + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 010eh + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0112h + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0114h + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0116h + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0117h + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0118h + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0118h + jmp NtOpenEventPair_Epilogue +NtOpenEventPair_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenEventPair_Epilogue: + mov r10, rcx + syscall + ret +NtOpenEventPair ENDP + +NtOpenFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtOpenFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtOpenFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenFile_Check_10_0_XXXX + jmp NtOpenFile_SystemCall_Unknown +NtOpenFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtOpenFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenFile_SystemCall_6_3_XXXX + jmp NtOpenFile_SystemCall_Unknown +NtOpenFile_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtOpenFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenFile_SystemCall_6_0_6002 + jmp NtOpenFile_SystemCall_Unknown +NtOpenFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenFile_SystemCall_6_1_7601 + jmp NtOpenFile_SystemCall_Unknown +NtOpenFile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtOpenFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenFile_SystemCall_10_0_18363 + jmp NtOpenFile_SystemCall_Unknown +NtOpenFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0030h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0030h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0030h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0030h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0030h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0030h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0031h + jmp NtOpenFile_Epilogue 
+NtOpenFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0032h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0033h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0033h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0033h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0033h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0033h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0033h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0033h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0033h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0033h + jmp NtOpenFile_Epilogue +NtOpenFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenFile_Epilogue: + mov r10, rcx + syscall + ret +NtOpenFile ENDP + +NtOpenIoCompletion PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenIoCompletion_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtOpenIoCompletion_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtOpenIoCompletion_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenIoCompletion_Check_10_0_XXXX + jmp NtOpenIoCompletion_SystemCall_Unknown +NtOpenIoCompletion_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtOpenIoCompletion_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenIoCompletion_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenIoCompletion_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenIoCompletion_SystemCall_6_3_XXXX + jmp NtOpenIoCompletion_SystemCall_Unknown +NtOpenIoCompletion_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtOpenIoCompletion_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenIoCompletion_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenIoCompletion_SystemCall_6_0_6002 + jmp NtOpenIoCompletion_SystemCall_Unknown +NtOpenIoCompletion_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenIoCompletion_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenIoCompletion_SystemCall_6_1_7601 + jmp NtOpenIoCompletion_SystemCall_Unknown +NtOpenIoCompletion_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtOpenIoCompletion_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenIoCompletion_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenIoCompletion_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenIoCompletion_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenIoCompletion_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenIoCompletion_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenIoCompletion_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenIoCompletion_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenIoCompletion_SystemCall_10_0_18363 + jmp NtOpenIoCompletion_SystemCall_Unknown +NtOpenIoCompletion_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00b9h + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00f0h + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00ech + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00ech + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00f0h + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00f0h + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0102h + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0105h + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 010ah + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 010dh + jmp NtOpenIoCompletion_Epilogue 
+NtOpenIoCompletion_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 010fh + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0113h + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0115h + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0117h + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0118h + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0119h + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0119h + jmp NtOpenIoCompletion_Epilogue +NtOpenIoCompletion_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenIoCompletion_Epilogue: + mov r10, rcx + syscall + ret +NtOpenIoCompletion ENDP + +NtOpenJobObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenJobObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtOpenJobObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtOpenJobObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenJobObject_Check_10_0_XXXX + jmp NtOpenJobObject_SystemCall_Unknown +NtOpenJobObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtOpenJobObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenJobObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenJobObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenJobObject_SystemCall_6_3_XXXX + jmp NtOpenJobObject_SystemCall_Unknown +NtOpenJobObject_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtOpenJobObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenJobObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenJobObject_SystemCall_6_0_6002 + jmp NtOpenJobObject_SystemCall_Unknown +NtOpenJobObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenJobObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenJobObject_SystemCall_6_1_7601 + jmp NtOpenJobObject_SystemCall_Unknown +NtOpenJobObject_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtOpenJobObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenJobObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenJobObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenJobObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenJobObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenJobObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenJobObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenJobObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenJobObject_SystemCall_10_0_18363 + jmp NtOpenJobObject_SystemCall_Unknown +NtOpenJobObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00bah + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00f1h + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00edh + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00edh + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00f1h + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00f1h + 
jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0103h + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0106h + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 010bh + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 010eh + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0110h + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0114h + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0116h + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0118h + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0119h + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 011ah + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 011ah + jmp NtOpenJobObject_Epilogue +NtOpenJobObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenJobObject_Epilogue: + mov r10, rcx + syscall + ret +NtOpenJobObject ENDP + +NtOpenKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtOpenKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtOpenKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenKey_Check_10_0_XXXX + jmp NtOpenKey_SystemCall_Unknown +NtOpenKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtOpenKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenKey_SystemCall_6_3_XXXX + jmp NtOpenKey_SystemCall_Unknown +NtOpenKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtOpenKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenKey_SystemCall_6_0_6002 + jmp NtOpenKey_SystemCall_Unknown +NtOpenKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenKey_SystemCall_6_1_7601 + jmp NtOpenKey_SystemCall_Unknown +NtOpenKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtOpenKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenKey_SystemCall_10_0_18363 + jmp NtOpenKey_SystemCall_Unknown +NtOpenKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 000fh + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 000fh + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 000fh + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 000fh + jmp NtOpenKey_Epilogue 
+NtOpenKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 000fh + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 000fh + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0010h + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0011h + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0012h + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0012h + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0012h + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0012h + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0012h + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0012h + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0012h + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0012h + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0012h + jmp NtOpenKey_Epilogue +NtOpenKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenKey_Epilogue: + mov r10, rcx + syscall + ret +NtOpenKey ENDP + +NtOpenKeyEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenKeyEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtOpenKeyEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenKeyEx_Check_10_0_XXXX + jmp NtOpenKeyEx_SystemCall_Unknown +NtOpenKeyEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 1 + je NtOpenKeyEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenKeyEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenKeyEx_SystemCall_6_3_XXXX + jmp NtOpenKeyEx_SystemCall_Unknown +NtOpenKeyEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenKeyEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenKeyEx_SystemCall_6_1_7601 + jmp NtOpenKeyEx_SystemCall_Unknown +NtOpenKeyEx_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtOpenKeyEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenKeyEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenKeyEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenKeyEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenKeyEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenKeyEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenKeyEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenKeyEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenKeyEx_SystemCall_10_0_18363 + jmp NtOpenKeyEx_SystemCall_Unknown +NtOpenKeyEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00f2h + jmp NtOpenKeyEx_Epilogue +NtOpenKeyEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00f2h + jmp NtOpenKeyEx_Epilogue +NtOpenKeyEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0104h + jmp NtOpenKeyEx_Epilogue +NtOpenKeyEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0107h + jmp NtOpenKeyEx_Epilogue +NtOpenKeyEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 010ch + jmp NtOpenKeyEx_Epilogue +NtOpenKeyEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 010fh + jmp NtOpenKeyEx_Epilogue +NtOpenKeyEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0111h + jmp NtOpenKeyEx_Epilogue 
+NtOpenKeyEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0115h + jmp NtOpenKeyEx_Epilogue +NtOpenKeyEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0117h + jmp NtOpenKeyEx_Epilogue +NtOpenKeyEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0119h + jmp NtOpenKeyEx_Epilogue +NtOpenKeyEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 011ah + jmp NtOpenKeyEx_Epilogue +NtOpenKeyEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 011bh + jmp NtOpenKeyEx_Epilogue +NtOpenKeyEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 011bh + jmp NtOpenKeyEx_Epilogue +NtOpenKeyEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenKeyEx_Epilogue: + mov r10, rcx + syscall + ret +NtOpenKeyEx ENDP + +NtOpenKeyTransacted PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenKeyTransacted_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtOpenKeyTransacted_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenKeyTransacted_Check_10_0_XXXX + jmp NtOpenKeyTransacted_SystemCall_Unknown +NtOpenKeyTransacted_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtOpenKeyTransacted_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenKeyTransacted_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenKeyTransacted_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenKeyTransacted_SystemCall_6_3_XXXX + jmp NtOpenKeyTransacted_SystemCall_Unknown +NtOpenKeyTransacted_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtOpenKeyTransacted_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenKeyTransacted_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenKeyTransacted_SystemCall_6_0_6002 + jmp NtOpenKeyTransacted_SystemCall_Unknown +NtOpenKeyTransacted_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtOpenKeyTransacted_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenKeyTransacted_SystemCall_6_1_7601 + jmp NtOpenKeyTransacted_SystemCall_Unknown +NtOpenKeyTransacted_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtOpenKeyTransacted_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenKeyTransacted_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenKeyTransacted_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenKeyTransacted_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenKeyTransacted_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenKeyTransacted_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenKeyTransacted_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenKeyTransacted_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenKeyTransacted_SystemCall_10_0_18363 + jmp NtOpenKeyTransacted_SystemCall_Unknown +NtOpenKeyTransacted_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00f2h + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00eeh + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00eeh + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00f3h + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00f3h + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0105h + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0108h + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + 
mov eax, 010dh + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0110h + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0112h + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0116h + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0118h + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 011ah + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 011bh + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 011ch + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 011ch + jmp NtOpenKeyTransacted_Epilogue +NtOpenKeyTransacted_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenKeyTransacted_Epilogue: + mov r10, rcx + syscall + ret +NtOpenKeyTransacted ENDP + +NtOpenKeyTransactedEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenKeyTransactedEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtOpenKeyTransactedEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenKeyTransactedEx_Check_10_0_XXXX + jmp NtOpenKeyTransactedEx_SystemCall_Unknown +NtOpenKeyTransactedEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 1 + je NtOpenKeyTransactedEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenKeyTransactedEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenKeyTransactedEx_SystemCall_6_3_XXXX + jmp NtOpenKeyTransactedEx_SystemCall_Unknown +NtOpenKeyTransactedEx_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtOpenKeyTransactedEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenKeyTransactedEx_SystemCall_6_1_7601 + jmp NtOpenKeyTransactedEx_SystemCall_Unknown +NtOpenKeyTransactedEx_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtOpenKeyTransactedEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenKeyTransactedEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenKeyTransactedEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenKeyTransactedEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenKeyTransactedEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenKeyTransactedEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenKeyTransactedEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenKeyTransactedEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenKeyTransactedEx_SystemCall_10_0_18363 + jmp NtOpenKeyTransactedEx_SystemCall_Unknown +NtOpenKeyTransactedEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00f4h + jmp NtOpenKeyTransactedEx_Epilogue +NtOpenKeyTransactedEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00f4h + jmp NtOpenKeyTransactedEx_Epilogue +NtOpenKeyTransactedEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0106h + jmp NtOpenKeyTransactedEx_Epilogue +NtOpenKeyTransactedEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0109h + jmp NtOpenKeyTransactedEx_Epilogue +NtOpenKeyTransactedEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 010eh + jmp NtOpenKeyTransactedEx_Epilogue +NtOpenKeyTransactedEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0111h + jmp NtOpenKeyTransactedEx_Epilogue +NtOpenKeyTransactedEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0113h + jmp NtOpenKeyTransactedEx_Epilogue 
+NtOpenKeyTransactedEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0117h + jmp NtOpenKeyTransactedEx_Epilogue +NtOpenKeyTransactedEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0119h + jmp NtOpenKeyTransactedEx_Epilogue +NtOpenKeyTransactedEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 011bh + jmp NtOpenKeyTransactedEx_Epilogue +NtOpenKeyTransactedEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 011ch + jmp NtOpenKeyTransactedEx_Epilogue +NtOpenKeyTransactedEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 011dh + jmp NtOpenKeyTransactedEx_Epilogue +NtOpenKeyTransactedEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 011dh + jmp NtOpenKeyTransactedEx_Epilogue +NtOpenKeyTransactedEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenKeyTransactedEx_Epilogue: + mov r10, rcx + syscall + ret +NtOpenKeyTransactedEx ENDP + +NtOpenKeyedEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenKeyedEvent_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtOpenKeyedEvent_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtOpenKeyedEvent_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenKeyedEvent_Check_10_0_XXXX + jmp NtOpenKeyedEvent_SystemCall_Unknown +NtOpenKeyedEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtOpenKeyedEvent_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenKeyedEvent_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenKeyedEvent_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenKeyedEvent_SystemCall_6_3_XXXX + jmp NtOpenKeyedEvent_SystemCall_Unknown +NtOpenKeyedEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtOpenKeyedEvent_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenKeyedEvent_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenKeyedEvent_SystemCall_6_0_6002 + jmp NtOpenKeyedEvent_SystemCall_Unknown +NtOpenKeyedEvent_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenKeyedEvent_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenKeyedEvent_SystemCall_6_1_7601 + jmp NtOpenKeyedEvent_SystemCall_Unknown +NtOpenKeyedEvent_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtOpenKeyedEvent_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenKeyedEvent_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenKeyedEvent_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenKeyedEvent_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenKeyedEvent_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenKeyedEvent_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenKeyedEvent_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenKeyedEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenKeyedEvent_SystemCall_10_0_18363 + jmp NtOpenKeyedEvent_SystemCall_Unknown +NtOpenKeyedEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00bbh + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00f3h + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00efh + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00efh + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00f5h + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 
2008 R2 SP0 + mov eax, 00f5h + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0107h + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 010ah + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 010fh + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0112h + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0114h + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0118h + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 011ah + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 011ch + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 011dh + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 011eh + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 011eh + jmp NtOpenKeyedEvent_Epilogue +NtOpenKeyedEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenKeyedEvent_Epilogue: + mov r10, rcx + syscall + ret +NtOpenKeyedEvent ENDP + +NtOpenMutant PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenMutant_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtOpenMutant_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtOpenMutant_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenMutant_Check_10_0_XXXX + jmp NtOpenMutant_SystemCall_Unknown +NtOpenMutant_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtOpenMutant_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenMutant_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenMutant_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenMutant_SystemCall_6_3_XXXX + jmp NtOpenMutant_SystemCall_Unknown +NtOpenMutant_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtOpenMutant_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenMutant_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenMutant_SystemCall_6_0_6002 + jmp NtOpenMutant_SystemCall_Unknown +NtOpenMutant_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenMutant_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenMutant_SystemCall_6_1_7601 + jmp NtOpenMutant_SystemCall_Unknown +NtOpenMutant_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtOpenMutant_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenMutant_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenMutant_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenMutant_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenMutant_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenMutant_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenMutant_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenMutant_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenMutant_SystemCall_10_0_18363 + jmp NtOpenMutant_SystemCall_Unknown +NtOpenMutant_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00bch + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00f4h + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00f0h + jmp NtOpenMutant_Epilogue 
+NtOpenMutant_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00f0h + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00f6h + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00f6h + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0108h + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 010bh + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0110h + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0113h + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0115h + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0119h + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 011bh + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 011dh + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 011eh + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 011fh + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 011fh + jmp NtOpenMutant_Epilogue +NtOpenMutant_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenMutant_Epilogue: + mov r10, rcx + syscall + ret +NtOpenMutant ENDP + +NtOpenObjectAuditAlarm PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenObjectAuditAlarm_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtOpenObjectAuditAlarm_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtOpenObjectAuditAlarm_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenObjectAuditAlarm_Check_10_0_XXXX + jmp NtOpenObjectAuditAlarm_SystemCall_Unknown +NtOpenObjectAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtOpenObjectAuditAlarm_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenObjectAuditAlarm_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenObjectAuditAlarm_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenObjectAuditAlarm_SystemCall_6_3_XXXX + jmp NtOpenObjectAuditAlarm_SystemCall_Unknown +NtOpenObjectAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtOpenObjectAuditAlarm_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenObjectAuditAlarm_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenObjectAuditAlarm_SystemCall_6_0_6002 + jmp NtOpenObjectAuditAlarm_SystemCall_Unknown +NtOpenObjectAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenObjectAuditAlarm_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenObjectAuditAlarm_SystemCall_6_1_7601 + jmp NtOpenObjectAuditAlarm_SystemCall_Unknown +NtOpenObjectAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtOpenObjectAuditAlarm_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenObjectAuditAlarm_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenObjectAuditAlarm_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenObjectAuditAlarm_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenObjectAuditAlarm_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenObjectAuditAlarm_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenObjectAuditAlarm_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenObjectAuditAlarm_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenObjectAuditAlarm_SystemCall_10_0_18363 + jmp NtOpenObjectAuditAlarm_SystemCall_Unknown +NtOpenObjectAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00bdh + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00f5h + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00f1h + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00f1h + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00f7h + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00f7h + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0109h + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 010ch + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0111h + jmp NtOpenObjectAuditAlarm_Epilogue 
+NtOpenObjectAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0114h + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0116h + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 011ah + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 011ch + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 011eh + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 011fh + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0120h + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0120h + jmp NtOpenObjectAuditAlarm_Epilogue +NtOpenObjectAuditAlarm_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenObjectAuditAlarm_Epilogue: + mov r10, rcx + syscall + ret +NtOpenObjectAuditAlarm ENDP + +NtOpenPartition PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenPartition_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtOpenPartition_Check_10_0_XXXX + jmp NtOpenPartition_SystemCall_Unknown +NtOpenPartition_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtOpenPartition_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenPartition_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenPartition_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenPartition_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenPartition_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenPartition_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenPartition_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenPartition_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenPartition_SystemCall_10_0_18363 + jmp NtOpenPartition_SystemCall_Unknown +NtOpenPartition_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0112h + jmp NtOpenPartition_Epilogue +NtOpenPartition_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0115h + jmp NtOpenPartition_Epilogue +NtOpenPartition_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0117h + jmp NtOpenPartition_Epilogue +NtOpenPartition_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 011bh + jmp NtOpenPartition_Epilogue +NtOpenPartition_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 011dh + jmp NtOpenPartition_Epilogue +NtOpenPartition_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 011fh + jmp NtOpenPartition_Epilogue +NtOpenPartition_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0120h + jmp NtOpenPartition_Epilogue +NtOpenPartition_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0121h + jmp NtOpenPartition_Epilogue +NtOpenPartition_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0121h + jmp NtOpenPartition_Epilogue +NtOpenPartition_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtOpenPartition_Epilogue: + mov r10, rcx + syscall + ret +NtOpenPartition ENDP + +NtOpenPrivateNamespace PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenPrivateNamespace_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtOpenPrivateNamespace_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenPrivateNamespace_Check_10_0_XXXX + jmp NtOpenPrivateNamespace_SystemCall_Unknown +NtOpenPrivateNamespace_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtOpenPrivateNamespace_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenPrivateNamespace_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenPrivateNamespace_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenPrivateNamespace_SystemCall_6_3_XXXX + jmp NtOpenPrivateNamespace_SystemCall_Unknown +NtOpenPrivateNamespace_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtOpenPrivateNamespace_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenPrivateNamespace_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenPrivateNamespace_SystemCall_6_0_6002 + jmp NtOpenPrivateNamespace_SystemCall_Unknown +NtOpenPrivateNamespace_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenPrivateNamespace_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenPrivateNamespace_SystemCall_6_1_7601 + jmp NtOpenPrivateNamespace_SystemCall_Unknown +NtOpenPrivateNamespace_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtOpenPrivateNamespace_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenPrivateNamespace_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenPrivateNamespace_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenPrivateNamespace_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenPrivateNamespace_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenPrivateNamespace_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenPrivateNamespace_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenPrivateNamespace_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenPrivateNamespace_SystemCall_10_0_18363 + jmp NtOpenPrivateNamespace_SystemCall_Unknown +NtOpenPrivateNamespace_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00f6h + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00f2h + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00f2h + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00f8h + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00f8h + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 010ah + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 010dh + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0113h + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0116h + jmp NtOpenPrivateNamespace_Epilogue 
+NtOpenPrivateNamespace_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0118h + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 011ch + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 011eh + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0120h + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0121h + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0122h + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0122h + jmp NtOpenPrivateNamespace_Epilogue +NtOpenPrivateNamespace_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenPrivateNamespace_Epilogue: + mov r10, rcx + syscall + ret +NtOpenPrivateNamespace ENDP + +NtOpenProcess PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenProcess_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtOpenProcess_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtOpenProcess_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenProcess_Check_10_0_XXXX + jmp NtOpenProcess_SystemCall_Unknown +NtOpenProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtOpenProcess_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenProcess_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenProcess_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenProcess_SystemCall_6_3_XXXX + jmp NtOpenProcess_SystemCall_Unknown +NtOpenProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtOpenProcess_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenProcess_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenProcess_SystemCall_6_0_6002 + jmp NtOpenProcess_SystemCall_Unknown +NtOpenProcess_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenProcess_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenProcess_SystemCall_6_1_7601 + jmp NtOpenProcess_SystemCall_Unknown +NtOpenProcess_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtOpenProcess_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenProcess_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenProcess_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenProcess_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenProcess_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenProcess_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenProcess_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenProcess_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenProcess_SystemCall_10_0_18363 + jmp NtOpenProcess_SystemCall_Unknown +NtOpenProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0023h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0023h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0023h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0023h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0023h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0023h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_6_2_XXXX: 
; Windows 8 and Server 2012 + mov eax, 0024h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0025h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0026h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0026h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0026h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0026h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0026h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0026h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0026h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0026h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0026h + jmp NtOpenProcess_Epilogue +NtOpenProcess_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenProcess_Epilogue: + mov r10, rcx + syscall + ret +NtOpenProcess ENDP + +NtOpenProcessToken PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenProcessToken_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtOpenProcessToken_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtOpenProcessToken_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenProcessToken_Check_10_0_XXXX + jmp NtOpenProcessToken_SystemCall_Unknown +NtOpenProcessToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtOpenProcessToken_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenProcessToken_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenProcessToken_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenProcessToken_SystemCall_6_3_XXXX + jmp NtOpenProcessToken_SystemCall_Unknown +NtOpenProcessToken_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtOpenProcessToken_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenProcessToken_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenProcessToken_SystemCall_6_0_6002 + jmp NtOpenProcessToken_SystemCall_Unknown +NtOpenProcessToken_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenProcessToken_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenProcessToken_SystemCall_6_1_7601 + jmp NtOpenProcessToken_SystemCall_Unknown +NtOpenProcessToken_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtOpenProcessToken_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenProcessToken_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenProcessToken_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenProcessToken_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenProcessToken_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenProcessToken_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenProcessToken_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenProcessToken_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenProcessToken_SystemCall_10_0_18363 + jmp NtOpenProcessToken_SystemCall_Unknown +NtOpenProcessToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00beh + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00f7h + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00f3h + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00f3h + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00f9h + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00f9h + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 010bh + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 010eh + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0114h + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0117h + jmp NtOpenProcessToken_Epilogue 
+NtOpenProcessToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0119h + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 011dh + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 011fh + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0121h + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0122h + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0123h + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0123h + jmp NtOpenProcessToken_Epilogue +NtOpenProcessToken_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenProcessToken_Epilogue: + mov r10, rcx + syscall + ret +NtOpenProcessToken ENDP + +NtOpenProcessTokenEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenProcessTokenEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtOpenProcessTokenEx_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtOpenProcessTokenEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenProcessTokenEx_Check_10_0_XXXX + jmp NtOpenProcessTokenEx_SystemCall_Unknown +NtOpenProcessTokenEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtOpenProcessTokenEx_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenProcessTokenEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenProcessTokenEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenProcessTokenEx_SystemCall_6_3_XXXX + jmp NtOpenProcessTokenEx_SystemCall_Unknown +NtOpenProcessTokenEx_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtOpenProcessTokenEx_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenProcessTokenEx_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenProcessTokenEx_SystemCall_6_0_6002 + jmp NtOpenProcessTokenEx_SystemCall_Unknown +NtOpenProcessTokenEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenProcessTokenEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenProcessTokenEx_SystemCall_6_1_7601 + jmp NtOpenProcessTokenEx_SystemCall_Unknown +NtOpenProcessTokenEx_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtOpenProcessTokenEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenProcessTokenEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenProcessTokenEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenProcessTokenEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenProcessTokenEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenProcessTokenEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenProcessTokenEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenProcessTokenEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenProcessTokenEx_SystemCall_10_0_18363 + jmp NtOpenProcessTokenEx_SystemCall_Unknown +NtOpenProcessTokenEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 002dh + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 002dh + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 002dh + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 002dh + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov 
eax, 002dh + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 002dh + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 002eh + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 002fh + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0030h + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0030h + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0030h + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0030h + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0030h + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0030h + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0030h + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0030h + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0030h + jmp NtOpenProcessTokenEx_Epilogue +NtOpenProcessTokenEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenProcessTokenEx_Epilogue: + mov r10, rcx + syscall + ret +NtOpenProcessTokenEx ENDP + +NtOpenRegistryTransaction PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenRegistryTransaction_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 10 + je NtOpenRegistryTransaction_Check_10_0_XXXX + jmp NtOpenRegistryTransaction_SystemCall_Unknown +NtOpenRegistryTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 14393 + je NtOpenRegistryTransaction_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenRegistryTransaction_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenRegistryTransaction_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenRegistryTransaction_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenRegistryTransaction_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenRegistryTransaction_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenRegistryTransaction_SystemCall_10_0_18363 + jmp NtOpenRegistryTransaction_SystemCall_Unknown +NtOpenRegistryTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 011ah + jmp NtOpenRegistryTransaction_Epilogue +NtOpenRegistryTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 011eh + jmp NtOpenRegistryTransaction_Epilogue +NtOpenRegistryTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0120h + jmp NtOpenRegistryTransaction_Epilogue +NtOpenRegistryTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0122h + jmp NtOpenRegistryTransaction_Epilogue +NtOpenRegistryTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0123h + jmp NtOpenRegistryTransaction_Epilogue +NtOpenRegistryTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0124h + jmp NtOpenRegistryTransaction_Epilogue +NtOpenRegistryTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0124h + jmp NtOpenRegistryTransaction_Epilogue +NtOpenRegistryTransaction_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtOpenRegistryTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtOpenRegistryTransaction ENDP + +NtOpenResourceManager PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenResourceManager_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtOpenResourceManager_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenResourceManager_Check_10_0_XXXX + jmp NtOpenResourceManager_SystemCall_Unknown +NtOpenResourceManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtOpenResourceManager_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenResourceManager_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenResourceManager_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenResourceManager_SystemCall_6_3_XXXX + jmp NtOpenResourceManager_SystemCall_Unknown +NtOpenResourceManager_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtOpenResourceManager_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenResourceManager_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenResourceManager_SystemCall_6_0_6002 + jmp NtOpenResourceManager_SystemCall_Unknown +NtOpenResourceManager_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenResourceManager_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenResourceManager_SystemCall_6_1_7601 + jmp NtOpenResourceManager_SystemCall_Unknown +NtOpenResourceManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtOpenResourceManager_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenResourceManager_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenResourceManager_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenResourceManager_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenResourceManager_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenResourceManager_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenResourceManager_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenResourceManager_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenResourceManager_SystemCall_10_0_18363 + jmp NtOpenResourceManager_SystemCall_Unknown +NtOpenResourceManager_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00f8h + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00f4h + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00f4h + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 00fah + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 00fah + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 010ch + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 010fh + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0115h + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0118h + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_10_0_14393: ; 
Windows 10.0.14393 (1607) + mov eax, 011bh + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 011fh + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0121h + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0123h + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0124h + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0125h + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0125h + jmp NtOpenResourceManager_Epilogue +NtOpenResourceManager_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenResourceManager_Epilogue: + mov r10, rcx + syscall + ret +NtOpenResourceManager ENDP + +NtOpenSection PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenSection_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtOpenSection_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtOpenSection_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenSection_Check_10_0_XXXX + jmp NtOpenSection_SystemCall_Unknown +NtOpenSection_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtOpenSection_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenSection_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenSection_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenSection_SystemCall_6_3_XXXX + jmp NtOpenSection_SystemCall_Unknown +NtOpenSection_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000
+ je NtOpenSection_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtOpenSection_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtOpenSection_SystemCall_6_0_6002
+ jmp NtOpenSection_SystemCall_Unknown
+NtOpenSection_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtOpenSection_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtOpenSection_SystemCall_6_1_7601
+ jmp NtOpenSection_SystemCall_Unknown
+NtOpenSection_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtOpenSection_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtOpenSection_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtOpenSection_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtOpenSection_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtOpenSection_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtOpenSection_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtOpenSection_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtOpenSection_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtOpenSection_SystemCall_10_0_18363
+ jmp NtOpenSection_SystemCall_Unknown
+NtOpenSection_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 0034h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 0034h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 0034h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 0034h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 0034h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 0034h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0035h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0036h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0037h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0037h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0037h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0037h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0037h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0037h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0037h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0037h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0037h
+ jmp NtOpenSection_Epilogue
+NtOpenSection_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtOpenSection_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtOpenSection ENDP
+
+NtOpenSemaphore PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtOpenSemaphore_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 5
+ je NtOpenSemaphore_SystemCall_5_X_XXXX
+ cmp dword ptr [rax+118h], 6
+ je NtOpenSemaphore_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtOpenSemaphore_Check_10_0_XXXX
+ jmp NtOpenSemaphore_SystemCall_Unknown
+NtOpenSemaphore_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtOpenSemaphore_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtOpenSemaphore_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtOpenSemaphore_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtOpenSemaphore_SystemCall_6_3_XXXX
+ jmp NtOpenSemaphore_SystemCall_Unknown
+NtOpenSemaphore_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtOpenSemaphore_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtOpenSemaphore_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtOpenSemaphore_SystemCall_6_0_6002
+ jmp NtOpenSemaphore_SystemCall_Unknown
+NtOpenSemaphore_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtOpenSemaphore_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtOpenSemaphore_SystemCall_6_1_7601
+ jmp NtOpenSemaphore_SystemCall_Unknown
+NtOpenSemaphore_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtOpenSemaphore_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtOpenSemaphore_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtOpenSemaphore_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtOpenSemaphore_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtOpenSemaphore_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtOpenSemaphore_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtOpenSemaphore_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtOpenSemaphore_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtOpenSemaphore_SystemCall_10_0_18363
+ jmp NtOpenSemaphore_SystemCall_Unknown
+NtOpenSemaphore_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 00bfh
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 00f9h
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 00f5h
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 00f5h
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 00fbh
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 00fbh
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 010dh
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0110h
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0116h
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0119h
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 011ch
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0120h
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0122h
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0124h
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0125h
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0126h
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0126h
+ jmp NtOpenSemaphore_Epilogue
+NtOpenSemaphore_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtOpenSemaphore_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtOpenSemaphore ENDP
+
+NtOpenSession PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtOpenSession_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtOpenSession_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtOpenSession_Check_10_0_XXXX
+ jmp NtOpenSession_SystemCall_Unknown
+NtOpenSession_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtOpenSession_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtOpenSession_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtOpenSession_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtOpenSession_SystemCall_6_3_XXXX
+ jmp NtOpenSession_SystemCall_Unknown
+NtOpenSession_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtOpenSession_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtOpenSession_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtOpenSession_SystemCall_6_0_6002
+ jmp NtOpenSession_SystemCall_Unknown
+NtOpenSession_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtOpenSession_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtOpenSession_SystemCall_6_1_7601
+ jmp NtOpenSession_SystemCall_Unknown
+NtOpenSession_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtOpenSession_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtOpenSession_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtOpenSession_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtOpenSession_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtOpenSession_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtOpenSession_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtOpenSession_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtOpenSession_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtOpenSession_SystemCall_10_0_18363
+ jmp NtOpenSession_SystemCall_Unknown
+NtOpenSession_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 00fah
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 00f6h
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 00f6h
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 00fch
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 00fch
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 010eh
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0111h
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0117h
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 011ah
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 011dh
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0121h
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0123h
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0125h
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0126h
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0127h
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0127h
+ jmp NtOpenSession_Epilogue
+NtOpenSession_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtOpenSession_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtOpenSession ENDP
+
+NtOpenSymbolicLinkObject PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtOpenSymbolicLinkObject_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 5
+ je NtOpenSymbolicLinkObject_SystemCall_5_X_XXXX
+ cmp dword ptr [rax+118h], 6
+ je NtOpenSymbolicLinkObject_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtOpenSymbolicLinkObject_Check_10_0_XXXX
+ jmp NtOpenSymbolicLinkObject_SystemCall_Unknown
+NtOpenSymbolicLinkObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtOpenSymbolicLinkObject_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtOpenSymbolicLinkObject_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtOpenSymbolicLinkObject_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtOpenSymbolicLinkObject_SystemCall_6_3_XXXX
+ jmp NtOpenSymbolicLinkObject_SystemCall_Unknown
+NtOpenSymbolicLinkObject_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtOpenSymbolicLinkObject_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtOpenSymbolicLinkObject_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtOpenSymbolicLinkObject_SystemCall_6_0_6002
+ jmp NtOpenSymbolicLinkObject_SystemCall_Unknown
+NtOpenSymbolicLinkObject_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtOpenSymbolicLinkObject_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtOpenSymbolicLinkObject_SystemCall_6_1_7601
+ jmp NtOpenSymbolicLinkObject_SystemCall_Unknown
+NtOpenSymbolicLinkObject_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtOpenSymbolicLinkObject_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtOpenSymbolicLinkObject_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtOpenSymbolicLinkObject_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtOpenSymbolicLinkObject_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtOpenSymbolicLinkObject_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtOpenSymbolicLinkObject_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtOpenSymbolicLinkObject_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtOpenSymbolicLinkObject_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtOpenSymbolicLinkObject_SystemCall_10_0_18363
+ jmp NtOpenSymbolicLinkObject_SystemCall_Unknown
+NtOpenSymbolicLinkObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 00c0h
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 00fbh
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 00f7h
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 00f7h
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 00fdh
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 00fdh
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 010fh
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0112h
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0118h
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 011bh
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 011eh
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0122h
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0124h
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0126h
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0127h
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0128h
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0128h
+ jmp NtOpenSymbolicLinkObject_Epilogue
+NtOpenSymbolicLinkObject_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtOpenSymbolicLinkObject_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtOpenSymbolicLinkObject ENDP
+
+NtOpenThread PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtOpenThread_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 5
+ je NtOpenThread_SystemCall_5_X_XXXX
+ cmp dword ptr [rax+118h], 6
+ je NtOpenThread_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtOpenThread_Check_10_0_XXXX
+ jmp NtOpenThread_SystemCall_Unknown
+NtOpenThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtOpenThread_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtOpenThread_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtOpenThread_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtOpenThread_SystemCall_6_3_XXXX
+ jmp NtOpenThread_SystemCall_Unknown
+NtOpenThread_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtOpenThread_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtOpenThread_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtOpenThread_SystemCall_6_0_6002
+ jmp NtOpenThread_SystemCall_Unknown
+NtOpenThread_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtOpenThread_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtOpenThread_SystemCall_6_1_7601
+ jmp NtOpenThread_SystemCall_Unknown
+NtOpenThread_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtOpenThread_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtOpenThread_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtOpenThread_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtOpenThread_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtOpenThread_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtOpenThread_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtOpenThread_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtOpenThread_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtOpenThread_SystemCall_10_0_18363
+ jmp NtOpenThread_SystemCall_Unknown
+NtOpenThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 00c1h
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 00fch
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 00f8h
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 00f8h
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 00feh
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 00feh
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0110h
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0113h
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0119h
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 011ch
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 011fh
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0123h
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0125h
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0127h
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0128h
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0129h
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0129h
+ jmp NtOpenThread_Epilogue
+NtOpenThread_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtOpenThread_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtOpenThread ENDP
+
+NtOpenThreadToken PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtOpenThreadToken_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 5
+ je NtOpenThreadToken_SystemCall_5_X_XXXX
+ cmp dword ptr [rax+118h], 6
+ je NtOpenThreadToken_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtOpenThreadToken_Check_10_0_XXXX
+ jmp NtOpenThreadToken_SystemCall_Unknown
+NtOpenThreadToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtOpenThreadToken_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtOpenThreadToken_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtOpenThreadToken_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtOpenThreadToken_SystemCall_6_3_XXXX
+ jmp NtOpenThreadToken_SystemCall_Unknown
+NtOpenThreadToken_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtOpenThreadToken_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtOpenThreadToken_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtOpenThreadToken_SystemCall_6_0_6002
+ jmp NtOpenThreadToken_SystemCall_Unknown
+NtOpenThreadToken_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtOpenThreadToken_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtOpenThreadToken_SystemCall_6_1_7601
+ jmp NtOpenThreadToken_SystemCall_Unknown
+NtOpenThreadToken_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtOpenThreadToken_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtOpenThreadToken_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtOpenThreadToken_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtOpenThreadToken_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtOpenThreadToken_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtOpenThreadToken_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtOpenThreadToken_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtOpenThreadToken_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtOpenThreadToken_SystemCall_10_0_18363
+ jmp NtOpenThreadToken_SystemCall_Unknown
+NtOpenThreadToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 0021h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 0021h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 0021h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 0021h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 0021h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 0021h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0022h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0023h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0024h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0024h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0024h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0024h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0024h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0024h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0024h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0024h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0024h
+ jmp NtOpenThreadToken_Epilogue
+NtOpenThreadToken_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtOpenThreadToken_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtOpenThreadToken ENDP
+
+NtOpenThreadTokenEx PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtOpenThreadTokenEx_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 5
+ je NtOpenThreadTokenEx_SystemCall_5_X_XXXX
+ cmp dword ptr [rax+118h], 6
+ je NtOpenThreadTokenEx_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtOpenThreadTokenEx_Check_10_0_XXXX
+ jmp NtOpenThreadTokenEx_SystemCall_Unknown
+NtOpenThreadTokenEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtOpenThreadTokenEx_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtOpenThreadTokenEx_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtOpenThreadTokenEx_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtOpenThreadTokenEx_SystemCall_6_3_XXXX
+ jmp NtOpenThreadTokenEx_SystemCall_Unknown
+NtOpenThreadTokenEx_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtOpenThreadTokenEx_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtOpenThreadTokenEx_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtOpenThreadTokenEx_SystemCall_6_0_6002
+ jmp NtOpenThreadTokenEx_SystemCall_Unknown
+NtOpenThreadTokenEx_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtOpenThreadTokenEx_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtOpenThreadTokenEx_SystemCall_6_1_7601
+ jmp NtOpenThreadTokenEx_SystemCall_Unknown
+NtOpenThreadTokenEx_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtOpenThreadTokenEx_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtOpenThreadTokenEx_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtOpenThreadTokenEx_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtOpenThreadTokenEx_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtOpenThreadTokenEx_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtOpenThreadTokenEx_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtOpenThreadTokenEx_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtOpenThreadTokenEx_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtOpenThreadTokenEx_SystemCall_10_0_18363
+ jmp NtOpenThreadTokenEx_SystemCall_Unknown
+NtOpenThreadTokenEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 002ch
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 002ch
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 002ch
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 002ch
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 002ch
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 002ch
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 002dh
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 002eh
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 002fh
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 002fh
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 002fh
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 002fh
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 002fh
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 002fh
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 002fh
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 002fh
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 002fh
+ jmp NtOpenThreadTokenEx_Epilogue
+NtOpenThreadTokenEx_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtOpenThreadTokenEx_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtOpenThreadTokenEx ENDP
+
+NtOpenTimer PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtOpenTimer_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 5
+ je NtOpenTimer_SystemCall_5_X_XXXX
+ cmp dword ptr [rax+118h], 6
+ je NtOpenTimer_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtOpenTimer_Check_10_0_XXXX
+ jmp NtOpenTimer_SystemCall_Unknown
+NtOpenTimer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtOpenTimer_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtOpenTimer_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtOpenTimer_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtOpenTimer_SystemCall_6_3_XXXX
+ jmp NtOpenTimer_SystemCall_Unknown
+NtOpenTimer_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtOpenTimer_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtOpenTimer_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtOpenTimer_SystemCall_6_0_6002
+ jmp NtOpenTimer_SystemCall_Unknown
+NtOpenTimer_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtOpenTimer_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtOpenTimer_SystemCall_6_1_7601
+ jmp NtOpenTimer_SystemCall_Unknown
+NtOpenTimer_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtOpenTimer_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtOpenTimer_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtOpenTimer_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtOpenTimer_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtOpenTimer_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtOpenTimer_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtOpenTimer_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtOpenTimer_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtOpenTimer_SystemCall_10_0_18363
+ jmp NtOpenTimer_SystemCall_Unknown
+NtOpenTimer_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 00c2h
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 00fdh
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 00f9h
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 00f9h
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 00ffh
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 00ffh
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0111h
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0114h
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 011ah
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 011dh
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0120h
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0124h
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0126h
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0128h
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0129h
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 012ah
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 012ah
+ jmp NtOpenTimer_Epilogue
+NtOpenTimer_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtOpenTimer_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtOpenTimer ENDP
+
+NtOpenTransaction PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtOpenTransaction_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtOpenTransaction_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtOpenTransaction_Check_10_0_XXXX
+ jmp NtOpenTransaction_SystemCall_Unknown
+NtOpenTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0 + je NtOpenTransaction_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenTransaction_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenTransaction_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenTransaction_SystemCall_6_3_XXXX + jmp NtOpenTransaction_SystemCall_Unknown +NtOpenTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtOpenTransaction_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenTransaction_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenTransaction_SystemCall_6_0_6002 + jmp NtOpenTransaction_SystemCall_Unknown +NtOpenTransaction_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenTransaction_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenTransaction_SystemCall_6_1_7601 + jmp NtOpenTransaction_SystemCall_Unknown +NtOpenTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtOpenTransaction_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenTransaction_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenTransaction_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenTransaction_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenTransaction_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenTransaction_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenTransaction_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenTransaction_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenTransaction_SystemCall_10_0_18363 + jmp NtOpenTransaction_SystemCall_Unknown +NtOpenTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00feh + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00fah + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00fah + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0100h + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0100h + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0112h + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0115h + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 011bh + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 011eh + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0121h + jmp NtOpenTransaction_Epilogue 
+NtOpenTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0125h + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0127h + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0129h + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 012ah + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 012bh + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 012bh + jmp NtOpenTransaction_Epilogue +NtOpenTransaction_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtOpenTransaction ENDP + +NtOpenTransactionManager PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtOpenTransactionManager_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtOpenTransactionManager_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtOpenTransactionManager_Check_10_0_XXXX + jmp NtOpenTransactionManager_SystemCall_Unknown +NtOpenTransactionManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtOpenTransactionManager_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtOpenTransactionManager_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenTransactionManager_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtOpenTransactionManager_SystemCall_6_3_XXXX + jmp NtOpenTransactionManager_SystemCall_Unknown +NtOpenTransactionManager_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtOpenTransactionManager_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtOpenTransactionManager_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtOpenTransactionManager_SystemCall_6_0_6002 + jmp NtOpenTransactionManager_SystemCall_Unknown +NtOpenTransactionManager_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtOpenTransactionManager_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtOpenTransactionManager_SystemCall_6_1_7601 + jmp NtOpenTransactionManager_SystemCall_Unknown +NtOpenTransactionManager_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtOpenTransactionManager_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtOpenTransactionManager_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtOpenTransactionManager_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtOpenTransactionManager_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtOpenTransactionManager_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtOpenTransactionManager_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtOpenTransactionManager_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtOpenTransactionManager_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtOpenTransactionManager_SystemCall_10_0_18363 + jmp NtOpenTransactionManager_SystemCall_Unknown +NtOpenTransactionManager_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 00ffh + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00fbh + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00fbh + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0101h + jmp 
NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0101h + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0113h + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0116h + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 011ch + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 011fh + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0122h + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0126h + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0128h + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 012ah + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 012bh + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 012ch + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 012ch + jmp NtOpenTransactionManager_Epilogue +NtOpenTransactionManager_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtOpenTransactionManager_Epilogue: + mov r10, rcx + syscall + ret +NtOpenTransactionManager ENDP + +NtPlugPlayControl PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtPlugPlayControl_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtPlugPlayControl_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtPlugPlayControl_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtPlugPlayControl_Check_10_0_XXXX + jmp NtPlugPlayControl_SystemCall_Unknown +NtPlugPlayControl_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtPlugPlayControl_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtPlugPlayControl_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPlugPlayControl_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPlugPlayControl_SystemCall_6_3_XXXX + jmp NtPlugPlayControl_SystemCall_Unknown +NtPlugPlayControl_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtPlugPlayControl_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtPlugPlayControl_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtPlugPlayControl_SystemCall_6_0_6002 + jmp NtPlugPlayControl_SystemCall_Unknown +NtPlugPlayControl_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtPlugPlayControl_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtPlugPlayControl_SystemCall_6_1_7601 + jmp NtPlugPlayControl_SystemCall_Unknown +NtPlugPlayControl_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtPlugPlayControl_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtPlugPlayControl_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtPlugPlayControl_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtPlugPlayControl_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtPlugPlayControl_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtPlugPlayControl_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtPlugPlayControl_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtPlugPlayControl_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtPlugPlayControl_SystemCall_10_0_18363 + jmp NtPlugPlayControl_SystemCall_Unknown +NtPlugPlayControl_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00c3h + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0100h + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00fch + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00fch + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0102h + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0102h + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0114h + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0117h + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 011dh + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0120h + jmp NtPlugPlayControl_Epilogue 
+NtPlugPlayControl_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0123h + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0127h + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0129h + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 012bh + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 012ch + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 012dh + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 012dh + jmp NtPlugPlayControl_Epilogue +NtPlugPlayControl_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtPlugPlayControl_Epilogue: + mov r10, rcx + syscall + ret +NtPlugPlayControl ENDP + +NtPowerInformation PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtPowerInformation_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtPowerInformation_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtPowerInformation_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtPowerInformation_Check_10_0_XXXX + jmp NtPowerInformation_SystemCall_Unknown +NtPowerInformation_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtPowerInformation_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtPowerInformation_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPowerInformation_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPowerInformation_SystemCall_6_3_XXXX + jmp NtPowerInformation_SystemCall_Unknown +NtPowerInformation_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtPowerInformation_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtPowerInformation_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtPowerInformation_SystemCall_6_0_6002 + jmp NtPowerInformation_SystemCall_Unknown +NtPowerInformation_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtPowerInformation_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtPowerInformation_SystemCall_6_1_7601 + jmp NtPowerInformation_SystemCall_Unknown +NtPowerInformation_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtPowerInformation_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtPowerInformation_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtPowerInformation_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtPowerInformation_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtPowerInformation_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtPowerInformation_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtPowerInformation_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtPowerInformation_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtPowerInformation_SystemCall_10_0_18363 + jmp NtPowerInformation_SystemCall_Unknown +NtPowerInformation_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 005ch + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 005ch + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 005ch + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 005ch + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 005ch + jmp NtPowerInformation_Epilogue 
+NtPowerInformation_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 005ch + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 005dh + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 005eh + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 005fh + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 005fh + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 005fh + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 005fh + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 005fh + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 005fh + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 005fh + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 005fh + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 005fh + jmp NtPowerInformation_Epilogue +NtPowerInformation_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtPowerInformation_Epilogue: + mov r10, rcx + syscall + ret +NtPowerInformation ENDP + +NtPrePrepareComplete PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtPrePrepareComplete_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtPrePrepareComplete_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtPrePrepareComplete_Check_10_0_XXXX + jmp NtPrePrepareComplete_SystemCall_Unknown +NtPrePrepareComplete_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtPrePrepareComplete_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtPrePrepareComplete_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPrePrepareComplete_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPrePrepareComplete_SystemCall_6_3_XXXX + jmp NtPrePrepareComplete_SystemCall_Unknown +NtPrePrepareComplete_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtPrePrepareComplete_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtPrePrepareComplete_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtPrePrepareComplete_SystemCall_6_0_6002 + jmp NtPrePrepareComplete_SystemCall_Unknown +NtPrePrepareComplete_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtPrePrepareComplete_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtPrePrepareComplete_SystemCall_6_1_7601 + jmp NtPrePrepareComplete_SystemCall_Unknown +NtPrePrepareComplete_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtPrePrepareComplete_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtPrePrepareComplete_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtPrePrepareComplete_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtPrePrepareComplete_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtPrePrepareComplete_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtPrePrepareComplete_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtPrePrepareComplete_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtPrePrepareComplete_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtPrePrepareComplete_SystemCall_10_0_18363 + jmp NtPrePrepareComplete_SystemCall_Unknown +NtPrePrepareComplete_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0101h + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00fdh + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00fdh + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0103h + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0103h + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0115h + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0118h + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 011eh + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0121h + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + 
mov eax, 0124h + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0128h + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 012ah + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 012ch + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 012dh + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 012eh + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 012eh + jmp NtPrePrepareComplete_Epilogue +NtPrePrepareComplete_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtPrePrepareComplete_Epilogue: + mov r10, rcx + syscall + ret +NtPrePrepareComplete ENDP + +NtPrePrepareEnlistment PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtPrePrepareEnlistment_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtPrePrepareEnlistment_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtPrePrepareEnlistment_Check_10_0_XXXX + jmp NtPrePrepareEnlistment_SystemCall_Unknown +NtPrePrepareEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtPrePrepareEnlistment_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtPrePrepareEnlistment_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPrePrepareEnlistment_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPrePrepareEnlistment_SystemCall_6_3_XXXX + jmp NtPrePrepareEnlistment_SystemCall_Unknown +NtPrePrepareEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtPrePrepareEnlistment_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtPrePrepareEnlistment_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtPrePrepareEnlistment_SystemCall_6_0_6002 + jmp NtPrePrepareEnlistment_SystemCall_Unknown +NtPrePrepareEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtPrePrepareEnlistment_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtPrePrepareEnlistment_SystemCall_6_1_7601 + jmp NtPrePrepareEnlistment_SystemCall_Unknown +NtPrePrepareEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtPrePrepareEnlistment_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtPrePrepareEnlistment_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtPrePrepareEnlistment_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtPrePrepareEnlistment_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtPrePrepareEnlistment_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtPrePrepareEnlistment_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtPrePrepareEnlistment_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtPrePrepareEnlistment_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtPrePrepareEnlistment_SystemCall_10_0_18363 + jmp NtPrePrepareEnlistment_SystemCall_Unknown +NtPrePrepareEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0102h + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00feh + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00feh + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0104h + jmp NtPrePrepareEnlistment_Epilogue 
+NtPrePrepareEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0104h + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0116h + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0119h + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 011fh + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0122h + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0125h + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0129h + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 012bh + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 012dh + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 012eh + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 012fh + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 012fh + jmp NtPrePrepareEnlistment_Epilogue +NtPrePrepareEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtPrePrepareEnlistment_Epilogue: + mov r10, rcx + syscall + ret +NtPrePrepareEnlistment ENDP + +NtPrepareComplete PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtPrepareComplete_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtPrepareComplete_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtPrepareComplete_Check_10_0_XXXX + jmp NtPrepareComplete_SystemCall_Unknown +NtPrepareComplete_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtPrepareComplete_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtPrepareComplete_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPrepareComplete_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPrepareComplete_SystemCall_6_3_XXXX + jmp NtPrepareComplete_SystemCall_Unknown +NtPrepareComplete_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtPrepareComplete_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtPrepareComplete_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtPrepareComplete_SystemCall_6_0_6002 + jmp NtPrepareComplete_SystemCall_Unknown +NtPrepareComplete_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtPrepareComplete_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtPrepareComplete_SystemCall_6_1_7601 + jmp NtPrepareComplete_SystemCall_Unknown +NtPrepareComplete_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtPrepareComplete_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtPrepareComplete_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtPrepareComplete_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtPrepareComplete_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtPrepareComplete_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtPrepareComplete_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtPrepareComplete_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtPrepareComplete_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtPrepareComplete_SystemCall_10_0_18363 + jmp NtPrepareComplete_SystemCall_Unknown +NtPrepareComplete_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0103h + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 00ffh + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 00ffh + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0105h + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0105h + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0117h + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 011ah + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0120h + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0123h + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0126h + jmp NtPrepareComplete_Epilogue 
+NtPrepareComplete_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 012ah + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 012ch + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 012eh + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 012fh + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0130h + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0130h + jmp NtPrepareComplete_Epilogue +NtPrepareComplete_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtPrepareComplete_Epilogue: + mov r10, rcx + syscall + ret +NtPrepareComplete ENDP + +NtPrepareEnlistment PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtPrepareEnlistment_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtPrepareEnlistment_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtPrepareEnlistment_Check_10_0_XXXX + jmp NtPrepareEnlistment_SystemCall_Unknown +NtPrepareEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtPrepareEnlistment_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtPrepareEnlistment_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPrepareEnlistment_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPrepareEnlistment_SystemCall_6_3_XXXX + jmp NtPrepareEnlistment_SystemCall_Unknown +NtPrepareEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtPrepareEnlistment_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtPrepareEnlistment_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtPrepareEnlistment_SystemCall_6_0_6002 + jmp NtPrepareEnlistment_SystemCall_Unknown +NtPrepareEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtPrepareEnlistment_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtPrepareEnlistment_SystemCall_6_1_7601 + jmp NtPrepareEnlistment_SystemCall_Unknown +NtPrepareEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtPrepareEnlistment_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtPrepareEnlistment_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtPrepareEnlistment_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtPrepareEnlistment_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtPrepareEnlistment_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtPrepareEnlistment_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtPrepareEnlistment_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtPrepareEnlistment_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtPrepareEnlistment_SystemCall_10_0_18363 + jmp NtPrepareEnlistment_SystemCall_Unknown +NtPrepareEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0104h + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0100h + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0100h + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0106h + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0106h + jmp 
NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0118h + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 011bh + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0121h + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0124h + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0127h + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 012bh + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 012dh + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 012fh + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0130h + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0131h + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0131h + jmp NtPrepareEnlistment_Epilogue +NtPrepareEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtPrepareEnlistment_Epilogue: + mov r10, rcx + syscall + ret +NtPrepareEnlistment ENDP + +NtPrivilegeCheck PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtPrivilegeCheck_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtPrivilegeCheck_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtPrivilegeCheck_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtPrivilegeCheck_Check_10_0_XXXX + jmp NtPrivilegeCheck_SystemCall_Unknown +NtPrivilegeCheck_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtPrivilegeCheck_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtPrivilegeCheck_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPrivilegeCheck_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPrivilegeCheck_SystemCall_6_3_XXXX + jmp NtPrivilegeCheck_SystemCall_Unknown +NtPrivilegeCheck_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtPrivilegeCheck_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtPrivilegeCheck_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtPrivilegeCheck_SystemCall_6_0_6002 + jmp NtPrivilegeCheck_SystemCall_Unknown +NtPrivilegeCheck_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtPrivilegeCheck_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtPrivilegeCheck_SystemCall_6_1_7601 + jmp NtPrivilegeCheck_SystemCall_Unknown +NtPrivilegeCheck_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtPrivilegeCheck_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtPrivilegeCheck_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtPrivilegeCheck_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtPrivilegeCheck_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtPrivilegeCheck_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtPrivilegeCheck_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtPrivilegeCheck_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtPrivilegeCheck_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtPrivilegeCheck_SystemCall_10_0_18363 + jmp NtPrivilegeCheck_SystemCall_Unknown +NtPrivilegeCheck_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00c4h + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0105h + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0101h + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0101h + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0107h + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0107h + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0119h + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 011ch + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0122h + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0125h + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + 
mov eax, 0128h + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 012ch + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 012eh + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0130h + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0131h + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0132h + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0132h + jmp NtPrivilegeCheck_Epilogue +NtPrivilegeCheck_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtPrivilegeCheck_Epilogue: + mov r10, rcx + syscall + ret +NtPrivilegeCheck ENDP + +NtPrivilegeObjectAuditAlarm PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtPrivilegeObjectAuditAlarm_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtPrivilegeObjectAuditAlarm_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtPrivilegeObjectAuditAlarm_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtPrivilegeObjectAuditAlarm_Check_10_0_XXXX + jmp NtPrivilegeObjectAuditAlarm_SystemCall_Unknown +NtPrivilegeObjectAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtPrivilegeObjectAuditAlarm_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtPrivilegeObjectAuditAlarm_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPrivilegeObjectAuditAlarm_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPrivilegeObjectAuditAlarm_SystemCall_6_3_XXXX + jmp NtPrivilegeObjectAuditAlarm_SystemCall_Unknown +NtPrivilegeObjectAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtPrivilegeObjectAuditAlarm_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtPrivilegeObjectAuditAlarm_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtPrivilegeObjectAuditAlarm_SystemCall_6_0_6002 + jmp NtPrivilegeObjectAuditAlarm_SystemCall_Unknown +NtPrivilegeObjectAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtPrivilegeObjectAuditAlarm_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtPrivilegeObjectAuditAlarm_SystemCall_6_1_7601 + jmp NtPrivilegeObjectAuditAlarm_SystemCall_Unknown +NtPrivilegeObjectAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtPrivilegeObjectAuditAlarm_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtPrivilegeObjectAuditAlarm_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtPrivilegeObjectAuditAlarm_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtPrivilegeObjectAuditAlarm_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtPrivilegeObjectAuditAlarm_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtPrivilegeObjectAuditAlarm_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtPrivilegeObjectAuditAlarm_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtPrivilegeObjectAuditAlarm_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtPrivilegeObjectAuditAlarm_SystemCall_10_0_18363 + jmp NtPrivilegeObjectAuditAlarm_SystemCall_Unknown +NtPrivilegeObjectAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00c5h + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0106h + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0102h + jmp NtPrivilegeObjectAuditAlarm_Epilogue 
+NtPrivilegeObjectAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0102h + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0108h + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0108h + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 011ah + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 011dh + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0123h + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0126h + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0129h + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 012dh + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 012fh + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0131h + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0132h + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0133h + jmp NtPrivilegeObjectAuditAlarm_Epilogue +NtPrivilegeObjectAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0133h + jmp NtPrivilegeObjectAuditAlarm_Epilogue 
+NtPrivilegeObjectAuditAlarm_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtPrivilegeObjectAuditAlarm_Epilogue: + mov r10, rcx + syscall + ret +NtPrivilegeObjectAuditAlarm ENDP + +NtPrivilegedServiceAuditAlarm PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtPrivilegedServiceAuditAlarm_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtPrivilegedServiceAuditAlarm_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtPrivilegedServiceAuditAlarm_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtPrivilegedServiceAuditAlarm_Check_10_0_XXXX + jmp NtPrivilegedServiceAuditAlarm_SystemCall_Unknown +NtPrivilegedServiceAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtPrivilegedServiceAuditAlarm_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtPrivilegedServiceAuditAlarm_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPrivilegedServiceAuditAlarm_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPrivilegedServiceAuditAlarm_SystemCall_6_3_XXXX + jmp NtPrivilegedServiceAuditAlarm_SystemCall_Unknown +NtPrivilegedServiceAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtPrivilegedServiceAuditAlarm_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtPrivilegedServiceAuditAlarm_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtPrivilegedServiceAuditAlarm_SystemCall_6_0_6002 + jmp NtPrivilegedServiceAuditAlarm_SystemCall_Unknown +NtPrivilegedServiceAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtPrivilegedServiceAuditAlarm_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtPrivilegedServiceAuditAlarm_SystemCall_6_1_7601 + jmp NtPrivilegedServiceAuditAlarm_SystemCall_Unknown +NtPrivilegedServiceAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtPrivilegedServiceAuditAlarm_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtPrivilegedServiceAuditAlarm_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtPrivilegedServiceAuditAlarm_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtPrivilegedServiceAuditAlarm_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtPrivilegedServiceAuditAlarm_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtPrivilegedServiceAuditAlarm_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtPrivilegedServiceAuditAlarm_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtPrivilegedServiceAuditAlarm_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtPrivilegedServiceAuditAlarm_SystemCall_10_0_18363 + jmp NtPrivilegedServiceAuditAlarm_SystemCall_Unknown +NtPrivilegedServiceAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00c6h + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0107h + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0103h + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0103h + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0109h + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0109h + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 011bh + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 011eh + jmp 
NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0124h + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0127h + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 012ah + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 012eh + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0130h + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0132h + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0133h + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0134h + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0134h + jmp NtPrivilegedServiceAuditAlarm_Epilogue +NtPrivilegedServiceAuditAlarm_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtPrivilegedServiceAuditAlarm_Epilogue: + mov r10, rcx + syscall + ret +NtPrivilegedServiceAuditAlarm ENDP + +NtPropagationComplete PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtPropagationComplete_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtPropagationComplete_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtPropagationComplete_Check_10_0_XXXX + jmp NtPropagationComplete_SystemCall_Unknown +NtPropagationComplete_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtPropagationComplete_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtPropagationComplete_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPropagationComplete_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPropagationComplete_SystemCall_6_3_XXXX + jmp NtPropagationComplete_SystemCall_Unknown +NtPropagationComplete_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtPropagationComplete_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtPropagationComplete_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtPropagationComplete_SystemCall_6_0_6002 + jmp NtPropagationComplete_SystemCall_Unknown +NtPropagationComplete_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtPropagationComplete_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtPropagationComplete_SystemCall_6_1_7601 + jmp NtPropagationComplete_SystemCall_Unknown +NtPropagationComplete_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtPropagationComplete_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtPropagationComplete_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtPropagationComplete_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtPropagationComplete_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtPropagationComplete_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtPropagationComplete_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtPropagationComplete_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtPropagationComplete_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtPropagationComplete_SystemCall_10_0_18363 + jmp NtPropagationComplete_SystemCall_Unknown +NtPropagationComplete_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0108h + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0104h + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0104h + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 010ah + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 010ah + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 011ch + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 011fh + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0125h + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0128h + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_10_0_14393: ; 
Windows 10.0.14393 (1607) + mov eax, 012bh + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 012fh + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0131h + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0133h + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0134h + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0135h + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0135h + jmp NtPropagationComplete_Epilogue +NtPropagationComplete_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtPropagationComplete_Epilogue: + mov r10, rcx + syscall + ret +NtPropagationComplete ENDP + +NtPropagationFailed PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtPropagationFailed_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtPropagationFailed_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtPropagationFailed_Check_10_0_XXXX + jmp NtPropagationFailed_SystemCall_Unknown +NtPropagationFailed_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtPropagationFailed_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtPropagationFailed_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPropagationFailed_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPropagationFailed_SystemCall_6_3_XXXX + jmp NtPropagationFailed_SystemCall_Unknown +NtPropagationFailed_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtPropagationFailed_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtPropagationFailed_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtPropagationFailed_SystemCall_6_0_6002 + jmp NtPropagationFailed_SystemCall_Unknown +NtPropagationFailed_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtPropagationFailed_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtPropagationFailed_SystemCall_6_1_7601 + jmp NtPropagationFailed_SystemCall_Unknown +NtPropagationFailed_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtPropagationFailed_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtPropagationFailed_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtPropagationFailed_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtPropagationFailed_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtPropagationFailed_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtPropagationFailed_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtPropagationFailed_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtPropagationFailed_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtPropagationFailed_SystemCall_10_0_18363 + jmp NtPropagationFailed_SystemCall_Unknown +NtPropagationFailed_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0109h + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0105h + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0105h + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 010bh + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 010bh + jmp 
NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 011dh + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0120h + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0126h + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0129h + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 012ch + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0130h + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0132h + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0134h + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0135h + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0136h + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0136h + jmp NtPropagationFailed_Epilogue +NtPropagationFailed_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtPropagationFailed_Epilogue: + mov r10, rcx + syscall + ret +NtPropagationFailed ENDP + +NtProtectVirtualMemory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtProtectVirtualMemory_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtProtectVirtualMemory_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtProtectVirtualMemory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtProtectVirtualMemory_Check_10_0_XXXX + jmp NtProtectVirtualMemory_SystemCall_Unknown +NtProtectVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtProtectVirtualMemory_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtProtectVirtualMemory_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtProtectVirtualMemory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtProtectVirtualMemory_SystemCall_6_3_XXXX + jmp NtProtectVirtualMemory_SystemCall_Unknown +NtProtectVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtProtectVirtualMemory_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtProtectVirtualMemory_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtProtectVirtualMemory_SystemCall_6_0_6002 + jmp NtProtectVirtualMemory_SystemCall_Unknown +NtProtectVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtProtectVirtualMemory_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtProtectVirtualMemory_SystemCall_6_1_7601 + jmp NtProtectVirtualMemory_SystemCall_Unknown +NtProtectVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtProtectVirtualMemory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtProtectVirtualMemory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtProtectVirtualMemory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtProtectVirtualMemory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtProtectVirtualMemory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtProtectVirtualMemory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtProtectVirtualMemory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtProtectVirtualMemory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtProtectVirtualMemory_SystemCall_10_0_18363 + jmp NtProtectVirtualMemory_SystemCall_Unknown +NtProtectVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 004dh + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 004dh + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 004dh + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 004dh + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 004dh + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 004dh + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 004eh + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 004fh + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0050h + jmp NtProtectVirtualMemory_Epilogue 
+NtProtectVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0050h + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0050h + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0050h + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0050h + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0050h + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0050h + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0050h + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0050h + jmp NtProtectVirtualMemory_Epilogue +NtProtectVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtProtectVirtualMemory_Epilogue: + mov r10, rcx + syscall + ret +NtProtectVirtualMemory ENDP + +NtPullTransaction PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtPullTransaction_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtPullTransaction_Check_6_X_XXXX + jmp NtPullTransaction_SystemCall_Unknown +NtPullTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtPullTransaction_Check_6_0_XXXX + jmp NtPullTransaction_SystemCall_Unknown +NtPullTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtPullTransaction_SystemCall_6_0_6000 + jmp NtPullTransaction_SystemCall_Unknown +NtPullTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 010ah + jmp NtPullTransaction_Epilogue +NtPullTransaction_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtPullTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtPullTransaction ENDP + +NtPulseEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtPulseEvent_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtPulseEvent_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtPulseEvent_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtPulseEvent_Check_10_0_XXXX + jmp NtPulseEvent_SystemCall_Unknown +NtPulseEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtPulseEvent_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtPulseEvent_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPulseEvent_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtPulseEvent_SystemCall_6_3_XXXX + jmp NtPulseEvent_SystemCall_Unknown +NtPulseEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtPulseEvent_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtPulseEvent_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtPulseEvent_SystemCall_6_0_6002 + jmp NtPulseEvent_SystemCall_Unknown +NtPulseEvent_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtPulseEvent_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtPulseEvent_SystemCall_6_1_7601 + jmp NtPulseEvent_SystemCall_Unknown +NtPulseEvent_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtPulseEvent_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtPulseEvent_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtPulseEvent_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtPulseEvent_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtPulseEvent_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtPulseEvent_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtPulseEvent_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtPulseEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtPulseEvent_SystemCall_10_0_18363 + jmp NtPulseEvent_SystemCall_Unknown +NtPulseEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00c7h + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 010bh + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0106h + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0106h + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 010ch + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 010ch + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 011eh + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0121h + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0127h + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 012ah + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 012dh + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 
0131h + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0133h + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0135h + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0136h + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0137h + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0137h + jmp NtPulseEvent_Epilogue +NtPulseEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtPulseEvent_Epilogue: + mov r10, rcx + syscall + ret +NtPulseEvent ENDP + +NtQueryAttributesFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryAttributesFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryAttributesFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryAttributesFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryAttributesFile_Check_10_0_XXXX + jmp NtQueryAttributesFile_SystemCall_Unknown +NtQueryAttributesFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryAttributesFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryAttributesFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryAttributesFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryAttributesFile_SystemCall_6_3_XXXX + jmp NtQueryAttributesFile_SystemCall_Unknown +NtQueryAttributesFile_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtQueryAttributesFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryAttributesFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryAttributesFile_SystemCall_6_0_6002 + jmp NtQueryAttributesFile_SystemCall_Unknown +NtQueryAttributesFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryAttributesFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryAttributesFile_SystemCall_6_1_7601 + jmp NtQueryAttributesFile_SystemCall_Unknown +NtQueryAttributesFile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQueryAttributesFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryAttributesFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryAttributesFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryAttributesFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryAttributesFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryAttributesFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryAttributesFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryAttributesFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryAttributesFile_SystemCall_10_0_18363 + jmp NtQueryAttributesFile_SystemCall_Unknown +NtQueryAttributesFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 003ah + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 003ah + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 003ah + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 003ah + jmp NtQueryAttributesFile_Epilogue 
+NtQueryAttributesFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 003ah + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 003ah + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 003bh + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 003ch + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 003dh + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 003dh + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 003dh + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 003dh + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 003dh + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 003dh + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 003dh + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 003dh + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 003dh + jmp NtQueryAttributesFile_Epilogue +NtQueryAttributesFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryAttributesFile_Epilogue: + mov r10, rcx + syscall + ret +NtQueryAttributesFile ENDP + +NtQueryAuxiliaryCounterFrequency PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryAuxiliaryCounterFrequency_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 10 + je NtQueryAuxiliaryCounterFrequency_Check_10_0_XXXX + jmp NtQueryAuxiliaryCounterFrequency_SystemCall_Unknown +NtQueryAuxiliaryCounterFrequency_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 15063 + je NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_18363 + jmp NtQueryAuxiliaryCounterFrequency_SystemCall_Unknown +NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0132h + jmp NtQueryAuxiliaryCounterFrequency_Epilogue +NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0134h + jmp NtQueryAuxiliaryCounterFrequency_Epilogue +NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0136h + jmp NtQueryAuxiliaryCounterFrequency_Epilogue +NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0137h + jmp NtQueryAuxiliaryCounterFrequency_Epilogue +NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0138h + jmp NtQueryAuxiliaryCounterFrequency_Epilogue +NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0138h + jmp NtQueryAuxiliaryCounterFrequency_Epilogue +NtQueryAuxiliaryCounterFrequency_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtQueryAuxiliaryCounterFrequency_Epilogue: + mov r10, rcx + syscall + ret +NtQueryAuxiliaryCounterFrequency ENDP + +NtQueryBootEntryOrder PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryBootEntryOrder_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryBootEntryOrder_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryBootEntryOrder_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryBootEntryOrder_Check_10_0_XXXX + jmp NtQueryBootEntryOrder_SystemCall_Unknown +NtQueryBootEntryOrder_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryBootEntryOrder_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryBootEntryOrder_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryBootEntryOrder_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryBootEntryOrder_SystemCall_6_3_XXXX + jmp NtQueryBootEntryOrder_SystemCall_Unknown +NtQueryBootEntryOrder_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryBootEntryOrder_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryBootEntryOrder_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryBootEntryOrder_SystemCall_6_0_6002 + jmp NtQueryBootEntryOrder_SystemCall_Unknown +NtQueryBootEntryOrder_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryBootEntryOrder_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryBootEntryOrder_SystemCall_6_1_7601 + jmp NtQueryBootEntryOrder_SystemCall_Unknown +NtQueryBootEntryOrder_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryBootEntryOrder_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryBootEntryOrder_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryBootEntryOrder_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryBootEntryOrder_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryBootEntryOrder_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryBootEntryOrder_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryBootEntryOrder_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryBootEntryOrder_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryBootEntryOrder_SystemCall_10_0_18363 + jmp NtQueryBootEntryOrder_SystemCall_Unknown +NtQueryBootEntryOrder_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00c8h + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 010ch + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0107h + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0107h + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 010dh + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 010dh + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 011fh + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0122h + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0128h + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_10_0_10586: ; 
Windows 10.0.10586 (1511) + mov eax, 012bh + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 012eh + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0133h + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0135h + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0137h + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0138h + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0139h + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0139h + jmp NtQueryBootEntryOrder_Epilogue +NtQueryBootEntryOrder_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryBootEntryOrder_Epilogue: + mov r10, rcx + syscall + ret +NtQueryBootEntryOrder ENDP + +NtQueryBootOptions PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryBootOptions_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryBootOptions_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryBootOptions_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryBootOptions_Check_10_0_XXXX + jmp NtQueryBootOptions_SystemCall_Unknown +NtQueryBootOptions_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryBootOptions_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryBootOptions_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryBootOptions_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryBootOptions_SystemCall_6_3_XXXX + jmp NtQueryBootOptions_SystemCall_Unknown +NtQueryBootOptions_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryBootOptions_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryBootOptions_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryBootOptions_SystemCall_6_0_6002 + jmp NtQueryBootOptions_SystemCall_Unknown +NtQueryBootOptions_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryBootOptions_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryBootOptions_SystemCall_6_1_7601 + jmp NtQueryBootOptions_SystemCall_Unknown +NtQueryBootOptions_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryBootOptions_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryBootOptions_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryBootOptions_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryBootOptions_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryBootOptions_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryBootOptions_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryBootOptions_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryBootOptions_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryBootOptions_SystemCall_10_0_18363 + jmp NtQueryBootOptions_SystemCall_Unknown +NtQueryBootOptions_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00c9h + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 010dh + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0108h + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0108h + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 010eh + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 010eh + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0120h + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0123h + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0129h + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 012ch + jmp NtQueryBootOptions_Epilogue 
+NtQueryBootOptions_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 012fh + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0134h + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0136h + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0138h + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0139h + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 013ah + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 013ah + jmp NtQueryBootOptions_Epilogue +NtQueryBootOptions_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryBootOptions_Epilogue: + mov r10, rcx + syscall + ret +NtQueryBootOptions ENDP + +NtQueryDebugFilterState PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryDebugFilterState_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryDebugFilterState_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryDebugFilterState_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryDebugFilterState_Check_10_0_XXXX + jmp NtQueryDebugFilterState_SystemCall_Unknown +NtQueryDebugFilterState_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryDebugFilterState_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryDebugFilterState_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryDebugFilterState_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryDebugFilterState_SystemCall_6_3_XXXX + jmp NtQueryDebugFilterState_SystemCall_Unknown +NtQueryDebugFilterState_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtQueryDebugFilterState_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryDebugFilterState_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryDebugFilterState_SystemCall_6_0_6002 + jmp NtQueryDebugFilterState_SystemCall_Unknown +NtQueryDebugFilterState_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryDebugFilterState_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryDebugFilterState_SystemCall_6_1_7601 + jmp NtQueryDebugFilterState_SystemCall_Unknown +NtQueryDebugFilterState_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQueryDebugFilterState_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryDebugFilterState_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryDebugFilterState_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryDebugFilterState_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryDebugFilterState_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryDebugFilterState_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryDebugFilterState_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryDebugFilterState_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryDebugFilterState_SystemCall_10_0_18363 + jmp NtQueryDebugFilterState_SystemCall_Unknown +NtQueryDebugFilterState_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00cah + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 010eh + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0109h + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0109h + jmp 
NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 010fh + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 010fh + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0121h + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0124h + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 012ah + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 012dh + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0130h + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0135h + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0137h + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0139h + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 013ah + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 013bh + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 013bh + jmp NtQueryDebugFilterState_Epilogue +NtQueryDebugFilterState_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryDebugFilterState_Epilogue: + mov r10, rcx + syscall + ret +NtQueryDebugFilterState ENDP + +NtQueryDefaultLocale PROC + mov rax, gs:[60h] ; Load PEB into RAX. 
+NtQueryDefaultLocale_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryDefaultLocale_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryDefaultLocale_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryDefaultLocale_Check_10_0_XXXX + jmp NtQueryDefaultLocale_SystemCall_Unknown +NtQueryDefaultLocale_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryDefaultLocale_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryDefaultLocale_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryDefaultLocale_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryDefaultLocale_SystemCall_6_3_XXXX + jmp NtQueryDefaultLocale_SystemCall_Unknown +NtQueryDefaultLocale_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryDefaultLocale_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryDefaultLocale_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryDefaultLocale_SystemCall_6_0_6002 + jmp NtQueryDefaultLocale_SystemCall_Unknown +NtQueryDefaultLocale_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryDefaultLocale_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryDefaultLocale_SystemCall_6_1_7601 + jmp NtQueryDefaultLocale_SystemCall_Unknown +NtQueryDefaultLocale_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryDefaultLocale_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryDefaultLocale_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryDefaultLocale_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryDefaultLocale_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryDefaultLocale_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryDefaultLocale_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryDefaultLocale_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryDefaultLocale_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryDefaultLocale_SystemCall_10_0_18363 + jmp NtQueryDefaultLocale_SystemCall_Unknown +NtQueryDefaultLocale_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0012h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0012h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0012h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0012h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0012h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0012h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0013h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0014h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0015h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 0015h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0015h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0015h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0015h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0015h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0015h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0015h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0015h + jmp NtQueryDefaultLocale_Epilogue +NtQueryDefaultLocale_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryDefaultLocale_Epilogue: + mov r10, rcx + syscall + ret +NtQueryDefaultLocale ENDP + +NtQueryDefaultUILanguage PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryDefaultUILanguage_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryDefaultUILanguage_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryDefaultUILanguage_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryDefaultUILanguage_Check_10_0_XXXX + jmp NtQueryDefaultUILanguage_SystemCall_Unknown +NtQueryDefaultUILanguage_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryDefaultUILanguage_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryDefaultUILanguage_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryDefaultUILanguage_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryDefaultUILanguage_SystemCall_6_3_XXXX + jmp NtQueryDefaultUILanguage_SystemCall_Unknown +NtQueryDefaultUILanguage_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryDefaultUILanguage_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryDefaultUILanguage_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryDefaultUILanguage_SystemCall_6_0_6002 + jmp NtQueryDefaultUILanguage_SystemCall_Unknown +NtQueryDefaultUILanguage_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryDefaultUILanguage_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryDefaultUILanguage_SystemCall_6_1_7601 + jmp NtQueryDefaultUILanguage_SystemCall_Unknown +NtQueryDefaultUILanguage_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryDefaultUILanguage_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryDefaultUILanguage_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryDefaultUILanguage_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryDefaultUILanguage_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryDefaultUILanguage_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryDefaultUILanguage_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryDefaultUILanguage_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryDefaultUILanguage_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryDefaultUILanguage_SystemCall_10_0_18363 + jmp NtQueryDefaultUILanguage_SystemCall_Unknown +NtQueryDefaultUILanguage_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0041h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0041h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0041h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0041h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0041h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0041h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0042h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0043h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0044h + 
jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0044h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0044h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0044h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0044h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0044h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0044h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0044h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0044h + jmp NtQueryDefaultUILanguage_Epilogue +NtQueryDefaultUILanguage_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryDefaultUILanguage_Epilogue: + mov r10, rcx + syscall + ret +NtQueryDefaultUILanguage ENDP + +NtQueryDirectoryFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryDirectoryFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryDirectoryFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryDirectoryFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryDirectoryFile_Check_10_0_XXXX + jmp NtQueryDirectoryFile_SystemCall_Unknown +NtQueryDirectoryFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryDirectoryFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryDirectoryFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryDirectoryFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryDirectoryFile_SystemCall_6_3_XXXX + jmp NtQueryDirectoryFile_SystemCall_Unknown +NtQueryDirectoryFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryDirectoryFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryDirectoryFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryDirectoryFile_SystemCall_6_0_6002 + jmp NtQueryDirectoryFile_SystemCall_Unknown +NtQueryDirectoryFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryDirectoryFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryDirectoryFile_SystemCall_6_1_7601 + jmp NtQueryDirectoryFile_SystemCall_Unknown +NtQueryDirectoryFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryDirectoryFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryDirectoryFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryDirectoryFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryDirectoryFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryDirectoryFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryDirectoryFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryDirectoryFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryDirectoryFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryDirectoryFile_SystemCall_10_0_18363 + jmp NtQueryDirectoryFile_SystemCall_Unknown +NtQueryDirectoryFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0032h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0032h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0032h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0032h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0032h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0032h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0033h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0034h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0035h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 0035h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0035h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0035h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0035h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0035h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0035h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0035h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0035h + jmp NtQueryDirectoryFile_Epilogue +NtQueryDirectoryFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryDirectoryFile_Epilogue: + mov r10, rcx + syscall + ret +NtQueryDirectoryFile ENDP + +NtQueryDirectoryFileEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryDirectoryFileEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtQueryDirectoryFileEx_Check_10_0_XXXX + jmp NtQueryDirectoryFileEx_SystemCall_Unknown +NtQueryDirectoryFileEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 16299 + je NtQueryDirectoryFileEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryDirectoryFileEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryDirectoryFileEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryDirectoryFileEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryDirectoryFileEx_SystemCall_10_0_18363 + jmp NtQueryDirectoryFileEx_SystemCall_Unknown +NtQueryDirectoryFileEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0138h + jmp NtQueryDirectoryFileEx_Epilogue +NtQueryDirectoryFileEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 013ah + jmp NtQueryDirectoryFileEx_Epilogue +NtQueryDirectoryFileEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 013bh + jmp NtQueryDirectoryFileEx_Epilogue +NtQueryDirectoryFileEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 013ch + jmp NtQueryDirectoryFileEx_Epilogue +NtQueryDirectoryFileEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 013ch + jmp NtQueryDirectoryFileEx_Epilogue +NtQueryDirectoryFileEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryDirectoryFileEx_Epilogue: + mov r10, rcx + syscall + ret +NtQueryDirectoryFileEx ENDP + +NtQueryDirectoryObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryDirectoryObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryDirectoryObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryDirectoryObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryDirectoryObject_Check_10_0_XXXX + jmp NtQueryDirectoryObject_SystemCall_Unknown +NtQueryDirectoryObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryDirectoryObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryDirectoryObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryDirectoryObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryDirectoryObject_SystemCall_6_3_XXXX + jmp NtQueryDirectoryObject_SystemCall_Unknown +NtQueryDirectoryObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryDirectoryObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryDirectoryObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryDirectoryObject_SystemCall_6_0_6002 + jmp NtQueryDirectoryObject_SystemCall_Unknown +NtQueryDirectoryObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryDirectoryObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryDirectoryObject_SystemCall_6_1_7601 + jmp NtQueryDirectoryObject_SystemCall_Unknown +NtQueryDirectoryObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryDirectoryObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryDirectoryObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryDirectoryObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryDirectoryObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryDirectoryObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryDirectoryObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryDirectoryObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryDirectoryObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryDirectoryObject_SystemCall_10_0_18363 + jmp NtQueryDirectoryObject_SystemCall_Unknown +NtQueryDirectoryObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00cbh + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 010fh + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 010ah + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 010ah + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0110h + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0110h + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0122h + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0125h + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 012bh + jmp NtQueryDirectoryObject_Epilogue 
+NtQueryDirectoryObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 012eh + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0131h + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0136h + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0139h + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 013bh + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 013ch + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 013dh + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 013dh + jmp NtQueryDirectoryObject_Epilogue +NtQueryDirectoryObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryDirectoryObject_Epilogue: + mov r10, rcx + syscall + ret +NtQueryDirectoryObject ENDP + +NtQueryDriverEntryOrder PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryDriverEntryOrder_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryDriverEntryOrder_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryDriverEntryOrder_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryDriverEntryOrder_Check_10_0_XXXX + jmp NtQueryDriverEntryOrder_SystemCall_Unknown +NtQueryDriverEntryOrder_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryDriverEntryOrder_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryDriverEntryOrder_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryDriverEntryOrder_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryDriverEntryOrder_SystemCall_6_3_XXXX + jmp NtQueryDriverEntryOrder_SystemCall_Unknown +NtQueryDriverEntryOrder_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryDriverEntryOrder_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryDriverEntryOrder_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryDriverEntryOrder_SystemCall_6_0_6002 + jmp NtQueryDriverEntryOrder_SystemCall_Unknown +NtQueryDriverEntryOrder_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryDriverEntryOrder_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryDriverEntryOrder_SystemCall_6_1_7601 + jmp NtQueryDriverEntryOrder_SystemCall_Unknown +NtQueryDriverEntryOrder_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryDriverEntryOrder_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryDriverEntryOrder_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryDriverEntryOrder_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryDriverEntryOrder_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryDriverEntryOrder_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryDriverEntryOrder_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryDriverEntryOrder_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryDriverEntryOrder_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryDriverEntryOrder_SystemCall_10_0_18363 + jmp NtQueryDriverEntryOrder_SystemCall_Unknown +NtQueryDriverEntryOrder_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00cch + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0110h + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 010bh + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 010bh + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0111h + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0111h + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0123h + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0126h + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 012ch + jmp 
NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 012fh + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0132h + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0137h + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 013ah + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 013ch + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 013dh + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 013eh + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 013eh + jmp NtQueryDriverEntryOrder_Epilogue +NtQueryDriverEntryOrder_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryDriverEntryOrder_Epilogue: + mov r10, rcx + syscall + ret +NtQueryDriverEntryOrder ENDP + +NtQueryEaFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryEaFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryEaFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryEaFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryEaFile_Check_10_0_XXXX + jmp NtQueryEaFile_SystemCall_Unknown +NtQueryEaFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryEaFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryEaFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryEaFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryEaFile_SystemCall_6_3_XXXX + jmp NtQueryEaFile_SystemCall_Unknown +NtQueryEaFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryEaFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryEaFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryEaFile_SystemCall_6_0_6002 + jmp NtQueryEaFile_SystemCall_Unknown +NtQueryEaFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryEaFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryEaFile_SystemCall_6_1_7601 + jmp NtQueryEaFile_SystemCall_Unknown +NtQueryEaFile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQueryEaFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryEaFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryEaFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryEaFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryEaFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryEaFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryEaFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryEaFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryEaFile_SystemCall_10_0_18363 + jmp NtQueryEaFile_SystemCall_Unknown +NtQueryEaFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00cdh + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0111h + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 010ch + jmp NtQueryEaFile_Epilogue 
+NtQueryEaFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 010ch + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0112h + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0112h + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0124h + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0127h + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 012dh + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0130h + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0133h + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0138h + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 013bh + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 013dh + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 013eh + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 013fh + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 013fh + jmp NtQueryEaFile_Epilogue +NtQueryEaFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryEaFile_Epilogue: + mov r10, rcx + syscall + ret +NtQueryEaFile ENDP + +NtQueryEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryEvent_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtQueryEvent_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryEvent_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryEvent_Check_10_0_XXXX + jmp NtQueryEvent_SystemCall_Unknown +NtQueryEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryEvent_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryEvent_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryEvent_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryEvent_SystemCall_6_3_XXXX + jmp NtQueryEvent_SystemCall_Unknown +NtQueryEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryEvent_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryEvent_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryEvent_SystemCall_6_0_6002 + jmp NtQueryEvent_SystemCall_Unknown +NtQueryEvent_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryEvent_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryEvent_SystemCall_6_1_7601 + jmp NtQueryEvent_SystemCall_Unknown +NtQueryEvent_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryEvent_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryEvent_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryEvent_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryEvent_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryEvent_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryEvent_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryEvent_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryEvent_SystemCall_10_0_18363 + jmp NtQueryEvent_SystemCall_Unknown +NtQueryEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0053h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0053h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0053h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0053h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0053h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0053h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0054h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0055h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0056h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0056h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0056h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 
0056h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0056h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0056h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0056h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0056h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0056h + jmp NtQueryEvent_Epilogue +NtQueryEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryEvent_Epilogue: + mov r10, rcx + syscall + ret +NtQueryEvent ENDP + +NtQueryFullAttributesFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryFullAttributesFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryFullAttributesFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryFullAttributesFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryFullAttributesFile_Check_10_0_XXXX + jmp NtQueryFullAttributesFile_SystemCall_Unknown +NtQueryFullAttributesFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryFullAttributesFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryFullAttributesFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryFullAttributesFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryFullAttributesFile_SystemCall_6_3_XXXX + jmp NtQueryFullAttributesFile_SystemCall_Unknown +NtQueryFullAttributesFile_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtQueryFullAttributesFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryFullAttributesFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryFullAttributesFile_SystemCall_6_0_6002 + jmp NtQueryFullAttributesFile_SystemCall_Unknown +NtQueryFullAttributesFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryFullAttributesFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryFullAttributesFile_SystemCall_6_1_7601 + jmp NtQueryFullAttributesFile_SystemCall_Unknown +NtQueryFullAttributesFile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQueryFullAttributesFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryFullAttributesFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryFullAttributesFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryFullAttributesFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryFullAttributesFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryFullAttributesFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryFullAttributesFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryFullAttributesFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryFullAttributesFile_SystemCall_10_0_18363 + jmp NtQueryFullAttributesFile_SystemCall_Unknown +NtQueryFullAttributesFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00ceh + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0112h + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 010dh + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_6_0_6002: ; Windows Vista SP2 and 
Server 2008 SP2 + mov eax, 010dh + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0113h + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0113h + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0125h + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0128h + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 012eh + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0131h + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0134h + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0139h + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 013ch + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 013eh + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 013fh + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0140h + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0140h + jmp NtQueryFullAttributesFile_Epilogue +NtQueryFullAttributesFile_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret
+NtQueryFullAttributesFile_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtQueryFullAttributesFile ENDP
+
+NtQueryInformationAtom PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtQueryInformationAtom_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 5
+ je NtQueryInformationAtom_SystemCall_5_X_XXXX
+ cmp dword ptr [rax+118h], 6
+ je NtQueryInformationAtom_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtQueryInformationAtom_Check_10_0_XXXX
+ jmp NtQueryInformationAtom_SystemCall_Unknown
+NtQueryInformationAtom_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtQueryInformationAtom_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtQueryInformationAtom_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationAtom_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationAtom_SystemCall_6_3_XXXX
+ jmp NtQueryInformationAtom_SystemCall_Unknown
+NtQueryInformationAtom_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtQueryInformationAtom_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtQueryInformationAtom_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtQueryInformationAtom_SystemCall_6_0_6002
+ jmp NtQueryInformationAtom_SystemCall_Unknown
+NtQueryInformationAtom_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtQueryInformationAtom_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtQueryInformationAtom_SystemCall_6_1_7601
+ jmp NtQueryInformationAtom_SystemCall_Unknown
+NtQueryInformationAtom_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtQueryInformationAtom_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtQueryInformationAtom_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtQueryInformationAtom_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtQueryInformationAtom_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtQueryInformationAtom_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtQueryInformationAtom_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtQueryInformationAtom_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtQueryInformationAtom_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtQueryInformationAtom_SystemCall_10_0_18363
+ jmp NtQueryInformationAtom_SystemCall_Unknown
+NtQueryInformationAtom_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 00cfh
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 0113h
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 010eh
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 010eh
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 0114h
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 0114h
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0126h
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0129h
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 012fh
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0132h
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0135h
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 013ah
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 013dh
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 013fh
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0140h
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0141h
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0141h
+ jmp NtQueryInformationAtom_Epilogue
+NtQueryInformationAtom_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtQueryInformationAtom_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtQueryInformationAtom ENDP
+
+NtQueryInformationByName PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtQueryInformationByName_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 10
+ je NtQueryInformationByName_Check_10_0_XXXX
+ jmp NtQueryInformationByName_SystemCall_Unknown
+NtQueryInformationByName_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 15063
+ je NtQueryInformationByName_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtQueryInformationByName_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtQueryInformationByName_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtQueryInformationByName_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtQueryInformationByName_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtQueryInformationByName_SystemCall_10_0_18363
+ jmp NtQueryInformationByName_SystemCall_Unknown
+NtQueryInformationByName_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 013bh
+ jmp NtQueryInformationByName_Epilogue
+NtQueryInformationByName_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 013eh
+ jmp NtQueryInformationByName_Epilogue
+NtQueryInformationByName_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0140h
+ jmp NtQueryInformationByName_Epilogue
+NtQueryInformationByName_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0141h
+ jmp NtQueryInformationByName_Epilogue
+NtQueryInformationByName_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0142h
+ jmp NtQueryInformationByName_Epilogue
+NtQueryInformationByName_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0142h
+ jmp NtQueryInformationByName_Epilogue
+NtQueryInformationByName_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtQueryInformationByName_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtQueryInformationByName ENDP
+
+NtQueryInformationEnlistment PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtQueryInformationEnlistment_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtQueryInformationEnlistment_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtQueryInformationEnlistment_Check_10_0_XXXX
+ jmp NtQueryInformationEnlistment_SystemCall_Unknown
+NtQueryInformationEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtQueryInformationEnlistment_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtQueryInformationEnlistment_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationEnlistment_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationEnlistment_SystemCall_6_3_XXXX
+ jmp NtQueryInformationEnlistment_SystemCall_Unknown
+NtQueryInformationEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtQueryInformationEnlistment_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtQueryInformationEnlistment_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtQueryInformationEnlistment_SystemCall_6_0_6002
+ jmp NtQueryInformationEnlistment_SystemCall_Unknown
+NtQueryInformationEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtQueryInformationEnlistment_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtQueryInformationEnlistment_SystemCall_6_1_7601
+ jmp NtQueryInformationEnlistment_SystemCall_Unknown
+NtQueryInformationEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtQueryInformationEnlistment_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtQueryInformationEnlistment_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtQueryInformationEnlistment_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtQueryInformationEnlistment_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtQueryInformationEnlistment_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtQueryInformationEnlistment_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtQueryInformationEnlistment_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtQueryInformationEnlistment_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtQueryInformationEnlistment_SystemCall_10_0_18363
+ jmp NtQueryInformationEnlistment_SystemCall_Unknown
+NtQueryInformationEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 0114h
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 010fh
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 010fh
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 0115h
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 0115h
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0127h
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 012ah
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0130h
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0133h
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0136h
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 013ch
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 013fh
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0141h
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0142h
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0143h
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0143h
+ jmp NtQueryInformationEnlistment_Epilogue
+NtQueryInformationEnlistment_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtQueryInformationEnlistment_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtQueryInformationEnlistment ENDP
+
+NtQueryInformationFile PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtQueryInformationFile_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 5
+ je NtQueryInformationFile_SystemCall_5_X_XXXX
+ cmp dword ptr [rax+118h], 6
+ je NtQueryInformationFile_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtQueryInformationFile_Check_10_0_XXXX
+ jmp NtQueryInformationFile_SystemCall_Unknown
+NtQueryInformationFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtQueryInformationFile_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtQueryInformationFile_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationFile_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationFile_SystemCall_6_3_XXXX
+ jmp NtQueryInformationFile_SystemCall_Unknown
+NtQueryInformationFile_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtQueryInformationFile_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtQueryInformationFile_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtQueryInformationFile_SystemCall_6_0_6002
+ jmp NtQueryInformationFile_SystemCall_Unknown
+NtQueryInformationFile_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtQueryInformationFile_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtQueryInformationFile_SystemCall_6_1_7601
+ jmp NtQueryInformationFile_SystemCall_Unknown
+NtQueryInformationFile_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtQueryInformationFile_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtQueryInformationFile_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtQueryInformationFile_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtQueryInformationFile_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtQueryInformationFile_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtQueryInformationFile_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtQueryInformationFile_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtQueryInformationFile_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtQueryInformationFile_SystemCall_10_0_18363
+ jmp NtQueryInformationFile_SystemCall_Unknown
+NtQueryInformationFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 000eh
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 000eh
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 000eh
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 000eh
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 000eh
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 000eh
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 000fh
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0010h
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0011h
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0011h
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0011h
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0011h
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0011h
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0011h
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0011h
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0011h
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0011h
+ jmp NtQueryInformationFile_Epilogue
+NtQueryInformationFile_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtQueryInformationFile_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtQueryInformationFile ENDP
+
+NtQueryInformationJobObject PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtQueryInformationJobObject_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 5
+ je NtQueryInformationJobObject_SystemCall_5_X_XXXX
+ cmp dword ptr [rax+118h], 6
+ je NtQueryInformationJobObject_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtQueryInformationJobObject_Check_10_0_XXXX
+ jmp NtQueryInformationJobObject_SystemCall_Unknown
+NtQueryInformationJobObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtQueryInformationJobObject_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtQueryInformationJobObject_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationJobObject_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationJobObject_SystemCall_6_3_XXXX
+ jmp NtQueryInformationJobObject_SystemCall_Unknown
+NtQueryInformationJobObject_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtQueryInformationJobObject_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtQueryInformationJobObject_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtQueryInformationJobObject_SystemCall_6_0_6002
+ jmp NtQueryInformationJobObject_SystemCall_Unknown
+NtQueryInformationJobObject_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtQueryInformationJobObject_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtQueryInformationJobObject_SystemCall_6_1_7601
+ jmp NtQueryInformationJobObject_SystemCall_Unknown
+NtQueryInformationJobObject_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtQueryInformationJobObject_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtQueryInformationJobObject_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtQueryInformationJobObject_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtQueryInformationJobObject_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtQueryInformationJobObject_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtQueryInformationJobObject_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtQueryInformationJobObject_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtQueryInformationJobObject_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtQueryInformationJobObject_SystemCall_10_0_18363
+ jmp NtQueryInformationJobObject_SystemCall_Unknown
+NtQueryInformationJobObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 00d0h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 0115h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 0110h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 0110h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 0116h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 0116h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0128h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 012bh
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0131h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0134h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0137h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 013dh
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0140h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0142h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0143h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0144h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0144h
+ jmp NtQueryInformationJobObject_Epilogue
+NtQueryInformationJobObject_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtQueryInformationJobObject_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtQueryInformationJobObject ENDP
+
+NtQueryInformationPort PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtQueryInformationPort_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 5
+ je NtQueryInformationPort_SystemCall_5_X_XXXX
+ cmp dword ptr [rax+118h], 6
+ je NtQueryInformationPort_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtQueryInformationPort_Check_10_0_XXXX
+ jmp NtQueryInformationPort_SystemCall_Unknown
+NtQueryInformationPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtQueryInformationPort_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtQueryInformationPort_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationPort_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationPort_SystemCall_6_3_XXXX
+ jmp NtQueryInformationPort_SystemCall_Unknown
+NtQueryInformationPort_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtQueryInformationPort_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtQueryInformationPort_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtQueryInformationPort_SystemCall_6_0_6002
+ jmp NtQueryInformationPort_SystemCall_Unknown
+NtQueryInformationPort_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtQueryInformationPort_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtQueryInformationPort_SystemCall_6_1_7601
+ jmp NtQueryInformationPort_SystemCall_Unknown
+NtQueryInformationPort_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtQueryInformationPort_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtQueryInformationPort_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtQueryInformationPort_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtQueryInformationPort_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtQueryInformationPort_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtQueryInformationPort_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtQueryInformationPort_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtQueryInformationPort_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtQueryInformationPort_SystemCall_10_0_18363
+ jmp NtQueryInformationPort_SystemCall_Unknown
+NtQueryInformationPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 00d1h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 0116h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 0111h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 0111h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 0117h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 0117h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0129h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 012ch
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0132h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0135h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0138h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 013eh
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0141h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0143h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0144h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0145h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0145h
+ jmp NtQueryInformationPort_Epilogue
+NtQueryInformationPort_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtQueryInformationPort_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtQueryInformationPort ENDP
+
+NtQueryInformationProcess PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtQueryInformationProcess_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 5
+ je NtQueryInformationProcess_SystemCall_5_X_XXXX
+ cmp dword ptr [rax+118h], 6
+ je NtQueryInformationProcess_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtQueryInformationProcess_Check_10_0_XXXX
+ jmp NtQueryInformationProcess_SystemCall_Unknown
+NtQueryInformationProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtQueryInformationProcess_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtQueryInformationProcess_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationProcess_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationProcess_SystemCall_6_3_XXXX
+ jmp NtQueryInformationProcess_SystemCall_Unknown
+NtQueryInformationProcess_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtQueryInformationProcess_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtQueryInformationProcess_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtQueryInformationProcess_SystemCall_6_0_6002
+ jmp NtQueryInformationProcess_SystemCall_Unknown
+NtQueryInformationProcess_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtQueryInformationProcess_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtQueryInformationProcess_SystemCall_6_1_7601
+ jmp NtQueryInformationProcess_SystemCall_Unknown
+NtQueryInformationProcess_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtQueryInformationProcess_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtQueryInformationProcess_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtQueryInformationProcess_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtQueryInformationProcess_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtQueryInformationProcess_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtQueryInformationProcess_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtQueryInformationProcess_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtQueryInformationProcess_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtQueryInformationProcess_SystemCall_10_0_18363
+ jmp NtQueryInformationProcess_SystemCall_Unknown
+NtQueryInformationProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 0016h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 0016h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 0016h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 0016h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 0016h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 0016h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0017h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0018h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0019h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0019h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0019h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 0019h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0019h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0019h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0019h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0019h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0019h
+ jmp NtQueryInformationProcess_Epilogue
+NtQueryInformationProcess_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtQueryInformationProcess_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtQueryInformationProcess ENDP
+
+NtQueryInformationResourceManager PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtQueryInformationResourceManager_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 6
+ je NtQueryInformationResourceManager_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtQueryInformationResourceManager_Check_10_0_XXXX
+ jmp NtQueryInformationResourceManager_SystemCall_Unknown
+NtQueryInformationResourceManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtQueryInformationResourceManager_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtQueryInformationResourceManager_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationResourceManager_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationResourceManager_SystemCall_6_3_XXXX
+ jmp NtQueryInformationResourceManager_SystemCall_Unknown
+NtQueryInformationResourceManager_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtQueryInformationResourceManager_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtQueryInformationResourceManager_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtQueryInformationResourceManager_SystemCall_6_0_6002
+ jmp NtQueryInformationResourceManager_SystemCall_Unknown
+NtQueryInformationResourceManager_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtQueryInformationResourceManager_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtQueryInformationResourceManager_SystemCall_6_1_7601
+ jmp NtQueryInformationResourceManager_SystemCall_Unknown
+NtQueryInformationResourceManager_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtQueryInformationResourceManager_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtQueryInformationResourceManager_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtQueryInformationResourceManager_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtQueryInformationResourceManager_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtQueryInformationResourceManager_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtQueryInformationResourceManager_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtQueryInformationResourceManager_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtQueryInformationResourceManager_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtQueryInformationResourceManager_SystemCall_10_0_18363
+ jmp NtQueryInformationResourceManager_SystemCall_Unknown
+NtQueryInformationResourceManager_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 0117h
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 0112h
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 0112h
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 0118h
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 0118h
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 012ah
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 012dh
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0133h
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
+ mov eax, 0136h
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
+ mov eax, 0139h
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
+ mov eax, 013fh
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
+ mov eax, 0142h
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
+ mov eax, 0144h
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
+ mov eax, 0145h
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
+ mov eax, 0146h
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
+ mov eax, 0146h
+ jmp NtQueryInformationResourceManager_Epilogue
+NtQueryInformationResourceManager_SystemCall_Unknown: ; Unknown/unsupported version.
+ ret
+NtQueryInformationResourceManager_Epilogue:
+ mov r10, rcx
+ syscall
+ ret
+NtQueryInformationResourceManager ENDP
+
+NtQueryInformationThread PROC
+ mov rax, gs:[60h] ; Load PEB into RAX.
+NtQueryInformationThread_Check_X_X_XXXX: ; Check major version.
+ cmp dword ptr [rax+118h], 5
+ je NtQueryInformationThread_SystemCall_5_X_XXXX
+ cmp dword ptr [rax+118h], 6
+ je NtQueryInformationThread_Check_6_X_XXXX
+ cmp dword ptr [rax+118h], 10
+ je NtQueryInformationThread_Check_10_0_XXXX
+ jmp NtQueryInformationThread_SystemCall_Unknown
+NtQueryInformationThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
+ cmp dword ptr [rax+11ch], 0
+ je NtQueryInformationThread_Check_6_0_XXXX
+ cmp dword ptr [rax+11ch], 1
+ je NtQueryInformationThread_Check_6_1_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationThread_SystemCall_6_2_XXXX
+ cmp dword ptr [rax+11ch], 2
+ je NtQueryInformationThread_SystemCall_6_3_XXXX
+ jmp NtQueryInformationThread_SystemCall_Unknown
+NtQueryInformationThread_Check_6_0_XXXX: ; Check build number for Windows Vista.
+ cmp dword ptr [rax+120h], 6000
+ je NtQueryInformationThread_SystemCall_6_0_6000
+ cmp dword ptr [rax+120h], 6001
+ je NtQueryInformationThread_SystemCall_6_0_6001
+ cmp dword ptr [rax+120h], 6002
+ je NtQueryInformationThread_SystemCall_6_0_6002
+ jmp NtQueryInformationThread_SystemCall_Unknown
+NtQueryInformationThread_Check_6_1_XXXX: ; Check build number for Windows 7.
+ cmp dword ptr [rax+120h], 7600
+ je NtQueryInformationThread_SystemCall_6_1_7600
+ cmp dword ptr [rax+120h], 7601
+ je NtQueryInformationThread_SystemCall_6_1_7601
+ jmp NtQueryInformationThread_SystemCall_Unknown
+NtQueryInformationThread_Check_10_0_XXXX: ; Check build number for Windows 10.
+ cmp dword ptr [rax+120h], 10240
+ je NtQueryInformationThread_SystemCall_10_0_10240
+ cmp dword ptr [rax+120h], 10586
+ je NtQueryInformationThread_SystemCall_10_0_10586
+ cmp dword ptr [rax+120h], 14393
+ je NtQueryInformationThread_SystemCall_10_0_14393
+ cmp dword ptr [rax+120h], 15063
+ je NtQueryInformationThread_SystemCall_10_0_15063
+ cmp dword ptr [rax+120h], 16299
+ je NtQueryInformationThread_SystemCall_10_0_16299
+ cmp dword ptr [rax+120h], 17134
+ je NtQueryInformationThread_SystemCall_10_0_17134
+ cmp dword ptr [rax+120h], 17763
+ je NtQueryInformationThread_SystemCall_10_0_17763
+ cmp dword ptr [rax+120h], 18362
+ je NtQueryInformationThread_SystemCall_10_0_18362
+ cmp dword ptr [rax+120h], 18363
+ je NtQueryInformationThread_SystemCall_10_0_18363
+ jmp NtQueryInformationThread_SystemCall_Unknown
+NtQueryInformationThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
+ mov eax, 0022h
+ jmp NtQueryInformationThread_Epilogue
+NtQueryInformationThread_SystemCall_6_0_6000: ; Windows Vista SP0
+ mov eax, 0022h
+ jmp NtQueryInformationThread_Epilogue
+NtQueryInformationThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
+ mov eax, 0022h
+ jmp NtQueryInformationThread_Epilogue
+NtQueryInformationThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
+ mov eax, 0022h
+ jmp NtQueryInformationThread_Epilogue
+NtQueryInformationThread_SystemCall_6_1_7600: ; Windows 7 SP0
+ mov eax, 0022h
+ jmp NtQueryInformationThread_Epilogue
+NtQueryInformationThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
+ mov eax, 0022h
+ jmp NtQueryInformationThread_Epilogue
+NtQueryInformationThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
+ mov eax, 0023h
+ jmp NtQueryInformationThread_Epilogue
+NtQueryInformationThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
+ mov eax, 0024h
+ jmp NtQueryInformationThread_Epilogue
+NtQueryInformationThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
+ mov eax, 0025h
+
jmp NtQueryInformationThread_Epilogue +NtQueryInformationThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0025h + jmp NtQueryInformationThread_Epilogue +NtQueryInformationThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0025h + jmp NtQueryInformationThread_Epilogue +NtQueryInformationThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0025h + jmp NtQueryInformationThread_Epilogue +NtQueryInformationThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0025h + jmp NtQueryInformationThread_Epilogue +NtQueryInformationThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0025h + jmp NtQueryInformationThread_Epilogue +NtQueryInformationThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0025h + jmp NtQueryInformationThread_Epilogue +NtQueryInformationThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0025h + jmp NtQueryInformationThread_Epilogue +NtQueryInformationThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0025h + jmp NtQueryInformationThread_Epilogue +NtQueryInformationThread_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryInformationThread_Epilogue: + mov r10, rcx + syscall + ret +NtQueryInformationThread ENDP + +NtQueryInformationToken PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryInformationToken_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryInformationToken_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryInformationToken_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryInformationToken_Check_10_0_XXXX + jmp NtQueryInformationToken_SystemCall_Unknown +NtQueryInformationToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryInformationToken_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryInformationToken_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryInformationToken_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryInformationToken_SystemCall_6_3_XXXX + jmp NtQueryInformationToken_SystemCall_Unknown +NtQueryInformationToken_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryInformationToken_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryInformationToken_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryInformationToken_SystemCall_6_0_6002 + jmp NtQueryInformationToken_SystemCall_Unknown +NtQueryInformationToken_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryInformationToken_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryInformationToken_SystemCall_6_1_7601 + jmp NtQueryInformationToken_SystemCall_Unknown +NtQueryInformationToken_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryInformationToken_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryInformationToken_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryInformationToken_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryInformationToken_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryInformationToken_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryInformationToken_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryInformationToken_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryInformationToken_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryInformationToken_SystemCall_10_0_18363 + jmp NtQueryInformationToken_SystemCall_Unknown +NtQueryInformationToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 001eh + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 001eh + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 001eh + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 001eh + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 001eh + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 001eh + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 001fh + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0020h + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0021h + jmp 
NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0021h + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0021h + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0021h + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0021h + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0021h + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0021h + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0021h + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0021h + jmp NtQueryInformationToken_Epilogue +NtQueryInformationToken_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryInformationToken_Epilogue: + mov r10, rcx + syscall + ret +NtQueryInformationToken ENDP + +NtQueryInformationTransaction PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryInformationTransaction_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtQueryInformationTransaction_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryInformationTransaction_Check_10_0_XXXX + jmp NtQueryInformationTransaction_SystemCall_Unknown +NtQueryInformationTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryInformationTransaction_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryInformationTransaction_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryInformationTransaction_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryInformationTransaction_SystemCall_6_3_XXXX + jmp NtQueryInformationTransaction_SystemCall_Unknown +NtQueryInformationTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryInformationTransaction_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryInformationTransaction_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryInformationTransaction_SystemCall_6_0_6002 + jmp NtQueryInformationTransaction_SystemCall_Unknown +NtQueryInformationTransaction_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryInformationTransaction_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryInformationTransaction_SystemCall_6_1_7601 + jmp NtQueryInformationTransaction_SystemCall_Unknown +NtQueryInformationTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryInformationTransaction_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryInformationTransaction_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryInformationTransaction_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryInformationTransaction_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryInformationTransaction_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryInformationTransaction_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryInformationTransaction_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryInformationTransaction_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryInformationTransaction_SystemCall_10_0_18363 + jmp NtQueryInformationTransaction_SystemCall_Unknown +NtQueryInformationTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0118h + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0113h + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0113h + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0119h + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0119h + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 012bh + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 012eh + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0134h + jmp 
NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0137h + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 013ah + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0140h + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0143h + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0145h + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0146h + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0147h + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0147h + jmp NtQueryInformationTransaction_Epilogue +NtQueryInformationTransaction_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryInformationTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtQueryInformationTransaction ENDP + +NtQueryInformationTransactionManager PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryInformationTransactionManager_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtQueryInformationTransactionManager_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryInformationTransactionManager_Check_10_0_XXXX + jmp NtQueryInformationTransactionManager_SystemCall_Unknown +NtQueryInformationTransactionManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryInformationTransactionManager_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryInformationTransactionManager_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryInformationTransactionManager_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryInformationTransactionManager_SystemCall_6_3_XXXX + jmp NtQueryInformationTransactionManager_SystemCall_Unknown +NtQueryInformationTransactionManager_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryInformationTransactionManager_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryInformationTransactionManager_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryInformationTransactionManager_SystemCall_6_0_6002 + jmp NtQueryInformationTransactionManager_SystemCall_Unknown +NtQueryInformationTransactionManager_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryInformationTransactionManager_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryInformationTransactionManager_SystemCall_6_1_7601 + jmp NtQueryInformationTransactionManager_SystemCall_Unknown +NtQueryInformationTransactionManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryInformationTransactionManager_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryInformationTransactionManager_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryInformationTransactionManager_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryInformationTransactionManager_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryInformationTransactionManager_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryInformationTransactionManager_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryInformationTransactionManager_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryInformationTransactionManager_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryInformationTransactionManager_SystemCall_10_0_18363 + jmp NtQueryInformationTransactionManager_SystemCall_Unknown +NtQueryInformationTransactionManager_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0119h + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0114h + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0114h + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 011ah + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 011ah + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 012ch + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 
012fh + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0135h + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0138h + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 013bh + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0141h + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0144h + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0146h + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0147h + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0148h + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0148h + jmp NtQueryInformationTransactionManager_Epilogue +NtQueryInformationTransactionManager_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryInformationTransactionManager_Epilogue: + mov r10, rcx + syscall + ret +NtQueryInformationTransactionManager ENDP + +NtQueryInformationWorkerFactory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryInformationWorkerFactory_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtQueryInformationWorkerFactory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryInformationWorkerFactory_Check_10_0_XXXX + jmp NtQueryInformationWorkerFactory_SystemCall_Unknown +NtQueryInformationWorkerFactory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryInformationWorkerFactory_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryInformationWorkerFactory_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryInformationWorkerFactory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryInformationWorkerFactory_SystemCall_6_3_XXXX + jmp NtQueryInformationWorkerFactory_SystemCall_Unknown +NtQueryInformationWorkerFactory_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryInformationWorkerFactory_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryInformationWorkerFactory_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryInformationWorkerFactory_SystemCall_6_0_6002 + jmp NtQueryInformationWorkerFactory_SystemCall_Unknown +NtQueryInformationWorkerFactory_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryInformationWorkerFactory_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryInformationWorkerFactory_SystemCall_6_1_7601 + jmp NtQueryInformationWorkerFactory_SystemCall_Unknown +NtQueryInformationWorkerFactory_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryInformationWorkerFactory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryInformationWorkerFactory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryInformationWorkerFactory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryInformationWorkerFactory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryInformationWorkerFactory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryInformationWorkerFactory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryInformationWorkerFactory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryInformationWorkerFactory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryInformationWorkerFactory_SystemCall_10_0_18363 + jmp NtQueryInformationWorkerFactory_SystemCall_Unknown +NtQueryInformationWorkerFactory_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 011ah + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0115h + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0115h + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 011bh + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 011bh + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 012dh + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0130h + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_10_0_10240: ; 
Windows 10.0.10240 (1507) + mov eax, 0136h + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0139h + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 013ch + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0142h + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0145h + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0147h + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0148h + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0149h + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0149h + jmp NtQueryInformationWorkerFactory_Epilogue +NtQueryInformationWorkerFactory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryInformationWorkerFactory_Epilogue: + mov r10, rcx + syscall + ret +NtQueryInformationWorkerFactory ENDP + +NtQueryInstallUILanguage PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryInstallUILanguage_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryInstallUILanguage_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryInstallUILanguage_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryInstallUILanguage_Check_10_0_XXXX + jmp NtQueryInstallUILanguage_SystemCall_Unknown +NtQueryInstallUILanguage_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryInstallUILanguage_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryInstallUILanguage_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryInstallUILanguage_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryInstallUILanguage_SystemCall_6_3_XXXX + jmp NtQueryInstallUILanguage_SystemCall_Unknown +NtQueryInstallUILanguage_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryInstallUILanguage_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryInstallUILanguage_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryInstallUILanguage_SystemCall_6_0_6002 + jmp NtQueryInstallUILanguage_SystemCall_Unknown +NtQueryInstallUILanguage_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryInstallUILanguage_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryInstallUILanguage_SystemCall_6_1_7601 + jmp NtQueryInstallUILanguage_SystemCall_Unknown +NtQueryInstallUILanguage_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryInstallUILanguage_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryInstallUILanguage_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryInstallUILanguage_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryInstallUILanguage_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryInstallUILanguage_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryInstallUILanguage_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryInstallUILanguage_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryInstallUILanguage_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryInstallUILanguage_SystemCall_10_0_18363 + jmp NtQueryInstallUILanguage_SystemCall_Unknown +NtQueryInstallUILanguage_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00d2h + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 011bh + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0116h + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0116h + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 011ch + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 011ch + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 012eh + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0131h + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0137h + 
jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 013ah + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 013dh + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0143h + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0146h + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0148h + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0149h + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 014ah + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 014ah + jmp NtQueryInstallUILanguage_Epilogue +NtQueryInstallUILanguage_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryInstallUILanguage_Epilogue: + mov r10, rcx + syscall + ret +NtQueryInstallUILanguage ENDP + +NtQueryIntervalProfile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryIntervalProfile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryIntervalProfile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryIntervalProfile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryIntervalProfile_Check_10_0_XXXX + jmp NtQueryIntervalProfile_SystemCall_Unknown +NtQueryIntervalProfile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryIntervalProfile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryIntervalProfile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryIntervalProfile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryIntervalProfile_SystemCall_6_3_XXXX + jmp NtQueryIntervalProfile_SystemCall_Unknown +NtQueryIntervalProfile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryIntervalProfile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryIntervalProfile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryIntervalProfile_SystemCall_6_0_6002 + jmp NtQueryIntervalProfile_SystemCall_Unknown +NtQueryIntervalProfile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryIntervalProfile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryIntervalProfile_SystemCall_6_1_7601 + jmp NtQueryIntervalProfile_SystemCall_Unknown +NtQueryIntervalProfile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryIntervalProfile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryIntervalProfile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryIntervalProfile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryIntervalProfile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryIntervalProfile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryIntervalProfile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryIntervalProfile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryIntervalProfile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryIntervalProfile_SystemCall_10_0_18363 + jmp NtQueryIntervalProfile_SystemCall_Unknown +NtQueryIntervalProfile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00d3h + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 011ch + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0117h + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0117h + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 011dh + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 011dh + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 012fh + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0132h + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0138h + jmp NtQueryIntervalProfile_Epilogue 
+NtQueryIntervalProfile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 013bh + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 013eh + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0144h + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0147h + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0149h + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 014ah + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 014bh + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 014bh + jmp NtQueryIntervalProfile_Epilogue +NtQueryIntervalProfile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryIntervalProfile_Epilogue: + mov r10, rcx + syscall + ret +NtQueryIntervalProfile ENDP + +NtQueryIoCompletion PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryIoCompletion_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryIoCompletion_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryIoCompletion_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryIoCompletion_Check_10_0_XXXX + jmp NtQueryIoCompletion_SystemCall_Unknown +NtQueryIoCompletion_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryIoCompletion_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryIoCompletion_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryIoCompletion_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryIoCompletion_SystemCall_6_3_XXXX + jmp NtQueryIoCompletion_SystemCall_Unknown +NtQueryIoCompletion_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryIoCompletion_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryIoCompletion_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryIoCompletion_SystemCall_6_0_6002 + jmp NtQueryIoCompletion_SystemCall_Unknown +NtQueryIoCompletion_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryIoCompletion_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryIoCompletion_SystemCall_6_1_7601 + jmp NtQueryIoCompletion_SystemCall_Unknown +NtQueryIoCompletion_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryIoCompletion_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryIoCompletion_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryIoCompletion_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryIoCompletion_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryIoCompletion_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryIoCompletion_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryIoCompletion_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryIoCompletion_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryIoCompletion_SystemCall_10_0_18363 + jmp NtQueryIoCompletion_SystemCall_Unknown +NtQueryIoCompletion_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00d4h + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 011dh + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0118h + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0118h + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 011eh + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 011eh + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0130h + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0133h + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0139h + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 013ch + jmp 
NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 013fh + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0145h + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0148h + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 014ah + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 014bh + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 014ch + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 014ch + jmp NtQueryIoCompletion_Epilogue +NtQueryIoCompletion_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryIoCompletion_Epilogue: + mov r10, rcx + syscall + ret +NtQueryIoCompletion ENDP + +NtQueryKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryKey_Check_10_0_XXXX + jmp NtQueryKey_SystemCall_Unknown +NtQueryKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryKey_SystemCall_6_3_XXXX + jmp NtQueryKey_SystemCall_Unknown +NtQueryKey_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtQueryKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryKey_SystemCall_6_0_6002 + jmp NtQueryKey_SystemCall_Unknown +NtQueryKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryKey_SystemCall_6_1_7601 + jmp NtQueryKey_SystemCall_Unknown +NtQueryKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQueryKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryKey_SystemCall_10_0_18363 + jmp NtQueryKey_SystemCall_Unknown +NtQueryKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0013h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0013h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0013h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0013h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0013h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0013h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0014h + jmp NtQueryKey_Epilogue 
+NtQueryKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0015h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0016h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0016h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0016h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0016h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0016h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0016h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0016h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0016h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0016h + jmp NtQueryKey_Epilogue +NtQueryKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryKey_Epilogue: + mov r10, rcx + syscall + ret +NtQueryKey ENDP + +NtQueryLicenseValue PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryLicenseValue_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtQueryLicenseValue_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryLicenseValue_Check_10_0_XXXX + jmp NtQueryLicenseValue_SystemCall_Unknown +NtQueryLicenseValue_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryLicenseValue_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryLicenseValue_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryLicenseValue_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryLicenseValue_SystemCall_6_3_XXXX + jmp NtQueryLicenseValue_SystemCall_Unknown +NtQueryLicenseValue_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryLicenseValue_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryLicenseValue_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryLicenseValue_SystemCall_6_0_6002 + jmp NtQueryLicenseValue_SystemCall_Unknown +NtQueryLicenseValue_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryLicenseValue_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryLicenseValue_SystemCall_6_1_7601 + jmp NtQueryLicenseValue_SystemCall_Unknown +NtQueryLicenseValue_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryLicenseValue_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryLicenseValue_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryLicenseValue_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryLicenseValue_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryLicenseValue_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryLicenseValue_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryLicenseValue_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryLicenseValue_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryLicenseValue_SystemCall_10_0_18363 + jmp NtQueryLicenseValue_SystemCall_Unknown +NtQueryLicenseValue_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 011eh + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0119h + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0119h + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 011fh + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 011fh + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0131h + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0134h + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 013ah + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 013dh + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0140h + jmp 
NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0146h + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0149h + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 014bh + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 014ch + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 014dh + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 014dh + jmp NtQueryLicenseValue_Epilogue +NtQueryLicenseValue_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryLicenseValue_Epilogue: + mov r10, rcx + syscall + ret +NtQueryLicenseValue ENDP + +NtQueryMultipleValueKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryMultipleValueKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryMultipleValueKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryMultipleValueKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryMultipleValueKey_Check_10_0_XXXX + jmp NtQueryMultipleValueKey_SystemCall_Unknown +NtQueryMultipleValueKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryMultipleValueKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryMultipleValueKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryMultipleValueKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryMultipleValueKey_SystemCall_6_3_XXXX + jmp NtQueryMultipleValueKey_SystemCall_Unknown +NtQueryMultipleValueKey_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtQueryMultipleValueKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryMultipleValueKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryMultipleValueKey_SystemCall_6_0_6002 + jmp NtQueryMultipleValueKey_SystemCall_Unknown +NtQueryMultipleValueKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryMultipleValueKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryMultipleValueKey_SystemCall_6_1_7601 + jmp NtQueryMultipleValueKey_SystemCall_Unknown +NtQueryMultipleValueKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQueryMultipleValueKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryMultipleValueKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryMultipleValueKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryMultipleValueKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryMultipleValueKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryMultipleValueKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryMultipleValueKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryMultipleValueKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryMultipleValueKey_SystemCall_10_0_18363 + jmp NtQueryMultipleValueKey_SystemCall_Unknown +NtQueryMultipleValueKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00d5h + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 011fh + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 011ah + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 011ah + jmp 
NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0120h + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0120h + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0132h + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0135h + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 013bh + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 013eh + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0141h + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0147h + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 014ah + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 014ch + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 014dh + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 014eh + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 014eh + jmp NtQueryMultipleValueKey_Epilogue +NtQueryMultipleValueKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryMultipleValueKey_Epilogue: + mov r10, rcx + syscall + ret +NtQueryMultipleValueKey ENDP + +NtQueryMutant PROC + mov rax, gs:[60h] ; Load PEB into RAX. 
+NtQueryMutant_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryMutant_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryMutant_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryMutant_Check_10_0_XXXX + jmp NtQueryMutant_SystemCall_Unknown +NtQueryMutant_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryMutant_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryMutant_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryMutant_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryMutant_SystemCall_6_3_XXXX + jmp NtQueryMutant_SystemCall_Unknown +NtQueryMutant_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryMutant_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryMutant_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryMutant_SystemCall_6_0_6002 + jmp NtQueryMutant_SystemCall_Unknown +NtQueryMutant_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryMutant_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryMutant_SystemCall_6_1_7601 + jmp NtQueryMutant_SystemCall_Unknown +NtQueryMutant_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryMutant_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryMutant_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryMutant_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryMutant_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryMutant_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryMutant_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryMutant_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryMutant_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryMutant_SystemCall_10_0_18363 + jmp NtQueryMutant_SystemCall_Unknown +NtQueryMutant_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00d6h + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0120h + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 011bh + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 011bh + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0121h + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0121h + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0133h + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0136h + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 013ch + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 013fh + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0142h + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_10_0_15063: ; Windows 
10.0.15063 (1703) + mov eax, 0148h + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 014bh + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 014dh + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 014eh + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 014fh + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 014fh + jmp NtQueryMutant_Epilogue +NtQueryMutant_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryMutant_Epilogue: + mov r10, rcx + syscall + ret +NtQueryMutant ENDP + +NtQueryObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryObject_Check_10_0_XXXX + jmp NtQueryObject_SystemCall_Unknown +NtQueryObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryObject_SystemCall_6_3_XXXX + jmp NtQueryObject_SystemCall_Unknown +NtQueryObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryObject_SystemCall_6_0_6002 + jmp NtQueryObject_SystemCall_Unknown +NtQueryObject_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtQueryObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryObject_SystemCall_6_1_7601 + jmp NtQueryObject_SystemCall_Unknown +NtQueryObject_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQueryObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryObject_SystemCall_10_0_18363 + jmp NtQueryObject_SystemCall_Unknown +NtQueryObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 000dh + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 000dh + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 000dh + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 000dh + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 000dh + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 000dh + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 000eh + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 000fh + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0010h + jmp NtQueryObject_Epilogue 
+NtQueryObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0010h + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0010h + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0010h + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0010h + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0010h + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0010h + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0010h + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0010h + jmp NtQueryObject_Epilogue +NtQueryObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryObject_Epilogue: + mov r10, rcx + syscall + ret +NtQueryObject ENDP + +NtQueryOpenSubKeys PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryOpenSubKeys_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryOpenSubKeys_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryOpenSubKeys_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryOpenSubKeys_Check_10_0_XXXX + jmp NtQueryOpenSubKeys_SystemCall_Unknown +NtQueryOpenSubKeys_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryOpenSubKeys_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryOpenSubKeys_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryOpenSubKeys_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryOpenSubKeys_SystemCall_6_3_XXXX + jmp NtQueryOpenSubKeys_SystemCall_Unknown +NtQueryOpenSubKeys_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtQueryOpenSubKeys_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryOpenSubKeys_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryOpenSubKeys_SystemCall_6_0_6002 + jmp NtQueryOpenSubKeys_SystemCall_Unknown +NtQueryOpenSubKeys_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryOpenSubKeys_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryOpenSubKeys_SystemCall_6_1_7601 + jmp NtQueryOpenSubKeys_SystemCall_Unknown +NtQueryOpenSubKeys_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQueryOpenSubKeys_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryOpenSubKeys_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryOpenSubKeys_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryOpenSubKeys_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryOpenSubKeys_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryOpenSubKeys_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryOpenSubKeys_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryOpenSubKeys_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryOpenSubKeys_SystemCall_10_0_18363 + jmp NtQueryOpenSubKeys_SystemCall_Unknown +NtQueryOpenSubKeys_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00d7h + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0121h + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 011ch + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 011ch + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0122h + jmp NtQueryOpenSubKeys_Epilogue 
+NtQueryOpenSubKeys_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0122h + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0134h + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0137h + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 013dh + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0140h + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0143h + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0149h + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 014ch + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 014eh + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 014fh + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0150h + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0150h + jmp NtQueryOpenSubKeys_Epilogue +NtQueryOpenSubKeys_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryOpenSubKeys_Epilogue: + mov r10, rcx + syscall + ret +NtQueryOpenSubKeys ENDP + +NtQueryOpenSubKeysEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryOpenSubKeysEx_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtQueryOpenSubKeysEx_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryOpenSubKeysEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryOpenSubKeysEx_Check_10_0_XXXX + jmp NtQueryOpenSubKeysEx_SystemCall_Unknown +NtQueryOpenSubKeysEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryOpenSubKeysEx_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryOpenSubKeysEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryOpenSubKeysEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryOpenSubKeysEx_SystemCall_6_3_XXXX + jmp NtQueryOpenSubKeysEx_SystemCall_Unknown +NtQueryOpenSubKeysEx_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryOpenSubKeysEx_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryOpenSubKeysEx_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryOpenSubKeysEx_SystemCall_6_0_6002 + jmp NtQueryOpenSubKeysEx_SystemCall_Unknown +NtQueryOpenSubKeysEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryOpenSubKeysEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryOpenSubKeysEx_SystemCall_6_1_7601 + jmp NtQueryOpenSubKeysEx_SystemCall_Unknown +NtQueryOpenSubKeysEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryOpenSubKeysEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryOpenSubKeysEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryOpenSubKeysEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryOpenSubKeysEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryOpenSubKeysEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryOpenSubKeysEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryOpenSubKeysEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryOpenSubKeysEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryOpenSubKeysEx_SystemCall_10_0_18363 + jmp NtQueryOpenSubKeysEx_SystemCall_Unknown +NtQueryOpenSubKeysEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00d8h + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0122h + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 011dh + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 011dh + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0123h + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0123h + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0135h + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0138h + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 013eh + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 0141h + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0144h + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 014ah + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 014dh + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 014fh + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0150h + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0151h + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0151h + jmp NtQueryOpenSubKeysEx_Epilogue +NtQueryOpenSubKeysEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryOpenSubKeysEx_Epilogue: + mov r10, rcx + syscall + ret +NtQueryOpenSubKeysEx ENDP + +NtQueryPerformanceCounter PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryPerformanceCounter_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryPerformanceCounter_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryPerformanceCounter_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryPerformanceCounter_Check_10_0_XXXX + jmp NtQueryPerformanceCounter_SystemCall_Unknown +NtQueryPerformanceCounter_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryPerformanceCounter_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryPerformanceCounter_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryPerformanceCounter_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryPerformanceCounter_SystemCall_6_3_XXXX + jmp NtQueryPerformanceCounter_SystemCall_Unknown +NtQueryPerformanceCounter_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryPerformanceCounter_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryPerformanceCounter_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryPerformanceCounter_SystemCall_6_0_6002 + jmp NtQueryPerformanceCounter_SystemCall_Unknown +NtQueryPerformanceCounter_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryPerformanceCounter_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryPerformanceCounter_SystemCall_6_1_7601 + jmp NtQueryPerformanceCounter_SystemCall_Unknown +NtQueryPerformanceCounter_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryPerformanceCounter_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryPerformanceCounter_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryPerformanceCounter_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryPerformanceCounter_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryPerformanceCounter_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryPerformanceCounter_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryPerformanceCounter_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryPerformanceCounter_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryPerformanceCounter_SystemCall_10_0_18363 + jmp NtQueryPerformanceCounter_SystemCall_Unknown +NtQueryPerformanceCounter_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 002eh + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 002eh + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 002eh + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 002eh + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 002eh + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 002eh + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 002fh + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0030h + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_10_0_10240: ; Windows 10.0.10240 
(1507) + mov eax, 0031h + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0031h + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0031h + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0031h + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0031h + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0031h + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0031h + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0031h + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0031h + jmp NtQueryPerformanceCounter_Epilogue +NtQueryPerformanceCounter_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryPerformanceCounter_Epilogue: + mov r10, rcx + syscall + ret +NtQueryPerformanceCounter ENDP + +NtQueryPortInformationProcess PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryPortInformationProcess_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryPortInformationProcess_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryPortInformationProcess_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryPortInformationProcess_Check_10_0_XXXX + jmp NtQueryPortInformationProcess_SystemCall_Unknown +NtQueryPortInformationProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryPortInformationProcess_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryPortInformationProcess_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryPortInformationProcess_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryPortInformationProcess_SystemCall_6_3_XXXX + jmp NtQueryPortInformationProcess_SystemCall_Unknown +NtQueryPortInformationProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryPortInformationProcess_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryPortInformationProcess_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryPortInformationProcess_SystemCall_6_0_6002 + jmp NtQueryPortInformationProcess_SystemCall_Unknown +NtQueryPortInformationProcess_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryPortInformationProcess_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryPortInformationProcess_SystemCall_6_1_7601 + jmp NtQueryPortInformationProcess_SystemCall_Unknown +NtQueryPortInformationProcess_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryPortInformationProcess_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryPortInformationProcess_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryPortInformationProcess_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryPortInformationProcess_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryPortInformationProcess_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryPortInformationProcess_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryPortInformationProcess_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryPortInformationProcess_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryPortInformationProcess_SystemCall_10_0_18363 + jmp NtQueryPortInformationProcess_SystemCall_Unknown +NtQueryPortInformationProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00d9h + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0123h + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 011eh + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 011eh + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0124h + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0124h + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0136h + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0139h + jmp 
NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 013fh + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0142h + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0145h + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 014bh + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 014eh + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0150h + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0151h + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0152h + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0152h + jmp NtQueryPortInformationProcess_Epilogue +NtQueryPortInformationProcess_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryPortInformationProcess_Epilogue: + mov r10, rcx + syscall + ret +NtQueryPortInformationProcess ENDP + +NtQueryQuotaInformationFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryQuotaInformationFile_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtQueryQuotaInformationFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryQuotaInformationFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryQuotaInformationFile_Check_10_0_XXXX + jmp NtQueryQuotaInformationFile_SystemCall_Unknown +NtQueryQuotaInformationFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryQuotaInformationFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryQuotaInformationFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryQuotaInformationFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryQuotaInformationFile_SystemCall_6_3_XXXX + jmp NtQueryQuotaInformationFile_SystemCall_Unknown +NtQueryQuotaInformationFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryQuotaInformationFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryQuotaInformationFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryQuotaInformationFile_SystemCall_6_0_6002 + jmp NtQueryQuotaInformationFile_SystemCall_Unknown +NtQueryQuotaInformationFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryQuotaInformationFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryQuotaInformationFile_SystemCall_6_1_7601 + jmp NtQueryQuotaInformationFile_SystemCall_Unknown +NtQueryQuotaInformationFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryQuotaInformationFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryQuotaInformationFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryQuotaInformationFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryQuotaInformationFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryQuotaInformationFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryQuotaInformationFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryQuotaInformationFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryQuotaInformationFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryQuotaInformationFile_SystemCall_10_0_18363 + jmp NtQueryQuotaInformationFile_SystemCall_Unknown +NtQueryQuotaInformationFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00dah + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0124h + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 011fh + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 011fh + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0125h + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0125h + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0137h + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 013ah + jmp NtQueryQuotaInformationFile_Epilogue 
+NtQueryQuotaInformationFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0140h + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0143h + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0146h + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 014ch + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 014fh + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0151h + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0152h + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0153h + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0153h + jmp NtQueryQuotaInformationFile_Epilogue +NtQueryQuotaInformationFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryQuotaInformationFile_Epilogue: + mov r10, rcx + syscall + ret +NtQueryQuotaInformationFile ENDP + +NtQuerySection PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQuerySection_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQuerySection_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQuerySection_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQuerySection_Check_10_0_XXXX + jmp NtQuerySection_SystemCall_Unknown +NtQuerySection_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQuerySection_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQuerySection_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySection_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySection_SystemCall_6_3_XXXX + jmp NtQuerySection_SystemCall_Unknown +NtQuerySection_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQuerySection_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQuerySection_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQuerySection_SystemCall_6_0_6002 + jmp NtQuerySection_SystemCall_Unknown +NtQuerySection_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQuerySection_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQuerySection_SystemCall_6_1_7601 + jmp NtQuerySection_SystemCall_Unknown +NtQuerySection_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQuerySection_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQuerySection_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQuerySection_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQuerySection_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQuerySection_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQuerySection_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQuerySection_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQuerySection_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQuerySection_SystemCall_10_0_18363 + jmp NtQuerySection_SystemCall_Unknown +NtQuerySection_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 004eh + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 004eh + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 004eh 
+ jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 004eh + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 004eh + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 004eh + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 004fh + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0050h + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0051h + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0051h + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0051h + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0051h + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0051h + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0051h + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0051h + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0051h + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0051h + jmp NtQuerySection_Epilogue +NtQuerySection_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQuerySection_Epilogue: + mov r10, rcx + syscall + ret +NtQuerySection ENDP + +NtQuerySecurityAttributesToken PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQuerySecurityAttributesToken_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtQuerySecurityAttributesToken_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQuerySecurityAttributesToken_Check_10_0_XXXX + jmp NtQuerySecurityAttributesToken_SystemCall_Unknown +NtQuerySecurityAttributesToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 1 + je NtQuerySecurityAttributesToken_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySecurityAttributesToken_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySecurityAttributesToken_SystemCall_6_3_XXXX + jmp NtQuerySecurityAttributesToken_SystemCall_Unknown +NtQuerySecurityAttributesToken_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQuerySecurityAttributesToken_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQuerySecurityAttributesToken_SystemCall_6_1_7601 + jmp NtQuerySecurityAttributesToken_SystemCall_Unknown +NtQuerySecurityAttributesToken_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQuerySecurityAttributesToken_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQuerySecurityAttributesToken_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQuerySecurityAttributesToken_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQuerySecurityAttributesToken_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQuerySecurityAttributesToken_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQuerySecurityAttributesToken_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQuerySecurityAttributesToken_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQuerySecurityAttributesToken_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQuerySecurityAttributesToken_SystemCall_10_0_18363 + jmp NtQuerySecurityAttributesToken_SystemCall_Unknown +NtQuerySecurityAttributesToken_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0126h + jmp NtQuerySecurityAttributesToken_Epilogue +NtQuerySecurityAttributesToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0126h + jmp NtQuerySecurityAttributesToken_Epilogue +NtQuerySecurityAttributesToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0138h + jmp NtQuerySecurityAttributesToken_Epilogue +NtQuerySecurityAttributesToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 013bh + jmp NtQuerySecurityAttributesToken_Epilogue +NtQuerySecurityAttributesToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0141h + jmp NtQuerySecurityAttributesToken_Epilogue +NtQuerySecurityAttributesToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0144h + jmp NtQuerySecurityAttributesToken_Epilogue +NtQuerySecurityAttributesToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0147h + jmp NtQuerySecurityAttributesToken_Epilogue +NtQuerySecurityAttributesToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 
014dh + jmp NtQuerySecurityAttributesToken_Epilogue +NtQuerySecurityAttributesToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0150h + jmp NtQuerySecurityAttributesToken_Epilogue +NtQuerySecurityAttributesToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0152h + jmp NtQuerySecurityAttributesToken_Epilogue +NtQuerySecurityAttributesToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0153h + jmp NtQuerySecurityAttributesToken_Epilogue +NtQuerySecurityAttributesToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0154h + jmp NtQuerySecurityAttributesToken_Epilogue +NtQuerySecurityAttributesToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0154h + jmp NtQuerySecurityAttributesToken_Epilogue +NtQuerySecurityAttributesToken_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQuerySecurityAttributesToken_Epilogue: + mov r10, rcx + syscall + ret +NtQuerySecurityAttributesToken ENDP + +NtQuerySecurityObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQuerySecurityObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQuerySecurityObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQuerySecurityObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQuerySecurityObject_Check_10_0_XXXX + jmp NtQuerySecurityObject_SystemCall_Unknown +NtQuerySecurityObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQuerySecurityObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQuerySecurityObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySecurityObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySecurityObject_SystemCall_6_3_XXXX + jmp NtQuerySecurityObject_SystemCall_Unknown +NtQuerySecurityObject_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtQuerySecurityObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQuerySecurityObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQuerySecurityObject_SystemCall_6_0_6002 + jmp NtQuerySecurityObject_SystemCall_Unknown +NtQuerySecurityObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQuerySecurityObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQuerySecurityObject_SystemCall_6_1_7601 + jmp NtQuerySecurityObject_SystemCall_Unknown +NtQuerySecurityObject_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQuerySecurityObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQuerySecurityObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQuerySecurityObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQuerySecurityObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQuerySecurityObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQuerySecurityObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQuerySecurityObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQuerySecurityObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQuerySecurityObject_SystemCall_10_0_18363 + jmp NtQuerySecurityObject_SystemCall_Unknown +NtQuerySecurityObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00dbh + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0125h + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0120h + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0120h + jmp NtQuerySecurityObject_Epilogue 
+NtQuerySecurityObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0127h + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0127h + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0139h + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 013ch + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0142h + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0145h + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0148h + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 014eh + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0151h + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0153h + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0154h + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0155h + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0155h + jmp NtQuerySecurityObject_Epilogue +NtQuerySecurityObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQuerySecurityObject_Epilogue: + mov r10, rcx + syscall + ret +NtQuerySecurityObject ENDP + +NtQuerySecurityPolicy PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQuerySecurityPolicy_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 10 + je NtQuerySecurityPolicy_Check_10_0_XXXX + jmp NtQuerySecurityPolicy_SystemCall_Unknown +NtQuerySecurityPolicy_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 14393 + je NtQuerySecurityPolicy_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQuerySecurityPolicy_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQuerySecurityPolicy_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQuerySecurityPolicy_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQuerySecurityPolicy_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQuerySecurityPolicy_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQuerySecurityPolicy_SystemCall_10_0_18363 + jmp NtQuerySecurityPolicy_SystemCall_Unknown +NtQuerySecurityPolicy_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0149h + jmp NtQuerySecurityPolicy_Epilogue +NtQuerySecurityPolicy_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 014fh + jmp NtQuerySecurityPolicy_Epilogue +NtQuerySecurityPolicy_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0152h + jmp NtQuerySecurityPolicy_Epilogue +NtQuerySecurityPolicy_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0154h + jmp NtQuerySecurityPolicy_Epilogue +NtQuerySecurityPolicy_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0155h + jmp NtQuerySecurityPolicy_Epilogue +NtQuerySecurityPolicy_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0156h + jmp NtQuerySecurityPolicy_Epilogue +NtQuerySecurityPolicy_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0156h + jmp NtQuerySecurityPolicy_Epilogue +NtQuerySecurityPolicy_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQuerySecurityPolicy_Epilogue: + mov r10, rcx + syscall + ret +NtQuerySecurityPolicy ENDP + +NtQuerySemaphore PROC + mov rax, gs:[60h] ; Load PEB into RAX. 
+NtQuerySemaphore_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQuerySemaphore_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQuerySemaphore_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQuerySemaphore_Check_10_0_XXXX + jmp NtQuerySemaphore_SystemCall_Unknown +NtQuerySemaphore_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQuerySemaphore_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQuerySemaphore_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySemaphore_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySemaphore_SystemCall_6_3_XXXX + jmp NtQuerySemaphore_SystemCall_Unknown +NtQuerySemaphore_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQuerySemaphore_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQuerySemaphore_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQuerySemaphore_SystemCall_6_0_6002 + jmp NtQuerySemaphore_SystemCall_Unknown +NtQuerySemaphore_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQuerySemaphore_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQuerySemaphore_SystemCall_6_1_7601 + jmp NtQuerySemaphore_SystemCall_Unknown +NtQuerySemaphore_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQuerySemaphore_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQuerySemaphore_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQuerySemaphore_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQuerySemaphore_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQuerySemaphore_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQuerySemaphore_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQuerySemaphore_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQuerySemaphore_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQuerySemaphore_SystemCall_10_0_18363 + jmp NtQuerySemaphore_SystemCall_Unknown +NtQuerySemaphore_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00dch + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0126h + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0121h + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0121h + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0128h + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0128h + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 013ah + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 013dh + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0143h + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0146h + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + 
mov eax, 014ah + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0150h + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0153h + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0155h + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0156h + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0157h + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0157h + jmp NtQuerySemaphore_Epilogue +NtQuerySemaphore_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQuerySemaphore_Epilogue: + mov r10, rcx + syscall + ret +NtQuerySemaphore ENDP + +NtQuerySymbolicLinkObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQuerySymbolicLinkObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQuerySymbolicLinkObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQuerySymbolicLinkObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQuerySymbolicLinkObject_Check_10_0_XXXX + jmp NtQuerySymbolicLinkObject_SystemCall_Unknown +NtQuerySymbolicLinkObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQuerySymbolicLinkObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQuerySymbolicLinkObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySymbolicLinkObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySymbolicLinkObject_SystemCall_6_3_XXXX + jmp NtQuerySymbolicLinkObject_SystemCall_Unknown +NtQuerySymbolicLinkObject_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtQuerySymbolicLinkObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQuerySymbolicLinkObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQuerySymbolicLinkObject_SystemCall_6_0_6002 + jmp NtQuerySymbolicLinkObject_SystemCall_Unknown +NtQuerySymbolicLinkObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQuerySymbolicLinkObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQuerySymbolicLinkObject_SystemCall_6_1_7601 + jmp NtQuerySymbolicLinkObject_SystemCall_Unknown +NtQuerySymbolicLinkObject_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQuerySymbolicLinkObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQuerySymbolicLinkObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQuerySymbolicLinkObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQuerySymbolicLinkObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQuerySymbolicLinkObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQuerySymbolicLinkObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQuerySymbolicLinkObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQuerySymbolicLinkObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQuerySymbolicLinkObject_SystemCall_10_0_18363 + jmp NtQuerySymbolicLinkObject_SystemCall_Unknown +NtQuerySymbolicLinkObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00ddh + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0127h + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0122h + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_6_0_6002: ; Windows Vista SP2 and 
Server 2008 SP2 + mov eax, 0122h + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0129h + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0129h + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 013bh + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 013eh + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0144h + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0147h + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 014bh + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0151h + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0154h + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0156h + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0157h + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0158h + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0158h + jmp NtQuerySymbolicLinkObject_Epilogue +NtQuerySymbolicLinkObject_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtQuerySymbolicLinkObject_Epilogue: + mov r10, rcx + syscall + ret +NtQuerySymbolicLinkObject ENDP + +NtQuerySystemEnvironmentValue PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQuerySystemEnvironmentValue_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQuerySystemEnvironmentValue_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQuerySystemEnvironmentValue_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQuerySystemEnvironmentValue_Check_10_0_XXXX + jmp NtQuerySystemEnvironmentValue_SystemCall_Unknown +NtQuerySystemEnvironmentValue_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQuerySystemEnvironmentValue_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQuerySystemEnvironmentValue_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySystemEnvironmentValue_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySystemEnvironmentValue_SystemCall_6_3_XXXX + jmp NtQuerySystemEnvironmentValue_SystemCall_Unknown +NtQuerySystemEnvironmentValue_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQuerySystemEnvironmentValue_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQuerySystemEnvironmentValue_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQuerySystemEnvironmentValue_SystemCall_6_0_6002 + jmp NtQuerySystemEnvironmentValue_SystemCall_Unknown +NtQuerySystemEnvironmentValue_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQuerySystemEnvironmentValue_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQuerySystemEnvironmentValue_SystemCall_6_1_7601 + jmp NtQuerySystemEnvironmentValue_SystemCall_Unknown +NtQuerySystemEnvironmentValue_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQuerySystemEnvironmentValue_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQuerySystemEnvironmentValue_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQuerySystemEnvironmentValue_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQuerySystemEnvironmentValue_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQuerySystemEnvironmentValue_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQuerySystemEnvironmentValue_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQuerySystemEnvironmentValue_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQuerySystemEnvironmentValue_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQuerySystemEnvironmentValue_SystemCall_10_0_18363 + jmp NtQuerySystemEnvironmentValue_SystemCall_Unknown +NtQuerySystemEnvironmentValue_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00deh + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0128h + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0123h + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0123h + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 012ah + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 012ah + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 013ch + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 013fh + jmp 
NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0145h + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0148h + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 014ch + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0152h + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0155h + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0157h + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0158h + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0159h + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0159h + jmp NtQuerySystemEnvironmentValue_Epilogue +NtQuerySystemEnvironmentValue_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQuerySystemEnvironmentValue_Epilogue: + mov r10, rcx + syscall + ret +NtQuerySystemEnvironmentValue ENDP + +NtQuerySystemEnvironmentValueEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQuerySystemEnvironmentValueEx_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtQuerySystemEnvironmentValueEx_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQuerySystemEnvironmentValueEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQuerySystemEnvironmentValueEx_Check_10_0_XXXX + jmp NtQuerySystemEnvironmentValueEx_SystemCall_Unknown +NtQuerySystemEnvironmentValueEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQuerySystemEnvironmentValueEx_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQuerySystemEnvironmentValueEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySystemEnvironmentValueEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySystemEnvironmentValueEx_SystemCall_6_3_XXXX + jmp NtQuerySystemEnvironmentValueEx_SystemCall_Unknown +NtQuerySystemEnvironmentValueEx_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQuerySystemEnvironmentValueEx_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQuerySystemEnvironmentValueEx_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQuerySystemEnvironmentValueEx_SystemCall_6_0_6002 + jmp NtQuerySystemEnvironmentValueEx_SystemCall_Unknown +NtQuerySystemEnvironmentValueEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQuerySystemEnvironmentValueEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQuerySystemEnvironmentValueEx_SystemCall_6_1_7601 + jmp NtQuerySystemEnvironmentValueEx_SystemCall_Unknown +NtQuerySystemEnvironmentValueEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQuerySystemEnvironmentValueEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQuerySystemEnvironmentValueEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQuerySystemEnvironmentValueEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQuerySystemEnvironmentValueEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQuerySystemEnvironmentValueEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQuerySystemEnvironmentValueEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQuerySystemEnvironmentValueEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQuerySystemEnvironmentValueEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQuerySystemEnvironmentValueEx_SystemCall_10_0_18363 + jmp NtQuerySystemEnvironmentValueEx_SystemCall_Unknown +NtQuerySystemEnvironmentValueEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00dfh + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0129h + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0124h + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0124h + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 012bh + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 012bh + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 013dh + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_6_3_XXXX: ; Windows 8.1 
and Server 2012 R2 + mov eax, 0140h + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0146h + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0149h + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 014dh + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0153h + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0156h + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0158h + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0159h + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 015ah + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 015ah + jmp NtQuerySystemEnvironmentValueEx_Epilogue +NtQuerySystemEnvironmentValueEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQuerySystemEnvironmentValueEx_Epilogue: + mov r10, rcx + syscall + ret +NtQuerySystemEnvironmentValueEx ENDP + +NtQuerySystemInformation PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQuerySystemInformation_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtQuerySystemInformation_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQuerySystemInformation_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQuerySystemInformation_Check_10_0_XXXX + jmp NtQuerySystemInformation_SystemCall_Unknown +NtQuerySystemInformation_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQuerySystemInformation_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQuerySystemInformation_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySystemInformation_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySystemInformation_SystemCall_6_3_XXXX + jmp NtQuerySystemInformation_SystemCall_Unknown +NtQuerySystemInformation_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQuerySystemInformation_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQuerySystemInformation_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQuerySystemInformation_SystemCall_6_0_6002 + jmp NtQuerySystemInformation_SystemCall_Unknown +NtQuerySystemInformation_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQuerySystemInformation_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQuerySystemInformation_SystemCall_6_1_7601 + jmp NtQuerySystemInformation_SystemCall_Unknown +NtQuerySystemInformation_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQuerySystemInformation_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQuerySystemInformation_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQuerySystemInformation_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQuerySystemInformation_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQuerySystemInformation_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQuerySystemInformation_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQuerySystemInformation_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQuerySystemInformation_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQuerySystemInformation_SystemCall_10_0_18363 + jmp NtQuerySystemInformation_SystemCall_Unknown +NtQuerySystemInformation_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0033h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0033h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0033h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0033h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0033h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0033h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0034h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0035h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0036h + 
jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0036h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0036h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0036h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0036h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0036h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0036h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0036h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0036h + jmp NtQuerySystemInformation_Epilogue +NtQuerySystemInformation_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQuerySystemInformation_Epilogue: + mov r10, rcx + syscall + ret +NtQuerySystemInformation ENDP + +NtQuerySystemInformationEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQuerySystemInformationEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtQuerySystemInformationEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQuerySystemInformationEx_Check_10_0_XXXX + jmp NtQuerySystemInformationEx_SystemCall_Unknown +NtQuerySystemInformationEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 1 + je NtQuerySystemInformationEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySystemInformationEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySystemInformationEx_SystemCall_6_3_XXXX + jmp NtQuerySystemInformationEx_SystemCall_Unknown +NtQuerySystemInformationEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQuerySystemInformationEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQuerySystemInformationEx_SystemCall_6_1_7601 + jmp NtQuerySystemInformationEx_SystemCall_Unknown +NtQuerySystemInformationEx_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQuerySystemInformationEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQuerySystemInformationEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQuerySystemInformationEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQuerySystemInformationEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQuerySystemInformationEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQuerySystemInformationEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQuerySystemInformationEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQuerySystemInformationEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQuerySystemInformationEx_SystemCall_10_0_18363 + jmp NtQuerySystemInformationEx_SystemCall_Unknown +NtQuerySystemInformationEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 012ch + jmp NtQuerySystemInformationEx_Epilogue +NtQuerySystemInformationEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 012ch + jmp NtQuerySystemInformationEx_Epilogue +NtQuerySystemInformationEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 013eh + jmp NtQuerySystemInformationEx_Epilogue +NtQuerySystemInformationEx_SystemCall_6_3_XXXX: ; Windows 8.1 and 
Server 2012 R2 + mov eax, 0141h + jmp NtQuerySystemInformationEx_Epilogue +NtQuerySystemInformationEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0147h + jmp NtQuerySystemInformationEx_Epilogue +NtQuerySystemInformationEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 014ah + jmp NtQuerySystemInformationEx_Epilogue +NtQuerySystemInformationEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 014eh + jmp NtQuerySystemInformationEx_Epilogue +NtQuerySystemInformationEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0154h + jmp NtQuerySystemInformationEx_Epilogue +NtQuerySystemInformationEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0157h + jmp NtQuerySystemInformationEx_Epilogue +NtQuerySystemInformationEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0159h + jmp NtQuerySystemInformationEx_Epilogue +NtQuerySystemInformationEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 015ah + jmp NtQuerySystemInformationEx_Epilogue +NtQuerySystemInformationEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 015bh + jmp NtQuerySystemInformationEx_Epilogue +NtQuerySystemInformationEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 015bh + jmp NtQuerySystemInformationEx_Epilogue +NtQuerySystemInformationEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQuerySystemInformationEx_Epilogue: + mov r10, rcx + syscall + ret +NtQuerySystemInformationEx ENDP + +NtQuerySystemTime PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQuerySystemTime_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQuerySystemTime_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQuerySystemTime_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQuerySystemTime_Check_10_0_XXXX + jmp NtQuerySystemTime_SystemCall_Unknown +NtQuerySystemTime_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQuerySystemTime_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQuerySystemTime_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySystemTime_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQuerySystemTime_SystemCall_6_3_XXXX + jmp NtQuerySystemTime_SystemCall_Unknown +NtQuerySystemTime_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQuerySystemTime_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQuerySystemTime_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQuerySystemTime_SystemCall_6_0_6002 + jmp NtQuerySystemTime_SystemCall_Unknown +NtQuerySystemTime_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQuerySystemTime_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQuerySystemTime_SystemCall_6_1_7601 + jmp NtQuerySystemTime_SystemCall_Unknown +NtQuerySystemTime_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQuerySystemTime_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQuerySystemTime_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQuerySystemTime_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQuerySystemTime_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQuerySystemTime_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQuerySystemTime_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQuerySystemTime_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQuerySystemTime_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQuerySystemTime_SystemCall_10_0_18363 + jmp NtQuerySystemTime_SystemCall_Unknown +NtQuerySystemTime_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0057h + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0057h + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0057h + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0057h + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0057h + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0057h + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0058h + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0059h + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 005ah + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 005ah + jmp NtQuerySystemTime_Epilogue 
+NtQuerySystemTime_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 005ah + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 005ah + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 005ah + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 005ah + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 005ah + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 005ah + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 005ah + jmp NtQuerySystemTime_Epilogue +NtQuerySystemTime_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQuerySystemTime_Epilogue: + mov r10, rcx + syscall + ret +NtQuerySystemTime ENDP + +NtQueryTimer PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryTimer_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryTimer_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryTimer_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryTimer_Check_10_0_XXXX + jmp NtQueryTimer_SystemCall_Unknown +NtQueryTimer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryTimer_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryTimer_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryTimer_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryTimer_SystemCall_6_3_XXXX + jmp NtQueryTimer_SystemCall_Unknown +NtQueryTimer_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtQueryTimer_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryTimer_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryTimer_SystemCall_6_0_6002 + jmp NtQueryTimer_SystemCall_Unknown +NtQueryTimer_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryTimer_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryTimer_SystemCall_6_1_7601 + jmp NtQueryTimer_SystemCall_Unknown +NtQueryTimer_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQueryTimer_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryTimer_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryTimer_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryTimer_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryTimer_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryTimer_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryTimer_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryTimer_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryTimer_SystemCall_10_0_18363 + jmp NtQueryTimer_SystemCall_Unknown +NtQueryTimer_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0035h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0035h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0035h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0035h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0035h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0035h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + 
mov eax, 0036h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0037h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0038h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0038h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0038h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0038h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0038h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0038h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0038h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0038h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0038h + jmp NtQueryTimer_Epilogue +NtQueryTimer_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryTimer_Epilogue: + mov r10, rcx + syscall + ret +NtQueryTimer ENDP + +NtQueryTimerResolution PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryTimerResolution_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryTimerResolution_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryTimerResolution_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryTimerResolution_Check_10_0_XXXX + jmp NtQueryTimerResolution_SystemCall_Unknown +NtQueryTimerResolution_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryTimerResolution_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryTimerResolution_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryTimerResolution_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryTimerResolution_SystemCall_6_3_XXXX + jmp NtQueryTimerResolution_SystemCall_Unknown +NtQueryTimerResolution_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryTimerResolution_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryTimerResolution_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryTimerResolution_SystemCall_6_0_6002 + jmp NtQueryTimerResolution_SystemCall_Unknown +NtQueryTimerResolution_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryTimerResolution_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryTimerResolution_SystemCall_6_1_7601 + jmp NtQueryTimerResolution_SystemCall_Unknown +NtQueryTimerResolution_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryTimerResolution_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryTimerResolution_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryTimerResolution_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryTimerResolution_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryTimerResolution_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryTimerResolution_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryTimerResolution_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryTimerResolution_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryTimerResolution_SystemCall_10_0_18363 + jmp NtQueryTimerResolution_SystemCall_Unknown +NtQueryTimerResolution_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00e0h + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 012ah + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0125h + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0125h + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 012dh + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 012dh + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 013fh + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0142h + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0148h + jmp NtQueryTimerResolution_Epilogue 
+NtQueryTimerResolution_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 014bh + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 014fh + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0155h + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0158h + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 015ah + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 015bh + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 015ch + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 015ch + jmp NtQueryTimerResolution_Epilogue +NtQueryTimerResolution_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryTimerResolution_Epilogue: + mov r10, rcx + syscall + ret +NtQueryTimerResolution ENDP + +NtQueryValueKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryValueKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryValueKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryValueKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryValueKey_Check_10_0_XXXX + jmp NtQueryValueKey_SystemCall_Unknown +NtQueryValueKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryValueKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryValueKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryValueKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryValueKey_SystemCall_6_3_XXXX + jmp NtQueryValueKey_SystemCall_Unknown +NtQueryValueKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryValueKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryValueKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryValueKey_SystemCall_6_0_6002 + jmp NtQueryValueKey_SystemCall_Unknown +NtQueryValueKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryValueKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryValueKey_SystemCall_6_1_7601 + jmp NtQueryValueKey_SystemCall_Unknown +NtQueryValueKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQueryValueKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryValueKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryValueKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryValueKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryValueKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryValueKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryValueKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryValueKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryValueKey_SystemCall_10_0_18363 + jmp NtQueryValueKey_SystemCall_Unknown +NtQueryValueKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0014h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0014h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_6_0_6001: ; Windows Vista SP1 and 
Server 2008 SP0 + mov eax, 0014h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0014h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0014h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0014h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0015h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0016h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0017h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0017h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0017h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0017h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0017h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0017h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0017h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0017h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0017h + jmp NtQueryValueKey_Epilogue +NtQueryValueKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryValueKey_Epilogue: + mov r10, rcx + syscall + ret +NtQueryValueKey ENDP + +NtQueryVirtualMemory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryVirtualMemory_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtQueryVirtualMemory_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryVirtualMemory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryVirtualMemory_Check_10_0_XXXX + jmp NtQueryVirtualMemory_SystemCall_Unknown +NtQueryVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueryVirtualMemory_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryVirtualMemory_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryVirtualMemory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryVirtualMemory_SystemCall_6_3_XXXX + jmp NtQueryVirtualMemory_SystemCall_Unknown +NtQueryVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryVirtualMemory_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryVirtualMemory_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryVirtualMemory_SystemCall_6_0_6002 + jmp NtQueryVirtualMemory_SystemCall_Unknown +NtQueryVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryVirtualMemory_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryVirtualMemory_SystemCall_6_1_7601 + jmp NtQueryVirtualMemory_SystemCall_Unknown +NtQueryVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryVirtualMemory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryVirtualMemory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryVirtualMemory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryVirtualMemory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryVirtualMemory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryVirtualMemory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryVirtualMemory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryVirtualMemory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryVirtualMemory_SystemCall_10_0_18363 + jmp NtQueryVirtualMemory_SystemCall_Unknown +NtQueryVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0020h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0020h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0020h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0020h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0020h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0020h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0021h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0022h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0023h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 0023h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0023h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0023h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0023h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0023h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0023h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0023h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0023h + jmp NtQueryVirtualMemory_Epilogue +NtQueryVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryVirtualMemory_Epilogue: + mov r10, rcx + syscall + ret +NtQueryVirtualMemory ENDP + +NtQueryVolumeInformationFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryVolumeInformationFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueryVolumeInformationFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueryVolumeInformationFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryVolumeInformationFile_Check_10_0_XXXX + jmp NtQueryVolumeInformationFile_SystemCall_Unknown +NtQueryVolumeInformationFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtQueryVolumeInformationFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueryVolumeInformationFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryVolumeInformationFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryVolumeInformationFile_SystemCall_6_3_XXXX + jmp NtQueryVolumeInformationFile_SystemCall_Unknown +NtQueryVolumeInformationFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueryVolumeInformationFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueryVolumeInformationFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueryVolumeInformationFile_SystemCall_6_0_6002 + jmp NtQueryVolumeInformationFile_SystemCall_Unknown +NtQueryVolumeInformationFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtQueryVolumeInformationFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueryVolumeInformationFile_SystemCall_6_1_7601 + jmp NtQueryVolumeInformationFile_SystemCall_Unknown +NtQueryVolumeInformationFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryVolumeInformationFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryVolumeInformationFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryVolumeInformationFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryVolumeInformationFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryVolumeInformationFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryVolumeInformationFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryVolumeInformationFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryVolumeInformationFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryVolumeInformationFile_SystemCall_10_0_18363 + jmp NtQueryVolumeInformationFile_SystemCall_Unknown +NtQueryVolumeInformationFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0046h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0046h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0046h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0046h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0046h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0046h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0047h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0048h + jmp 
NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0049h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0049h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0049h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0049h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0049h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0049h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0049h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0049h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0049h + jmp NtQueryVolumeInformationFile_Epilogue +NtQueryVolumeInformationFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryVolumeInformationFile_Epilogue: + mov r10, rcx + syscall + ret +NtQueryVolumeInformationFile ENDP + +NtQueryWnfStateData PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryWnfStateData_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtQueryWnfStateData_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryWnfStateData_Check_10_0_XXXX + jmp NtQueryWnfStateData_SystemCall_Unknown +NtQueryWnfStateData_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 2 + je NtQueryWnfStateData_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryWnfStateData_SystemCall_6_3_XXXX + jmp NtQueryWnfStateData_SystemCall_Unknown +NtQueryWnfStateData_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQueryWnfStateData_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryWnfStateData_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryWnfStateData_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryWnfStateData_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryWnfStateData_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryWnfStateData_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryWnfStateData_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryWnfStateData_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryWnfStateData_SystemCall_10_0_18363 + jmp NtQueryWnfStateData_SystemCall_Unknown +NtQueryWnfStateData_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0140h + jmp NtQueryWnfStateData_Epilogue +NtQueryWnfStateData_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0143h + jmp NtQueryWnfStateData_Epilogue +NtQueryWnfStateData_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0149h + jmp NtQueryWnfStateData_Epilogue +NtQueryWnfStateData_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 014ch + jmp NtQueryWnfStateData_Epilogue +NtQueryWnfStateData_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0150h + jmp NtQueryWnfStateData_Epilogue +NtQueryWnfStateData_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0156h + jmp NtQueryWnfStateData_Epilogue +NtQueryWnfStateData_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0159h + jmp NtQueryWnfStateData_Epilogue +NtQueryWnfStateData_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 
015bh + jmp NtQueryWnfStateData_Epilogue +NtQueryWnfStateData_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 015ch + jmp NtQueryWnfStateData_Epilogue +NtQueryWnfStateData_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 015dh + jmp NtQueryWnfStateData_Epilogue +NtQueryWnfStateData_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 015dh + jmp NtQueryWnfStateData_Epilogue +NtQueryWnfStateData_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryWnfStateData_Epilogue: + mov r10, rcx + syscall + ret +NtQueryWnfStateData ENDP + +NtQueryWnfStateNameInformation PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueryWnfStateNameInformation_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtQueryWnfStateNameInformation_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueryWnfStateNameInformation_Check_10_0_XXXX + jmp NtQueryWnfStateNameInformation_SystemCall_Unknown +NtQueryWnfStateNameInformation_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtQueryWnfStateNameInformation_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueryWnfStateNameInformation_SystemCall_6_3_XXXX + jmp NtQueryWnfStateNameInformation_SystemCall_Unknown +NtQueryWnfStateNameInformation_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtQueryWnfStateNameInformation_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueryWnfStateNameInformation_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueryWnfStateNameInformation_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueryWnfStateNameInformation_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueryWnfStateNameInformation_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueryWnfStateNameInformation_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueryWnfStateNameInformation_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueryWnfStateNameInformation_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueryWnfStateNameInformation_SystemCall_10_0_18363 + jmp NtQueryWnfStateNameInformation_SystemCall_Unknown +NtQueryWnfStateNameInformation_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0141h + jmp NtQueryWnfStateNameInformation_Epilogue +NtQueryWnfStateNameInformation_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0144h + jmp NtQueryWnfStateNameInformation_Epilogue +NtQueryWnfStateNameInformation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 014ah + jmp NtQueryWnfStateNameInformation_Epilogue +NtQueryWnfStateNameInformation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 014dh + jmp NtQueryWnfStateNameInformation_Epilogue +NtQueryWnfStateNameInformation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0151h + jmp NtQueryWnfStateNameInformation_Epilogue +NtQueryWnfStateNameInformation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0157h + jmp NtQueryWnfStateNameInformation_Epilogue +NtQueryWnfStateNameInformation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 015ah + jmp NtQueryWnfStateNameInformation_Epilogue +NtQueryWnfStateNameInformation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov 
eax, 015ch + jmp NtQueryWnfStateNameInformation_Epilogue +NtQueryWnfStateNameInformation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 015dh + jmp NtQueryWnfStateNameInformation_Epilogue +NtQueryWnfStateNameInformation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 015eh + jmp NtQueryWnfStateNameInformation_Epilogue +NtQueryWnfStateNameInformation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 015eh + jmp NtQueryWnfStateNameInformation_Epilogue +NtQueryWnfStateNameInformation_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueryWnfStateNameInformation_Epilogue: + mov r10, rcx + syscall + ret +NtQueryWnfStateNameInformation ENDP + +NtQueueApcThread PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueueApcThread_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtQueueApcThread_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtQueueApcThread_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueueApcThread_Check_10_0_XXXX + jmp NtQueueApcThread_SystemCall_Unknown +NtQueueApcThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtQueueApcThread_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtQueueApcThread_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueueApcThread_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueueApcThread_SystemCall_6_3_XXXX + jmp NtQueueApcThread_SystemCall_Unknown +NtQueueApcThread_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtQueueApcThread_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtQueueApcThread_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtQueueApcThread_SystemCall_6_0_6002 + jmp NtQueueApcThread_SystemCall_Unknown +NtQueueApcThread_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtQueueApcThread_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueueApcThread_SystemCall_6_1_7601 + jmp NtQueueApcThread_SystemCall_Unknown +NtQueueApcThread_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQueueApcThread_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueueApcThread_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueueApcThread_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueueApcThread_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueueApcThread_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueueApcThread_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueueApcThread_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueueApcThread_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueueApcThread_SystemCall_10_0_18363 + jmp NtQueueApcThread_SystemCall_Unknown +NtQueueApcThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0042h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0042h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0042h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0042h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0042h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0042h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0043h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0044h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_10_0_10240: ; 
Windows 10.0.10240 (1507) + mov eax, 0045h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0045h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0045h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0045h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0045h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0045h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0045h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0045h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0045h + jmp NtQueueApcThread_Epilogue +NtQueueApcThread_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueueApcThread_Epilogue: + mov r10, rcx + syscall + ret +NtQueueApcThread ENDP + +NtQueueApcThreadEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtQueueApcThreadEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtQueueApcThreadEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtQueueApcThreadEx_Check_10_0_XXXX + jmp NtQueueApcThreadEx_SystemCall_Unknown +NtQueueApcThreadEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 1 + je NtQueueApcThreadEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueueApcThreadEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtQueueApcThreadEx_SystemCall_6_3_XXXX + jmp NtQueueApcThreadEx_SystemCall_Unknown +NtQueueApcThreadEx_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtQueueApcThreadEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtQueueApcThreadEx_SystemCall_6_1_7601 + jmp NtQueueApcThreadEx_SystemCall_Unknown +NtQueueApcThreadEx_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtQueueApcThreadEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtQueueApcThreadEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtQueueApcThreadEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtQueueApcThreadEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtQueueApcThreadEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtQueueApcThreadEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtQueueApcThreadEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtQueueApcThreadEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtQueueApcThreadEx_SystemCall_10_0_18363 + jmp NtQueueApcThreadEx_SystemCall_Unknown +NtQueueApcThreadEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 012eh + jmp NtQueueApcThreadEx_Epilogue +NtQueueApcThreadEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 012eh + jmp NtQueueApcThreadEx_Epilogue +NtQueueApcThreadEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0142h + jmp NtQueueApcThreadEx_Epilogue +NtQueueApcThreadEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0145h + jmp NtQueueApcThreadEx_Epilogue +NtQueueApcThreadEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 014bh + jmp NtQueueApcThreadEx_Epilogue +NtQueueApcThreadEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 014eh + jmp NtQueueApcThreadEx_Epilogue +NtQueueApcThreadEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0152h + jmp NtQueueApcThreadEx_Epilogue +NtQueueApcThreadEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0158h + jmp 
NtQueueApcThreadEx_Epilogue +NtQueueApcThreadEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 015bh + jmp NtQueueApcThreadEx_Epilogue +NtQueueApcThreadEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 015dh + jmp NtQueueApcThreadEx_Epilogue +NtQueueApcThreadEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 015eh + jmp NtQueueApcThreadEx_Epilogue +NtQueueApcThreadEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 015fh + jmp NtQueueApcThreadEx_Epilogue +NtQueueApcThreadEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 015fh + jmp NtQueueApcThreadEx_Epilogue +NtQueueApcThreadEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtQueueApcThreadEx_Epilogue: + mov r10, rcx + syscall + ret +NtQueueApcThreadEx ENDP + +NtRaiseException PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRaiseException_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtRaiseException_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtRaiseException_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRaiseException_Check_10_0_XXXX + jmp NtRaiseException_SystemCall_Unknown +NtRaiseException_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRaiseException_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRaiseException_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRaiseException_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRaiseException_SystemCall_6_3_XXXX + jmp NtRaiseException_SystemCall_Unknown +NtRaiseException_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtRaiseException_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRaiseException_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRaiseException_SystemCall_6_0_6002 + jmp NtRaiseException_SystemCall_Unknown +NtRaiseException_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtRaiseException_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRaiseException_SystemCall_6_1_7601 + jmp NtRaiseException_SystemCall_Unknown +NtRaiseException_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtRaiseException_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRaiseException_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRaiseException_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRaiseException_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRaiseException_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRaiseException_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRaiseException_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRaiseException_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRaiseException_SystemCall_10_0_18363 + jmp NtRaiseException_SystemCall_Unknown +NtRaiseException_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00e1h + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 012bh + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0126h + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0126h + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 012fh + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 012fh + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0143h + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0146h + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_10_0_10240: ; 
Windows 10.0.10240 (1507) + mov eax, 014ch + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 014fh + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0153h + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0159h + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 015ch + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 015eh + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 015fh + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0160h + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0160h + jmp NtRaiseException_Epilogue +NtRaiseException_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRaiseException_Epilogue: + mov r10, rcx + syscall + ret +NtRaiseException ENDP + +NtRaiseHardError PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRaiseHardError_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtRaiseHardError_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtRaiseHardError_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRaiseHardError_Check_10_0_XXXX + jmp NtRaiseHardError_SystemCall_Unknown +NtRaiseHardError_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtRaiseHardError_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRaiseHardError_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRaiseHardError_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRaiseHardError_SystemCall_6_3_XXXX + jmp NtRaiseHardError_SystemCall_Unknown +NtRaiseHardError_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtRaiseHardError_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRaiseHardError_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRaiseHardError_SystemCall_6_0_6002 + jmp NtRaiseHardError_SystemCall_Unknown +NtRaiseHardError_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRaiseHardError_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRaiseHardError_SystemCall_6_1_7601 + jmp NtRaiseHardError_SystemCall_Unknown +NtRaiseHardError_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtRaiseHardError_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRaiseHardError_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRaiseHardError_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRaiseHardError_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRaiseHardError_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRaiseHardError_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRaiseHardError_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRaiseHardError_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRaiseHardError_SystemCall_10_0_18363 + jmp NtRaiseHardError_SystemCall_Unknown +NtRaiseHardError_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00e2h + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 012ch + jmp NtRaiseHardError_Epilogue 
+NtRaiseHardError_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0127h + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0127h + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0130h + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0130h + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0144h + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0147h + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 014dh + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0150h + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0154h + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 015ah + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 015dh + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 015fh + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0160h + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0161h + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0161h + jmp NtRaiseHardError_Epilogue +NtRaiseHardError_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtRaiseHardError_Epilogue: + mov r10, rcx + syscall + ret +NtRaiseHardError ENDP + +NtReadFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReadFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtReadFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtReadFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReadFile_Check_10_0_XXXX + jmp NtReadFile_SystemCall_Unknown +NtReadFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtReadFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReadFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReadFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReadFile_SystemCall_6_3_XXXX + jmp NtReadFile_SystemCall_Unknown +NtReadFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtReadFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReadFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReadFile_SystemCall_6_0_6002 + jmp NtReadFile_SystemCall_Unknown +NtReadFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtReadFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReadFile_SystemCall_6_1_7601 + jmp NtReadFile_SystemCall_Unknown +NtReadFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtReadFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReadFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReadFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReadFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReadFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReadFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReadFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReadFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReadFile_SystemCall_10_0_18363 + jmp NtReadFile_SystemCall_Unknown +NtReadFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0003h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0003h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0003h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0003h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0003h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0003h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0004h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0005h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0006h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0006h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0006h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0006h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_10_0_16299: ; 
Windows 10.0.16299 (1709) + mov eax, 0006h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0006h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0006h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0006h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0006h + jmp NtReadFile_Epilogue +NtReadFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReadFile_Epilogue: + mov r10, rcx + syscall + ret +NtReadFile ENDP + +NtReadFileScatter PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReadFileScatter_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtReadFileScatter_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtReadFileScatter_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReadFileScatter_Check_10_0_XXXX + jmp NtReadFileScatter_SystemCall_Unknown +NtReadFileScatter_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtReadFileScatter_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReadFileScatter_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReadFileScatter_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReadFileScatter_SystemCall_6_3_XXXX + jmp NtReadFileScatter_SystemCall_Unknown +NtReadFileScatter_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtReadFileScatter_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReadFileScatter_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReadFileScatter_SystemCall_6_0_6002 + jmp NtReadFileScatter_SystemCall_Unknown +NtReadFileScatter_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtReadFileScatter_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReadFileScatter_SystemCall_6_1_7601 + jmp NtReadFileScatter_SystemCall_Unknown +NtReadFileScatter_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtReadFileScatter_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReadFileScatter_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReadFileScatter_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReadFileScatter_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReadFileScatter_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReadFileScatter_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReadFileScatter_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReadFileScatter_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReadFileScatter_SystemCall_10_0_18363 + jmp NtReadFileScatter_SystemCall_Unknown +NtReadFileScatter_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 002bh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 002bh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 002bh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 002bh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 002bh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 002bh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 002ch + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 002dh + jmp NtReadFileScatter_Epilogue 
+NtReadFileScatter_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 002eh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 002eh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 002eh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 002eh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 002eh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 002eh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 002eh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 002eh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 002eh + jmp NtReadFileScatter_Epilogue +NtReadFileScatter_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReadFileScatter_Epilogue: + mov r10, rcx + syscall + ret +NtReadFileScatter ENDP + +NtReadOnlyEnlistment PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReadOnlyEnlistment_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtReadOnlyEnlistment_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReadOnlyEnlistment_Check_10_0_XXXX + jmp NtReadOnlyEnlistment_SystemCall_Unknown +NtReadOnlyEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtReadOnlyEnlistment_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReadOnlyEnlistment_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReadOnlyEnlistment_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReadOnlyEnlistment_SystemCall_6_3_XXXX + jmp NtReadOnlyEnlistment_SystemCall_Unknown +NtReadOnlyEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtReadOnlyEnlistment_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReadOnlyEnlistment_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReadOnlyEnlistment_SystemCall_6_0_6002 + jmp NtReadOnlyEnlistment_SystemCall_Unknown +NtReadOnlyEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtReadOnlyEnlistment_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReadOnlyEnlistment_SystemCall_6_1_7601 + jmp NtReadOnlyEnlistment_SystemCall_Unknown +NtReadOnlyEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtReadOnlyEnlistment_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReadOnlyEnlistment_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReadOnlyEnlistment_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReadOnlyEnlistment_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReadOnlyEnlistment_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReadOnlyEnlistment_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReadOnlyEnlistment_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReadOnlyEnlistment_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReadOnlyEnlistment_SystemCall_10_0_18363 + jmp NtReadOnlyEnlistment_SystemCall_Unknown +NtReadOnlyEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 012dh + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0128h + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0128h + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0131h + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0131h + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0145h + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0148h + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 014eh + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0151h + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + 
mov eax, 0155h + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 015bh + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 015eh + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0160h + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0161h + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0162h + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0162h + jmp NtReadOnlyEnlistment_Epilogue +NtReadOnlyEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReadOnlyEnlistment_Epilogue: + mov r10, rcx + syscall + ret +NtReadOnlyEnlistment ENDP + +NtReadRequestData PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReadRequestData_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtReadRequestData_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtReadRequestData_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReadRequestData_Check_10_0_XXXX + jmp NtReadRequestData_SystemCall_Unknown +NtReadRequestData_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtReadRequestData_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReadRequestData_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReadRequestData_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReadRequestData_SystemCall_6_3_XXXX + jmp NtReadRequestData_SystemCall_Unknown +NtReadRequestData_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtReadRequestData_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReadRequestData_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReadRequestData_SystemCall_6_0_6002 + jmp NtReadRequestData_SystemCall_Unknown +NtReadRequestData_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtReadRequestData_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReadRequestData_SystemCall_6_1_7601 + jmp NtReadRequestData_SystemCall_Unknown +NtReadRequestData_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtReadRequestData_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReadRequestData_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReadRequestData_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReadRequestData_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReadRequestData_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReadRequestData_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReadRequestData_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReadRequestData_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReadRequestData_SystemCall_10_0_18363 + jmp NtReadRequestData_SystemCall_Unknown +NtReadRequestData_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0051h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0051h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0051h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0051h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0051h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_6_1_7601: 
; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0051h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0052h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0053h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0054h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0054h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0054h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0054h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0054h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0054h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0054h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0054h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0054h + jmp NtReadRequestData_Epilogue +NtReadRequestData_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReadRequestData_Epilogue: + mov r10, rcx + syscall + ret +NtReadRequestData ENDP + +NtReadVirtualMemory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReadVirtualMemory_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtReadVirtualMemory_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtReadVirtualMemory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReadVirtualMemory_Check_10_0_XXXX + jmp NtReadVirtualMemory_SystemCall_Unknown +NtReadVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtReadVirtualMemory_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReadVirtualMemory_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReadVirtualMemory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReadVirtualMemory_SystemCall_6_3_XXXX + jmp NtReadVirtualMemory_SystemCall_Unknown +NtReadVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtReadVirtualMemory_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReadVirtualMemory_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReadVirtualMemory_SystemCall_6_0_6002 + jmp NtReadVirtualMemory_SystemCall_Unknown +NtReadVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtReadVirtualMemory_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReadVirtualMemory_SystemCall_6_1_7601 + jmp NtReadVirtualMemory_SystemCall_Unknown +NtReadVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtReadVirtualMemory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReadVirtualMemory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReadVirtualMemory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReadVirtualMemory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReadVirtualMemory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReadVirtualMemory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReadVirtualMemory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReadVirtualMemory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReadVirtualMemory_SystemCall_10_0_18363 + jmp NtReadVirtualMemory_SystemCall_Unknown +NtReadVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 003ch + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 003ch + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 003ch + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 003ch + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 003ch + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 003ch + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 003dh + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 003eh + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 003fh + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 003fh + jmp 
NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 003fh + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 003fh + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 003fh + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 003fh + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 003fh + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 003fh + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 003fh + jmp NtReadVirtualMemory_Epilogue +NtReadVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReadVirtualMemory_Epilogue: + mov r10, rcx + syscall + ret +NtReadVirtualMemory ENDP + +NtRecoverEnlistment PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRecoverEnlistment_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtRecoverEnlistment_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRecoverEnlistment_Check_10_0_XXXX + jmp NtRecoverEnlistment_SystemCall_Unknown +NtRecoverEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRecoverEnlistment_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRecoverEnlistment_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRecoverEnlistment_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRecoverEnlistment_SystemCall_6_3_XXXX + jmp NtRecoverEnlistment_SystemCall_Unknown +NtRecoverEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtRecoverEnlistment_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRecoverEnlistment_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRecoverEnlistment_SystemCall_6_0_6002 + jmp NtRecoverEnlistment_SystemCall_Unknown +NtRecoverEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRecoverEnlistment_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRecoverEnlistment_SystemCall_6_1_7601 + jmp NtRecoverEnlistment_SystemCall_Unknown +NtRecoverEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtRecoverEnlistment_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRecoverEnlistment_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRecoverEnlistment_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRecoverEnlistment_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRecoverEnlistment_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRecoverEnlistment_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRecoverEnlistment_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRecoverEnlistment_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRecoverEnlistment_SystemCall_10_0_18363 + jmp NtRecoverEnlistment_SystemCall_Unknown +NtRecoverEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 012eh + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0129h + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0129h + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0132h + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0132h + jmp 
NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0146h + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0149h + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 014fh + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0152h + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0156h + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 015ch + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 015fh + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0161h + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0162h + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0163h + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0163h + jmp NtRecoverEnlistment_Epilogue +NtRecoverEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRecoverEnlistment_Epilogue: + mov r10, rcx + syscall + ret +NtRecoverEnlistment ENDP + +NtRecoverResourceManager PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRecoverResourceManager_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtRecoverResourceManager_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRecoverResourceManager_Check_10_0_XXXX + jmp NtRecoverResourceManager_SystemCall_Unknown +NtRecoverResourceManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtRecoverResourceManager_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRecoverResourceManager_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRecoverResourceManager_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRecoverResourceManager_SystemCall_6_3_XXXX + jmp NtRecoverResourceManager_SystemCall_Unknown +NtRecoverResourceManager_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtRecoverResourceManager_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRecoverResourceManager_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRecoverResourceManager_SystemCall_6_0_6002 + jmp NtRecoverResourceManager_SystemCall_Unknown +NtRecoverResourceManager_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRecoverResourceManager_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRecoverResourceManager_SystemCall_6_1_7601 + jmp NtRecoverResourceManager_SystemCall_Unknown +NtRecoverResourceManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtRecoverResourceManager_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRecoverResourceManager_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRecoverResourceManager_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRecoverResourceManager_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRecoverResourceManager_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRecoverResourceManager_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRecoverResourceManager_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRecoverResourceManager_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRecoverResourceManager_SystemCall_10_0_18363 + jmp NtRecoverResourceManager_SystemCall_Unknown +NtRecoverResourceManager_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 012fh + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 012ah + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 012ah + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0133h + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0133h + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0147h + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 014ah + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0150h + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0153h + 
jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0157h + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 015dh + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0160h + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0162h + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0163h + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0164h + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0164h + jmp NtRecoverResourceManager_Epilogue +NtRecoverResourceManager_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRecoverResourceManager_Epilogue: + mov r10, rcx + syscall + ret +NtRecoverResourceManager ENDP + +NtRecoverTransactionManager PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRecoverTransactionManager_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtRecoverTransactionManager_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRecoverTransactionManager_Check_10_0_XXXX + jmp NtRecoverTransactionManager_SystemCall_Unknown +NtRecoverTransactionManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtRecoverTransactionManager_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRecoverTransactionManager_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRecoverTransactionManager_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRecoverTransactionManager_SystemCall_6_3_XXXX + jmp NtRecoverTransactionManager_SystemCall_Unknown +NtRecoverTransactionManager_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtRecoverTransactionManager_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRecoverTransactionManager_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRecoverTransactionManager_SystemCall_6_0_6002 + jmp NtRecoverTransactionManager_SystemCall_Unknown +NtRecoverTransactionManager_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRecoverTransactionManager_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRecoverTransactionManager_SystemCall_6_1_7601 + jmp NtRecoverTransactionManager_SystemCall_Unknown +NtRecoverTransactionManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtRecoverTransactionManager_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRecoverTransactionManager_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRecoverTransactionManager_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRecoverTransactionManager_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRecoverTransactionManager_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRecoverTransactionManager_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRecoverTransactionManager_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRecoverTransactionManager_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRecoverTransactionManager_SystemCall_10_0_18363 + jmp NtRecoverTransactionManager_SystemCall_Unknown +NtRecoverTransactionManager_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0130h + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 012bh + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 012bh + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0134h + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0134h + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0148h + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 014bh + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0151h + jmp NtRecoverTransactionManager_Epilogue 
+NtRecoverTransactionManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0154h + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0158h + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 015eh + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0161h + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0163h + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0164h + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0165h + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0165h + jmp NtRecoverTransactionManager_Epilogue +NtRecoverTransactionManager_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRecoverTransactionManager_Epilogue: + mov r10, rcx + syscall + ret +NtRecoverTransactionManager ENDP + +NtRegisterProtocolAddressInformation PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRegisterProtocolAddressInformation_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtRegisterProtocolAddressInformation_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRegisterProtocolAddressInformation_Check_10_0_XXXX + jmp NtRegisterProtocolAddressInformation_SystemCall_Unknown +NtRegisterProtocolAddressInformation_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtRegisterProtocolAddressInformation_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRegisterProtocolAddressInformation_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRegisterProtocolAddressInformation_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRegisterProtocolAddressInformation_SystemCall_6_3_XXXX + jmp NtRegisterProtocolAddressInformation_SystemCall_Unknown +NtRegisterProtocolAddressInformation_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtRegisterProtocolAddressInformation_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRegisterProtocolAddressInformation_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRegisterProtocolAddressInformation_SystemCall_6_0_6002 + jmp NtRegisterProtocolAddressInformation_SystemCall_Unknown +NtRegisterProtocolAddressInformation_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRegisterProtocolAddressInformation_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRegisterProtocolAddressInformation_SystemCall_6_1_7601 + jmp NtRegisterProtocolAddressInformation_SystemCall_Unknown +NtRegisterProtocolAddressInformation_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtRegisterProtocolAddressInformation_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRegisterProtocolAddressInformation_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRegisterProtocolAddressInformation_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRegisterProtocolAddressInformation_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRegisterProtocolAddressInformation_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRegisterProtocolAddressInformation_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRegisterProtocolAddressInformation_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRegisterProtocolAddressInformation_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRegisterProtocolAddressInformation_SystemCall_10_0_18363 + jmp NtRegisterProtocolAddressInformation_SystemCall_Unknown +NtRegisterProtocolAddressInformation_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0131h + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 012ch + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 012ch + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0135h + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0135h + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0149h + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 
014ch + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0152h + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0155h + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0159h + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 015fh + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0162h + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0164h + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0165h + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0166h + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0166h + jmp NtRegisterProtocolAddressInformation_Epilogue +NtRegisterProtocolAddressInformation_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRegisterProtocolAddressInformation_Epilogue: + mov r10, rcx + syscall + ret +NtRegisterProtocolAddressInformation ENDP + +NtRegisterThreadTerminatePort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRegisterThreadTerminatePort_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtRegisterThreadTerminatePort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtRegisterThreadTerminatePort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRegisterThreadTerminatePort_Check_10_0_XXXX + jmp NtRegisterThreadTerminatePort_SystemCall_Unknown +NtRegisterThreadTerminatePort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRegisterThreadTerminatePort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRegisterThreadTerminatePort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRegisterThreadTerminatePort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRegisterThreadTerminatePort_SystemCall_6_3_XXXX + jmp NtRegisterThreadTerminatePort_SystemCall_Unknown +NtRegisterThreadTerminatePort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtRegisterThreadTerminatePort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRegisterThreadTerminatePort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRegisterThreadTerminatePort_SystemCall_6_0_6002 + jmp NtRegisterThreadTerminatePort_SystemCall_Unknown +NtRegisterThreadTerminatePort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRegisterThreadTerminatePort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRegisterThreadTerminatePort_SystemCall_6_1_7601 + jmp NtRegisterThreadTerminatePort_SystemCall_Unknown +NtRegisterThreadTerminatePort_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtRegisterThreadTerminatePort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRegisterThreadTerminatePort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRegisterThreadTerminatePort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRegisterThreadTerminatePort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRegisterThreadTerminatePort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRegisterThreadTerminatePort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRegisterThreadTerminatePort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRegisterThreadTerminatePort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRegisterThreadTerminatePort_SystemCall_10_0_18363 + jmp NtRegisterThreadTerminatePort_SystemCall_Unknown +NtRegisterThreadTerminatePort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00e3h + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0132h + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 012dh + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 012dh + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0136h + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0136h + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 014ah + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 014dh + jmp 
NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0153h + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0156h + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 015ah + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0160h + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0163h + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0165h + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0166h + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0167h + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0167h + jmp NtRegisterThreadTerminatePort_Epilogue +NtRegisterThreadTerminatePort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRegisterThreadTerminatePort_Epilogue: + mov r10, rcx + syscall + ret +NtRegisterThreadTerminatePort ENDP + +NtReleaseCMFViewOwnership PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReleaseCMFViewOwnership_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtReleaseCMFViewOwnership_Check_6_X_XXXX + jmp NtReleaseCMFViewOwnership_SystemCall_Unknown +NtReleaseCMFViewOwnership_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtReleaseCMFViewOwnership_Check_6_0_XXXX + jmp NtReleaseCMFViewOwnership_SystemCall_Unknown +NtReleaseCMFViewOwnership_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtReleaseCMFViewOwnership_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReleaseCMFViewOwnership_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReleaseCMFViewOwnership_SystemCall_6_0_6002 + jmp NtReleaseCMFViewOwnership_SystemCall_Unknown +NtReleaseCMFViewOwnership_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0133h + jmp NtReleaseCMFViewOwnership_Epilogue +NtReleaseCMFViewOwnership_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 012eh + jmp NtReleaseCMFViewOwnership_Epilogue +NtReleaseCMFViewOwnership_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 012eh + jmp NtReleaseCMFViewOwnership_Epilogue +NtReleaseCMFViewOwnership_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReleaseCMFViewOwnership_Epilogue: + mov r10, rcx + syscall + ret +NtReleaseCMFViewOwnership ENDP + +NtReleaseKeyedEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReleaseKeyedEvent_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtReleaseKeyedEvent_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtReleaseKeyedEvent_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReleaseKeyedEvent_Check_10_0_XXXX + jmp NtReleaseKeyedEvent_SystemCall_Unknown +NtReleaseKeyedEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtReleaseKeyedEvent_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReleaseKeyedEvent_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReleaseKeyedEvent_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReleaseKeyedEvent_SystemCall_6_3_XXXX + jmp NtReleaseKeyedEvent_SystemCall_Unknown +NtReleaseKeyedEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtReleaseKeyedEvent_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReleaseKeyedEvent_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReleaseKeyedEvent_SystemCall_6_0_6002 + jmp NtReleaseKeyedEvent_SystemCall_Unknown +NtReleaseKeyedEvent_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtReleaseKeyedEvent_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReleaseKeyedEvent_SystemCall_6_1_7601 + jmp NtReleaseKeyedEvent_SystemCall_Unknown +NtReleaseKeyedEvent_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtReleaseKeyedEvent_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReleaseKeyedEvent_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReleaseKeyedEvent_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReleaseKeyedEvent_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReleaseKeyedEvent_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReleaseKeyedEvent_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReleaseKeyedEvent_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReleaseKeyedEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReleaseKeyedEvent_SystemCall_10_0_18363 + jmp NtReleaseKeyedEvent_SystemCall_Unknown +NtReleaseKeyedEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00e4h + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0134h + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 012fh + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 012fh + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0137h + jmp 
NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0137h + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 014bh + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 014eh + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0154h + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0157h + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 015bh + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0161h + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0164h + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0166h + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0167h + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0168h + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0168h + jmp NtReleaseKeyedEvent_Epilogue +NtReleaseKeyedEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReleaseKeyedEvent_Epilogue: + mov r10, rcx + syscall + ret +NtReleaseKeyedEvent ENDP + +NtReleaseMutant PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReleaseMutant_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtReleaseMutant_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtReleaseMutant_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReleaseMutant_Check_10_0_XXXX + jmp NtReleaseMutant_SystemCall_Unknown +NtReleaseMutant_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtReleaseMutant_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReleaseMutant_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReleaseMutant_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReleaseMutant_SystemCall_6_3_XXXX + jmp NtReleaseMutant_SystemCall_Unknown +NtReleaseMutant_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtReleaseMutant_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReleaseMutant_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReleaseMutant_SystemCall_6_0_6002 + jmp NtReleaseMutant_SystemCall_Unknown +NtReleaseMutant_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtReleaseMutant_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReleaseMutant_SystemCall_6_1_7601 + jmp NtReleaseMutant_SystemCall_Unknown +NtReleaseMutant_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtReleaseMutant_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReleaseMutant_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReleaseMutant_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReleaseMutant_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReleaseMutant_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReleaseMutant_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReleaseMutant_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReleaseMutant_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReleaseMutant_SystemCall_10_0_18363 + jmp NtReleaseMutant_SystemCall_Unknown +NtReleaseMutant_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 001dh + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 001dh + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 001dh + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 001dh + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 001dh + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 001dh + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 001eh + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 001fh + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0020h + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0020h + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0020h + jmp 
NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0020h + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0020h + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0020h + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0020h + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0020h + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0020h + jmp NtReleaseMutant_Epilogue +NtReleaseMutant_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReleaseMutant_Epilogue: + mov r10, rcx + syscall + ret +NtReleaseMutant ENDP + +NtReleaseSemaphore PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReleaseSemaphore_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtReleaseSemaphore_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtReleaseSemaphore_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReleaseSemaphore_Check_10_0_XXXX + jmp NtReleaseSemaphore_SystemCall_Unknown +NtReleaseSemaphore_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtReleaseSemaphore_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReleaseSemaphore_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReleaseSemaphore_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReleaseSemaphore_SystemCall_6_3_XXXX + jmp NtReleaseSemaphore_SystemCall_Unknown +NtReleaseSemaphore_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtReleaseSemaphore_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReleaseSemaphore_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReleaseSemaphore_SystemCall_6_0_6002 + jmp NtReleaseSemaphore_SystemCall_Unknown +NtReleaseSemaphore_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtReleaseSemaphore_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReleaseSemaphore_SystemCall_6_1_7601 + jmp NtReleaseSemaphore_SystemCall_Unknown +NtReleaseSemaphore_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtReleaseSemaphore_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReleaseSemaphore_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReleaseSemaphore_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReleaseSemaphore_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReleaseSemaphore_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReleaseSemaphore_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReleaseSemaphore_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReleaseSemaphore_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReleaseSemaphore_SystemCall_10_0_18363 + jmp NtReleaseSemaphore_SystemCall_Unknown +NtReleaseSemaphore_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0007h + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0007h + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0007h + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0007h + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0007h + jmp NtReleaseSemaphore_Epilogue 
+NtReleaseSemaphore_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0007h + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0008h + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0009h + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 000ah + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 000ah + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 000ah + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 000ah + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 000ah + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 000ah + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 000ah + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 000ah + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 000ah + jmp NtReleaseSemaphore_Epilogue +NtReleaseSemaphore_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReleaseSemaphore_Epilogue: + mov r10, rcx + syscall + ret +NtReleaseSemaphore ENDP + +NtReleaseWorkerFactoryWorker PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReleaseWorkerFactoryWorker_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtReleaseWorkerFactoryWorker_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReleaseWorkerFactoryWorker_Check_10_0_XXXX + jmp NtReleaseWorkerFactoryWorker_SystemCall_Unknown +NtReleaseWorkerFactoryWorker_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtReleaseWorkerFactoryWorker_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReleaseWorkerFactoryWorker_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReleaseWorkerFactoryWorker_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReleaseWorkerFactoryWorker_SystemCall_6_3_XXXX + jmp NtReleaseWorkerFactoryWorker_SystemCall_Unknown +NtReleaseWorkerFactoryWorker_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtReleaseWorkerFactoryWorker_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReleaseWorkerFactoryWorker_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReleaseWorkerFactoryWorker_SystemCall_6_0_6002 + jmp NtReleaseWorkerFactoryWorker_SystemCall_Unknown +NtReleaseWorkerFactoryWorker_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtReleaseWorkerFactoryWorker_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReleaseWorkerFactoryWorker_SystemCall_6_1_7601 + jmp NtReleaseWorkerFactoryWorker_SystemCall_Unknown +NtReleaseWorkerFactoryWorker_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtReleaseWorkerFactoryWorker_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReleaseWorkerFactoryWorker_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReleaseWorkerFactoryWorker_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReleaseWorkerFactoryWorker_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReleaseWorkerFactoryWorker_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReleaseWorkerFactoryWorker_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReleaseWorkerFactoryWorker_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReleaseWorkerFactoryWorker_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReleaseWorkerFactoryWorker_SystemCall_10_0_18363 + jmp NtReleaseWorkerFactoryWorker_SystemCall_Unknown +NtReleaseWorkerFactoryWorker_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0135h + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0130h + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0130h + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0138h + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0138h + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 014ch + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 014fh + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0155h + jmp 
NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0158h + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 015ch + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0162h + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0165h + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0167h + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0168h + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0169h + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0169h + jmp NtReleaseWorkerFactoryWorker_Epilogue +NtReleaseWorkerFactoryWorker_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReleaseWorkerFactoryWorker_Epilogue: + mov r10, rcx + syscall + ret +NtReleaseWorkerFactoryWorker ENDP + +NtRemoveIoCompletion PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRemoveIoCompletion_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtRemoveIoCompletion_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtRemoveIoCompletion_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRemoveIoCompletion_Check_10_0_XXXX + jmp NtRemoveIoCompletion_SystemCall_Unknown +NtRemoveIoCompletion_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtRemoveIoCompletion_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRemoveIoCompletion_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRemoveIoCompletion_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRemoveIoCompletion_SystemCall_6_3_XXXX + jmp NtRemoveIoCompletion_SystemCall_Unknown +NtRemoveIoCompletion_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtRemoveIoCompletion_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRemoveIoCompletion_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRemoveIoCompletion_SystemCall_6_0_6002 + jmp NtRemoveIoCompletion_SystemCall_Unknown +NtRemoveIoCompletion_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRemoveIoCompletion_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRemoveIoCompletion_SystemCall_6_1_7601 + jmp NtRemoveIoCompletion_SystemCall_Unknown +NtRemoveIoCompletion_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtRemoveIoCompletion_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRemoveIoCompletion_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRemoveIoCompletion_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRemoveIoCompletion_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRemoveIoCompletion_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRemoveIoCompletion_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRemoveIoCompletion_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRemoveIoCompletion_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRemoveIoCompletion_SystemCall_10_0_18363 + jmp NtRemoveIoCompletion_SystemCall_Unknown +NtRemoveIoCompletion_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0006h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0006h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0006h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0006h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0006h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0006h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0007h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0008h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0009h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 0009h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0009h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0009h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0009h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0009h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0009h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0009h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0009h + jmp NtRemoveIoCompletion_Epilogue +NtRemoveIoCompletion_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRemoveIoCompletion_Epilogue: + mov r10, rcx + syscall + ret +NtRemoveIoCompletion ENDP + +NtRemoveIoCompletionEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRemoveIoCompletionEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtRemoveIoCompletionEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRemoveIoCompletionEx_Check_10_0_XXXX + jmp NtRemoveIoCompletionEx_SystemCall_Unknown +NtRemoveIoCompletionEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRemoveIoCompletionEx_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRemoveIoCompletionEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRemoveIoCompletionEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRemoveIoCompletionEx_SystemCall_6_3_XXXX + jmp NtRemoveIoCompletionEx_SystemCall_Unknown +NtRemoveIoCompletionEx_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtRemoveIoCompletionEx_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRemoveIoCompletionEx_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRemoveIoCompletionEx_SystemCall_6_0_6002 + jmp NtRemoveIoCompletionEx_SystemCall_Unknown +NtRemoveIoCompletionEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRemoveIoCompletionEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRemoveIoCompletionEx_SystemCall_6_1_7601 + jmp NtRemoveIoCompletionEx_SystemCall_Unknown +NtRemoveIoCompletionEx_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtRemoveIoCompletionEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRemoveIoCompletionEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRemoveIoCompletionEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRemoveIoCompletionEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRemoveIoCompletionEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRemoveIoCompletionEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRemoveIoCompletionEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRemoveIoCompletionEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRemoveIoCompletionEx_SystemCall_10_0_18363 + jmp NtRemoveIoCompletionEx_SystemCall_Unknown +NtRemoveIoCompletionEx_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0136h + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0131h + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0131h + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0139h + jmp NtRemoveIoCompletionEx_Epilogue 
+NtRemoveIoCompletionEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0139h + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 014dh + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0150h + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0156h + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0159h + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 015dh + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0163h + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0166h + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0168h + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0169h + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 016ah + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 016ah + jmp NtRemoveIoCompletionEx_Epilogue +NtRemoveIoCompletionEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRemoveIoCompletionEx_Epilogue: + mov r10, rcx + syscall + ret +NtRemoveIoCompletionEx ENDP + +NtRemoveProcessDebug PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRemoveProcessDebug_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtRemoveProcessDebug_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtRemoveProcessDebug_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRemoveProcessDebug_Check_10_0_XXXX + jmp NtRemoveProcessDebug_SystemCall_Unknown +NtRemoveProcessDebug_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRemoveProcessDebug_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRemoveProcessDebug_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRemoveProcessDebug_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRemoveProcessDebug_SystemCall_6_3_XXXX + jmp NtRemoveProcessDebug_SystemCall_Unknown +NtRemoveProcessDebug_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtRemoveProcessDebug_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRemoveProcessDebug_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRemoveProcessDebug_SystemCall_6_0_6002 + jmp NtRemoveProcessDebug_SystemCall_Unknown +NtRemoveProcessDebug_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRemoveProcessDebug_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRemoveProcessDebug_SystemCall_6_1_7601 + jmp NtRemoveProcessDebug_SystemCall_Unknown +NtRemoveProcessDebug_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtRemoveProcessDebug_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRemoveProcessDebug_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRemoveProcessDebug_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRemoveProcessDebug_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRemoveProcessDebug_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRemoveProcessDebug_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRemoveProcessDebug_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRemoveProcessDebug_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRemoveProcessDebug_SystemCall_10_0_18363 + jmp NtRemoveProcessDebug_SystemCall_Unknown +NtRemoveProcessDebug_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00e5h + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0137h + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0132h + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0132h + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 013ah + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 013ah + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 014eh + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0151h + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0157h + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 015ah + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 015eh + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0164h + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0167h + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0169h + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 016ah + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 016bh + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 016bh + jmp NtRemoveProcessDebug_Epilogue +NtRemoveProcessDebug_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRemoveProcessDebug_Epilogue: + mov r10, rcx + syscall + ret +NtRemoveProcessDebug ENDP + +NtRenameKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRenameKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtRenameKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtRenameKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRenameKey_Check_10_0_XXXX + jmp NtRenameKey_SystemCall_Unknown +NtRenameKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRenameKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRenameKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRenameKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRenameKey_SystemCall_6_3_XXXX + jmp NtRenameKey_SystemCall_Unknown +NtRenameKey_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtRenameKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRenameKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRenameKey_SystemCall_6_0_6002 + jmp NtRenameKey_SystemCall_Unknown +NtRenameKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRenameKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRenameKey_SystemCall_6_1_7601 + jmp NtRenameKey_SystemCall_Unknown +NtRenameKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtRenameKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRenameKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRenameKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRenameKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRenameKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRenameKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRenameKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRenameKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRenameKey_SystemCall_10_0_18363 + jmp NtRenameKey_SystemCall_Unknown +NtRenameKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00e6h + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0138h + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0133h + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0133h + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 013bh + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 013bh + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 014fh + jmp 
NtRenameKey_Epilogue +NtRenameKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0152h + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0158h + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 015bh + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 015fh + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0165h + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0168h + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 016ah + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 016bh + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 016ch + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 016ch + jmp NtRenameKey_Epilogue +NtRenameKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRenameKey_Epilogue: + mov r10, rcx + syscall + ret +NtRenameKey ENDP + +NtRenameTransactionManager PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRenameTransactionManager_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtRenameTransactionManager_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRenameTransactionManager_Check_10_0_XXXX + jmp NtRenameTransactionManager_SystemCall_Unknown +NtRenameTransactionManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtRenameTransactionManager_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRenameTransactionManager_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRenameTransactionManager_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRenameTransactionManager_SystemCall_6_3_XXXX + jmp NtRenameTransactionManager_SystemCall_Unknown +NtRenameTransactionManager_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6001 + je NtRenameTransactionManager_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRenameTransactionManager_SystemCall_6_0_6002 + jmp NtRenameTransactionManager_SystemCall_Unknown +NtRenameTransactionManager_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRenameTransactionManager_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRenameTransactionManager_SystemCall_6_1_7601 + jmp NtRenameTransactionManager_SystemCall_Unknown +NtRenameTransactionManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtRenameTransactionManager_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRenameTransactionManager_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRenameTransactionManager_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRenameTransactionManager_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRenameTransactionManager_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRenameTransactionManager_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRenameTransactionManager_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRenameTransactionManager_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRenameTransactionManager_SystemCall_10_0_18363 + jmp NtRenameTransactionManager_SystemCall_Unknown +NtRenameTransactionManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0134h + jmp NtRenameTransactionManager_Epilogue +NtRenameTransactionManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0134h + jmp NtRenameTransactionManager_Epilogue +NtRenameTransactionManager_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 013ch + jmp NtRenameTransactionManager_Epilogue +NtRenameTransactionManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 013ch + jmp NtRenameTransactionManager_Epilogue +NtRenameTransactionManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0150h + jmp NtRenameTransactionManager_Epilogue +NtRenameTransactionManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0153h + jmp NtRenameTransactionManager_Epilogue +NtRenameTransactionManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0159h + jmp NtRenameTransactionManager_Epilogue +NtRenameTransactionManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 015ch + jmp NtRenameTransactionManager_Epilogue 
+NtRenameTransactionManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0160h + jmp NtRenameTransactionManager_Epilogue +NtRenameTransactionManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0166h + jmp NtRenameTransactionManager_Epilogue +NtRenameTransactionManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0169h + jmp NtRenameTransactionManager_Epilogue +NtRenameTransactionManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 016bh + jmp NtRenameTransactionManager_Epilogue +NtRenameTransactionManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 016ch + jmp NtRenameTransactionManager_Epilogue +NtRenameTransactionManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 016dh + jmp NtRenameTransactionManager_Epilogue +NtRenameTransactionManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 016dh + jmp NtRenameTransactionManager_Epilogue +NtRenameTransactionManager_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRenameTransactionManager_Epilogue: + mov r10, rcx + syscall + ret +NtRenameTransactionManager ENDP + +NtReplaceKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReplaceKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtReplaceKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtReplaceKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReplaceKey_Check_10_0_XXXX + jmp NtReplaceKey_SystemCall_Unknown +NtReplaceKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtReplaceKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReplaceKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReplaceKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReplaceKey_SystemCall_6_3_XXXX + jmp NtReplaceKey_SystemCall_Unknown +NtReplaceKey_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtReplaceKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReplaceKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReplaceKey_SystemCall_6_0_6002 + jmp NtReplaceKey_SystemCall_Unknown +NtReplaceKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtReplaceKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReplaceKey_SystemCall_6_1_7601 + jmp NtReplaceKey_SystemCall_Unknown +NtReplaceKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtReplaceKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReplaceKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReplaceKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReplaceKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReplaceKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReplaceKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReplaceKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReplaceKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReplaceKey_SystemCall_10_0_18363 + jmp NtReplaceKey_SystemCall_Unknown +NtReplaceKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00e7h + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0139h + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0135h + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0135h + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 013dh + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 013dh + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + 
mov eax, 0151h + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0154h + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 015ah + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 015dh + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0161h + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0167h + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 016ah + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 016ch + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 016dh + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 016eh + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 016eh + jmp NtReplaceKey_Epilogue +NtReplaceKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReplaceKey_Epilogue: + mov r10, rcx + syscall + ret +NtReplaceKey ENDP + +NtReplacePartitionUnit PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReplacePartitionUnit_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtReplacePartitionUnit_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReplacePartitionUnit_Check_10_0_XXXX + jmp NtReplacePartitionUnit_SystemCall_Unknown +NtReplacePartitionUnit_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtReplacePartitionUnit_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReplacePartitionUnit_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReplacePartitionUnit_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReplacePartitionUnit_SystemCall_6_3_XXXX + jmp NtReplacePartitionUnit_SystemCall_Unknown +NtReplacePartitionUnit_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6001 + je NtReplacePartitionUnit_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReplacePartitionUnit_SystemCall_6_0_6002 + jmp NtReplacePartitionUnit_SystemCall_Unknown +NtReplacePartitionUnit_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtReplacePartitionUnit_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReplacePartitionUnit_SystemCall_6_1_7601 + jmp NtReplacePartitionUnit_SystemCall_Unknown +NtReplacePartitionUnit_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtReplacePartitionUnit_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReplacePartitionUnit_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReplacePartitionUnit_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReplacePartitionUnit_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReplacePartitionUnit_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReplacePartitionUnit_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReplacePartitionUnit_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReplacePartitionUnit_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReplacePartitionUnit_SystemCall_10_0_18363 + jmp NtReplacePartitionUnit_SystemCall_Unknown +NtReplacePartitionUnit_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0136h + jmp NtReplacePartitionUnit_Epilogue +NtReplacePartitionUnit_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0136h + jmp NtReplacePartitionUnit_Epilogue +NtReplacePartitionUnit_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 013eh + jmp NtReplacePartitionUnit_Epilogue +NtReplacePartitionUnit_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 013eh + jmp NtReplacePartitionUnit_Epilogue +NtReplacePartitionUnit_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0152h + jmp NtReplacePartitionUnit_Epilogue +NtReplacePartitionUnit_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0155h + jmp NtReplacePartitionUnit_Epilogue +NtReplacePartitionUnit_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 015bh + jmp NtReplacePartitionUnit_Epilogue +NtReplacePartitionUnit_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 015eh + jmp NtReplacePartitionUnit_Epilogue +NtReplacePartitionUnit_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0162h + jmp NtReplacePartitionUnit_Epilogue 
+NtReplacePartitionUnit_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0168h + jmp NtReplacePartitionUnit_Epilogue +NtReplacePartitionUnit_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 016bh + jmp NtReplacePartitionUnit_Epilogue +NtReplacePartitionUnit_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 016dh + jmp NtReplacePartitionUnit_Epilogue +NtReplacePartitionUnit_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 016eh + jmp NtReplacePartitionUnit_Epilogue +NtReplacePartitionUnit_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 016fh + jmp NtReplacePartitionUnit_Epilogue +NtReplacePartitionUnit_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 016fh + jmp NtReplacePartitionUnit_Epilogue +NtReplacePartitionUnit_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReplacePartitionUnit_Epilogue: + mov r10, rcx + syscall + ret +NtReplacePartitionUnit ENDP + +NtReplyPort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReplyPort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtReplyPort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtReplyPort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReplyPort_Check_10_0_XXXX + jmp NtReplyPort_SystemCall_Unknown +NtReplyPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtReplyPort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReplyPort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReplyPort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReplyPort_SystemCall_6_3_XXXX + jmp NtReplyPort_SystemCall_Unknown +NtReplyPort_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtReplyPort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReplyPort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReplyPort_SystemCall_6_0_6002 + jmp NtReplyPort_SystemCall_Unknown +NtReplyPort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtReplyPort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReplyPort_SystemCall_6_1_7601 + jmp NtReplyPort_SystemCall_Unknown +NtReplyPort_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtReplyPort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReplyPort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReplyPort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReplyPort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReplyPort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReplyPort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReplyPort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReplyPort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReplyPort_SystemCall_10_0_18363 + jmp NtReplyPort_SystemCall_Unknown +NtReplyPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0009h + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0009h + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0009h + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0009h + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0009h + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0009h + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 000ah + jmp 
NtReplyPort_Epilogue +NtReplyPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 000bh + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 000ch + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 000ch + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 000ch + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 000ch + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 000ch + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 000ch + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 000ch + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 000ch + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 000ch + jmp NtReplyPort_Epilogue +NtReplyPort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReplyPort_Epilogue: + mov r10, rcx + syscall + ret +NtReplyPort ENDP + +NtReplyWaitReceivePort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReplyWaitReceivePort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtReplyWaitReceivePort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtReplyWaitReceivePort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReplyWaitReceivePort_Check_10_0_XXXX + jmp NtReplyWaitReceivePort_SystemCall_Unknown +NtReplyWaitReceivePort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtReplyWaitReceivePort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReplyWaitReceivePort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReplyWaitReceivePort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReplyWaitReceivePort_SystemCall_6_3_XXXX + jmp NtReplyWaitReceivePort_SystemCall_Unknown +NtReplyWaitReceivePort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtReplyWaitReceivePort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReplyWaitReceivePort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReplyWaitReceivePort_SystemCall_6_0_6002 + jmp NtReplyWaitReceivePort_SystemCall_Unknown +NtReplyWaitReceivePort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtReplyWaitReceivePort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReplyWaitReceivePort_SystemCall_6_1_7601 + jmp NtReplyWaitReceivePort_SystemCall_Unknown +NtReplyWaitReceivePort_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtReplyWaitReceivePort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReplyWaitReceivePort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReplyWaitReceivePort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReplyWaitReceivePort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReplyWaitReceivePort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReplyWaitReceivePort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReplyWaitReceivePort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReplyWaitReceivePort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReplyWaitReceivePort_SystemCall_10_0_18363 + jmp NtReplyWaitReceivePort_SystemCall_Unknown +NtReplyWaitReceivePort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0008h + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0008h + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0008h + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0008h + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0008h + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0008h + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0009h + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 000ah + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 000bh + jmp NtReplyWaitReceivePort_Epilogue 
+NtReplyWaitReceivePort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 000bh + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 000bh + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 000bh + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 000bh + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 000bh + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 000bh + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 000bh + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 000bh + jmp NtReplyWaitReceivePort_Epilogue +NtReplyWaitReceivePort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReplyWaitReceivePort_Epilogue: + mov r10, rcx + syscall + ret +NtReplyWaitReceivePort ENDP + +NtReplyWaitReceivePortEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReplyWaitReceivePortEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtReplyWaitReceivePortEx_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtReplyWaitReceivePortEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReplyWaitReceivePortEx_Check_10_0_XXXX + jmp NtReplyWaitReceivePortEx_SystemCall_Unknown +NtReplyWaitReceivePortEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtReplyWaitReceivePortEx_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReplyWaitReceivePortEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReplyWaitReceivePortEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReplyWaitReceivePortEx_SystemCall_6_3_XXXX + jmp NtReplyWaitReceivePortEx_SystemCall_Unknown +NtReplyWaitReceivePortEx_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtReplyWaitReceivePortEx_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReplyWaitReceivePortEx_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReplyWaitReceivePortEx_SystemCall_6_0_6002 + jmp NtReplyWaitReceivePortEx_SystemCall_Unknown +NtReplyWaitReceivePortEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtReplyWaitReceivePortEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReplyWaitReceivePortEx_SystemCall_6_1_7601 + jmp NtReplyWaitReceivePortEx_SystemCall_Unknown +NtReplyWaitReceivePortEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtReplyWaitReceivePortEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReplyWaitReceivePortEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReplyWaitReceivePortEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReplyWaitReceivePortEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReplyWaitReceivePortEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReplyWaitReceivePortEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReplyWaitReceivePortEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReplyWaitReceivePortEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReplyWaitReceivePortEx_SystemCall_10_0_18363 + jmp NtReplyWaitReceivePortEx_SystemCall_Unknown +NtReplyWaitReceivePortEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0028h + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0028h + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0028h + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0028h + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0028h + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0028h + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0029h + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 002ah + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 002bh + 
jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 002bh + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 002bh + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 002bh + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 002bh + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 002bh + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 002bh + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 002bh + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 002bh + jmp NtReplyWaitReceivePortEx_Epilogue +NtReplyWaitReceivePortEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReplyWaitReceivePortEx_Epilogue: + mov r10, rcx + syscall + ret +NtReplyWaitReceivePortEx ENDP + +NtReplyWaitReplyPort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtReplyWaitReplyPort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtReplyWaitReplyPort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtReplyWaitReplyPort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtReplyWaitReplyPort_Check_10_0_XXXX + jmp NtReplyWaitReplyPort_SystemCall_Unknown +NtReplyWaitReplyPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtReplyWaitReplyPort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtReplyWaitReplyPort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReplyWaitReplyPort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtReplyWaitReplyPort_SystemCall_6_3_XXXX + jmp NtReplyWaitReplyPort_SystemCall_Unknown +NtReplyWaitReplyPort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtReplyWaitReplyPort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtReplyWaitReplyPort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtReplyWaitReplyPort_SystemCall_6_0_6002 + jmp NtReplyWaitReplyPort_SystemCall_Unknown +NtReplyWaitReplyPort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtReplyWaitReplyPort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtReplyWaitReplyPort_SystemCall_6_1_7601 + jmp NtReplyWaitReplyPort_SystemCall_Unknown +NtReplyWaitReplyPort_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtReplyWaitReplyPort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtReplyWaitReplyPort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtReplyWaitReplyPort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtReplyWaitReplyPort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtReplyWaitReplyPort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtReplyWaitReplyPort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtReplyWaitReplyPort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtReplyWaitReplyPort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtReplyWaitReplyPort_SystemCall_10_0_18363 + jmp NtReplyWaitReplyPort_SystemCall_Unknown +NtReplyWaitReplyPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00e8h + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 013ah + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0137h + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0137h + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 013fh + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 013fh + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0153h + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0156h + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 015ch + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 015fh + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0163h + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0169h + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 016ch + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 016eh + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 016fh + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0170h + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0170h + jmp NtReplyWaitReplyPort_Epilogue +NtReplyWaitReplyPort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtReplyWaitReplyPort_Epilogue: + mov r10, rcx + syscall + ret +NtReplyWaitReplyPort ENDP + +NtRequestDeviceWakeup PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRequestDeviceWakeup_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtRequestDeviceWakeup_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtRequestDeviceWakeup_Check_6_X_XXXX + jmp NtRequestDeviceWakeup_SystemCall_Unknown +NtRequestDeviceWakeup_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRequestDeviceWakeup_Check_6_0_XXXX + jmp NtRequestDeviceWakeup_SystemCall_Unknown +NtRequestDeviceWakeup_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtRequestDeviceWakeup_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRequestDeviceWakeup_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRequestDeviceWakeup_SystemCall_6_0_6002 + jmp NtRequestDeviceWakeup_SystemCall_Unknown +NtRequestDeviceWakeup_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00e9h + jmp NtRequestDeviceWakeup_Epilogue +NtRequestDeviceWakeup_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 013bh + jmp NtRequestDeviceWakeup_Epilogue +NtRequestDeviceWakeup_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0138h + jmp NtRequestDeviceWakeup_Epilogue +NtRequestDeviceWakeup_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0138h + jmp NtRequestDeviceWakeup_Epilogue +NtRequestDeviceWakeup_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRequestDeviceWakeup_Epilogue: + mov r10, rcx + syscall + ret +NtRequestDeviceWakeup ENDP + +NtRequestPort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRequestPort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtRequestPort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtRequestPort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRequestPort_Check_10_0_XXXX + jmp NtRequestPort_SystemCall_Unknown +NtRequestPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRequestPort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRequestPort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRequestPort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRequestPort_SystemCall_6_3_XXXX + jmp NtRequestPort_SystemCall_Unknown +NtRequestPort_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtRequestPort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRequestPort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRequestPort_SystemCall_6_0_6002 + jmp NtRequestPort_SystemCall_Unknown +NtRequestPort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRequestPort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRequestPort_SystemCall_6_1_7601 + jmp NtRequestPort_SystemCall_Unknown +NtRequestPort_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtRequestPort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRequestPort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRequestPort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRequestPort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRequestPort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRequestPort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRequestPort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRequestPort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRequestPort_SystemCall_10_0_18363 + jmp NtRequestPort_SystemCall_Unknown +NtRequestPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00eah + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 013ch + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0139h + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0139h + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0140h + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0140h + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_6_2_XXXX: 
; Windows 8 and Server 2012 + mov eax, 0154h + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0157h + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 015dh + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0160h + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0164h + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 016ah + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 016dh + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 016fh + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0170h + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0171h + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0171h + jmp NtRequestPort_Epilogue +NtRequestPort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRequestPort_Epilogue: + mov r10, rcx + syscall + ret +NtRequestPort ENDP + +NtRequestWaitReplyPort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRequestWaitReplyPort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtRequestWaitReplyPort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtRequestWaitReplyPort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRequestWaitReplyPort_Check_10_0_XXXX + jmp NtRequestWaitReplyPort_SystemCall_Unknown +NtRequestWaitReplyPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtRequestWaitReplyPort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRequestWaitReplyPort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRequestWaitReplyPort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRequestWaitReplyPort_SystemCall_6_3_XXXX + jmp NtRequestWaitReplyPort_SystemCall_Unknown +NtRequestWaitReplyPort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtRequestWaitReplyPort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRequestWaitReplyPort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRequestWaitReplyPort_SystemCall_6_0_6002 + jmp NtRequestWaitReplyPort_SystemCall_Unknown +NtRequestWaitReplyPort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRequestWaitReplyPort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRequestWaitReplyPort_SystemCall_6_1_7601 + jmp NtRequestWaitReplyPort_SystemCall_Unknown +NtRequestWaitReplyPort_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtRequestWaitReplyPort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRequestWaitReplyPort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRequestWaitReplyPort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRequestWaitReplyPort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRequestWaitReplyPort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRequestWaitReplyPort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRequestWaitReplyPort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRequestWaitReplyPort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRequestWaitReplyPort_SystemCall_10_0_18363 + jmp NtRequestWaitReplyPort_SystemCall_Unknown +NtRequestWaitReplyPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 001fh + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 001fh + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 001fh + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 001fh + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 001fh + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 001fh + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0020h + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0021h + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0022h + jmp NtRequestWaitReplyPort_Epilogue 
+NtRequestWaitReplyPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0022h + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0022h + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0022h + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0022h + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0022h + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0022h + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0022h + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0022h + jmp NtRequestWaitReplyPort_Epilogue +NtRequestWaitReplyPort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRequestWaitReplyPort_Epilogue: + mov r10, rcx + syscall + ret +NtRequestWaitReplyPort ENDP + +NtRequestWakeupLatency PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRequestWakeupLatency_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtRequestWakeupLatency_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtRequestWakeupLatency_Check_6_X_XXXX + jmp NtRequestWakeupLatency_SystemCall_Unknown +NtRequestWakeupLatency_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRequestWakeupLatency_Check_6_0_XXXX + jmp NtRequestWakeupLatency_SystemCall_Unknown +NtRequestWakeupLatency_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtRequestWakeupLatency_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRequestWakeupLatency_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRequestWakeupLatency_SystemCall_6_0_6002 + jmp NtRequestWakeupLatency_SystemCall_Unknown +NtRequestWakeupLatency_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00ebh + jmp NtRequestWakeupLatency_Epilogue +NtRequestWakeupLatency_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 013dh + jmp NtRequestWakeupLatency_Epilogue +NtRequestWakeupLatency_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 013ah + jmp NtRequestWakeupLatency_Epilogue +NtRequestWakeupLatency_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 013ah + jmp NtRequestWakeupLatency_Epilogue +NtRequestWakeupLatency_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRequestWakeupLatency_Epilogue: + mov r10, rcx + syscall + ret +NtRequestWakeupLatency ENDP + +NtResetEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtResetEvent_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtResetEvent_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtResetEvent_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtResetEvent_Check_10_0_XXXX + jmp NtResetEvent_SystemCall_Unknown +NtResetEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtResetEvent_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtResetEvent_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtResetEvent_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtResetEvent_SystemCall_6_3_XXXX + jmp NtResetEvent_SystemCall_Unknown +NtResetEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtResetEvent_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtResetEvent_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtResetEvent_SystemCall_6_0_6002 + jmp NtResetEvent_SystemCall_Unknown +NtResetEvent_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtResetEvent_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtResetEvent_SystemCall_6_1_7601 + jmp NtResetEvent_SystemCall_Unknown +NtResetEvent_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtResetEvent_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtResetEvent_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtResetEvent_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtResetEvent_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtResetEvent_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtResetEvent_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtResetEvent_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtResetEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtResetEvent_SystemCall_10_0_18363 + jmp NtResetEvent_SystemCall_Unknown +NtResetEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00ech + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 013eh + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 013bh + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 013bh + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0141h + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0141h + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + 
mov eax, 0155h + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0158h + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 015eh + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0161h + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0165h + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 016bh + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 016eh + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0170h + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0171h + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0172h + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0172h + jmp NtResetEvent_Epilogue +NtResetEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtResetEvent_Epilogue: + mov r10, rcx + syscall + ret +NtResetEvent ENDP + +NtResetWriteWatch PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtResetWriteWatch_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtResetWriteWatch_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtResetWriteWatch_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtResetWriteWatch_Check_10_0_XXXX + jmp NtResetWriteWatch_SystemCall_Unknown +NtResetWriteWatch_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtResetWriteWatch_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtResetWriteWatch_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtResetWriteWatch_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtResetWriteWatch_SystemCall_6_3_XXXX + jmp NtResetWriteWatch_SystemCall_Unknown +NtResetWriteWatch_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtResetWriteWatch_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtResetWriteWatch_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtResetWriteWatch_SystemCall_6_0_6002 + jmp NtResetWriteWatch_SystemCall_Unknown +NtResetWriteWatch_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtResetWriteWatch_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtResetWriteWatch_SystemCall_6_1_7601 + jmp NtResetWriteWatch_SystemCall_Unknown +NtResetWriteWatch_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtResetWriteWatch_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtResetWriteWatch_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtResetWriteWatch_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtResetWriteWatch_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtResetWriteWatch_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtResetWriteWatch_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtResetWriteWatch_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtResetWriteWatch_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtResetWriteWatch_SystemCall_10_0_18363 + jmp NtResetWriteWatch_SystemCall_Unknown +NtResetWriteWatch_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00edh + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 013fh + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 013ch + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 013ch + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0142h + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0142h + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0156h + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0159h + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 015fh + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0162h + jmp NtResetWriteWatch_Epilogue 
+NtResetWriteWatch_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0166h + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 016ch + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 016fh + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0171h + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0172h + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0173h + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0173h + jmp NtResetWriteWatch_Epilogue +NtResetWriteWatch_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtResetWriteWatch_Epilogue: + mov r10, rcx + syscall + ret +NtResetWriteWatch ENDP + +NtRestoreKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRestoreKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtRestoreKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtRestoreKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRestoreKey_Check_10_0_XXXX + jmp NtRestoreKey_SystemCall_Unknown +NtRestoreKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRestoreKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRestoreKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRestoreKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRestoreKey_SystemCall_6_3_XXXX + jmp NtRestoreKey_SystemCall_Unknown +NtRestoreKey_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtRestoreKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRestoreKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRestoreKey_SystemCall_6_0_6002 + jmp NtRestoreKey_SystemCall_Unknown +NtRestoreKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRestoreKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRestoreKey_SystemCall_6_1_7601 + jmp NtRestoreKey_SystemCall_Unknown +NtRestoreKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtRestoreKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRestoreKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRestoreKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRestoreKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRestoreKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRestoreKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRestoreKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRestoreKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRestoreKey_SystemCall_10_0_18363 + jmp NtRestoreKey_SystemCall_Unknown +NtRestoreKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00eeh + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0140h + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 013dh + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 013dh + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0143h + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0143h + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + 
mov eax, 0157h + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 015ah + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0160h + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0163h + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0167h + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 016dh + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0170h + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0172h + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0173h + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0174h + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0174h + jmp NtRestoreKey_Epilogue +NtRestoreKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRestoreKey_Epilogue: + mov r10, rcx + syscall + ret +NtRestoreKey ENDP + +NtResumeProcess PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtResumeProcess_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtResumeProcess_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtResumeProcess_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtResumeProcess_Check_10_0_XXXX + jmp NtResumeProcess_SystemCall_Unknown +NtResumeProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtResumeProcess_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtResumeProcess_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtResumeProcess_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtResumeProcess_SystemCall_6_3_XXXX + jmp NtResumeProcess_SystemCall_Unknown +NtResumeProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtResumeProcess_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtResumeProcess_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtResumeProcess_SystemCall_6_0_6002 + jmp NtResumeProcess_SystemCall_Unknown +NtResumeProcess_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtResumeProcess_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtResumeProcess_SystemCall_6_1_7601 + jmp NtResumeProcess_SystemCall_Unknown +NtResumeProcess_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtResumeProcess_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtResumeProcess_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtResumeProcess_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtResumeProcess_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtResumeProcess_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtResumeProcess_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtResumeProcess_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtResumeProcess_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtResumeProcess_SystemCall_10_0_18363 + jmp NtResumeProcess_SystemCall_Unknown +NtResumeProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00efh + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0141h + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and 
Server 2008 SP0 + mov eax, 013eh + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 013eh + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0144h + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0144h + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0158h + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 015bh + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0161h + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0164h + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0168h + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 016eh + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0171h + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0173h + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0174h + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0175h + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0175h + jmp NtResumeProcess_Epilogue +NtResumeProcess_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtResumeProcess_Epilogue: + mov r10, rcx + syscall + ret +NtResumeProcess ENDP + +NtResumeThread PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtResumeThread_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtResumeThread_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtResumeThread_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtResumeThread_Check_10_0_XXXX + jmp NtResumeThread_SystemCall_Unknown +NtResumeThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtResumeThread_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtResumeThread_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtResumeThread_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtResumeThread_SystemCall_6_3_XXXX + jmp NtResumeThread_SystemCall_Unknown +NtResumeThread_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtResumeThread_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtResumeThread_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtResumeThread_SystemCall_6_0_6002 + jmp NtResumeThread_SystemCall_Unknown +NtResumeThread_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtResumeThread_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtResumeThread_SystemCall_6_1_7601 + jmp NtResumeThread_SystemCall_Unknown +NtResumeThread_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtResumeThread_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtResumeThread_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtResumeThread_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtResumeThread_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtResumeThread_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtResumeThread_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtResumeThread_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtResumeThread_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtResumeThread_SystemCall_10_0_18363 + jmp NtResumeThread_SystemCall_Unknown +NtResumeThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 004fh + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 004fh + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 004fh + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 004fh + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 004fh + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 004fh + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0050h + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0051h + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0052h + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0052h + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0052h + jmp NtResumeThread_Epilogue 
+NtResumeThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0052h + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0052h + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0052h + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0052h + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0052h + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0052h + jmp NtResumeThread_Epilogue +NtResumeThread_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtResumeThread_Epilogue: + mov r10, rcx + syscall + ret +NtResumeThread ENDP + +NtRevertContainerImpersonation PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRevertContainerImpersonation_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtRevertContainerImpersonation_Check_10_0_XXXX + jmp NtRevertContainerImpersonation_SystemCall_Unknown +NtRevertContainerImpersonation_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtRevertContainerImpersonation_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRevertContainerImpersonation_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRevertContainerImpersonation_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRevertContainerImpersonation_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRevertContainerImpersonation_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRevertContainerImpersonation_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRevertContainerImpersonation_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRevertContainerImpersonation_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRevertContainerImpersonation_SystemCall_10_0_18363 + jmp NtRevertContainerImpersonation_SystemCall_Unknown +NtRevertContainerImpersonation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0162h + jmp NtRevertContainerImpersonation_Epilogue +NtRevertContainerImpersonation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0165h + jmp NtRevertContainerImpersonation_Epilogue +NtRevertContainerImpersonation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0169h + jmp NtRevertContainerImpersonation_Epilogue +NtRevertContainerImpersonation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 016fh + jmp NtRevertContainerImpersonation_Epilogue +NtRevertContainerImpersonation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0172h + jmp NtRevertContainerImpersonation_Epilogue +NtRevertContainerImpersonation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0174h + jmp NtRevertContainerImpersonation_Epilogue +NtRevertContainerImpersonation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0175h + jmp NtRevertContainerImpersonation_Epilogue +NtRevertContainerImpersonation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 
0176h + jmp NtRevertContainerImpersonation_Epilogue +NtRevertContainerImpersonation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0176h + jmp NtRevertContainerImpersonation_Epilogue +NtRevertContainerImpersonation_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRevertContainerImpersonation_Epilogue: + mov r10, rcx + syscall + ret +NtRevertContainerImpersonation ENDP + +NtRollbackComplete PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRollbackComplete_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtRollbackComplete_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRollbackComplete_Check_10_0_XXXX + jmp NtRollbackComplete_SystemCall_Unknown +NtRollbackComplete_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRollbackComplete_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRollbackComplete_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRollbackComplete_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRollbackComplete_SystemCall_6_3_XXXX + jmp NtRollbackComplete_SystemCall_Unknown +NtRollbackComplete_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtRollbackComplete_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRollbackComplete_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRollbackComplete_SystemCall_6_0_6002 + jmp NtRollbackComplete_SystemCall_Unknown +NtRollbackComplete_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRollbackComplete_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRollbackComplete_SystemCall_6_1_7601 + jmp NtRollbackComplete_SystemCall_Unknown +NtRollbackComplete_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtRollbackComplete_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRollbackComplete_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRollbackComplete_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRollbackComplete_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRollbackComplete_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRollbackComplete_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRollbackComplete_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRollbackComplete_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRollbackComplete_SystemCall_10_0_18363 + jmp NtRollbackComplete_SystemCall_Unknown +NtRollbackComplete_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0142h + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 013fh + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 013fh + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0145h + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0145h + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0159h + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 015ch + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0163h + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0166h + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 016ah + jmp NtRollbackComplete_Epilogue 
+NtRollbackComplete_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0170h + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0173h + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0175h + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0176h + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0177h + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0177h + jmp NtRollbackComplete_Epilogue +NtRollbackComplete_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRollbackComplete_Epilogue: + mov r10, rcx + syscall + ret +NtRollbackComplete ENDP + +NtRollbackEnlistment PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRollbackEnlistment_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtRollbackEnlistment_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRollbackEnlistment_Check_10_0_XXXX + jmp NtRollbackEnlistment_SystemCall_Unknown +NtRollbackEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRollbackEnlistment_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRollbackEnlistment_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRollbackEnlistment_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRollbackEnlistment_SystemCall_6_3_XXXX + jmp NtRollbackEnlistment_SystemCall_Unknown +NtRollbackEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtRollbackEnlistment_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRollbackEnlistment_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRollbackEnlistment_SystemCall_6_0_6002 + jmp NtRollbackEnlistment_SystemCall_Unknown +NtRollbackEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRollbackEnlistment_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRollbackEnlistment_SystemCall_6_1_7601 + jmp NtRollbackEnlistment_SystemCall_Unknown +NtRollbackEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtRollbackEnlistment_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRollbackEnlistment_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRollbackEnlistment_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRollbackEnlistment_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRollbackEnlistment_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRollbackEnlistment_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRollbackEnlistment_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRollbackEnlistment_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRollbackEnlistment_SystemCall_10_0_18363 + jmp NtRollbackEnlistment_SystemCall_Unknown +NtRollbackEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0143h + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0140h + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0140h + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0146h + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 
SP0 + mov eax, 0146h + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 015ah + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 015dh + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0164h + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0167h + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 016bh + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0171h + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0174h + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0176h + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0177h + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0178h + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0178h + jmp NtRollbackEnlistment_Epilogue +NtRollbackEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRollbackEnlistment_Epilogue: + mov r10, rcx + syscall + ret +NtRollbackEnlistment ENDP + +NtRollbackRegistryTransaction PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRollbackRegistryTransaction_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtRollbackRegistryTransaction_Check_10_0_XXXX + jmp NtRollbackRegistryTransaction_SystemCall_Unknown +NtRollbackRegistryTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 14393 + je NtRollbackRegistryTransaction_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRollbackRegistryTransaction_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRollbackRegistryTransaction_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRollbackRegistryTransaction_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRollbackRegistryTransaction_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRollbackRegistryTransaction_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRollbackRegistryTransaction_SystemCall_10_0_18363 + jmp NtRollbackRegistryTransaction_SystemCall_Unknown +NtRollbackRegistryTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 016ch + jmp NtRollbackRegistryTransaction_Epilogue +NtRollbackRegistryTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0172h + jmp NtRollbackRegistryTransaction_Epilogue +NtRollbackRegistryTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0175h + jmp NtRollbackRegistryTransaction_Epilogue +NtRollbackRegistryTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0177h + jmp NtRollbackRegistryTransaction_Epilogue +NtRollbackRegistryTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0178h + jmp NtRollbackRegistryTransaction_Epilogue +NtRollbackRegistryTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0179h + jmp NtRollbackRegistryTransaction_Epilogue +NtRollbackRegistryTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0179h + jmp NtRollbackRegistryTransaction_Epilogue +NtRollbackRegistryTransaction_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRollbackRegistryTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtRollbackRegistryTransaction ENDP + +NtRollbackSavepointTransaction PROC + mov rax, gs:[60h] ; Load PEB into RAX. 
+NtRollbackSavepointTransaction_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtRollbackSavepointTransaction_Check_6_X_XXXX + jmp NtRollbackSavepointTransaction_SystemCall_Unknown +NtRollbackSavepointTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRollbackSavepointTransaction_Check_6_0_XXXX + jmp NtRollbackSavepointTransaction_SystemCall_Unknown +NtRollbackSavepointTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtRollbackSavepointTransaction_SystemCall_6_0_6000 + jmp NtRollbackSavepointTransaction_SystemCall_Unknown +NtRollbackSavepointTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0144h + jmp NtRollbackSavepointTransaction_Epilogue +NtRollbackSavepointTransaction_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRollbackSavepointTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtRollbackSavepointTransaction ENDP + +NtRollbackTransaction PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRollbackTransaction_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtRollbackTransaction_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRollbackTransaction_Check_10_0_XXXX + jmp NtRollbackTransaction_SystemCall_Unknown +NtRollbackTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRollbackTransaction_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRollbackTransaction_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRollbackTransaction_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRollbackTransaction_SystemCall_6_3_XXXX + jmp NtRollbackTransaction_SystemCall_Unknown +NtRollbackTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtRollbackTransaction_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRollbackTransaction_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRollbackTransaction_SystemCall_6_0_6002 + jmp NtRollbackTransaction_SystemCall_Unknown +NtRollbackTransaction_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRollbackTransaction_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRollbackTransaction_SystemCall_6_1_7601 + jmp NtRollbackTransaction_SystemCall_Unknown +NtRollbackTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtRollbackTransaction_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRollbackTransaction_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRollbackTransaction_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRollbackTransaction_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRollbackTransaction_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRollbackTransaction_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRollbackTransaction_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRollbackTransaction_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRollbackTransaction_SystemCall_10_0_18363 + jmp NtRollbackTransaction_SystemCall_Unknown +NtRollbackTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0145h + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0141h + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0141h + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0147h + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_6_1_7601: ; 
Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0147h + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 015bh + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 015eh + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0165h + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0168h + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 016dh + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0173h + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0176h + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0178h + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0179h + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 017ah + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 017ah + jmp NtRollbackTransaction_Epilogue +NtRollbackTransaction_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRollbackTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtRollbackTransaction ENDP + +NtRollforwardTransactionManager PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtRollforwardTransactionManager_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtRollforwardTransactionManager_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtRollforwardTransactionManager_Check_10_0_XXXX + jmp NtRollforwardTransactionManager_SystemCall_Unknown +NtRollforwardTransactionManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtRollforwardTransactionManager_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtRollforwardTransactionManager_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRollforwardTransactionManager_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtRollforwardTransactionManager_SystemCall_6_3_XXXX + jmp NtRollforwardTransactionManager_SystemCall_Unknown +NtRollforwardTransactionManager_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtRollforwardTransactionManager_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtRollforwardTransactionManager_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtRollforwardTransactionManager_SystemCall_6_0_6002 + jmp NtRollforwardTransactionManager_SystemCall_Unknown +NtRollforwardTransactionManager_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtRollforwardTransactionManager_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtRollforwardTransactionManager_SystemCall_6_1_7601 + jmp NtRollforwardTransactionManager_SystemCall_Unknown +NtRollforwardTransactionManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtRollforwardTransactionManager_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtRollforwardTransactionManager_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtRollforwardTransactionManager_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtRollforwardTransactionManager_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtRollforwardTransactionManager_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtRollforwardTransactionManager_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtRollforwardTransactionManager_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtRollforwardTransactionManager_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtRollforwardTransactionManager_SystemCall_10_0_18363 + jmp NtRollforwardTransactionManager_SystemCall_Unknown +NtRollforwardTransactionManager_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0146h + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0142h + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0142h + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0148h + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0148h + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 015ch + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 015fh + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_10_0_10240: ; 
Windows 10.0.10240 (1507) + mov eax, 0166h + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0169h + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 016eh + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0174h + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0177h + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0179h + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 017ah + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 017bh + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 017bh + jmp NtRollforwardTransactionManager_Epilogue +NtRollforwardTransactionManager_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtRollforwardTransactionManager_Epilogue: + mov r10, rcx + syscall + ret +NtRollforwardTransactionManager ENDP + +NtSaveKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSaveKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSaveKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSaveKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSaveKey_Check_10_0_XXXX + jmp NtSaveKey_SystemCall_Unknown +NtSaveKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSaveKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSaveKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSaveKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSaveKey_SystemCall_6_3_XXXX + jmp NtSaveKey_SystemCall_Unknown +NtSaveKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSaveKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSaveKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSaveKey_SystemCall_6_0_6002 + jmp NtSaveKey_SystemCall_Unknown +NtSaveKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSaveKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSaveKey_SystemCall_6_1_7601 + jmp NtSaveKey_SystemCall_Unknown +NtSaveKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSaveKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSaveKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSaveKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSaveKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSaveKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSaveKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSaveKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSaveKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSaveKey_SystemCall_10_0_18363 + jmp NtSaveKey_SystemCall_Unknown +NtSaveKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00f0h + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0147h + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0143h + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0143h + jmp NtSaveKey_Epilogue 
+NtSaveKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0149h + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0149h + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 015dh + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0160h + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0167h + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 016ah + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 016fh + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0175h + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0178h + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 017ah + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 017bh + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 017ch + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 017ch + jmp NtSaveKey_Epilogue +NtSaveKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSaveKey_Epilogue: + mov r10, rcx + syscall + ret +NtSaveKey ENDP + +NtSaveKeyEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSaveKeyEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSaveKeyEx_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSaveKeyEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSaveKeyEx_Check_10_0_XXXX + jmp NtSaveKeyEx_SystemCall_Unknown +NtSaveKeyEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSaveKeyEx_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSaveKeyEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSaveKeyEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSaveKeyEx_SystemCall_6_3_XXXX + jmp NtSaveKeyEx_SystemCall_Unknown +NtSaveKeyEx_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSaveKeyEx_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSaveKeyEx_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSaveKeyEx_SystemCall_6_0_6002 + jmp NtSaveKeyEx_SystemCall_Unknown +NtSaveKeyEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSaveKeyEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSaveKeyEx_SystemCall_6_1_7601 + jmp NtSaveKeyEx_SystemCall_Unknown +NtSaveKeyEx_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSaveKeyEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSaveKeyEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSaveKeyEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSaveKeyEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSaveKeyEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSaveKeyEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSaveKeyEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSaveKeyEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSaveKeyEx_SystemCall_10_0_18363 + jmp NtSaveKeyEx_SystemCall_Unknown +NtSaveKeyEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00f1h + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0148h + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0144h + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_6_0_6002: ; Windows Vista SP2 and 
Server 2008 SP2 + mov eax, 0144h + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 014ah + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 014ah + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 015eh + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0161h + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0168h + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 016bh + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0170h + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0176h + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0179h + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 017bh + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 017ch + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 017dh + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 017dh + jmp NtSaveKeyEx_Epilogue +NtSaveKeyEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSaveKeyEx_Epilogue: + mov r10, rcx + syscall + ret +NtSaveKeyEx ENDP + +NtSaveMergedKeys PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSaveMergedKeys_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtSaveMergedKeys_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSaveMergedKeys_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSaveMergedKeys_Check_10_0_XXXX + jmp NtSaveMergedKeys_SystemCall_Unknown +NtSaveMergedKeys_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSaveMergedKeys_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSaveMergedKeys_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSaveMergedKeys_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSaveMergedKeys_SystemCall_6_3_XXXX + jmp NtSaveMergedKeys_SystemCall_Unknown +NtSaveMergedKeys_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSaveMergedKeys_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSaveMergedKeys_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSaveMergedKeys_SystemCall_6_0_6002 + jmp NtSaveMergedKeys_SystemCall_Unknown +NtSaveMergedKeys_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSaveMergedKeys_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSaveMergedKeys_SystemCall_6_1_7601 + jmp NtSaveMergedKeys_SystemCall_Unknown +NtSaveMergedKeys_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSaveMergedKeys_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSaveMergedKeys_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSaveMergedKeys_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSaveMergedKeys_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSaveMergedKeys_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSaveMergedKeys_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSaveMergedKeys_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSaveMergedKeys_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSaveMergedKeys_SystemCall_10_0_18363 + jmp NtSaveMergedKeys_SystemCall_Unknown +NtSaveMergedKeys_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00f2h + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0149h + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0145h + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0145h + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 014bh + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 014bh + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 015fh + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0162h + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0169h + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 016ch + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + 
mov eax, 0171h + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0177h + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 017ah + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 017ch + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 017dh + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 017eh + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 017eh + jmp NtSaveMergedKeys_Epilogue +NtSaveMergedKeys_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSaveMergedKeys_Epilogue: + mov r10, rcx + syscall + ret +NtSaveMergedKeys ENDP + +NtSavepointComplete PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSavepointComplete_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtSavepointComplete_Check_6_X_XXXX + jmp NtSavepointComplete_SystemCall_Unknown +NtSavepointComplete_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSavepointComplete_Check_6_0_XXXX + jmp NtSavepointComplete_SystemCall_Unknown +NtSavepointComplete_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSavepointComplete_SystemCall_6_0_6000 + jmp NtSavepointComplete_SystemCall_Unknown +NtSavepointComplete_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 014ah + jmp NtSavepointComplete_Epilogue +NtSavepointComplete_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSavepointComplete_Epilogue: + mov r10, rcx + syscall + ret +NtSavepointComplete ENDP + +NtSavepointTransaction PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSavepointTransaction_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtSavepointTransaction_Check_6_X_XXXX + jmp NtSavepointTransaction_SystemCall_Unknown +NtSavepointTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSavepointTransaction_Check_6_0_XXXX + jmp NtSavepointTransaction_SystemCall_Unknown +NtSavepointTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSavepointTransaction_SystemCall_6_0_6000 + jmp NtSavepointTransaction_SystemCall_Unknown +NtSavepointTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 014bh + jmp NtSavepointTransaction_Epilogue +NtSavepointTransaction_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSavepointTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtSavepointTransaction ENDP + +NtSecureConnectPort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSecureConnectPort_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSecureConnectPort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSecureConnectPort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSecureConnectPort_Check_10_0_XXXX + jmp NtSecureConnectPort_SystemCall_Unknown +NtSecureConnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSecureConnectPort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSecureConnectPort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSecureConnectPort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSecureConnectPort_SystemCall_6_3_XXXX + jmp NtSecureConnectPort_SystemCall_Unknown +NtSecureConnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtSecureConnectPort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSecureConnectPort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSecureConnectPort_SystemCall_6_0_6002 + jmp NtSecureConnectPort_SystemCall_Unknown +NtSecureConnectPort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSecureConnectPort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSecureConnectPort_SystemCall_6_1_7601 + jmp NtSecureConnectPort_SystemCall_Unknown +NtSecureConnectPort_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSecureConnectPort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSecureConnectPort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSecureConnectPort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSecureConnectPort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSecureConnectPort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSecureConnectPort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSecureConnectPort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSecureConnectPort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSecureConnectPort_SystemCall_10_0_18363 + jmp NtSecureConnectPort_SystemCall_Unknown +NtSecureConnectPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00f3h + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 014ch + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0146h + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0146h + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 014ch + jmp 
NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 014ch + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0160h + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0163h + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 016ah + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 016dh + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0172h + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0178h + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 017bh + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 017dh + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 017eh + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 017fh + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 017fh + jmp NtSecureConnectPort_Epilogue +NtSecureConnectPort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSecureConnectPort_Epilogue: + mov r10, rcx + syscall + ret +NtSecureConnectPort ENDP + +NtSerializeBoot PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSerializeBoot_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtSerializeBoot_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSerializeBoot_Check_10_0_XXXX + jmp NtSerializeBoot_SystemCall_Unknown +NtSerializeBoot_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 1 + je NtSerializeBoot_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSerializeBoot_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSerializeBoot_SystemCall_6_3_XXXX + jmp NtSerializeBoot_SystemCall_Unknown +NtSerializeBoot_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSerializeBoot_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSerializeBoot_SystemCall_6_1_7601 + jmp NtSerializeBoot_SystemCall_Unknown +NtSerializeBoot_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSerializeBoot_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSerializeBoot_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSerializeBoot_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSerializeBoot_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSerializeBoot_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSerializeBoot_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSerializeBoot_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSerializeBoot_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSerializeBoot_SystemCall_10_0_18363 + jmp NtSerializeBoot_SystemCall_Unknown +NtSerializeBoot_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 014dh + jmp NtSerializeBoot_Epilogue +NtSerializeBoot_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 014dh + jmp NtSerializeBoot_Epilogue +NtSerializeBoot_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0161h + jmp NtSerializeBoot_Epilogue +NtSerializeBoot_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0164h + jmp 
NtSerializeBoot_Epilogue +NtSerializeBoot_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 016bh + jmp NtSerializeBoot_Epilogue +NtSerializeBoot_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 016eh + jmp NtSerializeBoot_Epilogue +NtSerializeBoot_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0173h + jmp NtSerializeBoot_Epilogue +NtSerializeBoot_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0179h + jmp NtSerializeBoot_Epilogue +NtSerializeBoot_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 017ch + jmp NtSerializeBoot_Epilogue +NtSerializeBoot_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 017eh + jmp NtSerializeBoot_Epilogue +NtSerializeBoot_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 017fh + jmp NtSerializeBoot_Epilogue +NtSerializeBoot_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0180h + jmp NtSerializeBoot_Epilogue +NtSerializeBoot_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0180h + jmp NtSerializeBoot_Epilogue +NtSerializeBoot_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSerializeBoot_Epilogue: + mov r10, rcx + syscall + ret +NtSerializeBoot ENDP + +NtSetBootEntryOrder PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetBootEntryOrder_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetBootEntryOrder_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetBootEntryOrder_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetBootEntryOrder_Check_10_0_XXXX + jmp NtSetBootEntryOrder_SystemCall_Unknown +NtSetBootEntryOrder_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetBootEntryOrder_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetBootEntryOrder_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetBootEntryOrder_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetBootEntryOrder_SystemCall_6_3_XXXX + jmp NtSetBootEntryOrder_SystemCall_Unknown +NtSetBootEntryOrder_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetBootEntryOrder_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetBootEntryOrder_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetBootEntryOrder_SystemCall_6_0_6002 + jmp NtSetBootEntryOrder_SystemCall_Unknown +NtSetBootEntryOrder_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetBootEntryOrder_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetBootEntryOrder_SystemCall_6_1_7601 + jmp NtSetBootEntryOrder_SystemCall_Unknown +NtSetBootEntryOrder_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetBootEntryOrder_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetBootEntryOrder_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetBootEntryOrder_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetBootEntryOrder_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetBootEntryOrder_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetBootEntryOrder_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetBootEntryOrder_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetBootEntryOrder_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetBootEntryOrder_SystemCall_10_0_18363 + jmp NtSetBootEntryOrder_SystemCall_Unknown +NtSetBootEntryOrder_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00f4h + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 014dh + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0147h + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0147h + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 014eh + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 014eh + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0162h + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0165h + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 016ch + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 016fh + jmp 
NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0174h + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 017ah + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 017dh + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 017fh + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0180h + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0181h + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0181h + jmp NtSetBootEntryOrder_Epilogue +NtSetBootEntryOrder_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetBootEntryOrder_Epilogue: + mov r10, rcx + syscall + ret +NtSetBootEntryOrder ENDP + +NtSetBootOptions PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetBootOptions_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetBootOptions_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetBootOptions_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetBootOptions_Check_10_0_XXXX + jmp NtSetBootOptions_SystemCall_Unknown +NtSetBootOptions_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetBootOptions_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetBootOptions_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetBootOptions_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetBootOptions_SystemCall_6_3_XXXX + jmp NtSetBootOptions_SystemCall_Unknown +NtSetBootOptions_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtSetBootOptions_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetBootOptions_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetBootOptions_SystemCall_6_0_6002 + jmp NtSetBootOptions_SystemCall_Unknown +NtSetBootOptions_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetBootOptions_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetBootOptions_SystemCall_6_1_7601 + jmp NtSetBootOptions_SystemCall_Unknown +NtSetBootOptions_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetBootOptions_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetBootOptions_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetBootOptions_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetBootOptions_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetBootOptions_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetBootOptions_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetBootOptions_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetBootOptions_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetBootOptions_SystemCall_10_0_18363 + jmp NtSetBootOptions_SystemCall_Unknown +NtSetBootOptions_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00f5h + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 014eh + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0148h + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0148h + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 014fh + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 
2008 R2 SP0 + mov eax, 014fh + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0163h + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0166h + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 016dh + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0170h + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0175h + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 017bh + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 017eh + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0180h + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0181h + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0182h + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0182h + jmp NtSetBootOptions_Epilogue +NtSetBootOptions_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetBootOptions_Epilogue: + mov r10, rcx + syscall + ret +NtSetBootOptions ENDP + +NtSetCachedSigningLevel PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetCachedSigningLevel_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtSetCachedSigningLevel_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetCachedSigningLevel_Check_10_0_XXXX + jmp NtSetCachedSigningLevel_SystemCall_Unknown +NtSetCachedSigningLevel_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 2 + je NtSetCachedSigningLevel_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetCachedSigningLevel_SystemCall_6_3_XXXX + jmp NtSetCachedSigningLevel_SystemCall_Unknown +NtSetCachedSigningLevel_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetCachedSigningLevel_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetCachedSigningLevel_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetCachedSigningLevel_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetCachedSigningLevel_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetCachedSigningLevel_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetCachedSigningLevel_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetCachedSigningLevel_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetCachedSigningLevel_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetCachedSigningLevel_SystemCall_10_0_18363 + jmp NtSetCachedSigningLevel_SystemCall_Unknown +NtSetCachedSigningLevel_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0164h + jmp NtSetCachedSigningLevel_Epilogue +NtSetCachedSigningLevel_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0167h + jmp NtSetCachedSigningLevel_Epilogue +NtSetCachedSigningLevel_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 016eh + jmp NtSetCachedSigningLevel_Epilogue +NtSetCachedSigningLevel_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0171h + jmp NtSetCachedSigningLevel_Epilogue +NtSetCachedSigningLevel_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0176h + jmp NtSetCachedSigningLevel_Epilogue +NtSetCachedSigningLevel_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 017ch + jmp NtSetCachedSigningLevel_Epilogue +NtSetCachedSigningLevel_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 017fh + jmp 
NtSetCachedSigningLevel_Epilogue +NtSetCachedSigningLevel_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0181h + jmp NtSetCachedSigningLevel_Epilogue +NtSetCachedSigningLevel_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0182h + jmp NtSetCachedSigningLevel_Epilogue +NtSetCachedSigningLevel_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0183h + jmp NtSetCachedSigningLevel_Epilogue +NtSetCachedSigningLevel_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0183h + jmp NtSetCachedSigningLevel_Epilogue +NtSetCachedSigningLevel_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetCachedSigningLevel_Epilogue: + mov r10, rcx + syscall + ret +NtSetCachedSigningLevel ENDP + +NtSetCachedSigningLevel2 PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetCachedSigningLevel2_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtSetCachedSigningLevel2_Check_10_0_XXXX + jmp NtSetCachedSigningLevel2_SystemCall_Unknown +NtSetCachedSigningLevel2_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 14393 + je NtSetCachedSigningLevel2_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetCachedSigningLevel2_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetCachedSigningLevel2_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetCachedSigningLevel2_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetCachedSigningLevel2_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetCachedSigningLevel2_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetCachedSigningLevel2_SystemCall_10_0_18363 + jmp NtSetCachedSigningLevel2_SystemCall_Unknown +NtSetCachedSigningLevel2_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0177h + jmp NtSetCachedSigningLevel2_Epilogue +NtSetCachedSigningLevel2_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 017dh + jmp NtSetCachedSigningLevel2_Epilogue +NtSetCachedSigningLevel2_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0180h + jmp NtSetCachedSigningLevel2_Epilogue +NtSetCachedSigningLevel2_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0182h + jmp NtSetCachedSigningLevel2_Epilogue +NtSetCachedSigningLevel2_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0183h + jmp NtSetCachedSigningLevel2_Epilogue +NtSetCachedSigningLevel2_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0184h + jmp NtSetCachedSigningLevel2_Epilogue +NtSetCachedSigningLevel2_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0184h + jmp NtSetCachedSigningLevel2_Epilogue +NtSetCachedSigningLevel2_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetCachedSigningLevel2_Epilogue: + mov r10, rcx + syscall + ret +NtSetCachedSigningLevel2 ENDP + +NtSetContextThread PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetContextThread_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtSetContextThread_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetContextThread_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetContextThread_Check_10_0_XXXX + jmp NtSetContextThread_SystemCall_Unknown +NtSetContextThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetContextThread_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetContextThread_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetContextThread_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetContextThread_SystemCall_6_3_XXXX + jmp NtSetContextThread_SystemCall_Unknown +NtSetContextThread_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetContextThread_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetContextThread_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetContextThread_SystemCall_6_0_6002 + jmp NtSetContextThread_SystemCall_Unknown +NtSetContextThread_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetContextThread_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetContextThread_SystemCall_6_1_7601 + jmp NtSetContextThread_SystemCall_Unknown +NtSetContextThread_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetContextThread_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetContextThread_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetContextThread_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetContextThread_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetContextThread_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetContextThread_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetContextThread_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetContextThread_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetContextThread_SystemCall_10_0_18363 + jmp NtSetContextThread_SystemCall_Unknown +NtSetContextThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00f6h + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 014fh + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0149h + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0149h + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0150h + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0150h + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0165h + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0168h + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 016fh + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0172h + jmp NtSetContextThread_Epilogue 
+NtSetContextThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0178h + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 017eh + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0181h + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0183h + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0184h + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0185h + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0185h + jmp NtSetContextThread_Epilogue +NtSetContextThread_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetContextThread_Epilogue: + mov r10, rcx + syscall + ret +NtSetContextThread ENDP + +NtSetDebugFilterState PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetDebugFilterState_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetDebugFilterState_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetDebugFilterState_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetDebugFilterState_Check_10_0_XXXX + jmp NtSetDebugFilterState_SystemCall_Unknown +NtSetDebugFilterState_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetDebugFilterState_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetDebugFilterState_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetDebugFilterState_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetDebugFilterState_SystemCall_6_3_XXXX + jmp NtSetDebugFilterState_SystemCall_Unknown +NtSetDebugFilterState_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtSetDebugFilterState_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetDebugFilterState_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetDebugFilterState_SystemCall_6_0_6002 + jmp NtSetDebugFilterState_SystemCall_Unknown +NtSetDebugFilterState_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetDebugFilterState_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetDebugFilterState_SystemCall_6_1_7601 + jmp NtSetDebugFilterState_SystemCall_Unknown +NtSetDebugFilterState_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetDebugFilterState_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetDebugFilterState_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetDebugFilterState_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetDebugFilterState_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetDebugFilterState_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetDebugFilterState_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetDebugFilterState_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetDebugFilterState_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetDebugFilterState_SystemCall_10_0_18363 + jmp NtSetDebugFilterState_SystemCall_Unknown +NtSetDebugFilterState_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00f7h + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0150h + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 014ah + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 014ah + jmp NtSetDebugFilterState_Epilogue 
+NtSetDebugFilterState_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0151h + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0151h + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0166h + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0169h + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0170h + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0173h + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0179h + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 017fh + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0182h + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0184h + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0185h + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0186h + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0186h + jmp NtSetDebugFilterState_Epilogue +NtSetDebugFilterState_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetDebugFilterState_Epilogue: + mov r10, rcx + syscall + ret +NtSetDebugFilterState ENDP + +NtSetDefaultHardErrorPort PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetDefaultHardErrorPort_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtSetDefaultHardErrorPort_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetDefaultHardErrorPort_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetDefaultHardErrorPort_Check_10_0_XXXX + jmp NtSetDefaultHardErrorPort_SystemCall_Unknown +NtSetDefaultHardErrorPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetDefaultHardErrorPort_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetDefaultHardErrorPort_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetDefaultHardErrorPort_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetDefaultHardErrorPort_SystemCall_6_3_XXXX + jmp NtSetDefaultHardErrorPort_SystemCall_Unknown +NtSetDefaultHardErrorPort_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetDefaultHardErrorPort_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetDefaultHardErrorPort_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetDefaultHardErrorPort_SystemCall_6_0_6002 + jmp NtSetDefaultHardErrorPort_SystemCall_Unknown +NtSetDefaultHardErrorPort_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetDefaultHardErrorPort_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetDefaultHardErrorPort_SystemCall_6_1_7601 + jmp NtSetDefaultHardErrorPort_SystemCall_Unknown +NtSetDefaultHardErrorPort_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetDefaultHardErrorPort_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetDefaultHardErrorPort_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetDefaultHardErrorPort_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetDefaultHardErrorPort_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetDefaultHardErrorPort_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetDefaultHardErrorPort_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetDefaultHardErrorPort_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetDefaultHardErrorPort_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetDefaultHardErrorPort_SystemCall_10_0_18363 + jmp NtSetDefaultHardErrorPort_SystemCall_Unknown +NtSetDefaultHardErrorPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00f8h + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0151h + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 014bh + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 014bh + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0152h + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0152h + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0167h + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 016ah + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_10_0_10240: ; Windows 10.0.10240 
(1507) + mov eax, 0171h + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0174h + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 017ah + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0180h + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0183h + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0185h + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0186h + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0187h + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0187h + jmp NtSetDefaultHardErrorPort_Epilogue +NtSetDefaultHardErrorPort_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetDefaultHardErrorPort_Epilogue: + mov r10, rcx + syscall + ret +NtSetDefaultHardErrorPort ENDP + +NtSetDefaultLocale PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetDefaultLocale_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetDefaultLocale_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetDefaultLocale_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetDefaultLocale_Check_10_0_XXXX + jmp NtSetDefaultLocale_SystemCall_Unknown +NtSetDefaultLocale_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetDefaultLocale_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetDefaultLocale_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetDefaultLocale_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetDefaultLocale_SystemCall_6_3_XXXX + jmp NtSetDefaultLocale_SystemCall_Unknown +NtSetDefaultLocale_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetDefaultLocale_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetDefaultLocale_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetDefaultLocale_SystemCall_6_0_6002 + jmp NtSetDefaultLocale_SystemCall_Unknown +NtSetDefaultLocale_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetDefaultLocale_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetDefaultLocale_SystemCall_6_1_7601 + jmp NtSetDefaultLocale_SystemCall_Unknown +NtSetDefaultLocale_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetDefaultLocale_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetDefaultLocale_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetDefaultLocale_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetDefaultLocale_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetDefaultLocale_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetDefaultLocale_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetDefaultLocale_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetDefaultLocale_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetDefaultLocale_SystemCall_10_0_18363 + jmp NtSetDefaultLocale_SystemCall_Unknown +NtSetDefaultLocale_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00f9h + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0152h + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 014ch + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 014ch + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0153h + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0153h + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0168h + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 016bh + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0172h + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0175h + jmp NtSetDefaultLocale_Epilogue 
+NtSetDefaultLocale_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 017bh + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0181h + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0184h + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0186h + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0187h + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0188h + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0188h + jmp NtSetDefaultLocale_Epilogue +NtSetDefaultLocale_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetDefaultLocale_Epilogue: + mov r10, rcx + syscall + ret +NtSetDefaultLocale ENDP + +NtSetDefaultUILanguage PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetDefaultUILanguage_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetDefaultUILanguage_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetDefaultUILanguage_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetDefaultUILanguage_Check_10_0_XXXX + jmp NtSetDefaultUILanguage_SystemCall_Unknown +NtSetDefaultUILanguage_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetDefaultUILanguage_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetDefaultUILanguage_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetDefaultUILanguage_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetDefaultUILanguage_SystemCall_6_3_XXXX + jmp NtSetDefaultUILanguage_SystemCall_Unknown +NtSetDefaultUILanguage_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtSetDefaultUILanguage_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetDefaultUILanguage_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetDefaultUILanguage_SystemCall_6_0_6002 + jmp NtSetDefaultUILanguage_SystemCall_Unknown +NtSetDefaultUILanguage_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetDefaultUILanguage_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetDefaultUILanguage_SystemCall_6_1_7601 + jmp NtSetDefaultUILanguage_SystemCall_Unknown +NtSetDefaultUILanguage_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetDefaultUILanguage_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetDefaultUILanguage_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetDefaultUILanguage_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetDefaultUILanguage_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetDefaultUILanguage_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetDefaultUILanguage_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetDefaultUILanguage_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetDefaultUILanguage_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetDefaultUILanguage_SystemCall_10_0_18363 + jmp NtSetDefaultUILanguage_SystemCall_Unknown +NtSetDefaultUILanguage_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00fah + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0153h + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 014dh + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 014dh + jmp NtSetDefaultUILanguage_Epilogue 
+NtSetDefaultUILanguage_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0154h + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0154h + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0169h + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 016ch + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0173h + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0176h + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 017ch + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0182h + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0185h + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0187h + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0188h + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0189h + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0189h + jmp NtSetDefaultUILanguage_Epilogue +NtSetDefaultUILanguage_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetDefaultUILanguage_Epilogue: + mov r10, rcx + syscall + ret +NtSetDefaultUILanguage ENDP + +NtSetDriverEntryOrder PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetDriverEntryOrder_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtSetDriverEntryOrder_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetDriverEntryOrder_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetDriverEntryOrder_Check_10_0_XXXX + jmp NtSetDriverEntryOrder_SystemCall_Unknown +NtSetDriverEntryOrder_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetDriverEntryOrder_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetDriverEntryOrder_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetDriverEntryOrder_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetDriverEntryOrder_SystemCall_6_3_XXXX + jmp NtSetDriverEntryOrder_SystemCall_Unknown +NtSetDriverEntryOrder_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetDriverEntryOrder_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetDriverEntryOrder_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetDriverEntryOrder_SystemCall_6_0_6002 + jmp NtSetDriverEntryOrder_SystemCall_Unknown +NtSetDriverEntryOrder_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetDriverEntryOrder_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetDriverEntryOrder_SystemCall_6_1_7601 + jmp NtSetDriverEntryOrder_SystemCall_Unknown +NtSetDriverEntryOrder_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetDriverEntryOrder_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetDriverEntryOrder_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetDriverEntryOrder_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetDriverEntryOrder_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetDriverEntryOrder_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetDriverEntryOrder_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetDriverEntryOrder_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetDriverEntryOrder_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetDriverEntryOrder_SystemCall_10_0_18363 + jmp NtSetDriverEntryOrder_SystemCall_Unknown +NtSetDriverEntryOrder_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00fbh + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0154h + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 014eh + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 014eh + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0155h + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0155h + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 016ah + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 016dh + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0174h + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_10_0_10586: ; 
Windows 10.0.10586 (1511) + mov eax, 0177h + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 017dh + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0183h + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0186h + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0188h + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0189h + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 018ah + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 018ah + jmp NtSetDriverEntryOrder_Epilogue +NtSetDriverEntryOrder_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetDriverEntryOrder_Epilogue: + mov r10, rcx + syscall + ret +NtSetDriverEntryOrder ENDP + +NtSetEaFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetEaFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetEaFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetEaFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetEaFile_Check_10_0_XXXX + jmp NtSetEaFile_SystemCall_Unknown +NtSetEaFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetEaFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetEaFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetEaFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetEaFile_SystemCall_6_3_XXXX + jmp NtSetEaFile_SystemCall_Unknown +NtSetEaFile_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtSetEaFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetEaFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetEaFile_SystemCall_6_0_6002 + jmp NtSetEaFile_SystemCall_Unknown +NtSetEaFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetEaFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetEaFile_SystemCall_6_1_7601 + jmp NtSetEaFile_SystemCall_Unknown +NtSetEaFile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetEaFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetEaFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetEaFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetEaFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetEaFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetEaFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetEaFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetEaFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetEaFile_SystemCall_10_0_18363 + jmp NtSetEaFile_SystemCall_Unknown +NtSetEaFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00fch + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0155h + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 014fh + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 014fh + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0156h + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0156h + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 016bh + jmp 
NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 016eh + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0175h + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0178h + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 017eh + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0184h + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0187h + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0189h + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 018ah + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 018bh + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 018bh + jmp NtSetEaFile_Epilogue +NtSetEaFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetEaFile_Epilogue: + mov r10, rcx + syscall + ret +NtSetEaFile ENDP + +NtSetEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetEvent_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetEvent_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetEvent_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetEvent_Check_10_0_XXXX + jmp NtSetEvent_SystemCall_Unknown +NtSetEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetEvent_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetEvent_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetEvent_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetEvent_SystemCall_6_3_XXXX + jmp NtSetEvent_SystemCall_Unknown +NtSetEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetEvent_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetEvent_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetEvent_SystemCall_6_0_6002 + jmp NtSetEvent_SystemCall_Unknown +NtSetEvent_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetEvent_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetEvent_SystemCall_6_1_7601 + jmp NtSetEvent_SystemCall_Unknown +NtSetEvent_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetEvent_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetEvent_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetEvent_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetEvent_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetEvent_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetEvent_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetEvent_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetEvent_SystemCall_10_0_18363 + jmp NtSetEvent_SystemCall_Unknown +NtSetEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 000bh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 000bh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 000bh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 000bh + 
jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 000bh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 000bh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 000ch + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 000dh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 000eh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 000eh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 000eh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 000eh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 000eh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 000eh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 000eh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 000eh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 000eh + jmp NtSetEvent_Epilogue +NtSetEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetEvent_Epilogue: + mov r10, rcx + syscall + ret +NtSetEvent ENDP + +NtSetEventBoostPriority PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetEventBoostPriority_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtSetEventBoostPriority_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetEventBoostPriority_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetEventBoostPriority_Check_10_0_XXXX + jmp NtSetEventBoostPriority_SystemCall_Unknown +NtSetEventBoostPriority_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetEventBoostPriority_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetEventBoostPriority_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetEventBoostPriority_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetEventBoostPriority_SystemCall_6_3_XXXX + jmp NtSetEventBoostPriority_SystemCall_Unknown +NtSetEventBoostPriority_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetEventBoostPriority_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetEventBoostPriority_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetEventBoostPriority_SystemCall_6_0_6002 + jmp NtSetEventBoostPriority_SystemCall_Unknown +NtSetEventBoostPriority_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetEventBoostPriority_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetEventBoostPriority_SystemCall_6_1_7601 + jmp NtSetEventBoostPriority_SystemCall_Unknown +NtSetEventBoostPriority_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetEventBoostPriority_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetEventBoostPriority_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetEventBoostPriority_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetEventBoostPriority_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetEventBoostPriority_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetEventBoostPriority_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetEventBoostPriority_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetEventBoostPriority_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetEventBoostPriority_SystemCall_10_0_18363 + jmp NtSetEventBoostPriority_SystemCall_Unknown +NtSetEventBoostPriority_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 002ah + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 002ah + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 002ah + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 002ah + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 002ah + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 002ah + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 002bh + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 002ch + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 002dh + jmp 
NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 002dh + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 002dh + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 002dh + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 002dh + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 002dh + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 002dh + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 002dh + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 002dh + jmp NtSetEventBoostPriority_Epilogue +NtSetEventBoostPriority_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetEventBoostPriority_Epilogue: + mov r10, rcx + syscall + ret +NtSetEventBoostPriority ENDP + +NtSetHighEventPair PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetHighEventPair_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetHighEventPair_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetHighEventPair_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetHighEventPair_Check_10_0_XXXX + jmp NtSetHighEventPair_SystemCall_Unknown +NtSetHighEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetHighEventPair_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetHighEventPair_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetHighEventPair_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetHighEventPair_SystemCall_6_3_XXXX + jmp NtSetHighEventPair_SystemCall_Unknown +NtSetHighEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetHighEventPair_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetHighEventPair_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetHighEventPair_SystemCall_6_0_6002 + jmp NtSetHighEventPair_SystemCall_Unknown +NtSetHighEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetHighEventPair_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetHighEventPair_SystemCall_6_1_7601 + jmp NtSetHighEventPair_SystemCall_Unknown +NtSetHighEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetHighEventPair_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetHighEventPair_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetHighEventPair_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetHighEventPair_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetHighEventPair_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetHighEventPair_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetHighEventPair_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetHighEventPair_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetHighEventPair_SystemCall_10_0_18363 + jmp NtSetHighEventPair_SystemCall_Unknown +NtSetHighEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00fdh + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0156h + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0150h + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0150h + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0157h + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0157h + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 016ch + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 016fh + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0176h + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0179h + jmp NtSetHighEventPair_Epilogue 
+NtSetHighEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 017fh + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0185h + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0188h + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 018ah + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 018bh + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 018ch + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 018ch + jmp NtSetHighEventPair_Epilogue +NtSetHighEventPair_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetHighEventPair_Epilogue: + mov r10, rcx + syscall + ret +NtSetHighEventPair ENDP + +NtSetHighWaitLowEventPair PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetHighWaitLowEventPair_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetHighWaitLowEventPair_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetHighWaitLowEventPair_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetHighWaitLowEventPair_Check_10_0_XXXX + jmp NtSetHighWaitLowEventPair_SystemCall_Unknown +NtSetHighWaitLowEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetHighWaitLowEventPair_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetHighWaitLowEventPair_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetHighWaitLowEventPair_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetHighWaitLowEventPair_SystemCall_6_3_XXXX + jmp NtSetHighWaitLowEventPair_SystemCall_Unknown +NtSetHighWaitLowEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtSetHighWaitLowEventPair_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetHighWaitLowEventPair_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetHighWaitLowEventPair_SystemCall_6_0_6002 + jmp NtSetHighWaitLowEventPair_SystemCall_Unknown +NtSetHighWaitLowEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetHighWaitLowEventPair_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetHighWaitLowEventPair_SystemCall_6_1_7601 + jmp NtSetHighWaitLowEventPair_SystemCall_Unknown +NtSetHighWaitLowEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetHighWaitLowEventPair_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetHighWaitLowEventPair_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetHighWaitLowEventPair_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetHighWaitLowEventPair_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetHighWaitLowEventPair_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetHighWaitLowEventPair_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetHighWaitLowEventPair_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetHighWaitLowEventPair_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetHighWaitLowEventPair_SystemCall_10_0_18363 + jmp NtSetHighWaitLowEventPair_SystemCall_Unknown +NtSetHighWaitLowEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00feh + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0157h + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0151h + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and 
Server 2008 SP2 + mov eax, 0151h + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0158h + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0158h + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 016dh + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0170h + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0177h + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 017ah + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0180h + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0186h + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0189h + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 018bh + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 018ch + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 018dh + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 018dh + jmp NtSetHighWaitLowEventPair_Epilogue +NtSetHighWaitLowEventPair_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtSetHighWaitLowEventPair_Epilogue: + mov r10, rcx + syscall + ret +NtSetHighWaitLowEventPair ENDP + +NtSetIRTimer PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetIRTimer_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtSetIRTimer_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetIRTimer_Check_10_0_XXXX + jmp NtSetIRTimer_SystemCall_Unknown +NtSetIRTimer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtSetIRTimer_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetIRTimer_SystemCall_6_3_XXXX + jmp NtSetIRTimer_SystemCall_Unknown +NtSetIRTimer_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetIRTimer_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetIRTimer_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetIRTimer_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetIRTimer_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetIRTimer_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetIRTimer_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetIRTimer_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetIRTimer_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetIRTimer_SystemCall_10_0_18363 + jmp NtSetIRTimer_SystemCall_Unknown +NtSetIRTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 016eh + jmp NtSetIRTimer_Epilogue +NtSetIRTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0171h + jmp NtSetIRTimer_Epilogue +NtSetIRTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0178h + jmp NtSetIRTimer_Epilogue +NtSetIRTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 017bh + jmp NtSetIRTimer_Epilogue +NtSetIRTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0181h + jmp NtSetIRTimer_Epilogue +NtSetIRTimer_SystemCall_10_0_15063: ; 
Windows 10.0.15063 (1703) + mov eax, 0187h + jmp NtSetIRTimer_Epilogue +NtSetIRTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 018ah + jmp NtSetIRTimer_Epilogue +NtSetIRTimer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 018ch + jmp NtSetIRTimer_Epilogue +NtSetIRTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 018dh + jmp NtSetIRTimer_Epilogue +NtSetIRTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 018eh + jmp NtSetIRTimer_Epilogue +NtSetIRTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 018eh + jmp NtSetIRTimer_Epilogue +NtSetIRTimer_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetIRTimer_Epilogue: + mov r10, rcx + syscall + ret +NtSetIRTimer ENDP + +NtSetInformationDebugObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationDebugObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetInformationDebugObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetInformationDebugObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetInformationDebugObject_Check_10_0_XXXX + jmp NtSetInformationDebugObject_SystemCall_Unknown +NtSetInformationDebugObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetInformationDebugObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetInformationDebugObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationDebugObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationDebugObject_SystemCall_6_3_XXXX + jmp NtSetInformationDebugObject_SystemCall_Unknown +NtSetInformationDebugObject_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtSetInformationDebugObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetInformationDebugObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetInformationDebugObject_SystemCall_6_0_6002 + jmp NtSetInformationDebugObject_SystemCall_Unknown +NtSetInformationDebugObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetInformationDebugObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetInformationDebugObject_SystemCall_6_1_7601 + jmp NtSetInformationDebugObject_SystemCall_Unknown +NtSetInformationDebugObject_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetInformationDebugObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationDebugObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationDebugObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationDebugObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationDebugObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationDebugObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationDebugObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationDebugObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationDebugObject_SystemCall_10_0_18363 + jmp NtSetInformationDebugObject_SystemCall_Unknown +NtSetInformationDebugObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 00ffh + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0158h + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0152h + jmp NtSetInformationDebugObject_Epilogue 
+NtSetInformationDebugObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0152h + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0159h + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0159h + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 016fh + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0172h + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0179h + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 017ch + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0182h + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0188h + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 018bh + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 018dh + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 018eh + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 018fh + jmp NtSetInformationDebugObject_Epilogue +NtSetInformationDebugObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 018fh + jmp NtSetInformationDebugObject_Epilogue 
+NtSetInformationDebugObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationDebugObject_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationDebugObject ENDP + +NtSetInformationEnlistment PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationEnlistment_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtSetInformationEnlistment_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetInformationEnlistment_Check_10_0_XXXX + jmp NtSetInformationEnlistment_SystemCall_Unknown +NtSetInformationEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetInformationEnlistment_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetInformationEnlistment_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationEnlistment_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationEnlistment_SystemCall_6_3_XXXX + jmp NtSetInformationEnlistment_SystemCall_Unknown +NtSetInformationEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetInformationEnlistment_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetInformationEnlistment_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetInformationEnlistment_SystemCall_6_0_6002 + jmp NtSetInformationEnlistment_SystemCall_Unknown +NtSetInformationEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetInformationEnlistment_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetInformationEnlistment_SystemCall_6_1_7601 + jmp NtSetInformationEnlistment_SystemCall_Unknown +NtSetInformationEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetInformationEnlistment_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationEnlistment_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationEnlistment_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationEnlistment_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationEnlistment_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationEnlistment_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationEnlistment_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationEnlistment_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationEnlistment_SystemCall_10_0_18363 + jmp NtSetInformationEnlistment_SystemCall_Unknown +NtSetInformationEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0159h + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0153h + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0153h + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 015ah + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 015ah + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0170h + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0173h + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 017ah + jmp NtSetInformationEnlistment_Epilogue 
+NtSetInformationEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 017dh + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0183h + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0189h + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 018ch + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 018eh + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 018fh + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0190h + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0190h + jmp NtSetInformationEnlistment_Epilogue +NtSetInformationEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationEnlistment_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationEnlistment ENDP + +NtSetInformationFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetInformationFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetInformationFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetInformationFile_Check_10_0_XXXX + jmp NtSetInformationFile_SystemCall_Unknown +NtSetInformationFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetInformationFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetInformationFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationFile_SystemCall_6_3_XXXX + jmp NtSetInformationFile_SystemCall_Unknown +NtSetInformationFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetInformationFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetInformationFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetInformationFile_SystemCall_6_0_6002 + jmp NtSetInformationFile_SystemCall_Unknown +NtSetInformationFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetInformationFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetInformationFile_SystemCall_6_1_7601 + jmp NtSetInformationFile_SystemCall_Unknown +NtSetInformationFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetInformationFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationFile_SystemCall_10_0_18363 + jmp NtSetInformationFile_SystemCall_Unknown +NtSetInformationFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0024h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0024h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0024h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0024h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0024h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0024h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0025h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0026h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0027h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 0027h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0027h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0027h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0027h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0027h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0027h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0027h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0027h + jmp NtSetInformationFile_Epilogue +NtSetInformationFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationFile_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationFile ENDP + +NtSetInformationJobObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationJobObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetInformationJobObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetInformationJobObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetInformationJobObject_Check_10_0_XXXX + jmp NtSetInformationJobObject_SystemCall_Unknown +NtSetInformationJobObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetInformationJobObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetInformationJobObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationJobObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationJobObject_SystemCall_6_3_XXXX + jmp NtSetInformationJobObject_SystemCall_Unknown +NtSetInformationJobObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetInformationJobObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetInformationJobObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetInformationJobObject_SystemCall_6_0_6002 + jmp NtSetInformationJobObject_SystemCall_Unknown +NtSetInformationJobObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetInformationJobObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetInformationJobObject_SystemCall_6_1_7601 + jmp NtSetInformationJobObject_SystemCall_Unknown +NtSetInformationJobObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetInformationJobObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationJobObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationJobObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationJobObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationJobObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationJobObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationJobObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationJobObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationJobObject_SystemCall_10_0_18363 + jmp NtSetInformationJobObject_SystemCall_Unknown +NtSetInformationJobObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0100h + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 015ah + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0154h + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0154h + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 015bh + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 015bh + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0171h + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0174h + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_10_0_10240: ; Windows 10.0.10240 
(1507) + mov eax, 017bh + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 017eh + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0184h + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 018ah + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 018dh + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 018fh + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0190h + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0191h + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0191h + jmp NtSetInformationJobObject_Epilogue +NtSetInformationJobObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationJobObject_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationJobObject ENDP + +NtSetInformationKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetInformationKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetInformationKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetInformationKey_Check_10_0_XXXX + jmp NtSetInformationKey_SystemCall_Unknown +NtSetInformationKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetInformationKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetInformationKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationKey_SystemCall_6_3_XXXX + jmp NtSetInformationKey_SystemCall_Unknown +NtSetInformationKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetInformationKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetInformationKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetInformationKey_SystemCall_6_0_6002 + jmp NtSetInformationKey_SystemCall_Unknown +NtSetInformationKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetInformationKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetInformationKey_SystemCall_6_1_7601 + jmp NtSetInformationKey_SystemCall_Unknown +NtSetInformationKey_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetInformationKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationKey_SystemCall_10_0_18363 + jmp NtSetInformationKey_SystemCall_Unknown +NtSetInformationKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0101h + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 015bh + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0155h + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0155h + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 015ch + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 015ch + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0172h + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0175h + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 017ch + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 017fh + jmp 
NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0185h + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 018bh + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 018eh + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0190h + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0191h + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0192h + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0192h + jmp NtSetInformationKey_Epilogue +NtSetInformationKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationKey_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationKey ENDP + +NtSetInformationObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetInformationObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetInformationObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetInformationObject_Check_10_0_XXXX + jmp NtSetInformationObject_SystemCall_Unknown +NtSetInformationObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetInformationObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetInformationObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationObject_SystemCall_6_3_XXXX + jmp NtSetInformationObject_SystemCall_Unknown +NtSetInformationObject_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtSetInformationObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetInformationObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetInformationObject_SystemCall_6_0_6002 + jmp NtSetInformationObject_SystemCall_Unknown +NtSetInformationObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetInformationObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetInformationObject_SystemCall_6_1_7601 + jmp NtSetInformationObject_SystemCall_Unknown +NtSetInformationObject_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetInformationObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationObject_SystemCall_10_0_18363 + jmp NtSetInformationObject_SystemCall_Unknown +NtSetInformationObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0059h + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0059h + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0059h + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0059h + jmp NtSetInformationObject_Epilogue 
+NtSetInformationObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0059h + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0059h + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 005ah + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 005bh + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 005ch + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 005ch + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 005ch + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 005ch + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 005ch + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 005ch + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 005ch + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 005ch + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 005ch + jmp NtSetInformationObject_Epilogue +NtSetInformationObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationObject_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationObject ENDP + +NtSetInformationProcess PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationProcess_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtSetInformationProcess_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetInformationProcess_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetInformationProcess_Check_10_0_XXXX + jmp NtSetInformationProcess_SystemCall_Unknown +NtSetInformationProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetInformationProcess_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetInformationProcess_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationProcess_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationProcess_SystemCall_6_3_XXXX + jmp NtSetInformationProcess_SystemCall_Unknown +NtSetInformationProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetInformationProcess_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetInformationProcess_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetInformationProcess_SystemCall_6_0_6002 + jmp NtSetInformationProcess_SystemCall_Unknown +NtSetInformationProcess_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetInformationProcess_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetInformationProcess_SystemCall_6_1_7601 + jmp NtSetInformationProcess_SystemCall_Unknown +NtSetInformationProcess_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetInformationProcess_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationProcess_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationProcess_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationProcess_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationProcess_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationProcess_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationProcess_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationProcess_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationProcess_SystemCall_10_0_18363 + jmp NtSetInformationProcess_SystemCall_Unknown +NtSetInformationProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0019h + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0019h + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0019h + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0019h + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0019h + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0019h + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 001ah + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 001bh + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 001ch + jmp 
NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 001ch + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 001ch + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 001ch + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 001ch + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 001ch + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 001ch + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 001ch + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 001ch + jmp NtSetInformationProcess_Epilogue +NtSetInformationProcess_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationProcess_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationProcess ENDP + +NtSetInformationResourceManager PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationResourceManager_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtSetInformationResourceManager_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetInformationResourceManager_Check_10_0_XXXX + jmp NtSetInformationResourceManager_SystemCall_Unknown +NtSetInformationResourceManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetInformationResourceManager_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetInformationResourceManager_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationResourceManager_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationResourceManager_SystemCall_6_3_XXXX + jmp NtSetInformationResourceManager_SystemCall_Unknown +NtSetInformationResourceManager_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetInformationResourceManager_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetInformationResourceManager_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetInformationResourceManager_SystemCall_6_0_6002 + jmp NtSetInformationResourceManager_SystemCall_Unknown +NtSetInformationResourceManager_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetInformationResourceManager_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetInformationResourceManager_SystemCall_6_1_7601 + jmp NtSetInformationResourceManager_SystemCall_Unknown +NtSetInformationResourceManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetInformationResourceManager_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationResourceManager_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationResourceManager_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationResourceManager_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationResourceManager_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationResourceManager_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationResourceManager_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationResourceManager_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationResourceManager_SystemCall_10_0_18363 + jmp NtSetInformationResourceManager_SystemCall_Unknown +NtSetInformationResourceManager_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 015ch + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0156h + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0156h + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 015dh + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 015dh + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0173h + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0176h + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_10_0_10240: ; 
Windows 10.0.10240 (1507) + mov eax, 017dh + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0180h + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0186h + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 018ch + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 018fh + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0191h + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0192h + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0193h + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0193h + jmp NtSetInformationResourceManager_Epilogue +NtSetInformationResourceManager_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationResourceManager_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationResourceManager ENDP + +NtSetInformationSymbolicLink PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationSymbolicLink_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtSetInformationSymbolicLink_Check_10_0_XXXX + jmp NtSetInformationSymbolicLink_SystemCall_Unknown +NtSetInformationSymbolicLink_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetInformationSymbolicLink_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationSymbolicLink_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationSymbolicLink_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationSymbolicLink_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationSymbolicLink_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationSymbolicLink_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationSymbolicLink_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationSymbolicLink_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationSymbolicLink_SystemCall_10_0_18363 + jmp NtSetInformationSymbolicLink_SystemCall_Unknown +NtSetInformationSymbolicLink_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 017eh + jmp NtSetInformationSymbolicLink_Epilogue +NtSetInformationSymbolicLink_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0181h + jmp NtSetInformationSymbolicLink_Epilogue +NtSetInformationSymbolicLink_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0187h + jmp NtSetInformationSymbolicLink_Epilogue +NtSetInformationSymbolicLink_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 018dh + jmp NtSetInformationSymbolicLink_Epilogue +NtSetInformationSymbolicLink_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0190h + jmp NtSetInformationSymbolicLink_Epilogue +NtSetInformationSymbolicLink_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0192h + jmp NtSetInformationSymbolicLink_Epilogue +NtSetInformationSymbolicLink_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0193h + jmp NtSetInformationSymbolicLink_Epilogue +NtSetInformationSymbolicLink_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0194h + jmp NtSetInformationSymbolicLink_Epilogue 
+NtSetInformationSymbolicLink_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0194h + jmp NtSetInformationSymbolicLink_Epilogue +NtSetInformationSymbolicLink_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationSymbolicLink_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationSymbolicLink ENDP + +NtSetInformationThread PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationThread_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetInformationThread_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetInformationThread_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetInformationThread_Check_10_0_XXXX + jmp NtSetInformationThread_SystemCall_Unknown +NtSetInformationThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetInformationThread_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetInformationThread_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationThread_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationThread_SystemCall_6_3_XXXX + jmp NtSetInformationThread_SystemCall_Unknown +NtSetInformationThread_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetInformationThread_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetInformationThread_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetInformationThread_SystemCall_6_0_6002 + jmp NtSetInformationThread_SystemCall_Unknown +NtSetInformationThread_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetInformationThread_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetInformationThread_SystemCall_6_1_7601 + jmp NtSetInformationThread_SystemCall_Unknown +NtSetInformationThread_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetInformationThread_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationThread_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationThread_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationThread_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationThread_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationThread_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationThread_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationThread_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationThread_SystemCall_10_0_18363 + jmp NtSetInformationThread_SystemCall_Unknown +NtSetInformationThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 000ah + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 000ah + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 000ah + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 000ah + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 000ah + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 000ah + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 000bh + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 000ch + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 000dh + jmp NtSetInformationThread_Epilogue 
+NtSetInformationThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 000dh + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 000dh + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 000dh + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 000dh + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 000dh + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 000dh + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 000dh + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 000dh + jmp NtSetInformationThread_Epilogue +NtSetInformationThread_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationThread_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationThread ENDP + +NtSetInformationToken PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationToken_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetInformationToken_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetInformationToken_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetInformationToken_Check_10_0_XXXX + jmp NtSetInformationToken_SystemCall_Unknown +NtSetInformationToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetInformationToken_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetInformationToken_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationToken_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationToken_SystemCall_6_3_XXXX + jmp NtSetInformationToken_SystemCall_Unknown +NtSetInformationToken_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetInformationToken_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetInformationToken_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetInformationToken_SystemCall_6_0_6002 + jmp NtSetInformationToken_SystemCall_Unknown +NtSetInformationToken_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetInformationToken_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetInformationToken_SystemCall_6_1_7601 + jmp NtSetInformationToken_SystemCall_Unknown +NtSetInformationToken_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetInformationToken_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationToken_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationToken_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationToken_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationToken_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationToken_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationToken_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationToken_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationToken_SystemCall_10_0_18363 + jmp NtSetInformationToken_SystemCall_Unknown +NtSetInformationToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0102h + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 015dh + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0157h + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0157h + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 015eh + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 015eh + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0174h + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0177h + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 017fh + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_10_0_10586: ; 
Windows 10.0.10586 (1511) + mov eax, 0182h + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0188h + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 018eh + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0191h + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0193h + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0194h + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0195h + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0195h + jmp NtSetInformationToken_Epilogue +NtSetInformationToken_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationToken_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationToken ENDP + +NtSetInformationTransaction PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationTransaction_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtSetInformationTransaction_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetInformationTransaction_Check_10_0_XXXX + jmp NtSetInformationTransaction_SystemCall_Unknown +NtSetInformationTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetInformationTransaction_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetInformationTransaction_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationTransaction_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationTransaction_SystemCall_6_3_XXXX + jmp NtSetInformationTransaction_SystemCall_Unknown +NtSetInformationTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetInformationTransaction_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetInformationTransaction_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetInformationTransaction_SystemCall_6_0_6002 + jmp NtSetInformationTransaction_SystemCall_Unknown +NtSetInformationTransaction_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetInformationTransaction_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetInformationTransaction_SystemCall_6_1_7601 + jmp NtSetInformationTransaction_SystemCall_Unknown +NtSetInformationTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetInformationTransaction_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationTransaction_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationTransaction_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationTransaction_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationTransaction_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationTransaction_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationTransaction_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationTransaction_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationTransaction_SystemCall_10_0_18363 + jmp NtSetInformationTransaction_SystemCall_Unknown +NtSetInformationTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 015eh + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0158h + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0158h + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 015fh + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 015fh + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0175h + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0178h + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0180h + jmp NtSetInformationTransaction_Epilogue 
+NtSetInformationTransaction_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0183h + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0189h + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 018fh + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0192h + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0194h + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0195h + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0196h + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0196h + jmp NtSetInformationTransaction_Epilogue +NtSetInformationTransaction_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationTransaction_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationTransaction ENDP + +NtSetInformationTransactionManager PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationTransactionManager_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtSetInformationTransactionManager_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetInformationTransactionManager_Check_10_0_XXXX + jmp NtSetInformationTransactionManager_SystemCall_Unknown +NtSetInformationTransactionManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetInformationTransactionManager_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetInformationTransactionManager_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationTransactionManager_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationTransactionManager_SystemCall_6_3_XXXX + jmp NtSetInformationTransactionManager_SystemCall_Unknown +NtSetInformationTransactionManager_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetInformationTransactionManager_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetInformationTransactionManager_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetInformationTransactionManager_SystemCall_6_0_6002 + jmp NtSetInformationTransactionManager_SystemCall_Unknown +NtSetInformationTransactionManager_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetInformationTransactionManager_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetInformationTransactionManager_SystemCall_6_1_7601 + jmp NtSetInformationTransactionManager_SystemCall_Unknown +NtSetInformationTransactionManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetInformationTransactionManager_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationTransactionManager_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationTransactionManager_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationTransactionManager_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationTransactionManager_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationTransactionManager_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationTransactionManager_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationTransactionManager_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationTransactionManager_SystemCall_10_0_18363 + jmp NtSetInformationTransactionManager_SystemCall_Unknown +NtSetInformationTransactionManager_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 015fh + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0159h + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0159h + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0160h + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0160h + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0176h + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0179h + jmp 
NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0181h + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0184h + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 018ah + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0190h + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0193h + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0195h + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0196h + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0197h + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0197h + jmp NtSetInformationTransactionManager_Epilogue +NtSetInformationTransactionManager_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationTransactionManager_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationTransactionManager ENDP + +NtSetInformationVirtualMemory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationVirtualMemory_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtSetInformationVirtualMemory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetInformationVirtualMemory_Check_10_0_XXXX + jmp NtSetInformationVirtualMemory_SystemCall_Unknown +NtSetInformationVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtSetInformationVirtualMemory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationVirtualMemory_SystemCall_6_3_XXXX + jmp NtSetInformationVirtualMemory_SystemCall_Unknown +NtSetInformationVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetInformationVirtualMemory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationVirtualMemory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationVirtualMemory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationVirtualMemory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationVirtualMemory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationVirtualMemory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationVirtualMemory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationVirtualMemory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationVirtualMemory_SystemCall_10_0_18363 + jmp NtSetInformationVirtualMemory_SystemCall_Unknown +NtSetInformationVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0177h + jmp NtSetInformationVirtualMemory_Epilogue +NtSetInformationVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 017ah + jmp NtSetInformationVirtualMemory_Epilogue +NtSetInformationVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0182h + jmp NtSetInformationVirtualMemory_Epilogue +NtSetInformationVirtualMemory_SystemCall_10_0_10586: ; Windows 
10.0.10586 (1511) + mov eax, 0185h + jmp NtSetInformationVirtualMemory_Epilogue +NtSetInformationVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 018bh + jmp NtSetInformationVirtualMemory_Epilogue +NtSetInformationVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0191h + jmp NtSetInformationVirtualMemory_Epilogue +NtSetInformationVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0194h + jmp NtSetInformationVirtualMemory_Epilogue +NtSetInformationVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0196h + jmp NtSetInformationVirtualMemory_Epilogue +NtSetInformationVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0197h + jmp NtSetInformationVirtualMemory_Epilogue +NtSetInformationVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0198h + jmp NtSetInformationVirtualMemory_Epilogue +NtSetInformationVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0198h + jmp NtSetInformationVirtualMemory_Epilogue +NtSetInformationVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationVirtualMemory_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationVirtualMemory ENDP + +NtSetInformationWorkerFactory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetInformationWorkerFactory_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtSetInformationWorkerFactory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetInformationWorkerFactory_Check_10_0_XXXX + jmp NtSetInformationWorkerFactory_SystemCall_Unknown +NtSetInformationWorkerFactory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetInformationWorkerFactory_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetInformationWorkerFactory_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationWorkerFactory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetInformationWorkerFactory_SystemCall_6_3_XXXX + jmp NtSetInformationWorkerFactory_SystemCall_Unknown +NtSetInformationWorkerFactory_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetInformationWorkerFactory_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetInformationWorkerFactory_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetInformationWorkerFactory_SystemCall_6_0_6002 + jmp NtSetInformationWorkerFactory_SystemCall_Unknown +NtSetInformationWorkerFactory_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetInformationWorkerFactory_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetInformationWorkerFactory_SystemCall_6_1_7601 + jmp NtSetInformationWorkerFactory_SystemCall_Unknown +NtSetInformationWorkerFactory_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetInformationWorkerFactory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetInformationWorkerFactory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetInformationWorkerFactory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetInformationWorkerFactory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetInformationWorkerFactory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetInformationWorkerFactory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetInformationWorkerFactory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetInformationWorkerFactory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetInformationWorkerFactory_SystemCall_10_0_18363 + jmp NtSetInformationWorkerFactory_SystemCall_Unknown +NtSetInformationWorkerFactory_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0160h + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 015ah + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 015ah + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0161h + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0161h + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0178h + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 017bh + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0183h + jmp 
NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0186h + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 018ch + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0192h + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0195h + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0197h + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0198h + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0199h + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0199h + jmp NtSetInformationWorkerFactory_Epilogue +NtSetInformationWorkerFactory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetInformationWorkerFactory_Epilogue: + mov r10, rcx + syscall + ret +NtSetInformationWorkerFactory ENDP + +NtSetIntervalProfile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetIntervalProfile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetIntervalProfile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetIntervalProfile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetIntervalProfile_Check_10_0_XXXX + jmp NtSetIntervalProfile_SystemCall_Unknown +NtSetIntervalProfile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetIntervalProfile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetIntervalProfile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetIntervalProfile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetIntervalProfile_SystemCall_6_3_XXXX + jmp NtSetIntervalProfile_SystemCall_Unknown +NtSetIntervalProfile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetIntervalProfile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetIntervalProfile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetIntervalProfile_SystemCall_6_0_6002 + jmp NtSetIntervalProfile_SystemCall_Unknown +NtSetIntervalProfile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetIntervalProfile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetIntervalProfile_SystemCall_6_1_7601 + jmp NtSetIntervalProfile_SystemCall_Unknown +NtSetIntervalProfile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetIntervalProfile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetIntervalProfile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetIntervalProfile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetIntervalProfile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetIntervalProfile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetIntervalProfile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetIntervalProfile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetIntervalProfile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetIntervalProfile_SystemCall_10_0_18363 + jmp NtSetIntervalProfile_SystemCall_Unknown +NtSetIntervalProfile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0103h + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0161h + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 015bh + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 015bh + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0162h + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0162h + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0179h + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 017ch + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0184h + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 0187h + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 018dh + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0193h + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0196h + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0198h + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0199h + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 019ah + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 019ah + jmp NtSetIntervalProfile_Epilogue +NtSetIntervalProfile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetIntervalProfile_Epilogue: + mov r10, rcx + syscall + ret +NtSetIntervalProfile ENDP + +NtSetIoCompletion PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetIoCompletion_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetIoCompletion_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetIoCompletion_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetIoCompletion_Check_10_0_XXXX + jmp NtSetIoCompletion_SystemCall_Unknown +NtSetIoCompletion_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetIoCompletion_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetIoCompletion_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetIoCompletion_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetIoCompletion_SystemCall_6_3_XXXX + jmp NtSetIoCompletion_SystemCall_Unknown +NtSetIoCompletion_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtSetIoCompletion_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetIoCompletion_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetIoCompletion_SystemCall_6_0_6002 + jmp NtSetIoCompletion_SystemCall_Unknown +NtSetIoCompletion_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetIoCompletion_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetIoCompletion_SystemCall_6_1_7601 + jmp NtSetIoCompletion_SystemCall_Unknown +NtSetIoCompletion_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetIoCompletion_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetIoCompletion_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetIoCompletion_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetIoCompletion_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetIoCompletion_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetIoCompletion_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetIoCompletion_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetIoCompletion_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetIoCompletion_SystemCall_10_0_18363 + jmp NtSetIoCompletion_SystemCall_Unknown +NtSetIoCompletion_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0104h + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0162h + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 015ch + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 015ch + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0163h + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_6_1_7601: 
; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0163h + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 017ah + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 017dh + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0185h + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0188h + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 018eh + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0194h + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0197h + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0199h + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 019ah + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 019bh + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 019bh + jmp NtSetIoCompletion_Epilogue +NtSetIoCompletion_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetIoCompletion_Epilogue: + mov r10, rcx + syscall + ret +NtSetIoCompletion ENDP + +NtSetIoCompletionEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetIoCompletionEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtSetIoCompletionEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetIoCompletionEx_Check_10_0_XXXX + jmp NtSetIoCompletionEx_SystemCall_Unknown +NtSetIoCompletionEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 1 + je NtSetIoCompletionEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetIoCompletionEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetIoCompletionEx_SystemCall_6_3_XXXX + jmp NtSetIoCompletionEx_SystemCall_Unknown +NtSetIoCompletionEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetIoCompletionEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetIoCompletionEx_SystemCall_6_1_7601 + jmp NtSetIoCompletionEx_SystemCall_Unknown +NtSetIoCompletionEx_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetIoCompletionEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetIoCompletionEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetIoCompletionEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetIoCompletionEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetIoCompletionEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetIoCompletionEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetIoCompletionEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetIoCompletionEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetIoCompletionEx_SystemCall_10_0_18363 + jmp NtSetIoCompletionEx_SystemCall_Unknown +NtSetIoCompletionEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0164h + jmp NtSetIoCompletionEx_Epilogue +NtSetIoCompletionEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0164h + jmp NtSetIoCompletionEx_Epilogue +NtSetIoCompletionEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 017bh + jmp NtSetIoCompletionEx_Epilogue +NtSetIoCompletionEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 017eh + jmp NtSetIoCompletionEx_Epilogue +NtSetIoCompletionEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0186h + jmp 
NtSetIoCompletionEx_Epilogue +NtSetIoCompletionEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0189h + jmp NtSetIoCompletionEx_Epilogue +NtSetIoCompletionEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 018fh + jmp NtSetIoCompletionEx_Epilogue +NtSetIoCompletionEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0195h + jmp NtSetIoCompletionEx_Epilogue +NtSetIoCompletionEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0198h + jmp NtSetIoCompletionEx_Epilogue +NtSetIoCompletionEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 019ah + jmp NtSetIoCompletionEx_Epilogue +NtSetIoCompletionEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 019bh + jmp NtSetIoCompletionEx_Epilogue +NtSetIoCompletionEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 019ch + jmp NtSetIoCompletionEx_Epilogue +NtSetIoCompletionEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 019ch + jmp NtSetIoCompletionEx_Epilogue +NtSetIoCompletionEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetIoCompletionEx_Epilogue: + mov r10, rcx + syscall + ret +NtSetIoCompletionEx ENDP + +NtSetLdtEntries PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetLdtEntries_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetLdtEntries_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetLdtEntries_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetLdtEntries_Check_10_0_XXXX + jmp NtSetLdtEntries_SystemCall_Unknown +NtSetLdtEntries_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetLdtEntries_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetLdtEntries_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetLdtEntries_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetLdtEntries_SystemCall_6_3_XXXX + jmp NtSetLdtEntries_SystemCall_Unknown +NtSetLdtEntries_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetLdtEntries_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetLdtEntries_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetLdtEntries_SystemCall_6_0_6002 + jmp NtSetLdtEntries_SystemCall_Unknown +NtSetLdtEntries_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetLdtEntries_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetLdtEntries_SystemCall_6_1_7601 + jmp NtSetLdtEntries_SystemCall_Unknown +NtSetLdtEntries_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetLdtEntries_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetLdtEntries_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetLdtEntries_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetLdtEntries_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetLdtEntries_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetLdtEntries_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetLdtEntries_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetLdtEntries_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetLdtEntries_SystemCall_10_0_18363 + jmp NtSetLdtEntries_SystemCall_Unknown +NtSetLdtEntries_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0105h + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0163h + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_6_0_6001: ; Windows Vista SP1 and 
Server 2008 SP0 + mov eax, 015dh + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 015dh + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0165h + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0165h + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 017ch + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 017fh + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0187h + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 018ah + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0190h + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0196h + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0199h + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 019bh + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 019ch + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 019dh + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 019dh + jmp NtSetLdtEntries_Epilogue +NtSetLdtEntries_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetLdtEntries_Epilogue: + mov r10, rcx + syscall + ret +NtSetLdtEntries ENDP + +NtSetLowEventPair PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetLowEventPair_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtSetLowEventPair_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetLowEventPair_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetLowEventPair_Check_10_0_XXXX + jmp NtSetLowEventPair_SystemCall_Unknown +NtSetLowEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetLowEventPair_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetLowEventPair_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetLowEventPair_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetLowEventPair_SystemCall_6_3_XXXX + jmp NtSetLowEventPair_SystemCall_Unknown +NtSetLowEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetLowEventPair_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetLowEventPair_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetLowEventPair_SystemCall_6_0_6002 + jmp NtSetLowEventPair_SystemCall_Unknown +NtSetLowEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetLowEventPair_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetLowEventPair_SystemCall_6_1_7601 + jmp NtSetLowEventPair_SystemCall_Unknown +NtSetLowEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetLowEventPair_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetLowEventPair_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetLowEventPair_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetLowEventPair_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetLowEventPair_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetLowEventPair_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetLowEventPair_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetLowEventPair_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetLowEventPair_SystemCall_10_0_18363 + jmp NtSetLowEventPair_SystemCall_Unknown +NtSetLowEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0106h + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0164h + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 015eh + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 015eh + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0166h + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0166h + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 017dh + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0180h + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0188h + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 018bh + jmp NtSetLowEventPair_Epilogue 
+NtSetLowEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0191h + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0197h + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 019ah + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 019ch + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 019dh + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 019eh + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 019eh + jmp NtSetLowEventPair_Epilogue +NtSetLowEventPair_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetLowEventPair_Epilogue: + mov r10, rcx + syscall + ret +NtSetLowEventPair ENDP + +NtSetLowWaitHighEventPair PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetLowWaitHighEventPair_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetLowWaitHighEventPair_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetLowWaitHighEventPair_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetLowWaitHighEventPair_Check_10_0_XXXX + jmp NtSetLowWaitHighEventPair_SystemCall_Unknown +NtSetLowWaitHighEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetLowWaitHighEventPair_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetLowWaitHighEventPair_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetLowWaitHighEventPair_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetLowWaitHighEventPair_SystemCall_6_3_XXXX + jmp NtSetLowWaitHighEventPair_SystemCall_Unknown +NtSetLowWaitHighEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtSetLowWaitHighEventPair_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetLowWaitHighEventPair_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetLowWaitHighEventPair_SystemCall_6_0_6002 + jmp NtSetLowWaitHighEventPair_SystemCall_Unknown +NtSetLowWaitHighEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetLowWaitHighEventPair_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetLowWaitHighEventPair_SystemCall_6_1_7601 + jmp NtSetLowWaitHighEventPair_SystemCall_Unknown +NtSetLowWaitHighEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetLowWaitHighEventPair_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetLowWaitHighEventPair_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetLowWaitHighEventPair_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetLowWaitHighEventPair_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetLowWaitHighEventPair_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetLowWaitHighEventPair_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetLowWaitHighEventPair_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetLowWaitHighEventPair_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetLowWaitHighEventPair_SystemCall_10_0_18363 + jmp NtSetLowWaitHighEventPair_SystemCall_Unknown +NtSetLowWaitHighEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0107h + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0165h + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 015fh + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and 
Server 2008 SP2 + mov eax, 015fh + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0167h + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0167h + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 017eh + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0181h + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0189h + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 018ch + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0192h + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0198h + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 019bh + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 019dh + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 019eh + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 019fh + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 019fh + jmp NtSetLowWaitHighEventPair_Epilogue +NtSetLowWaitHighEventPair_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtSetLowWaitHighEventPair_Epilogue: + mov r10, rcx + syscall + ret +NtSetLowWaitHighEventPair ENDP + +NtSetQuotaInformationFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetQuotaInformationFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetQuotaInformationFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetQuotaInformationFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetQuotaInformationFile_Check_10_0_XXXX + jmp NtSetQuotaInformationFile_SystemCall_Unknown +NtSetQuotaInformationFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetQuotaInformationFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetQuotaInformationFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetQuotaInformationFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetQuotaInformationFile_SystemCall_6_3_XXXX + jmp NtSetQuotaInformationFile_SystemCall_Unknown +NtSetQuotaInformationFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetQuotaInformationFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetQuotaInformationFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetQuotaInformationFile_SystemCall_6_0_6002 + jmp NtSetQuotaInformationFile_SystemCall_Unknown +NtSetQuotaInformationFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetQuotaInformationFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetQuotaInformationFile_SystemCall_6_1_7601 + jmp NtSetQuotaInformationFile_SystemCall_Unknown +NtSetQuotaInformationFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetQuotaInformationFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetQuotaInformationFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetQuotaInformationFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetQuotaInformationFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetQuotaInformationFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetQuotaInformationFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetQuotaInformationFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetQuotaInformationFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetQuotaInformationFile_SystemCall_10_0_18363 + jmp NtSetQuotaInformationFile_SystemCall_Unknown +NtSetQuotaInformationFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0108h + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0166h + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0160h + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0160h + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0168h + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0168h + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 017fh + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0182h + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_10_0_10240: ; Windows 10.0.10240 
(1507) + mov eax, 018ah + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 018dh + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0193h + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0199h + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 019ch + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 019eh + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 019fh + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01a0h + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01a0h + jmp NtSetQuotaInformationFile_Epilogue +NtSetQuotaInformationFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetQuotaInformationFile_Epilogue: + mov r10, rcx + syscall + ret +NtSetQuotaInformationFile ENDP + +NtSetSecurityObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetSecurityObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetSecurityObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetSecurityObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetSecurityObject_Check_10_0_XXXX + jmp NtSetSecurityObject_SystemCall_Unknown +NtSetSecurityObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetSecurityObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetSecurityObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetSecurityObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetSecurityObject_SystemCall_6_3_XXXX + jmp NtSetSecurityObject_SystemCall_Unknown +NtSetSecurityObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetSecurityObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetSecurityObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetSecurityObject_SystemCall_6_0_6002 + jmp NtSetSecurityObject_SystemCall_Unknown +NtSetSecurityObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetSecurityObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetSecurityObject_SystemCall_6_1_7601 + jmp NtSetSecurityObject_SystemCall_Unknown +NtSetSecurityObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetSecurityObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetSecurityObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetSecurityObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetSecurityObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetSecurityObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetSecurityObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetSecurityObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetSecurityObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetSecurityObject_SystemCall_10_0_18363 + jmp NtSetSecurityObject_SystemCall_Unknown +NtSetSecurityObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0109h + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0167h + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0161h + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0161h + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0169h + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0169h + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0180h + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0183h + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 018bh + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 018eh + jmp 
NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0194h + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 019ah + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 019dh + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 019fh + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01a0h + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01a1h + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01a1h + jmp NtSetSecurityObject_Epilogue +NtSetSecurityObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetSecurityObject_Epilogue: + mov r10, rcx + syscall + ret +NtSetSecurityObject ENDP + +NtSetSystemEnvironmentValue PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetSystemEnvironmentValue_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetSystemEnvironmentValue_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetSystemEnvironmentValue_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetSystemEnvironmentValue_Check_10_0_XXXX + jmp NtSetSystemEnvironmentValue_SystemCall_Unknown +NtSetSystemEnvironmentValue_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetSystemEnvironmentValue_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetSystemEnvironmentValue_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetSystemEnvironmentValue_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetSystemEnvironmentValue_SystemCall_6_3_XXXX + jmp NtSetSystemEnvironmentValue_SystemCall_Unknown +NtSetSystemEnvironmentValue_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetSystemEnvironmentValue_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetSystemEnvironmentValue_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetSystemEnvironmentValue_SystemCall_6_0_6002 + jmp NtSetSystemEnvironmentValue_SystemCall_Unknown +NtSetSystemEnvironmentValue_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetSystemEnvironmentValue_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetSystemEnvironmentValue_SystemCall_6_1_7601 + jmp NtSetSystemEnvironmentValue_SystemCall_Unknown +NtSetSystemEnvironmentValue_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetSystemEnvironmentValue_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetSystemEnvironmentValue_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetSystemEnvironmentValue_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetSystemEnvironmentValue_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetSystemEnvironmentValue_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetSystemEnvironmentValue_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetSystemEnvironmentValue_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetSystemEnvironmentValue_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetSystemEnvironmentValue_SystemCall_10_0_18363 + jmp NtSetSystemEnvironmentValue_SystemCall_Unknown +NtSetSystemEnvironmentValue_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 010ah + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0168h + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0162h + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0162h + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 016ah + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 016ah + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0181h + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0184h + jmp NtSetSystemEnvironmentValue_Epilogue 
+NtSetSystemEnvironmentValue_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 018ch + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 018fh + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0195h + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 019bh + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 019eh + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01a0h + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01a1h + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01a2h + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01a2h + jmp NtSetSystemEnvironmentValue_Epilogue +NtSetSystemEnvironmentValue_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetSystemEnvironmentValue_Epilogue: + mov r10, rcx + syscall + ret +NtSetSystemEnvironmentValue ENDP + +NtSetSystemEnvironmentValueEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetSystemEnvironmentValueEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetSystemEnvironmentValueEx_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetSystemEnvironmentValueEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetSystemEnvironmentValueEx_Check_10_0_XXXX + jmp NtSetSystemEnvironmentValueEx_SystemCall_Unknown +NtSetSystemEnvironmentValueEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetSystemEnvironmentValueEx_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetSystemEnvironmentValueEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetSystemEnvironmentValueEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetSystemEnvironmentValueEx_SystemCall_6_3_XXXX + jmp NtSetSystemEnvironmentValueEx_SystemCall_Unknown +NtSetSystemEnvironmentValueEx_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetSystemEnvironmentValueEx_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetSystemEnvironmentValueEx_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetSystemEnvironmentValueEx_SystemCall_6_0_6002 + jmp NtSetSystemEnvironmentValueEx_SystemCall_Unknown +NtSetSystemEnvironmentValueEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetSystemEnvironmentValueEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetSystemEnvironmentValueEx_SystemCall_6_1_7601 + jmp NtSetSystemEnvironmentValueEx_SystemCall_Unknown +NtSetSystemEnvironmentValueEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetSystemEnvironmentValueEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetSystemEnvironmentValueEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetSystemEnvironmentValueEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetSystemEnvironmentValueEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetSystemEnvironmentValueEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetSystemEnvironmentValueEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetSystemEnvironmentValueEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetSystemEnvironmentValueEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetSystemEnvironmentValueEx_SystemCall_10_0_18363 + jmp NtSetSystemEnvironmentValueEx_SystemCall_Unknown +NtSetSystemEnvironmentValueEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 010bh + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0169h + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0163h + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0163h + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 016bh + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 016bh + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0182h + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0185h + jmp 
NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 018dh + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0190h + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0196h + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 019ch + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 019fh + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01a1h + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01a2h + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01a3h + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01a3h + jmp NtSetSystemEnvironmentValueEx_Epilogue +NtSetSystemEnvironmentValueEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetSystemEnvironmentValueEx_Epilogue: + mov r10, rcx + syscall + ret +NtSetSystemEnvironmentValueEx ENDP + +NtSetSystemInformation PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetSystemInformation_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtSetSystemInformation_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetSystemInformation_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetSystemInformation_Check_10_0_XXXX + jmp NtSetSystemInformation_SystemCall_Unknown +NtSetSystemInformation_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetSystemInformation_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetSystemInformation_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetSystemInformation_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetSystemInformation_SystemCall_6_3_XXXX + jmp NtSetSystemInformation_SystemCall_Unknown +NtSetSystemInformation_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetSystemInformation_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetSystemInformation_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetSystemInformation_SystemCall_6_0_6002 + jmp NtSetSystemInformation_SystemCall_Unknown +NtSetSystemInformation_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetSystemInformation_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetSystemInformation_SystemCall_6_1_7601 + jmp NtSetSystemInformation_SystemCall_Unknown +NtSetSystemInformation_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetSystemInformation_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetSystemInformation_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetSystemInformation_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetSystemInformation_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetSystemInformation_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetSystemInformation_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetSystemInformation_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetSystemInformation_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetSystemInformation_SystemCall_10_0_18363 + jmp NtSetSystemInformation_SystemCall_Unknown +NtSetSystemInformation_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 010ch + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 016ah + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0164h + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0164h + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 016ch + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 016ch + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0183h + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0186h + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 018eh + jmp NtSetSystemInformation_Epilogue 
+NtSetSystemInformation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0191h + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0197h + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 019dh + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01a0h + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01a2h + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01a3h + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01a4h + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01a4h + jmp NtSetSystemInformation_Epilogue +NtSetSystemInformation_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetSystemInformation_Epilogue: + mov r10, rcx + syscall + ret +NtSetSystemInformation ENDP + +NtSetSystemPowerState PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetSystemPowerState_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetSystemPowerState_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetSystemPowerState_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetSystemPowerState_Check_10_0_XXXX + jmp NtSetSystemPowerState_SystemCall_Unknown +NtSetSystemPowerState_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetSystemPowerState_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetSystemPowerState_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetSystemPowerState_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetSystemPowerState_SystemCall_6_3_XXXX + jmp NtSetSystemPowerState_SystemCall_Unknown +NtSetSystemPowerState_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetSystemPowerState_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetSystemPowerState_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetSystemPowerState_SystemCall_6_0_6002 + jmp NtSetSystemPowerState_SystemCall_Unknown +NtSetSystemPowerState_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetSystemPowerState_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetSystemPowerState_SystemCall_6_1_7601 + jmp NtSetSystemPowerState_SystemCall_Unknown +NtSetSystemPowerState_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetSystemPowerState_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetSystemPowerState_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetSystemPowerState_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetSystemPowerState_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetSystemPowerState_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetSystemPowerState_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetSystemPowerState_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetSystemPowerState_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetSystemPowerState_SystemCall_10_0_18363 + jmp NtSetSystemPowerState_SystemCall_Unknown +NtSetSystemPowerState_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 010dh + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 016bh + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0165h + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0165h + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 016dh + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 016dh + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0184h + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0187h + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 018fh + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_10_0_10586: ; 
Windows 10.0.10586 (1511) + mov eax, 0192h + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0198h + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 019eh + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01a1h + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01a3h + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01a4h + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01a5h + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01a5h + jmp NtSetSystemPowerState_Epilogue +NtSetSystemPowerState_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetSystemPowerState_Epilogue: + mov r10, rcx + syscall + ret +NtSetSystemPowerState ENDP + +NtSetSystemTime PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetSystemTime_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetSystemTime_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetSystemTime_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetSystemTime_Check_10_0_XXXX + jmp NtSetSystemTime_SystemCall_Unknown +NtSetSystemTime_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetSystemTime_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetSystemTime_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetSystemTime_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetSystemTime_SystemCall_6_3_XXXX + jmp NtSetSystemTime_SystemCall_Unknown +NtSetSystemTime_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtSetSystemTime_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetSystemTime_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetSystemTime_SystemCall_6_0_6002 + jmp NtSetSystemTime_SystemCall_Unknown +NtSetSystemTime_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetSystemTime_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetSystemTime_SystemCall_6_1_7601 + jmp NtSetSystemTime_SystemCall_Unknown +NtSetSystemTime_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetSystemTime_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetSystemTime_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetSystemTime_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetSystemTime_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetSystemTime_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetSystemTime_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetSystemTime_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetSystemTime_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetSystemTime_SystemCall_10_0_18363 + jmp NtSetSystemTime_SystemCall_Unknown +NtSetSystemTime_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 010eh + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 016ch + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0166h + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0166h + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 016eh + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 016eh + 
jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0185h + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0188h + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0190h + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0193h + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0199h + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 019fh + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01a2h + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01a4h + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01a5h + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01a6h + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01a6h + jmp NtSetSystemTime_Epilogue +NtSetSystemTime_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetSystemTime_Epilogue: + mov r10, rcx + syscall + ret +NtSetSystemTime ENDP + +NtSetThreadExecutionState PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetThreadExecutionState_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetThreadExecutionState_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetThreadExecutionState_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetThreadExecutionState_Check_10_0_XXXX + jmp NtSetThreadExecutionState_SystemCall_Unknown +NtSetThreadExecutionState_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetThreadExecutionState_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetThreadExecutionState_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetThreadExecutionState_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetThreadExecutionState_SystemCall_6_3_XXXX + jmp NtSetThreadExecutionState_SystemCall_Unknown +NtSetThreadExecutionState_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetThreadExecutionState_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetThreadExecutionState_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetThreadExecutionState_SystemCall_6_0_6002 + jmp NtSetThreadExecutionState_SystemCall_Unknown +NtSetThreadExecutionState_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetThreadExecutionState_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetThreadExecutionState_SystemCall_6_1_7601 + jmp NtSetThreadExecutionState_SystemCall_Unknown +NtSetThreadExecutionState_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetThreadExecutionState_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetThreadExecutionState_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetThreadExecutionState_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetThreadExecutionState_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetThreadExecutionState_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetThreadExecutionState_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetThreadExecutionState_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetThreadExecutionState_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetThreadExecutionState_SystemCall_10_0_18363 + jmp NtSetThreadExecutionState_SystemCall_Unknown +NtSetThreadExecutionState_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 010fh + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 016dh + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0167h + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0167h + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 016fh + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 016fh + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0186h + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0189h + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_10_0_10240: ; Windows 10.0.10240 
(1507) + mov eax, 0191h + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0194h + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 019ah + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01a0h + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01a3h + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01a5h + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01a6h + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01a7h + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01a7h + jmp NtSetThreadExecutionState_Epilogue +NtSetThreadExecutionState_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetThreadExecutionState_Epilogue: + mov r10, rcx + syscall + ret +NtSetThreadExecutionState ENDP + +NtSetTimer PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetTimer_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetTimer_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetTimer_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetTimer_Check_10_0_XXXX + jmp NtSetTimer_SystemCall_Unknown +NtSetTimer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetTimer_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetTimer_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetTimer_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetTimer_SystemCall_6_3_XXXX + jmp NtSetTimer_SystemCall_Unknown +NtSetTimer_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetTimer_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetTimer_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetTimer_SystemCall_6_0_6002 + jmp NtSetTimer_SystemCall_Unknown +NtSetTimer_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetTimer_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetTimer_SystemCall_6_1_7601 + jmp NtSetTimer_SystemCall_Unknown +NtSetTimer_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetTimer_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetTimer_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetTimer_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetTimer_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetTimer_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetTimer_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetTimer_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetTimer_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetTimer_SystemCall_10_0_18363 + jmp NtSetTimer_SystemCall_Unknown +NtSetTimer_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 005fh + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 005fh + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 005fh + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 005fh + 
jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 005fh + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 005fh + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0060h + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0061h + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0062h + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0062h + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0062h + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0062h + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0062h + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0062h + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0062h + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0062h + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0062h + jmp NtSetTimer_Epilogue +NtSetTimer_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetTimer_Epilogue: + mov r10, rcx + syscall + ret +NtSetTimer ENDP + +NtSetTimer2 PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetTimer2_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtSetTimer2_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetTimer2_Check_10_0_XXXX + jmp NtSetTimer2_SystemCall_Unknown +NtSetTimer2_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 2 + je NtSetTimer2_SystemCall_6_3_XXXX + jmp NtSetTimer2_SystemCall_Unknown +NtSetTimer2_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetTimer2_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetTimer2_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetTimer2_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetTimer2_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetTimer2_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetTimer2_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetTimer2_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetTimer2_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetTimer2_SystemCall_10_0_18363 + jmp NtSetTimer2_SystemCall_Unknown +NtSetTimer2_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 018ah + jmp NtSetTimer2_Epilogue +NtSetTimer2_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0192h + jmp NtSetTimer2_Epilogue +NtSetTimer2_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0195h + jmp NtSetTimer2_Epilogue +NtSetTimer2_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 019bh + jmp NtSetTimer2_Epilogue +NtSetTimer2_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01a1h + jmp NtSetTimer2_Epilogue +NtSetTimer2_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01a4h + jmp NtSetTimer2_Epilogue +NtSetTimer2_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01a6h + jmp NtSetTimer2_Epilogue +NtSetTimer2_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01a7h + jmp NtSetTimer2_Epilogue +NtSetTimer2_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01a8h + jmp NtSetTimer2_Epilogue +NtSetTimer2_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01a8h + jmp NtSetTimer2_Epilogue +NtSetTimer2_SystemCall_Unknown: ; 
Unknown/unsupported version. + ret +NtSetTimer2_Epilogue: + mov r10, rcx + syscall + ret +NtSetTimer2 ENDP + +NtSetTimerEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetTimerEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtSetTimerEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetTimerEx_Check_10_0_XXXX + jmp NtSetTimerEx_SystemCall_Unknown +NtSetTimerEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 1 + je NtSetTimerEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetTimerEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetTimerEx_SystemCall_6_3_XXXX + jmp NtSetTimerEx_SystemCall_Unknown +NtSetTimerEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetTimerEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetTimerEx_SystemCall_6_1_7601 + jmp NtSetTimerEx_SystemCall_Unknown +NtSetTimerEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetTimerEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetTimerEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetTimerEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetTimerEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetTimerEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetTimerEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetTimerEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetTimerEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetTimerEx_SystemCall_10_0_18363 + jmp NtSetTimerEx_SystemCall_Unknown +NtSetTimerEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0170h + jmp NtSetTimerEx_Epilogue +NtSetTimerEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0170h + jmp NtSetTimerEx_Epilogue +NtSetTimerEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0187h + jmp NtSetTimerEx_Epilogue +NtSetTimerEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 018bh + jmp NtSetTimerEx_Epilogue +NtSetTimerEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0193h + jmp NtSetTimerEx_Epilogue +NtSetTimerEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0196h + jmp NtSetTimerEx_Epilogue +NtSetTimerEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 019ch + jmp NtSetTimerEx_Epilogue +NtSetTimerEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01a2h + jmp NtSetTimerEx_Epilogue +NtSetTimerEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01a5h + jmp NtSetTimerEx_Epilogue +NtSetTimerEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01a7h + jmp NtSetTimerEx_Epilogue +NtSetTimerEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01a8h + jmp NtSetTimerEx_Epilogue +NtSetTimerEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01a9h + jmp 
NtSetTimerEx_Epilogue +NtSetTimerEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01a9h + jmp NtSetTimerEx_Epilogue +NtSetTimerEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetTimerEx_Epilogue: + mov r10, rcx + syscall + ret +NtSetTimerEx ENDP + +NtSetTimerResolution PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetTimerResolution_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetTimerResolution_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetTimerResolution_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetTimerResolution_Check_10_0_XXXX + jmp NtSetTimerResolution_SystemCall_Unknown +NtSetTimerResolution_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetTimerResolution_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetTimerResolution_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetTimerResolution_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetTimerResolution_SystemCall_6_3_XXXX + jmp NtSetTimerResolution_SystemCall_Unknown +NtSetTimerResolution_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetTimerResolution_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetTimerResolution_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetTimerResolution_SystemCall_6_0_6002 + jmp NtSetTimerResolution_SystemCall_Unknown +NtSetTimerResolution_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetTimerResolution_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetTimerResolution_SystemCall_6_1_7601 + jmp NtSetTimerResolution_SystemCall_Unknown +NtSetTimerResolution_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetTimerResolution_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetTimerResolution_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetTimerResolution_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetTimerResolution_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetTimerResolution_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetTimerResolution_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetTimerResolution_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetTimerResolution_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetTimerResolution_SystemCall_10_0_18363 + jmp NtSetTimerResolution_SystemCall_Unknown +NtSetTimerResolution_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0110h + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 016eh + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0168h + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0168h + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0171h + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0171h + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0188h + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 018ch + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0194h + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 0197h + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 019dh + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01a3h + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01a6h + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01a8h + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01a9h + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01aah + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01aah + jmp NtSetTimerResolution_Epilogue +NtSetTimerResolution_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetTimerResolution_Epilogue: + mov r10, rcx + syscall + ret +NtSetTimerResolution ENDP + +NtSetUuidSeed PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetUuidSeed_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetUuidSeed_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetUuidSeed_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetUuidSeed_Check_10_0_XXXX + jmp NtSetUuidSeed_SystemCall_Unknown +NtSetUuidSeed_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetUuidSeed_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetUuidSeed_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetUuidSeed_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetUuidSeed_SystemCall_6_3_XXXX + jmp NtSetUuidSeed_SystemCall_Unknown +NtSetUuidSeed_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtSetUuidSeed_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetUuidSeed_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetUuidSeed_SystemCall_6_0_6002 + jmp NtSetUuidSeed_SystemCall_Unknown +NtSetUuidSeed_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetUuidSeed_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetUuidSeed_SystemCall_6_1_7601 + jmp NtSetUuidSeed_SystemCall_Unknown +NtSetUuidSeed_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetUuidSeed_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetUuidSeed_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetUuidSeed_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetUuidSeed_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetUuidSeed_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetUuidSeed_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetUuidSeed_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetUuidSeed_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetUuidSeed_SystemCall_10_0_18363 + jmp NtSetUuidSeed_SystemCall_Unknown +NtSetUuidSeed_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0111h + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 016fh + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0169h + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0169h + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0172h + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0172h + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_6_2_XXXX: 
; Windows 8 and Server 2012 + mov eax, 0189h + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 018dh + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0195h + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0198h + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 019eh + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01a4h + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01a7h + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01a9h + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01aah + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01abh + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01abh + jmp NtSetUuidSeed_Epilogue +NtSetUuidSeed_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetUuidSeed_Epilogue: + mov r10, rcx + syscall + ret +NtSetUuidSeed ENDP + +NtSetValueKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetValueKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSetValueKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetValueKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetValueKey_Check_10_0_XXXX + jmp NtSetValueKey_SystemCall_Unknown +NtSetValueKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSetValueKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetValueKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetValueKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetValueKey_SystemCall_6_3_XXXX + jmp NtSetValueKey_SystemCall_Unknown +NtSetValueKey_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetValueKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetValueKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetValueKey_SystemCall_6_0_6002 + jmp NtSetValueKey_SystemCall_Unknown +NtSetValueKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetValueKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetValueKey_SystemCall_6_1_7601 + jmp NtSetValueKey_SystemCall_Unknown +NtSetValueKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetValueKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetValueKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetValueKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetValueKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetValueKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetValueKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetValueKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetValueKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetValueKey_SystemCall_10_0_18363 + jmp NtSetValueKey_SystemCall_Unknown +NtSetValueKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 005dh + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 005dh + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 005dh + jmp NtSetValueKey_Epilogue 
+NtSetValueKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 005dh + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 005dh + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 005dh + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 005eh + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 005fh + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0060h + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0060h + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0060h + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0060h + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0060h + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0060h + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0060h + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0060h + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0060h + jmp NtSetValueKey_Epilogue +NtSetValueKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetValueKey_Epilogue: + mov r10, rcx + syscall + ret +NtSetValueKey ENDP + +NtSetVolumeInformationFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetVolumeInformationFile_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtSetVolumeInformationFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSetVolumeInformationFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetVolumeInformationFile_Check_10_0_XXXX + jmp NtSetVolumeInformationFile_SystemCall_Unknown +NtSetVolumeInformationFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSetVolumeInformationFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSetVolumeInformationFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetVolumeInformationFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSetVolumeInformationFile_SystemCall_6_3_XXXX + jmp NtSetVolumeInformationFile_SystemCall_Unknown +NtSetVolumeInformationFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSetVolumeInformationFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSetVolumeInformationFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSetVolumeInformationFile_SystemCall_6_0_6002 + jmp NtSetVolumeInformationFile_SystemCall_Unknown +NtSetVolumeInformationFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSetVolumeInformationFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSetVolumeInformationFile_SystemCall_6_1_7601 + jmp NtSetVolumeInformationFile_SystemCall_Unknown +NtSetVolumeInformationFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSetVolumeInformationFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetVolumeInformationFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetVolumeInformationFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetVolumeInformationFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetVolumeInformationFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetVolumeInformationFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetVolumeInformationFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetVolumeInformationFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetVolumeInformationFile_SystemCall_10_0_18363 + jmp NtSetVolumeInformationFile_SystemCall_Unknown +NtSetVolumeInformationFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0112h + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0170h + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 016ah + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 016ah + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0173h + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0173h + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 018ah + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 018eh + jmp NtSetVolumeInformationFile_Epilogue 
+NtSetVolumeInformationFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0196h + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0199h + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 019fh + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01a5h + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01a8h + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01aah + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01abh + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01ach + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01ach + jmp NtSetVolumeInformationFile_Epilogue +NtSetVolumeInformationFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetVolumeInformationFile_Epilogue: + mov r10, rcx + syscall + ret +NtSetVolumeInformationFile ENDP + +NtSetWnfProcessNotificationEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSetWnfProcessNotificationEvent_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtSetWnfProcessNotificationEvent_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSetWnfProcessNotificationEvent_Check_10_0_XXXX + jmp NtSetWnfProcessNotificationEvent_SystemCall_Unknown +NtSetWnfProcessNotificationEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 2 + je NtSetWnfProcessNotificationEvent_SystemCall_6_3_XXXX + jmp NtSetWnfProcessNotificationEvent_SystemCall_Unknown +NtSetWnfProcessNotificationEvent_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSetWnfProcessNotificationEvent_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSetWnfProcessNotificationEvent_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSetWnfProcessNotificationEvent_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSetWnfProcessNotificationEvent_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSetWnfProcessNotificationEvent_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSetWnfProcessNotificationEvent_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSetWnfProcessNotificationEvent_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSetWnfProcessNotificationEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSetWnfProcessNotificationEvent_SystemCall_10_0_18363 + jmp NtSetWnfProcessNotificationEvent_SystemCall_Unknown +NtSetWnfProcessNotificationEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 018fh + jmp NtSetWnfProcessNotificationEvent_Epilogue +NtSetWnfProcessNotificationEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0197h + jmp NtSetWnfProcessNotificationEvent_Epilogue +NtSetWnfProcessNotificationEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 019ah + jmp NtSetWnfProcessNotificationEvent_Epilogue +NtSetWnfProcessNotificationEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01a0h + jmp NtSetWnfProcessNotificationEvent_Epilogue +NtSetWnfProcessNotificationEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01a6h + jmp NtSetWnfProcessNotificationEvent_Epilogue +NtSetWnfProcessNotificationEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01a9h + jmp 
NtSetWnfProcessNotificationEvent_Epilogue +NtSetWnfProcessNotificationEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01abh + jmp NtSetWnfProcessNotificationEvent_Epilogue +NtSetWnfProcessNotificationEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01ach + jmp NtSetWnfProcessNotificationEvent_Epilogue +NtSetWnfProcessNotificationEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01adh + jmp NtSetWnfProcessNotificationEvent_Epilogue +NtSetWnfProcessNotificationEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01adh + jmp NtSetWnfProcessNotificationEvent_Epilogue +NtSetWnfProcessNotificationEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSetWnfProcessNotificationEvent_Epilogue: + mov r10, rcx + syscall + ret +NtSetWnfProcessNotificationEvent ENDP + +NtShutdownSystem PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtShutdownSystem_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtShutdownSystem_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtShutdownSystem_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtShutdownSystem_Check_10_0_XXXX + jmp NtShutdownSystem_SystemCall_Unknown +NtShutdownSystem_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtShutdownSystem_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtShutdownSystem_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtShutdownSystem_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtShutdownSystem_SystemCall_6_3_XXXX + jmp NtShutdownSystem_SystemCall_Unknown +NtShutdownSystem_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtShutdownSystem_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtShutdownSystem_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtShutdownSystem_SystemCall_6_0_6002 + jmp NtShutdownSystem_SystemCall_Unknown +NtShutdownSystem_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtShutdownSystem_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtShutdownSystem_SystemCall_6_1_7601 + jmp NtShutdownSystem_SystemCall_Unknown +NtShutdownSystem_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtShutdownSystem_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtShutdownSystem_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtShutdownSystem_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtShutdownSystem_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtShutdownSystem_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtShutdownSystem_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtShutdownSystem_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtShutdownSystem_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtShutdownSystem_SystemCall_10_0_18363 + jmp NtShutdownSystem_SystemCall_Unknown +NtShutdownSystem_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0113h + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0171h + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 016bh + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 016bh + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0174h + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 
2008 R2 SP0 + mov eax, 0174h + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 018bh + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0190h + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0198h + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 019bh + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01a1h + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01a7h + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01aah + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01ach + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01adh + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01aeh + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01aeh + jmp NtShutdownSystem_Epilogue +NtShutdownSystem_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtShutdownSystem_Epilogue: + mov r10, rcx + syscall + ret +NtShutdownSystem ENDP + +NtShutdownWorkerFactory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtShutdownWorkerFactory_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtShutdownWorkerFactory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtShutdownWorkerFactory_Check_10_0_XXXX + jmp NtShutdownWorkerFactory_SystemCall_Unknown +NtShutdownWorkerFactory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtShutdownWorkerFactory_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtShutdownWorkerFactory_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtShutdownWorkerFactory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtShutdownWorkerFactory_SystemCall_6_3_XXXX + jmp NtShutdownWorkerFactory_SystemCall_Unknown +NtShutdownWorkerFactory_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtShutdownWorkerFactory_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtShutdownWorkerFactory_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtShutdownWorkerFactory_SystemCall_6_0_6002 + jmp NtShutdownWorkerFactory_SystemCall_Unknown +NtShutdownWorkerFactory_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtShutdownWorkerFactory_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtShutdownWorkerFactory_SystemCall_6_1_7601 + jmp NtShutdownWorkerFactory_SystemCall_Unknown +NtShutdownWorkerFactory_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtShutdownWorkerFactory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtShutdownWorkerFactory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtShutdownWorkerFactory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtShutdownWorkerFactory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtShutdownWorkerFactory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtShutdownWorkerFactory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtShutdownWorkerFactory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtShutdownWorkerFactory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtShutdownWorkerFactory_SystemCall_10_0_18363 + jmp NtShutdownWorkerFactory_SystemCall_Unknown +NtShutdownWorkerFactory_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0172h + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 016ch + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 016ch + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0175h + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0175h + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 018ch + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0191h + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0199h + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 019ch + jmp 
NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01a2h + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01a8h + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01abh + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01adh + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01aeh + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01afh + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01afh + jmp NtShutdownWorkerFactory_Epilogue +NtShutdownWorkerFactory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtShutdownWorkerFactory_Epilogue: + mov r10, rcx + syscall + ret +NtShutdownWorkerFactory ENDP + +NtSignalAndWaitForSingleObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSignalAndWaitForSingleObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSignalAndWaitForSingleObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSignalAndWaitForSingleObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSignalAndWaitForSingleObject_Check_10_0_XXXX + jmp NtSignalAndWaitForSingleObject_SystemCall_Unknown +NtSignalAndWaitForSingleObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSignalAndWaitForSingleObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSignalAndWaitForSingleObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSignalAndWaitForSingleObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSignalAndWaitForSingleObject_SystemCall_6_3_XXXX + jmp NtSignalAndWaitForSingleObject_SystemCall_Unknown +NtSignalAndWaitForSingleObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSignalAndWaitForSingleObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSignalAndWaitForSingleObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSignalAndWaitForSingleObject_SystemCall_6_0_6002 + jmp NtSignalAndWaitForSingleObject_SystemCall_Unknown +NtSignalAndWaitForSingleObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSignalAndWaitForSingleObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSignalAndWaitForSingleObject_SystemCall_6_1_7601 + jmp NtSignalAndWaitForSingleObject_SystemCall_Unknown +NtSignalAndWaitForSingleObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSignalAndWaitForSingleObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSignalAndWaitForSingleObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSignalAndWaitForSingleObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSignalAndWaitForSingleObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSignalAndWaitForSingleObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSignalAndWaitForSingleObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSignalAndWaitForSingleObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSignalAndWaitForSingleObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSignalAndWaitForSingleObject_SystemCall_10_0_18363 + jmp NtSignalAndWaitForSingleObject_SystemCall_Unknown +NtSignalAndWaitForSingleObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0114h + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0173h + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 016dh + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 016dh + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0176h + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0176h + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 018dh + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov 
eax, 0192h + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 019ah + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 019dh + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01a3h + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01a9h + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01ach + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01aeh + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01afh + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01b0h + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01b0h + jmp NtSignalAndWaitForSingleObject_Epilogue +NtSignalAndWaitForSingleObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSignalAndWaitForSingleObject_Epilogue: + mov r10, rcx + syscall + ret +NtSignalAndWaitForSingleObject ENDP + +NtSinglePhaseReject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSinglePhaseReject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtSinglePhaseReject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSinglePhaseReject_Check_10_0_XXXX + jmp NtSinglePhaseReject_SystemCall_Unknown +NtSinglePhaseReject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSinglePhaseReject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSinglePhaseReject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSinglePhaseReject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSinglePhaseReject_SystemCall_6_3_XXXX + jmp NtSinglePhaseReject_SystemCall_Unknown +NtSinglePhaseReject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSinglePhaseReject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSinglePhaseReject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSinglePhaseReject_SystemCall_6_0_6002 + jmp NtSinglePhaseReject_SystemCall_Unknown +NtSinglePhaseReject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSinglePhaseReject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSinglePhaseReject_SystemCall_6_1_7601 + jmp NtSinglePhaseReject_SystemCall_Unknown +NtSinglePhaseReject_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSinglePhaseReject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSinglePhaseReject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSinglePhaseReject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSinglePhaseReject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSinglePhaseReject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSinglePhaseReject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSinglePhaseReject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSinglePhaseReject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSinglePhaseReject_SystemCall_10_0_18363 + jmp NtSinglePhaseReject_SystemCall_Unknown +NtSinglePhaseReject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0174h + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 016eh + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 016eh + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0177h + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0177h + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 018eh + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0193h + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 019bh + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 019eh + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01a4h + jmp 
NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01aah + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01adh + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01afh + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01b0h + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01b1h + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01b1h + jmp NtSinglePhaseReject_Epilogue +NtSinglePhaseReject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSinglePhaseReject_Epilogue: + mov r10, rcx + syscall + ret +NtSinglePhaseReject ENDP + +NtStartProfile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtStartProfile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtStartProfile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtStartProfile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtStartProfile_Check_10_0_XXXX + jmp NtStartProfile_SystemCall_Unknown +NtStartProfile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtStartProfile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtStartProfile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtStartProfile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtStartProfile_SystemCall_6_3_XXXX + jmp NtStartProfile_SystemCall_Unknown +NtStartProfile_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtStartProfile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtStartProfile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtStartProfile_SystemCall_6_0_6002 + jmp NtStartProfile_SystemCall_Unknown +NtStartProfile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtStartProfile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtStartProfile_SystemCall_6_1_7601 + jmp NtStartProfile_SystemCall_Unknown +NtStartProfile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtStartProfile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtStartProfile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtStartProfile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtStartProfile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtStartProfile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtStartProfile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtStartProfile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtStartProfile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtStartProfile_SystemCall_10_0_18363 + jmp NtStartProfile_SystemCall_Unknown +NtStartProfile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0115h + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0175h + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 016fh + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 016fh + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0178h + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0178h + jmp NtStartProfile_Epilogue 
+NtStartProfile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 018fh + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0194h + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 019ch + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 019fh + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01a5h + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01abh + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01aeh + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01b0h + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01b1h + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01b2h + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01b2h + jmp NtStartProfile_Epilogue +NtStartProfile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtStartProfile_Epilogue: + mov r10, rcx + syscall + ret +NtStartProfile ENDP + +NtStartTm PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtStartTm_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtStartTm_Check_6_X_XXXX + jmp NtStartTm_SystemCall_Unknown +NtStartTm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtStartTm_Check_6_0_XXXX + jmp NtStartTm_SystemCall_Unknown +NtStartTm_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtStartTm_SystemCall_6_0_6000 + jmp NtStartTm_SystemCall_Unknown +NtStartTm_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0176h + jmp NtStartTm_Epilogue +NtStartTm_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtStartTm_Epilogue: + mov r10, rcx + syscall + ret +NtStartTm ENDP + +NtStopProfile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtStopProfile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtStopProfile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtStopProfile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtStopProfile_Check_10_0_XXXX + jmp NtStopProfile_SystemCall_Unknown +NtStopProfile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtStopProfile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtStopProfile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtStopProfile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtStopProfile_SystemCall_6_3_XXXX + jmp NtStopProfile_SystemCall_Unknown +NtStopProfile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtStopProfile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtStopProfile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtStopProfile_SystemCall_6_0_6002 + jmp NtStopProfile_SystemCall_Unknown +NtStopProfile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtStopProfile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtStopProfile_SystemCall_6_1_7601 + jmp NtStopProfile_SystemCall_Unknown +NtStopProfile_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtStopProfile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtStopProfile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtStopProfile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtStopProfile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtStopProfile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtStopProfile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtStopProfile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtStopProfile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtStopProfile_SystemCall_10_0_18363 + jmp NtStopProfile_SystemCall_Unknown +NtStopProfile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0116h + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0177h + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0170h + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0170h + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0179h + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0179h + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0190h + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0195h + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 019dh + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01a0h + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01a6h + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_10_0_15063: ; Windows 
10.0.15063 (1703) + mov eax, 01ach + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01afh + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01b1h + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01b2h + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01b3h + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01b3h + jmp NtStopProfile_Epilogue +NtStopProfile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtStopProfile_Epilogue: + mov r10, rcx + syscall + ret +NtStopProfile ENDP + +NtSubscribeWnfStateChange PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSubscribeWnfStateChange_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtSubscribeWnfStateChange_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSubscribeWnfStateChange_Check_10_0_XXXX + jmp NtSubscribeWnfStateChange_SystemCall_Unknown +NtSubscribeWnfStateChange_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtSubscribeWnfStateChange_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSubscribeWnfStateChange_SystemCall_6_3_XXXX + jmp NtSubscribeWnfStateChange_SystemCall_Unknown +NtSubscribeWnfStateChange_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSubscribeWnfStateChange_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSubscribeWnfStateChange_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSubscribeWnfStateChange_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSubscribeWnfStateChange_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSubscribeWnfStateChange_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSubscribeWnfStateChange_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSubscribeWnfStateChange_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSubscribeWnfStateChange_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSubscribeWnfStateChange_SystemCall_10_0_18363 + jmp NtSubscribeWnfStateChange_SystemCall_Unknown +NtSubscribeWnfStateChange_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0191h + jmp NtSubscribeWnfStateChange_Epilogue +NtSubscribeWnfStateChange_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0196h + jmp NtSubscribeWnfStateChange_Epilogue +NtSubscribeWnfStateChange_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 019eh + jmp NtSubscribeWnfStateChange_Epilogue +NtSubscribeWnfStateChange_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01a1h + jmp NtSubscribeWnfStateChange_Epilogue +NtSubscribeWnfStateChange_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01a7h + jmp NtSubscribeWnfStateChange_Epilogue +NtSubscribeWnfStateChange_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01adh + jmp NtSubscribeWnfStateChange_Epilogue +NtSubscribeWnfStateChange_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01b0h + jmp NtSubscribeWnfStateChange_Epilogue +NtSubscribeWnfStateChange_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01b2h + jmp NtSubscribeWnfStateChange_Epilogue +NtSubscribeWnfStateChange_SystemCall_10_0_17763: ; Windows 10.0.17763 
(1809) + mov eax, 01b3h + jmp NtSubscribeWnfStateChange_Epilogue +NtSubscribeWnfStateChange_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01b4h + jmp NtSubscribeWnfStateChange_Epilogue +NtSubscribeWnfStateChange_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01b4h + jmp NtSubscribeWnfStateChange_Epilogue +NtSubscribeWnfStateChange_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSubscribeWnfStateChange_Epilogue: + mov r10, rcx + syscall + ret +NtSubscribeWnfStateChange ENDP + +NtSuspendProcess PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSuspendProcess_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSuspendProcess_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSuspendProcess_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSuspendProcess_Check_10_0_XXXX + jmp NtSuspendProcess_SystemCall_Unknown +NtSuspendProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSuspendProcess_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSuspendProcess_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSuspendProcess_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSuspendProcess_SystemCall_6_3_XXXX + jmp NtSuspendProcess_SystemCall_Unknown +NtSuspendProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSuspendProcess_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSuspendProcess_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSuspendProcess_SystemCall_6_0_6002 + jmp NtSuspendProcess_SystemCall_Unknown +NtSuspendProcess_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSuspendProcess_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSuspendProcess_SystemCall_6_1_7601 + jmp NtSuspendProcess_SystemCall_Unknown +NtSuspendProcess_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSuspendProcess_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSuspendProcess_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSuspendProcess_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSuspendProcess_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSuspendProcess_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSuspendProcess_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSuspendProcess_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSuspendProcess_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSuspendProcess_SystemCall_10_0_18363 + jmp NtSuspendProcess_SystemCall_Unknown +NtSuspendProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0117h + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0178h + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0171h + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0171h + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 017ah + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 017ah + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0192h + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0197h + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 019fh + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01a2h + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + 
mov eax, 01a8h + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01aeh + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01b1h + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01b3h + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01b4h + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01b5h + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01b5h + jmp NtSuspendProcess_Epilogue +NtSuspendProcess_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSuspendProcess_Epilogue: + mov r10, rcx + syscall + ret +NtSuspendProcess ENDP + +NtSuspendThread PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSuspendThread_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSuspendThread_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSuspendThread_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSuspendThread_Check_10_0_XXXX + jmp NtSuspendThread_SystemCall_Unknown +NtSuspendThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtSuspendThread_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSuspendThread_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSuspendThread_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSuspendThread_SystemCall_6_3_XXXX + jmp NtSuspendThread_SystemCall_Unknown +NtSuspendThread_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtSuspendThread_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSuspendThread_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSuspendThread_SystemCall_6_0_6002 + jmp NtSuspendThread_SystemCall_Unknown +NtSuspendThread_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSuspendThread_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSuspendThread_SystemCall_6_1_7601 + jmp NtSuspendThread_SystemCall_Unknown +NtSuspendThread_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtSuspendThread_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSuspendThread_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSuspendThread_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSuspendThread_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSuspendThread_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSuspendThread_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSuspendThread_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSuspendThread_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSuspendThread_SystemCall_10_0_18363 + jmp NtSuspendThread_SystemCall_Unknown +NtSuspendThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0118h + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0179h + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0172h + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0172h + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 017bh + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 017bh + 
jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0193h + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0198h + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01a0h + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01a3h + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01a9h + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01afh + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01b2h + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01b4h + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01b5h + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01b6h + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01b6h + jmp NtSuspendThread_Epilogue +NtSuspendThread_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSuspendThread_Epilogue: + mov r10, rcx + syscall + ret +NtSuspendThread ENDP + +NtSystemDebugControl PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtSystemDebugControl_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtSystemDebugControl_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtSystemDebugControl_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtSystemDebugControl_Check_10_0_XXXX + jmp NtSystemDebugControl_SystemCall_Unknown +NtSystemDebugControl_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtSystemDebugControl_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtSystemDebugControl_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSystemDebugControl_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtSystemDebugControl_SystemCall_6_3_XXXX + jmp NtSystemDebugControl_SystemCall_Unknown +NtSystemDebugControl_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtSystemDebugControl_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtSystemDebugControl_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtSystemDebugControl_SystemCall_6_0_6002 + jmp NtSystemDebugControl_SystemCall_Unknown +NtSystemDebugControl_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtSystemDebugControl_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtSystemDebugControl_SystemCall_6_1_7601 + jmp NtSystemDebugControl_SystemCall_Unknown +NtSystemDebugControl_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtSystemDebugControl_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtSystemDebugControl_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtSystemDebugControl_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtSystemDebugControl_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtSystemDebugControl_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtSystemDebugControl_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtSystemDebugControl_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtSystemDebugControl_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtSystemDebugControl_SystemCall_10_0_18363 + jmp NtSystemDebugControl_SystemCall_Unknown +NtSystemDebugControl_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0119h + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 017ah + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0173h + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0173h + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 017ch + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 017ch + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0194h + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0199h + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01a1h + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 01a4h + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01aah + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01b0h + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01b3h + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01b5h + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01b6h + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01b7h + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01b7h + jmp NtSystemDebugControl_Epilogue +NtSystemDebugControl_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtSystemDebugControl_Epilogue: + mov r10, rcx + syscall + ret +NtSystemDebugControl ENDP + +NtTerminateEnclave PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtTerminateEnclave_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 10 + je NtTerminateEnclave_Check_10_0_XXXX + jmp NtTerminateEnclave_SystemCall_Unknown +NtTerminateEnclave_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 16299 + je NtTerminateEnclave_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtTerminateEnclave_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtTerminateEnclave_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtTerminateEnclave_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtTerminateEnclave_SystemCall_10_0_18363 + jmp NtTerminateEnclave_SystemCall_Unknown +NtTerminateEnclave_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01b4h + jmp NtTerminateEnclave_Epilogue +NtTerminateEnclave_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01b6h + jmp NtTerminateEnclave_Epilogue +NtTerminateEnclave_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01b7h + jmp NtTerminateEnclave_Epilogue +NtTerminateEnclave_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01b8h + jmp NtTerminateEnclave_Epilogue +NtTerminateEnclave_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01b8h + jmp NtTerminateEnclave_Epilogue +NtTerminateEnclave_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtTerminateEnclave_Epilogue: + mov r10, rcx + syscall + ret +NtTerminateEnclave ENDP + +NtTerminateJobObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtTerminateJobObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtTerminateJobObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtTerminateJobObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtTerminateJobObject_Check_10_0_XXXX + jmp NtTerminateJobObject_SystemCall_Unknown +NtTerminateJobObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtTerminateJobObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtTerminateJobObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtTerminateJobObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtTerminateJobObject_SystemCall_6_3_XXXX + jmp NtTerminateJobObject_SystemCall_Unknown +NtTerminateJobObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtTerminateJobObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtTerminateJobObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtTerminateJobObject_SystemCall_6_0_6002 + jmp NtTerminateJobObject_SystemCall_Unknown +NtTerminateJobObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtTerminateJobObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtTerminateJobObject_SystemCall_6_1_7601 + jmp NtTerminateJobObject_SystemCall_Unknown +NtTerminateJobObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtTerminateJobObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtTerminateJobObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtTerminateJobObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtTerminateJobObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtTerminateJobObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtTerminateJobObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtTerminateJobObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtTerminateJobObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtTerminateJobObject_SystemCall_10_0_18363 + jmp NtTerminateJobObject_SystemCall_Unknown +NtTerminateJobObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 011ah + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 017bh + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0174h + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0174h + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 017dh + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 017dh + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0195h + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 019ah + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01a2h + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 01a5h + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01abh + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01b1h + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01b5h + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01b7h + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01b8h + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01b9h + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01b9h + jmp NtTerminateJobObject_Epilogue +NtTerminateJobObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtTerminateJobObject_Epilogue: + mov r10, rcx + syscall + ret +NtTerminateJobObject ENDP + +NtTerminateProcess PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtTerminateProcess_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtTerminateProcess_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtTerminateProcess_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtTerminateProcess_Check_10_0_XXXX + jmp NtTerminateProcess_SystemCall_Unknown +NtTerminateProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtTerminateProcess_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtTerminateProcess_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtTerminateProcess_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtTerminateProcess_SystemCall_6_3_XXXX + jmp NtTerminateProcess_SystemCall_Unknown +NtTerminateProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtTerminateProcess_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtTerminateProcess_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtTerminateProcess_SystemCall_6_0_6002 + jmp NtTerminateProcess_SystemCall_Unknown +NtTerminateProcess_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtTerminateProcess_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtTerminateProcess_SystemCall_6_1_7601 + jmp NtTerminateProcess_SystemCall_Unknown +NtTerminateProcess_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtTerminateProcess_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtTerminateProcess_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtTerminateProcess_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtTerminateProcess_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtTerminateProcess_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtTerminateProcess_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtTerminateProcess_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtTerminateProcess_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtTerminateProcess_SystemCall_10_0_18363 + jmp NtTerminateProcess_SystemCall_Unknown +NtTerminateProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0029h + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0029h + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0029h + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0029h + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0029h + jmp NtTerminateProcess_Epilogue 
+NtTerminateProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0029h + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 002ah + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 002bh + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 002ch + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 002ch + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 002ch + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 002ch + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 002ch + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 002ch + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 002ch + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 002ch + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 002ch + jmp NtTerminateProcess_Epilogue +NtTerminateProcess_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtTerminateProcess_Epilogue: + mov r10, rcx + syscall + ret +NtTerminateProcess ENDP + +NtTerminateThread PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtTerminateThread_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtTerminateThread_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtTerminateThread_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtTerminateThread_Check_10_0_XXXX + jmp NtTerminateThread_SystemCall_Unknown +NtTerminateThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtTerminateThread_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtTerminateThread_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtTerminateThread_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtTerminateThread_SystemCall_6_3_XXXX + jmp NtTerminateThread_SystemCall_Unknown +NtTerminateThread_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtTerminateThread_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtTerminateThread_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtTerminateThread_SystemCall_6_0_6002 + jmp NtTerminateThread_SystemCall_Unknown +NtTerminateThread_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtTerminateThread_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtTerminateThread_SystemCall_6_1_7601 + jmp NtTerminateThread_SystemCall_Unknown +NtTerminateThread_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtTerminateThread_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtTerminateThread_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtTerminateThread_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtTerminateThread_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtTerminateThread_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtTerminateThread_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtTerminateThread_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtTerminateThread_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtTerminateThread_SystemCall_10_0_18363 + jmp NtTerminateThread_SystemCall_Unknown +NtTerminateThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0050h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0050h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0050h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0050h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0050h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0050h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0051h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0052h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0053h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0053h + jmp NtTerminateThread_Epilogue 
+NtTerminateThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0053h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0053h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0053h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0053h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0053h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0053h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0053h + jmp NtTerminateThread_Epilogue +NtTerminateThread_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtTerminateThread_Epilogue: + mov r10, rcx + syscall + ret +NtTerminateThread ENDP + +NtTestAlert PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtTestAlert_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtTestAlert_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtTestAlert_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtTestAlert_Check_10_0_XXXX + jmp NtTestAlert_SystemCall_Unknown +NtTestAlert_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtTestAlert_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtTestAlert_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtTestAlert_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtTestAlert_SystemCall_6_3_XXXX + jmp NtTestAlert_SystemCall_Unknown +NtTestAlert_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtTestAlert_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtTestAlert_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtTestAlert_SystemCall_6_0_6002 + jmp NtTestAlert_SystemCall_Unknown +NtTestAlert_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtTestAlert_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtTestAlert_SystemCall_6_1_7601 + jmp NtTestAlert_SystemCall_Unknown +NtTestAlert_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtTestAlert_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtTestAlert_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtTestAlert_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtTestAlert_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtTestAlert_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtTestAlert_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtTestAlert_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtTestAlert_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtTestAlert_SystemCall_10_0_18363 + jmp NtTestAlert_SystemCall_Unknown +NtTestAlert_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 011bh + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 017ch + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0175h + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0175h + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 017eh + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 017eh + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0196h + jmp 
NtTestAlert_Epilogue +NtTestAlert_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 019bh + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01a3h + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01a6h + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01ach + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01b2h + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01b6h + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01b8h + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01b9h + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01bah + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01bah + jmp NtTestAlert_Epilogue +NtTestAlert_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtTestAlert_Epilogue: + mov r10, rcx + syscall + ret +NtTestAlert ENDP + +NtThawRegistry PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtThawRegistry_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtThawRegistry_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtThawRegistry_Check_10_0_XXXX + jmp NtThawRegistry_SystemCall_Unknown +NtThawRegistry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtThawRegistry_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtThawRegistry_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtThawRegistry_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtThawRegistry_SystemCall_6_3_XXXX + jmp NtThawRegistry_SystemCall_Unknown +NtThawRegistry_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtThawRegistry_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtThawRegistry_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtThawRegistry_SystemCall_6_0_6002 + jmp NtThawRegistry_SystemCall_Unknown +NtThawRegistry_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtThawRegistry_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtThawRegistry_SystemCall_6_1_7601 + jmp NtThawRegistry_SystemCall_Unknown +NtThawRegistry_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtThawRegistry_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtThawRegistry_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtThawRegistry_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtThawRegistry_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtThawRegistry_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtThawRegistry_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtThawRegistry_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtThawRegistry_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtThawRegistry_SystemCall_10_0_18363 + jmp NtThawRegistry_SystemCall_Unknown +NtThawRegistry_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 017dh + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0176h + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0176h + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 017fh + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 017fh + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0197h + jmp NtThawRegistry_Epilogue 
+NtThawRegistry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 019ch + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01a4h + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01a7h + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01adh + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01b3h + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01b7h + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01b9h + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01bah + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01bbh + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01bbh + jmp NtThawRegistry_Epilogue +NtThawRegistry_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtThawRegistry_Epilogue: + mov r10, rcx + syscall + ret +NtThawRegistry ENDP + +NtThawTransactions PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtThawTransactions_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtThawTransactions_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtThawTransactions_Check_10_0_XXXX + jmp NtThawTransactions_SystemCall_Unknown +NtThawTransactions_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtThawTransactions_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtThawTransactions_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtThawTransactions_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtThawTransactions_SystemCall_6_3_XXXX + jmp NtThawTransactions_SystemCall_Unknown +NtThawTransactions_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtThawTransactions_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtThawTransactions_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtThawTransactions_SystemCall_6_0_6002 + jmp NtThawTransactions_SystemCall_Unknown +NtThawTransactions_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtThawTransactions_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtThawTransactions_SystemCall_6_1_7601 + jmp NtThawTransactions_SystemCall_Unknown +NtThawTransactions_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtThawTransactions_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtThawTransactions_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtThawTransactions_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtThawTransactions_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtThawTransactions_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtThawTransactions_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtThawTransactions_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtThawTransactions_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtThawTransactions_SystemCall_10_0_18363 + jmp NtThawTransactions_SystemCall_Unknown +NtThawTransactions_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 017eh + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0177h + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0177h + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0180h + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0180h + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0198h + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 019dh + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01a5h + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01a8h + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01aeh + jmp NtThawTransactions_Epilogue 
+NtThawTransactions_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01b4h + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01b8h + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01bah + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01bbh + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01bch + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01bch + jmp NtThawTransactions_Epilogue +NtThawTransactions_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtThawTransactions_Epilogue: + mov r10, rcx + syscall + ret +NtThawTransactions ENDP + +NtTraceControl PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtTraceControl_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtTraceControl_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtTraceControl_Check_10_0_XXXX + jmp NtTraceControl_SystemCall_Unknown +NtTraceControl_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtTraceControl_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtTraceControl_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtTraceControl_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtTraceControl_SystemCall_6_3_XXXX + jmp NtTraceControl_SystemCall_Unknown +NtTraceControl_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtTraceControl_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtTraceControl_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtTraceControl_SystemCall_6_0_6002 + jmp NtTraceControl_SystemCall_Unknown +NtTraceControl_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtTraceControl_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtTraceControl_SystemCall_6_1_7601 + jmp NtTraceControl_SystemCall_Unknown +NtTraceControl_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtTraceControl_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtTraceControl_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtTraceControl_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtTraceControl_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtTraceControl_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtTraceControl_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtTraceControl_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtTraceControl_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtTraceControl_SystemCall_10_0_18363 + jmp NtTraceControl_SystemCall_Unknown +NtTraceControl_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 017fh + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0178h + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0178h + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0181h + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0181h + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0199h + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 019eh + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01a6h + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01a9h + jmp 
NtTraceControl_Epilogue +NtTraceControl_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01afh + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01b5h + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01b9h + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01bbh + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01bch + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01bdh + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01bdh + jmp NtTraceControl_Epilogue +NtTraceControl_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtTraceControl_Epilogue: + mov r10, rcx + syscall + ret +NtTraceControl ENDP + +NtTraceEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtTraceEvent_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtTraceEvent_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtTraceEvent_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtTraceEvent_Check_10_0_XXXX + jmp NtTraceEvent_SystemCall_Unknown +NtTraceEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtTraceEvent_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtTraceEvent_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtTraceEvent_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtTraceEvent_SystemCall_6_3_XXXX + jmp NtTraceEvent_SystemCall_Unknown +NtTraceEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtTraceEvent_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtTraceEvent_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtTraceEvent_SystemCall_6_0_6002 + jmp NtTraceEvent_SystemCall_Unknown +NtTraceEvent_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtTraceEvent_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtTraceEvent_SystemCall_6_1_7601 + jmp NtTraceEvent_SystemCall_Unknown +NtTraceEvent_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtTraceEvent_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtTraceEvent_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtTraceEvent_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtTraceEvent_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtTraceEvent_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtTraceEvent_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtTraceEvent_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtTraceEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtTraceEvent_SystemCall_10_0_18363 + jmp NtTraceEvent_SystemCall_Unknown +NtTraceEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 005bh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 005bh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 005bh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 005bh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 005bh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 005bh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + 
mov eax, 005ch + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 005dh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 005eh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 005eh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 005eh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 005eh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 005eh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 005eh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 005eh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 005eh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 005eh + jmp NtTraceEvent_Epilogue +NtTraceEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtTraceEvent_Epilogue: + mov r10, rcx + syscall + ret +NtTraceEvent ENDP + +NtTranslateFilePath PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtTranslateFilePath_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtTranslateFilePath_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtTranslateFilePath_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtTranslateFilePath_Check_10_0_XXXX + jmp NtTranslateFilePath_SystemCall_Unknown +NtTranslateFilePath_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtTranslateFilePath_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtTranslateFilePath_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtTranslateFilePath_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtTranslateFilePath_SystemCall_6_3_XXXX + jmp NtTranslateFilePath_SystemCall_Unknown +NtTranslateFilePath_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtTranslateFilePath_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtTranslateFilePath_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtTranslateFilePath_SystemCall_6_0_6002 + jmp NtTranslateFilePath_SystemCall_Unknown +NtTranslateFilePath_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtTranslateFilePath_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtTranslateFilePath_SystemCall_6_1_7601 + jmp NtTranslateFilePath_SystemCall_Unknown +NtTranslateFilePath_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtTranslateFilePath_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtTranslateFilePath_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtTranslateFilePath_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtTranslateFilePath_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtTranslateFilePath_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtTranslateFilePath_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtTranslateFilePath_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtTranslateFilePath_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtTranslateFilePath_SystemCall_10_0_18363 + jmp NtTranslateFilePath_SystemCall_Unknown +NtTranslateFilePath_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 011ch + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0180h + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0179h + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0179h + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0182h + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0182h + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 019ah + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 019fh + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01a7h + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01aah + jmp 
NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01b0h + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01b6h + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01bah + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01bch + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01bdh + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01beh + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01beh + jmp NtTranslateFilePath_Epilogue +NtTranslateFilePath_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtTranslateFilePath_Epilogue: + mov r10, rcx + syscall + ret +NtTranslateFilePath ENDP + +NtUmsThreadYield PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtUmsThreadYield_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtUmsThreadYield_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtUmsThreadYield_Check_10_0_XXXX + jmp NtUmsThreadYield_SystemCall_Unknown +NtUmsThreadYield_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 1 + je NtUmsThreadYield_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUmsThreadYield_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUmsThreadYield_SystemCall_6_3_XXXX + jmp NtUmsThreadYield_SystemCall_Unknown +NtUmsThreadYield_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtUmsThreadYield_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtUmsThreadYield_SystemCall_6_1_7601 + jmp NtUmsThreadYield_SystemCall_Unknown +NtUmsThreadYield_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtUmsThreadYield_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtUmsThreadYield_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtUmsThreadYield_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtUmsThreadYield_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtUmsThreadYield_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtUmsThreadYield_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtUmsThreadYield_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtUmsThreadYield_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtUmsThreadYield_SystemCall_10_0_18363 + jmp NtUmsThreadYield_SystemCall_Unknown +NtUmsThreadYield_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0183h + jmp NtUmsThreadYield_Epilogue +NtUmsThreadYield_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0183h + jmp NtUmsThreadYield_Epilogue +NtUmsThreadYield_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 019bh + jmp NtUmsThreadYield_Epilogue +NtUmsThreadYield_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01a0h + jmp NtUmsThreadYield_Epilogue +NtUmsThreadYield_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01a8h + jmp NtUmsThreadYield_Epilogue +NtUmsThreadYield_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01abh + jmp NtUmsThreadYield_Epilogue +NtUmsThreadYield_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01b1h + jmp NtUmsThreadYield_Epilogue +NtUmsThreadYield_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01b7h + jmp NtUmsThreadYield_Epilogue +NtUmsThreadYield_SystemCall_10_0_16299: ; Windows 
10.0.16299 (1709) + mov eax, 01bbh + jmp NtUmsThreadYield_Epilogue +NtUmsThreadYield_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01bdh + jmp NtUmsThreadYield_Epilogue +NtUmsThreadYield_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01beh + jmp NtUmsThreadYield_Epilogue +NtUmsThreadYield_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01bfh + jmp NtUmsThreadYield_Epilogue +NtUmsThreadYield_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01bfh + jmp NtUmsThreadYield_Epilogue +NtUmsThreadYield_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtUmsThreadYield_Epilogue: + mov r10, rcx + syscall + ret +NtUmsThreadYield ENDP + +NtUnloadDriver PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtUnloadDriver_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtUnloadDriver_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtUnloadDriver_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtUnloadDriver_Check_10_0_XXXX + jmp NtUnloadDriver_SystemCall_Unknown +NtUnloadDriver_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtUnloadDriver_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtUnloadDriver_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnloadDriver_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnloadDriver_SystemCall_6_3_XXXX + jmp NtUnloadDriver_SystemCall_Unknown +NtUnloadDriver_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtUnloadDriver_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtUnloadDriver_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtUnloadDriver_SystemCall_6_0_6002 + jmp NtUnloadDriver_SystemCall_Unknown +NtUnloadDriver_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtUnloadDriver_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtUnloadDriver_SystemCall_6_1_7601 + jmp NtUnloadDriver_SystemCall_Unknown +NtUnloadDriver_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtUnloadDriver_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtUnloadDriver_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtUnloadDriver_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtUnloadDriver_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtUnloadDriver_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtUnloadDriver_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtUnloadDriver_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtUnloadDriver_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtUnloadDriver_SystemCall_10_0_18363 + jmp NtUnloadDriver_SystemCall_Unknown +NtUnloadDriver_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 011dh + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0181h + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 017ah + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 017ah + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0184h + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0184h + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 019ch + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01a1h + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01a9h + jmp 
NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01ach + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01b2h + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01b8h + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01bch + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01beh + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01bfh + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01c0h + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01c0h + jmp NtUnloadDriver_Epilogue +NtUnloadDriver_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtUnloadDriver_Epilogue: + mov r10, rcx + syscall + ret +NtUnloadDriver ENDP + +NtUnloadKey PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtUnloadKey_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtUnloadKey_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtUnloadKey_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtUnloadKey_Check_10_0_XXXX + jmp NtUnloadKey_SystemCall_Unknown +NtUnloadKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtUnloadKey_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtUnloadKey_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnloadKey_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnloadKey_SystemCall_6_3_XXXX + jmp NtUnloadKey_SystemCall_Unknown +NtUnloadKey_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtUnloadKey_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtUnloadKey_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtUnloadKey_SystemCall_6_0_6002 + jmp NtUnloadKey_SystemCall_Unknown +NtUnloadKey_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtUnloadKey_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtUnloadKey_SystemCall_6_1_7601 + jmp NtUnloadKey_SystemCall_Unknown +NtUnloadKey_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtUnloadKey_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtUnloadKey_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtUnloadKey_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtUnloadKey_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtUnloadKey_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtUnloadKey_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtUnloadKey_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtUnloadKey_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtUnloadKey_SystemCall_10_0_18363 + jmp NtUnloadKey_SystemCall_Unknown +NtUnloadKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 011eh + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0182h + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 017bh + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 017bh + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0185h + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0185h + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 019dh + jmp 
NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01a2h + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01aah + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01adh + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01b3h + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01b9h + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01bdh + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01bfh + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01c0h + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01c1h + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01c1h + jmp NtUnloadKey_Epilogue +NtUnloadKey_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtUnloadKey_Epilogue: + mov r10, rcx + syscall + ret +NtUnloadKey ENDP + +NtUnloadKey2 PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtUnloadKey2_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtUnloadKey2_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtUnloadKey2_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtUnloadKey2_Check_10_0_XXXX + jmp NtUnloadKey2_SystemCall_Unknown +NtUnloadKey2_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtUnloadKey2_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtUnloadKey2_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnloadKey2_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnloadKey2_SystemCall_6_3_XXXX + jmp NtUnloadKey2_SystemCall_Unknown +NtUnloadKey2_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtUnloadKey2_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtUnloadKey2_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtUnloadKey2_SystemCall_6_0_6002 + jmp NtUnloadKey2_SystemCall_Unknown +NtUnloadKey2_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtUnloadKey2_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtUnloadKey2_SystemCall_6_1_7601 + jmp NtUnloadKey2_SystemCall_Unknown +NtUnloadKey2_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtUnloadKey2_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtUnloadKey2_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtUnloadKey2_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtUnloadKey2_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtUnloadKey2_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtUnloadKey2_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtUnloadKey2_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtUnloadKey2_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtUnloadKey2_SystemCall_10_0_18363 + jmp NtUnloadKey2_SystemCall_Unknown +NtUnloadKey2_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 011fh + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0183h + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 017ch + jmp NtUnloadKey2_Epilogue 
+NtUnloadKey2_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 017ch + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0186h + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0186h + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 019eh + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01a3h + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01abh + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01aeh + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01b4h + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01bah + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01beh + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01c0h + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01c1h + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01c2h + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01c2h + jmp NtUnloadKey2_Epilogue +NtUnloadKey2_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtUnloadKey2_Epilogue: + mov r10, rcx + syscall + ret +NtUnloadKey2 ENDP + +NtUnloadKeyEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtUnloadKeyEx_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtUnloadKeyEx_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtUnloadKeyEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtUnloadKeyEx_Check_10_0_XXXX + jmp NtUnloadKeyEx_SystemCall_Unknown +NtUnloadKeyEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtUnloadKeyEx_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtUnloadKeyEx_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnloadKeyEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnloadKeyEx_SystemCall_6_3_XXXX + jmp NtUnloadKeyEx_SystemCall_Unknown +NtUnloadKeyEx_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtUnloadKeyEx_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtUnloadKeyEx_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtUnloadKeyEx_SystemCall_6_0_6002 + jmp NtUnloadKeyEx_SystemCall_Unknown +NtUnloadKeyEx_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtUnloadKeyEx_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtUnloadKeyEx_SystemCall_6_1_7601 + jmp NtUnloadKeyEx_SystemCall_Unknown +NtUnloadKeyEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtUnloadKeyEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtUnloadKeyEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtUnloadKeyEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtUnloadKeyEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtUnloadKeyEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtUnloadKeyEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtUnloadKeyEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtUnloadKeyEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtUnloadKeyEx_SystemCall_10_0_18363 + jmp NtUnloadKeyEx_SystemCall_Unknown +NtUnloadKeyEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0120h + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0184h + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 017dh + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 017dh + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0187h + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0187h + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 019fh + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01a4h + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01ach + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01afh + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01b5h + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_10_0_15063: ; Windows 
10.0.15063 (1703) + mov eax, 01bbh + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01bfh + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01c1h + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01c2h + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01c3h + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01c3h + jmp NtUnloadKeyEx_Epilogue +NtUnloadKeyEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtUnloadKeyEx_Epilogue: + mov r10, rcx + syscall + ret +NtUnloadKeyEx ENDP + +NtUnlockFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtUnlockFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtUnlockFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtUnlockFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtUnlockFile_Check_10_0_XXXX + jmp NtUnlockFile_SystemCall_Unknown +NtUnlockFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtUnlockFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtUnlockFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnlockFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnlockFile_SystemCall_6_3_XXXX + jmp NtUnlockFile_SystemCall_Unknown +NtUnlockFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtUnlockFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtUnlockFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtUnlockFile_SystemCall_6_0_6002 + jmp NtUnlockFile_SystemCall_Unknown +NtUnlockFile_Check_6_1_XXXX: ; Check build number for Windows 7. 
+ cmp dword ptr [rax+120h], 7600 + je NtUnlockFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtUnlockFile_SystemCall_6_1_7601 + jmp NtUnlockFile_SystemCall_Unknown +NtUnlockFile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtUnlockFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtUnlockFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtUnlockFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtUnlockFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtUnlockFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtUnlockFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtUnlockFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtUnlockFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtUnlockFile_SystemCall_10_0_18363 + jmp NtUnlockFile_SystemCall_Unknown +NtUnlockFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0121h + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0185h + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 017eh + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 017eh + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0188h + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0188h + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 01a0h + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01a5h + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01adh + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_10_0_10586: ; Windows 
10.0.10586 (1511) + mov eax, 01b0h + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01b6h + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01bch + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01c0h + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01c2h + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01c3h + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01c4h + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01c4h + jmp NtUnlockFile_Epilogue +NtUnlockFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtUnlockFile_Epilogue: + mov r10, rcx + syscall + ret +NtUnlockFile ENDP + +NtUnlockVirtualMemory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtUnlockVirtualMemory_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtUnlockVirtualMemory_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtUnlockVirtualMemory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtUnlockVirtualMemory_Check_10_0_XXXX + jmp NtUnlockVirtualMemory_SystemCall_Unknown +NtUnlockVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtUnlockVirtualMemory_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtUnlockVirtualMemory_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnlockVirtualMemory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnlockVirtualMemory_SystemCall_6_3_XXXX + jmp NtUnlockVirtualMemory_SystemCall_Unknown +NtUnlockVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtUnlockVirtualMemory_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtUnlockVirtualMemory_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtUnlockVirtualMemory_SystemCall_6_0_6002 + jmp NtUnlockVirtualMemory_SystemCall_Unknown +NtUnlockVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtUnlockVirtualMemory_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtUnlockVirtualMemory_SystemCall_6_1_7601 + jmp NtUnlockVirtualMemory_SystemCall_Unknown +NtUnlockVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtUnlockVirtualMemory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtUnlockVirtualMemory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtUnlockVirtualMemory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtUnlockVirtualMemory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtUnlockVirtualMemory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtUnlockVirtualMemory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtUnlockVirtualMemory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtUnlockVirtualMemory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtUnlockVirtualMemory_SystemCall_10_0_18363 + jmp NtUnlockVirtualMemory_SystemCall_Unknown +NtUnlockVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0122h + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0186h + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 017fh + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 017fh + jmp NtUnlockVirtualMemory_Epilogue 
+NtUnlockVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0189h + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0189h + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 01a1h + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01a6h + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01aeh + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01b1h + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01b7h + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01bdh + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01c1h + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01c3h + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01c4h + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01c5h + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01c5h + jmp NtUnlockVirtualMemory_Epilogue +NtUnlockVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtUnlockVirtualMemory_Epilogue: + mov r10, rcx + syscall + ret +NtUnlockVirtualMemory ENDP + +NtUnmapViewOfSection PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtUnmapViewOfSection_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtUnmapViewOfSection_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtUnmapViewOfSection_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtUnmapViewOfSection_Check_10_0_XXXX + jmp NtUnmapViewOfSection_SystemCall_Unknown +NtUnmapViewOfSection_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtUnmapViewOfSection_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtUnmapViewOfSection_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnmapViewOfSection_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnmapViewOfSection_SystemCall_6_3_XXXX + jmp NtUnmapViewOfSection_SystemCall_Unknown +NtUnmapViewOfSection_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtUnmapViewOfSection_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtUnmapViewOfSection_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtUnmapViewOfSection_SystemCall_6_0_6002 + jmp NtUnmapViewOfSection_SystemCall_Unknown +NtUnmapViewOfSection_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtUnmapViewOfSection_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtUnmapViewOfSection_SystemCall_6_1_7601 + jmp NtUnmapViewOfSection_SystemCall_Unknown +NtUnmapViewOfSection_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtUnmapViewOfSection_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtUnmapViewOfSection_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtUnmapViewOfSection_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtUnmapViewOfSection_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtUnmapViewOfSection_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtUnmapViewOfSection_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtUnmapViewOfSection_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtUnmapViewOfSection_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtUnmapViewOfSection_SystemCall_10_0_18363 + jmp NtUnmapViewOfSection_SystemCall_Unknown +NtUnmapViewOfSection_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0027h + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0027h + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0027h + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0027h + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0027h + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0027h + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0028h + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0029h + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 002ah + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 002ah + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 002ah + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 002ah + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 002ah + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 002ah + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 002ah + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 002ah + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 002ah + jmp NtUnmapViewOfSection_Epilogue +NtUnmapViewOfSection_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtUnmapViewOfSection_Epilogue: + mov r10, rcx + syscall + ret +NtUnmapViewOfSection ENDP + +NtUnmapViewOfSectionEx PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtUnmapViewOfSectionEx_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtUnmapViewOfSectionEx_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtUnmapViewOfSectionEx_Check_10_0_XXXX + jmp NtUnmapViewOfSectionEx_SystemCall_Unknown +NtUnmapViewOfSectionEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtUnmapViewOfSectionEx_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnmapViewOfSectionEx_SystemCall_6_3_XXXX + jmp NtUnmapViewOfSectionEx_SystemCall_Unknown +NtUnmapViewOfSectionEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtUnmapViewOfSectionEx_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtUnmapViewOfSectionEx_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtUnmapViewOfSectionEx_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtUnmapViewOfSectionEx_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtUnmapViewOfSectionEx_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtUnmapViewOfSectionEx_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtUnmapViewOfSectionEx_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtUnmapViewOfSectionEx_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtUnmapViewOfSectionEx_SystemCall_10_0_18363 + jmp NtUnmapViewOfSectionEx_SystemCall_Unknown +NtUnmapViewOfSectionEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 01a2h + jmp NtUnmapViewOfSectionEx_Epilogue +NtUnmapViewOfSectionEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01a7h + jmp NtUnmapViewOfSectionEx_Epilogue +NtUnmapViewOfSectionEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01afh + jmp NtUnmapViewOfSectionEx_Epilogue +NtUnmapViewOfSectionEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01b2h + jmp NtUnmapViewOfSectionEx_Epilogue +NtUnmapViewOfSectionEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01b8h + jmp NtUnmapViewOfSectionEx_Epilogue +NtUnmapViewOfSectionEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01beh + jmp NtUnmapViewOfSectionEx_Epilogue +NtUnmapViewOfSectionEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01c2h + jmp NtUnmapViewOfSectionEx_Epilogue +NtUnmapViewOfSectionEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01c4h + jmp NtUnmapViewOfSectionEx_Epilogue +NtUnmapViewOfSectionEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01c5h + jmp NtUnmapViewOfSectionEx_Epilogue 
+NtUnmapViewOfSectionEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01c6h + jmp NtUnmapViewOfSectionEx_Epilogue +NtUnmapViewOfSectionEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01c6h + jmp NtUnmapViewOfSectionEx_Epilogue +NtUnmapViewOfSectionEx_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtUnmapViewOfSectionEx_Epilogue: + mov r10, rcx + syscall + ret +NtUnmapViewOfSectionEx ENDP + +NtUnsubscribeWnfStateChange PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtUnsubscribeWnfStateChange_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtUnsubscribeWnfStateChange_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtUnsubscribeWnfStateChange_Check_10_0_XXXX + jmp NtUnsubscribeWnfStateChange_SystemCall_Unknown +NtUnsubscribeWnfStateChange_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtUnsubscribeWnfStateChange_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUnsubscribeWnfStateChange_SystemCall_6_3_XXXX + jmp NtUnsubscribeWnfStateChange_SystemCall_Unknown +NtUnsubscribeWnfStateChange_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtUnsubscribeWnfStateChange_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtUnsubscribeWnfStateChange_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtUnsubscribeWnfStateChange_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtUnsubscribeWnfStateChange_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtUnsubscribeWnfStateChange_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtUnsubscribeWnfStateChange_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtUnsubscribeWnfStateChange_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtUnsubscribeWnfStateChange_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtUnsubscribeWnfStateChange_SystemCall_10_0_18363 + jmp NtUnsubscribeWnfStateChange_SystemCall_Unknown +NtUnsubscribeWnfStateChange_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 01a3h + jmp NtUnsubscribeWnfStateChange_Epilogue +NtUnsubscribeWnfStateChange_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01a8h + jmp NtUnsubscribeWnfStateChange_Epilogue +NtUnsubscribeWnfStateChange_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01b0h + jmp NtUnsubscribeWnfStateChange_Epilogue +NtUnsubscribeWnfStateChange_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01b3h + jmp NtUnsubscribeWnfStateChange_Epilogue +NtUnsubscribeWnfStateChange_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01b9h + jmp NtUnsubscribeWnfStateChange_Epilogue +NtUnsubscribeWnfStateChange_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01bfh + jmp NtUnsubscribeWnfStateChange_Epilogue +NtUnsubscribeWnfStateChange_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01c3h + jmp NtUnsubscribeWnfStateChange_Epilogue +NtUnsubscribeWnfStateChange_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01c5h + jmp NtUnsubscribeWnfStateChange_Epilogue 
+NtUnsubscribeWnfStateChange_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01c6h + jmp NtUnsubscribeWnfStateChange_Epilogue +NtUnsubscribeWnfStateChange_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01c7h + jmp NtUnsubscribeWnfStateChange_Epilogue +NtUnsubscribeWnfStateChange_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01c7h + jmp NtUnsubscribeWnfStateChange_Epilogue +NtUnsubscribeWnfStateChange_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtUnsubscribeWnfStateChange_Epilogue: + mov r10, rcx + syscall + ret +NtUnsubscribeWnfStateChange ENDP + +NtUpdateWnfStateData PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtUpdateWnfStateData_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtUpdateWnfStateData_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtUpdateWnfStateData_Check_10_0_XXXX + jmp NtUpdateWnfStateData_SystemCall_Unknown +NtUpdateWnfStateData_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtUpdateWnfStateData_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtUpdateWnfStateData_SystemCall_6_3_XXXX + jmp NtUpdateWnfStateData_SystemCall_Unknown +NtUpdateWnfStateData_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtUpdateWnfStateData_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtUpdateWnfStateData_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtUpdateWnfStateData_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtUpdateWnfStateData_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtUpdateWnfStateData_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtUpdateWnfStateData_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtUpdateWnfStateData_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtUpdateWnfStateData_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtUpdateWnfStateData_SystemCall_10_0_18363 + jmp NtUpdateWnfStateData_SystemCall_Unknown +NtUpdateWnfStateData_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 01a4h + jmp NtUpdateWnfStateData_Epilogue +NtUpdateWnfStateData_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01a9h + jmp NtUpdateWnfStateData_Epilogue +NtUpdateWnfStateData_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01b1h + jmp NtUpdateWnfStateData_Epilogue +NtUpdateWnfStateData_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01b4h + jmp NtUpdateWnfStateData_Epilogue +NtUpdateWnfStateData_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01bah + jmp NtUpdateWnfStateData_Epilogue +NtUpdateWnfStateData_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01c0h + jmp NtUpdateWnfStateData_Epilogue +NtUpdateWnfStateData_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01c4h + jmp NtUpdateWnfStateData_Epilogue +NtUpdateWnfStateData_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01c6h + jmp NtUpdateWnfStateData_Epilogue +NtUpdateWnfStateData_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01c7h + jmp NtUpdateWnfStateData_Epilogue +NtUpdateWnfStateData_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov 
eax, 01c8h + jmp NtUpdateWnfStateData_Epilogue +NtUpdateWnfStateData_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01c8h + jmp NtUpdateWnfStateData_Epilogue +NtUpdateWnfStateData_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtUpdateWnfStateData_Epilogue: + mov r10, rcx + syscall + ret +NtUpdateWnfStateData ENDP + +NtVdmControl PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtVdmControl_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtVdmControl_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtVdmControl_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtVdmControl_Check_10_0_XXXX + jmp NtVdmControl_SystemCall_Unknown +NtVdmControl_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtVdmControl_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtVdmControl_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtVdmControl_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtVdmControl_SystemCall_6_3_XXXX + jmp NtVdmControl_SystemCall_Unknown +NtVdmControl_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtVdmControl_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtVdmControl_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtVdmControl_SystemCall_6_0_6002 + jmp NtVdmControl_SystemCall_Unknown +NtVdmControl_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtVdmControl_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtVdmControl_SystemCall_6_1_7601 + jmp NtVdmControl_SystemCall_Unknown +NtVdmControl_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtVdmControl_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtVdmControl_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtVdmControl_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtVdmControl_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtVdmControl_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtVdmControl_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtVdmControl_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtVdmControl_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtVdmControl_SystemCall_10_0_18363 + jmp NtVdmControl_SystemCall_Unknown +NtVdmControl_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0123h + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0187h + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0180h + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0180h + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 018ah + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 018ah + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 01a5h + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01aah + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01b2h + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01b5h + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01bbh + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 
01c1h + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01c5h + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01c7h + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01c8h + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01c9h + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01c9h + jmp NtVdmControl_Epilogue +NtVdmControl_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtVdmControl_Epilogue: + mov r10, rcx + syscall + ret +NtVdmControl ENDP + +NtWaitForAlertByThreadId PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWaitForAlertByThreadId_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtWaitForAlertByThreadId_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtWaitForAlertByThreadId_Check_10_0_XXXX + jmp NtWaitForAlertByThreadId_SystemCall_Unknown +NtWaitForAlertByThreadId_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtWaitForAlertByThreadId_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitForAlertByThreadId_SystemCall_6_3_XXXX + jmp NtWaitForAlertByThreadId_SystemCall_Unknown +NtWaitForAlertByThreadId_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtWaitForAlertByThreadId_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtWaitForAlertByThreadId_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtWaitForAlertByThreadId_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtWaitForAlertByThreadId_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtWaitForAlertByThreadId_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtWaitForAlertByThreadId_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtWaitForAlertByThreadId_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtWaitForAlertByThreadId_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtWaitForAlertByThreadId_SystemCall_10_0_18363 + jmp NtWaitForAlertByThreadId_SystemCall_Unknown +NtWaitForAlertByThreadId_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 01a6h + jmp NtWaitForAlertByThreadId_Epilogue +NtWaitForAlertByThreadId_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01abh + jmp NtWaitForAlertByThreadId_Epilogue +NtWaitForAlertByThreadId_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01b3h + jmp NtWaitForAlertByThreadId_Epilogue +NtWaitForAlertByThreadId_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01b6h + jmp NtWaitForAlertByThreadId_Epilogue +NtWaitForAlertByThreadId_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01bch + jmp NtWaitForAlertByThreadId_Epilogue +NtWaitForAlertByThreadId_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01c2h + jmp NtWaitForAlertByThreadId_Epilogue +NtWaitForAlertByThreadId_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01c6h + jmp NtWaitForAlertByThreadId_Epilogue +NtWaitForAlertByThreadId_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01c8h + jmp NtWaitForAlertByThreadId_Epilogue +NtWaitForAlertByThreadId_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01c9h + jmp 
NtWaitForAlertByThreadId_Epilogue +NtWaitForAlertByThreadId_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01cah + jmp NtWaitForAlertByThreadId_Epilogue +NtWaitForAlertByThreadId_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01cah + jmp NtWaitForAlertByThreadId_Epilogue +NtWaitForAlertByThreadId_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtWaitForAlertByThreadId_Epilogue: + mov r10, rcx + syscall + ret +NtWaitForAlertByThreadId ENDP + +NtWaitForDebugEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWaitForDebugEvent_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtWaitForDebugEvent_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtWaitForDebugEvent_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtWaitForDebugEvent_Check_10_0_XXXX + jmp NtWaitForDebugEvent_SystemCall_Unknown +NtWaitForDebugEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtWaitForDebugEvent_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtWaitForDebugEvent_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitForDebugEvent_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitForDebugEvent_SystemCall_6_3_XXXX + jmp NtWaitForDebugEvent_SystemCall_Unknown +NtWaitForDebugEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtWaitForDebugEvent_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtWaitForDebugEvent_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtWaitForDebugEvent_SystemCall_6_0_6002 + jmp NtWaitForDebugEvent_SystemCall_Unknown +NtWaitForDebugEvent_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtWaitForDebugEvent_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtWaitForDebugEvent_SystemCall_6_1_7601 + jmp NtWaitForDebugEvent_SystemCall_Unknown +NtWaitForDebugEvent_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtWaitForDebugEvent_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtWaitForDebugEvent_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtWaitForDebugEvent_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtWaitForDebugEvent_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtWaitForDebugEvent_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtWaitForDebugEvent_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtWaitForDebugEvent_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtWaitForDebugEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtWaitForDebugEvent_SystemCall_10_0_18363 + jmp NtWaitForDebugEvent_SystemCall_Unknown +NtWaitForDebugEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0124h + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0188h + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0181h + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0181h + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 018bh + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 018bh + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 01a7h + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01ach + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01b4h + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01b7h + jmp 
NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01bdh + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01c3h + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01c7h + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01c9h + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01cah + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01cbh + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01cbh + jmp NtWaitForDebugEvent_Epilogue +NtWaitForDebugEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtWaitForDebugEvent_Epilogue: + mov r10, rcx + syscall + ret +NtWaitForDebugEvent ENDP + +NtWaitForKeyedEvent PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWaitForKeyedEvent_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtWaitForKeyedEvent_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtWaitForKeyedEvent_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtWaitForKeyedEvent_Check_10_0_XXXX + jmp NtWaitForKeyedEvent_SystemCall_Unknown +NtWaitForKeyedEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtWaitForKeyedEvent_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtWaitForKeyedEvent_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitForKeyedEvent_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitForKeyedEvent_SystemCall_6_3_XXXX + jmp NtWaitForKeyedEvent_SystemCall_Unknown +NtWaitForKeyedEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtWaitForKeyedEvent_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtWaitForKeyedEvent_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtWaitForKeyedEvent_SystemCall_6_0_6002 + jmp NtWaitForKeyedEvent_SystemCall_Unknown +NtWaitForKeyedEvent_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtWaitForKeyedEvent_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtWaitForKeyedEvent_SystemCall_6_1_7601 + jmp NtWaitForKeyedEvent_SystemCall_Unknown +NtWaitForKeyedEvent_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtWaitForKeyedEvent_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtWaitForKeyedEvent_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtWaitForKeyedEvent_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtWaitForKeyedEvent_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtWaitForKeyedEvent_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtWaitForKeyedEvent_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtWaitForKeyedEvent_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtWaitForKeyedEvent_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtWaitForKeyedEvent_SystemCall_10_0_18363 + jmp NtWaitForKeyedEvent_SystemCall_Unknown +NtWaitForKeyedEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0125h + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0189h + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0182h + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0182h + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 018ch + jmp 
NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 018ch + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 01a8h + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01adh + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01b5h + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01b8h + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01beh + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01c4h + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01c8h + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01cah + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01cbh + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01cch + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01cch + jmp NtWaitForKeyedEvent_Epilogue +NtWaitForKeyedEvent_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtWaitForKeyedEvent_Epilogue: + mov r10, rcx + syscall + ret +NtWaitForKeyedEvent ENDP + +NtWaitForMultipleObjects PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWaitForMultipleObjects_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtWaitForMultipleObjects_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtWaitForMultipleObjects_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtWaitForMultipleObjects_Check_10_0_XXXX + jmp NtWaitForMultipleObjects_SystemCall_Unknown +NtWaitForMultipleObjects_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtWaitForMultipleObjects_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtWaitForMultipleObjects_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitForMultipleObjects_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitForMultipleObjects_SystemCall_6_3_XXXX + jmp NtWaitForMultipleObjects_SystemCall_Unknown +NtWaitForMultipleObjects_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtWaitForMultipleObjects_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtWaitForMultipleObjects_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtWaitForMultipleObjects_SystemCall_6_0_6002 + jmp NtWaitForMultipleObjects_SystemCall_Unknown +NtWaitForMultipleObjects_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtWaitForMultipleObjects_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtWaitForMultipleObjects_SystemCall_6_1_7601 + jmp NtWaitForMultipleObjects_SystemCall_Unknown +NtWaitForMultipleObjects_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtWaitForMultipleObjects_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtWaitForMultipleObjects_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtWaitForMultipleObjects_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtWaitForMultipleObjects_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtWaitForMultipleObjects_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtWaitForMultipleObjects_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtWaitForMultipleObjects_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtWaitForMultipleObjects_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtWaitForMultipleObjects_SystemCall_10_0_18363 + jmp NtWaitForMultipleObjects_SystemCall_Unknown +NtWaitForMultipleObjects_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0058h + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0058h + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0058h + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0058h + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0058h + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0058h + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0059h + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 005ah + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 005bh + 
jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 005bh + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 005bh + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 005bh + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 005bh + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 005bh + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 005bh + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 005bh + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 005bh + jmp NtWaitForMultipleObjects_Epilogue +NtWaitForMultipleObjects_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtWaitForMultipleObjects_Epilogue: + mov r10, rcx + syscall + ret +NtWaitForMultipleObjects ENDP + +NtWaitForMultipleObjects32 PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWaitForMultipleObjects32_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtWaitForMultipleObjects32_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtWaitForMultipleObjects32_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtWaitForMultipleObjects32_Check_10_0_XXXX + jmp NtWaitForMultipleObjects32_SystemCall_Unknown +NtWaitForMultipleObjects32_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtWaitForMultipleObjects32_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtWaitForMultipleObjects32_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitForMultipleObjects32_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitForMultipleObjects32_SystemCall_6_3_XXXX + jmp NtWaitForMultipleObjects32_SystemCall_Unknown +NtWaitForMultipleObjects32_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtWaitForMultipleObjects32_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtWaitForMultipleObjects32_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtWaitForMultipleObjects32_SystemCall_6_0_6002 + jmp NtWaitForMultipleObjects32_SystemCall_Unknown +NtWaitForMultipleObjects32_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtWaitForMultipleObjects32_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtWaitForMultipleObjects32_SystemCall_6_1_7601 + jmp NtWaitForMultipleObjects32_SystemCall_Unknown +NtWaitForMultipleObjects32_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtWaitForMultipleObjects32_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtWaitForMultipleObjects32_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtWaitForMultipleObjects32_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtWaitForMultipleObjects32_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtWaitForMultipleObjects32_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtWaitForMultipleObjects32_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtWaitForMultipleObjects32_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtWaitForMultipleObjects32_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtWaitForMultipleObjects32_SystemCall_10_0_18363 + jmp NtWaitForMultipleObjects32_SystemCall_Unknown +NtWaitForMultipleObjects32_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0017h + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0017h + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0017h + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0017h + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0017h + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0017h + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0018h + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0019h + jmp NtWaitForMultipleObjects32_Epilogue 
+NtWaitForMultipleObjects32_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 001ah + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 001ah + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 001ah + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 001ah + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 001ah + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 001ah + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 001ah + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 001ah + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 001ah + jmp NtWaitForMultipleObjects32_Epilogue +NtWaitForMultipleObjects32_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtWaitForMultipleObjects32_Epilogue: + mov r10, rcx + syscall + ret +NtWaitForMultipleObjects32 ENDP + +NtWaitForSingleObject PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWaitForSingleObject_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtWaitForSingleObject_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtWaitForSingleObject_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtWaitForSingleObject_Check_10_0_XXXX + jmp NtWaitForSingleObject_SystemCall_Unknown +NtWaitForSingleObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtWaitForSingleObject_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtWaitForSingleObject_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitForSingleObject_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitForSingleObject_SystemCall_6_3_XXXX + jmp NtWaitForSingleObject_SystemCall_Unknown +NtWaitForSingleObject_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtWaitForSingleObject_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtWaitForSingleObject_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtWaitForSingleObject_SystemCall_6_0_6002 + jmp NtWaitForSingleObject_SystemCall_Unknown +NtWaitForSingleObject_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtWaitForSingleObject_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtWaitForSingleObject_SystemCall_6_1_7601 + jmp NtWaitForSingleObject_SystemCall_Unknown +NtWaitForSingleObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtWaitForSingleObject_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtWaitForSingleObject_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtWaitForSingleObject_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtWaitForSingleObject_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtWaitForSingleObject_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtWaitForSingleObject_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtWaitForSingleObject_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtWaitForSingleObject_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtWaitForSingleObject_SystemCall_10_0_18363 + jmp NtWaitForSingleObject_SystemCall_Unknown +NtWaitForSingleObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0001h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0001h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0001h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0001h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0001h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0001h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0002h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0003h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0004h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_10_0_10586: ; 
Windows 10.0.10586 (1511) + mov eax, 0004h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0004h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0004h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0004h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0004h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0004h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0004h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0004h + jmp NtWaitForSingleObject_Epilogue +NtWaitForSingleObject_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtWaitForSingleObject_Epilogue: + mov r10, rcx + syscall + ret +NtWaitForSingleObject ENDP + +NtWaitForWnfNotifications PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWaitForWnfNotifications_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtWaitForWnfNotifications_Check_6_X_XXXX + jmp NtWaitForWnfNotifications_SystemCall_Unknown +NtWaitForWnfNotifications_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 2 + je NtWaitForWnfNotifications_SystemCall_6_2_XXXX + jmp NtWaitForWnfNotifications_SystemCall_Unknown +NtWaitForWnfNotifications_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 01a9h + jmp NtWaitForWnfNotifications_Epilogue +NtWaitForWnfNotifications_SystemCall_Unknown: ; Unknown/unsupported version. 
+ ret +NtWaitForWnfNotifications_Epilogue: + mov r10, rcx + syscall + ret +NtWaitForWnfNotifications ENDP + +NtWaitForWorkViaWorkerFactory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWaitForWorkViaWorkerFactory_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 6 + je NtWaitForWorkViaWorkerFactory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtWaitForWorkViaWorkerFactory_Check_10_0_XXXX + jmp NtWaitForWorkViaWorkerFactory_SystemCall_Unknown +NtWaitForWorkViaWorkerFactory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtWaitForWorkViaWorkerFactory_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtWaitForWorkViaWorkerFactory_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitForWorkViaWorkerFactory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitForWorkViaWorkerFactory_SystemCall_6_3_XXXX + jmp NtWaitForWorkViaWorkerFactory_SystemCall_Unknown +NtWaitForWorkViaWorkerFactory_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtWaitForWorkViaWorkerFactory_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtWaitForWorkViaWorkerFactory_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtWaitForWorkViaWorkerFactory_SystemCall_6_0_6002 + jmp NtWaitForWorkViaWorkerFactory_SystemCall_Unknown +NtWaitForWorkViaWorkerFactory_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtWaitForWorkViaWorkerFactory_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtWaitForWorkViaWorkerFactory_SystemCall_6_1_7601 + jmp NtWaitForWorkViaWorkerFactory_SystemCall_Unknown +NtWaitForWorkViaWorkerFactory_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_18363 + jmp NtWaitForWorkViaWorkerFactory_SystemCall_Unknown +NtWaitForWorkViaWorkerFactory_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 018ah + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0183h + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0183h + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 018dh + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 018dh + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 01aah + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01aeh + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01b6h + jmp 
NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01b9h + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01bfh + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01c5h + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01c9h + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01cbh + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01cch + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01cdh + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01cdh + jmp NtWaitForWorkViaWorkerFactory_Epilogue +NtWaitForWorkViaWorkerFactory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtWaitForWorkViaWorkerFactory_Epilogue: + mov r10, rcx + syscall + ret +NtWaitForWorkViaWorkerFactory ENDP + +NtWaitHighEventPair PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWaitHighEventPair_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtWaitHighEventPair_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtWaitHighEventPair_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtWaitHighEventPair_Check_10_0_XXXX + jmp NtWaitHighEventPair_SystemCall_Unknown +NtWaitHighEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtWaitHighEventPair_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtWaitHighEventPair_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitHighEventPair_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitHighEventPair_SystemCall_6_3_XXXX + jmp NtWaitHighEventPair_SystemCall_Unknown +NtWaitHighEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtWaitHighEventPair_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtWaitHighEventPair_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtWaitHighEventPair_SystemCall_6_0_6002 + jmp NtWaitHighEventPair_SystemCall_Unknown +NtWaitHighEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtWaitHighEventPair_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtWaitHighEventPair_SystemCall_6_1_7601 + jmp NtWaitHighEventPair_SystemCall_Unknown +NtWaitHighEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtWaitHighEventPair_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtWaitHighEventPair_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtWaitHighEventPair_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtWaitHighEventPair_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtWaitHighEventPair_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtWaitHighEventPair_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtWaitHighEventPair_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtWaitHighEventPair_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtWaitHighEventPair_SystemCall_10_0_18363 + jmp NtWaitHighEventPair_SystemCall_Unknown +NtWaitHighEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0126h + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 018bh + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0184h + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0184h + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 018eh + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 018eh + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 01abh + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01afh + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01b7h + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01bah + jmp 
NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01c0h + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01c6h + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01cah + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01cch + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01cdh + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01ceh + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01ceh + jmp NtWaitHighEventPair_Epilogue +NtWaitHighEventPair_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtWaitHighEventPair_Epilogue: + mov r10, rcx + syscall + ret +NtWaitHighEventPair ENDP + +NtWaitLowEventPair PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWaitLowEventPair_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtWaitLowEventPair_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtWaitLowEventPair_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtWaitLowEventPair_Check_10_0_XXXX + jmp NtWaitLowEventPair_SystemCall_Unknown +NtWaitLowEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtWaitLowEventPair_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtWaitLowEventPair_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitLowEventPair_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWaitLowEventPair_SystemCall_6_3_XXXX + jmp NtWaitLowEventPair_SystemCall_Unknown +NtWaitLowEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtWaitLowEventPair_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtWaitLowEventPair_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtWaitLowEventPair_SystemCall_6_0_6002 + jmp NtWaitLowEventPair_SystemCall_Unknown +NtWaitLowEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtWaitLowEventPair_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtWaitLowEventPair_SystemCall_6_1_7601 + jmp NtWaitLowEventPair_SystemCall_Unknown +NtWaitLowEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtWaitLowEventPair_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtWaitLowEventPair_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtWaitLowEventPair_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtWaitLowEventPair_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtWaitLowEventPair_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtWaitLowEventPair_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtWaitLowEventPair_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtWaitLowEventPair_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtWaitLowEventPair_SystemCall_10_0_18363 + jmp NtWaitLowEventPair_SystemCall_Unknown +NtWaitLowEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0127h + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 018ch + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0185h + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0185h + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 018fh + jmp NtWaitLowEventPair_Epilogue 
+NtWaitLowEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 018fh + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 01ach + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 01b0h + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 01b8h + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 01bbh + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 01c1h + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 01c7h + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 01cbh + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 01cdh + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 01ceh + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 01cfh + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 01cfh + jmp NtWaitLowEventPair_Epilogue +NtWaitLowEventPair_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtWaitLowEventPair_Epilogue: + mov r10, rcx + syscall + ret +NtWaitLowEventPair ENDP + +NtWorkerFactoryWorkerReady PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWorkerFactoryWorkerReady_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 6 + je NtWorkerFactoryWorkerReady_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtWorkerFactoryWorkerReady_Check_10_0_XXXX + jmp NtWorkerFactoryWorkerReady_SystemCall_Unknown +NtWorkerFactoryWorkerReady_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtWorkerFactoryWorkerReady_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtWorkerFactoryWorkerReady_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWorkerFactoryWorkerReady_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWorkerFactoryWorkerReady_SystemCall_6_3_XXXX + jmp NtWorkerFactoryWorkerReady_SystemCall_Unknown +NtWorkerFactoryWorkerReady_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtWorkerFactoryWorkerReady_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtWorkerFactoryWorkerReady_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtWorkerFactoryWorkerReady_SystemCall_6_0_6002 + jmp NtWorkerFactoryWorkerReady_SystemCall_Unknown +NtWorkerFactoryWorkerReady_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtWorkerFactoryWorkerReady_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtWorkerFactoryWorkerReady_SystemCall_6_1_7601 + jmp NtWorkerFactoryWorkerReady_SystemCall_Unknown +NtWorkerFactoryWorkerReady_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtWorkerFactoryWorkerReady_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtWorkerFactoryWorkerReady_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtWorkerFactoryWorkerReady_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtWorkerFactoryWorkerReady_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtWorkerFactoryWorkerReady_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtWorkerFactoryWorkerReady_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtWorkerFactoryWorkerReady_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtWorkerFactoryWorkerReady_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtWorkerFactoryWorkerReady_SystemCall_10_0_18363 + jmp NtWorkerFactoryWorkerReady_SystemCall_Unknown +NtWorkerFactoryWorkerReady_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 018dh + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0186h + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0186h + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0190h + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0190h + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0000h + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0000h + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0001h + jmp NtWorkerFactoryWorkerReady_Epilogue 
+NtWorkerFactoryWorkerReady_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0001h + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0001h + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0001h + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0001h + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0001h + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0001h + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0001h + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0001h + jmp NtWorkerFactoryWorkerReady_Epilogue +NtWorkerFactoryWorkerReady_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtWorkerFactoryWorkerReady_Epilogue: + mov r10, rcx + syscall + ret +NtWorkerFactoryWorkerReady ENDP + +NtWriteFile PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWriteFile_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtWriteFile_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtWriteFile_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtWriteFile_Check_10_0_XXXX + jmp NtWriteFile_SystemCall_Unknown +NtWriteFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
+ cmp dword ptr [rax+11ch], 0 + je NtWriteFile_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtWriteFile_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWriteFile_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWriteFile_SystemCall_6_3_XXXX + jmp NtWriteFile_SystemCall_Unknown +NtWriteFile_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtWriteFile_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtWriteFile_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtWriteFile_SystemCall_6_0_6002 + jmp NtWriteFile_SystemCall_Unknown +NtWriteFile_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtWriteFile_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtWriteFile_SystemCall_6_1_7601 + jmp NtWriteFile_SystemCall_Unknown +NtWriteFile_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtWriteFile_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtWriteFile_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtWriteFile_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtWriteFile_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtWriteFile_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtWriteFile_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtWriteFile_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtWriteFile_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtWriteFile_SystemCall_10_0_18363 + jmp NtWriteFile_SystemCall_Unknown +NtWriteFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0005h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0005h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0005h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_6_0_6002: ; Windows Vista SP2 and 
Server 2008 SP2 + mov eax, 0005h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0005h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0005h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0006h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0007h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0008h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0008h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0008h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0008h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0008h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0008h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0008h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0008h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0008h + jmp NtWriteFile_Epilogue +NtWriteFile_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtWriteFile_Epilogue: + mov r10, rcx + syscall + ret +NtWriteFile ENDP + +NtWriteFileGather PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWriteFileGather_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtWriteFileGather_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtWriteFileGather_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtWriteFileGather_Check_10_0_XXXX + jmp NtWriteFileGather_SystemCall_Unknown +NtWriteFileGather_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtWriteFileGather_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtWriteFileGather_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWriteFileGather_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWriteFileGather_SystemCall_6_3_XXXX + jmp NtWriteFileGather_SystemCall_Unknown +NtWriteFileGather_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtWriteFileGather_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtWriteFileGather_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtWriteFileGather_SystemCall_6_0_6002 + jmp NtWriteFileGather_SystemCall_Unknown +NtWriteFileGather_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtWriteFileGather_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtWriteFileGather_SystemCall_6_1_7601 + jmp NtWriteFileGather_SystemCall_Unknown +NtWriteFileGather_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtWriteFileGather_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtWriteFileGather_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtWriteFileGather_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtWriteFileGather_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtWriteFileGather_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtWriteFileGather_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtWriteFileGather_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtWriteFileGather_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtWriteFileGather_SystemCall_10_0_18363 + jmp NtWriteFileGather_SystemCall_Unknown +NtWriteFileGather_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0018h + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0018h + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0018h + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0018h + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0018h + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0018h + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0019h + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 001ah + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 001bh + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 001bh + jmp NtWriteFileGather_Epilogue 
+NtWriteFileGather_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 001bh + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 001bh + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 001bh + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 001bh + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 001bh + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 001bh + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 001bh + jmp NtWriteFileGather_Epilogue +NtWriteFileGather_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtWriteFileGather_Epilogue: + mov r10, rcx + syscall + ret +NtWriteFileGather ENDP + +NtWriteRequestData PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWriteRequestData_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtWriteRequestData_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtWriteRequestData_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtWriteRequestData_Check_10_0_XXXX + jmp NtWriteRequestData_SystemCall_Unknown +NtWriteRequestData_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtWriteRequestData_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtWriteRequestData_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWriteRequestData_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWriteRequestData_SystemCall_6_3_XXXX + jmp NtWriteRequestData_SystemCall_Unknown +NtWriteRequestData_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtWriteRequestData_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtWriteRequestData_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtWriteRequestData_SystemCall_6_0_6002 + jmp NtWriteRequestData_SystemCall_Unknown +NtWriteRequestData_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtWriteRequestData_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtWriteRequestData_SystemCall_6_1_7601 + jmp NtWriteRequestData_SystemCall_Unknown +NtWriteRequestData_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtWriteRequestData_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtWriteRequestData_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtWriteRequestData_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtWriteRequestData_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtWriteRequestData_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtWriteRequestData_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtWriteRequestData_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtWriteRequestData_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtWriteRequestData_SystemCall_10_0_18363 + jmp NtWriteRequestData_SystemCall_Unknown +NtWriteRequestData_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0054h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0054h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0054h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0054h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0054h + jmp NtWriteRequestData_Epilogue 
+NtWriteRequestData_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0054h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0055h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0056h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0057h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0057h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0057h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0057h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0057h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0057h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0057h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0057h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0057h + jmp NtWriteRequestData_Epilogue +NtWriteRequestData_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtWriteRequestData_Epilogue: + mov r10, rcx + syscall + ret +NtWriteRequestData ENDP + +NtWriteVirtualMemory PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtWriteVirtualMemory_Check_X_X_XXXX: ; Check major version. 
+ cmp dword ptr [rax+118h], 5 + je NtWriteVirtualMemory_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtWriteVirtualMemory_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtWriteVirtualMemory_Check_10_0_XXXX + jmp NtWriteVirtualMemory_SystemCall_Unknown +NtWriteVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtWriteVirtualMemory_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtWriteVirtualMemory_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWriteVirtualMemory_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtWriteVirtualMemory_SystemCall_6_3_XXXX + jmp NtWriteVirtualMemory_SystemCall_Unknown +NtWriteVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. + cmp dword ptr [rax+120h], 6000 + je NtWriteVirtualMemory_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtWriteVirtualMemory_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtWriteVirtualMemory_SystemCall_6_0_6002 + jmp NtWriteVirtualMemory_SystemCall_Unknown +NtWriteVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtWriteVirtualMemory_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtWriteVirtualMemory_SystemCall_6_1_7601 + jmp NtWriteVirtualMemory_SystemCall_Unknown +NtWriteVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 
+ cmp dword ptr [rax+120h], 10240 + je NtWriteVirtualMemory_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtWriteVirtualMemory_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtWriteVirtualMemory_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtWriteVirtualMemory_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtWriteVirtualMemory_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtWriteVirtualMemory_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtWriteVirtualMemory_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtWriteVirtualMemory_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtWriteVirtualMemory_SystemCall_10_0_18363 + jmp NtWriteVirtualMemory_SystemCall_Unknown +NtWriteVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0037h + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0037h + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0037h + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0037h + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0037h + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 + mov eax, 0037h + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0038h + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0039h + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 003ah + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + 
mov eax, 003ah + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 003ah + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 003ah + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 003ah + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 003ah + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 003ah + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 003ah + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 003ah + jmp NtWriteVirtualMemory_Epilogue +NtWriteVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtWriteVirtualMemory_Epilogue: + mov r10, rcx + syscall + ret +NtWriteVirtualMemory ENDP + +NtYieldExecution PROC + mov rax, gs:[60h] ; Load PEB into RAX. +NtYieldExecution_Check_X_X_XXXX: ; Check major version. + cmp dword ptr [rax+118h], 5 + je NtYieldExecution_SystemCall_5_X_XXXX + cmp dword ptr [rax+118h], 6 + je NtYieldExecution_Check_6_X_XXXX + cmp dword ptr [rax+118h], 10 + je NtYieldExecution_Check_10_0_XXXX + jmp NtYieldExecution_SystemCall_Unknown +NtYieldExecution_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. + cmp dword ptr [rax+11ch], 0 + je NtYieldExecution_Check_6_0_XXXX + cmp dword ptr [rax+11ch], 1 + je NtYieldExecution_Check_6_1_XXXX + cmp dword ptr [rax+11ch], 2 + je NtYieldExecution_SystemCall_6_2_XXXX + cmp dword ptr [rax+11ch], 2 + je NtYieldExecution_SystemCall_6_3_XXXX + jmp NtYieldExecution_SystemCall_Unknown +NtYieldExecution_Check_6_0_XXXX: ; Check build number for Windows Vista. 
+ cmp dword ptr [rax+120h], 6000 + je NtYieldExecution_SystemCall_6_0_6000 + cmp dword ptr [rax+120h], 6001 + je NtYieldExecution_SystemCall_6_0_6001 + cmp dword ptr [rax+120h], 6002 + je NtYieldExecution_SystemCall_6_0_6002 + jmp NtYieldExecution_SystemCall_Unknown +NtYieldExecution_Check_6_1_XXXX: ; Check build number for Windows 7. + cmp dword ptr [rax+120h], 7600 + je NtYieldExecution_SystemCall_6_1_7600 + cmp dword ptr [rax+120h], 7601 + je NtYieldExecution_SystemCall_6_1_7601 + jmp NtYieldExecution_SystemCall_Unknown +NtYieldExecution_Check_10_0_XXXX: ; Check build number for Windows 10. + cmp dword ptr [rax+120h], 10240 + je NtYieldExecution_SystemCall_10_0_10240 + cmp dword ptr [rax+120h], 10586 + je NtYieldExecution_SystemCall_10_0_10586 + cmp dword ptr [rax+120h], 14393 + je NtYieldExecution_SystemCall_10_0_14393 + cmp dword ptr [rax+120h], 15063 + je NtYieldExecution_SystemCall_10_0_15063 + cmp dword ptr [rax+120h], 16299 + je NtYieldExecution_SystemCall_10_0_16299 + cmp dword ptr [rax+120h], 17134 + je NtYieldExecution_SystemCall_10_0_17134 + cmp dword ptr [rax+120h], 17763 + je NtYieldExecution_SystemCall_10_0_17763 + cmp dword ptr [rax+120h], 18362 + je NtYieldExecution_SystemCall_10_0_18362 + cmp dword ptr [rax+120h], 18363 + je NtYieldExecution_SystemCall_10_0_18363 + jmp NtYieldExecution_SystemCall_Unknown +NtYieldExecution_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 + mov eax, 0043h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_6_0_6000: ; Windows Vista SP0 + mov eax, 0043h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 + mov eax, 0043h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 + mov eax, 0043h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_6_1_7600: ; Windows 7 SP0 + mov eax, 0043h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 
2008 R2 SP0 + mov eax, 0043h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 + mov eax, 0044h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 + mov eax, 0045h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) + mov eax, 0046h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) + mov eax, 0046h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) + mov eax, 0046h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) + mov eax, 0046h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) + mov eax, 0046h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) + mov eax, 0046h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) + mov eax, 0046h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) + mov eax, 0046h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) + mov eax, 0046h + jmp NtYieldExecution_Epilogue +NtYieldExecution_SystemCall_Unknown: ; Unknown/unsupported version. + ret +NtYieldExecution_Epilogue: + mov r10, rcx + syscall + ret +NtYieldExecution ENDP + +end \ No newline at end of file diff --git a/output/syscalls.h b/output/syscalls.h new file mode 100644 index 0000000..aa90566 --- /dev/null +++ b/output/syscalls.h 
@@ -0,0 +1,3992 @@ +#pragma once + +#include + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE +{ + PVOID pValue; + ULONG ValueLength; +} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE +{ + ULONG64 Version; + UNICODE_STRING Name; +} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE; + +typedef struct _WNF_TYPE_ID +{ + GUID TypeId; +} WNF_TYPE_ID, *PWNF_TYPE_ID; + +typedef struct _WNF_STATE_NAME +{ + ULONG Data[2]; +} WNF_STATE_NAME, *PWNF_STATE_NAME; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1 +{ + UNICODE_STRING Name; + USHORT ValueType; + USHORT Reserved; + ULONG Flags; + ULONG ValueCount; + union + { + PLONG64 pInt64; + PULONG64 pUint64; + PUNICODE_STRING pString; + PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn; + PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString; + } Values; +} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1; + +typedef enum _PNP_VETO_TYPE +{ + PNP_VetoTypeUnknown, // unspecified + PNP_VetoLegacyDevice, // instance path + PNP_VetoPendingClose, // instance path + PNP_VetoWindowsApp, // module + PNP_VetoWindowsService, // service + PNP_VetoOutstandingOpen, // instance path + PNP_VetoDevice, // instance path + PNP_VetoDriver, // driver service name + PNP_VetoIllegalDeviceRequest, // instance path + PNP_VetoInsufficientPower, // unspecified + PNP_VetoNonDisableable, // instance path + PNP_VetoLegacyDriver, // service + PNP_VetoInsufficientRights // unspecified +} PNP_VETO_TYPE, *PPNP_VETO_TYPE; + +typedef enum _PLUGPLAY_EVENT_CATEGORY +{ + HardwareProfileChangeEvent, + TargetDeviceChangeEvent, + DeviceClassChangeEvent, + CustomDeviceEvent, + DeviceInstallEvent, + DeviceArrivalEvent, + PowerEvent, + VetoEvent, + BlockedDriverEvent, + InvalidIDEvent, + MaxPlugEventCategory +} PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; + +typedef VOID(KNORMAL_ROUTINE) ( + IN PVOID NormalContext, + IN 
PVOID SystemArgument1, + IN PVOID SystemArgument2); + +typedef enum _PS_CREATE_STATE +{ + PsCreateInitialState, + PsCreateFailOnFileOpen, + PsCreateFailOnSectionCreate, + PsCreateFailExeFormat, + PsCreateFailMachineMismatch, + PsCreateFailExeName, + PsCreateSuccess, + PsCreateMaximumStates +} PS_CREATE_STATE, *PPS_CREATE_STATE; + +typedef struct _WNF_TYPE_ID +{ + GUID TypeId; +} WNF_TYPE_ID, *PWNF_TYPE_ID; + +typedef struct _WNF_STATE_NAME +{ + ULONG Data[2]; +} WNF_STATE_NAME, *PWNF_STATE_NAME; + +typedef struct _CLIENT_ID +{ + void* UniqueProcess; + void* UniqueThread; +} CLIENT_ID, *PCLIENT_ID; + +typedef struct _PS_ATTRIBUTE +{ + ULONG Attribute; + SIZE_T Size; + union + { + ULONG Value; + PVOID ValuePtr; + } u1; + PSIZE_T ReturnLength; +} PS_ATTRIBUTE, *PPS_ATTRIBUTE; + +#ifndef InitializeObjectAttributes +#define InitializeObjectAttributes( p, n, a, r, s ) { \ + (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ + (p)->RootDirectory = r; \ + (p)->Attributes = a; \ + (p)->ObjectName = n; \ + (p)->SecurityDescriptor = s; \ + (p)->SecurityQualityOfService = NULL; \ +} +#endif + +typedef enum _SECTION_INHERIT +{ + ViewShare = 1, + ViewUnmap = 2 +} SECTION_INHERIT, *PSECTION_INHERIT; + +typedef enum _KPROFILE_SOURCE +{ + ProfileTime = 0, + ProfileAlignmentFixup = 1, + ProfileTotalIssues = 2, + ProfilePipelineDry = 3, + ProfileLoadInstructions = 4, + ProfilePipelineFrozen = 5, + ProfileBranchInstructions = 6, + ProfileTotalNonissues = 7, + ProfileDcacheMisses = 8, + ProfileIcacheMisses = 9, + ProfileCacheMisses = 10, + ProfileBranchMispredictions = 11, + ProfileStoreInstructions = 12, + ProfileFpInstructions = 13, + ProfileIntegerInstructions = 14, + Profile2Issue = 15, + Profile3Issue = 16, + Profile4Issue = 17, + ProfileSpecialInstructions = 18, + ProfileTotalCycles = 19, + ProfileIcacheIssues = 20, + ProfileDcacheAccesses = 21, + ProfileMemoryBarrierCycles = 22, + ProfileLoadLinkedIssues = 23, + ProfileMaximum = 24, +} KPROFILE_SOURCE, *PKPROFILE_SOURCE; + +typedef 
struct _OBJECT_ATTRIBUTES +{ + ULONG Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; + PVOID SecurityQualityOfService; +} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; + +typedef struct _PS_ATTRIBUTE_LIST +{ + SIZE_T TotalLength; + PS_ATTRIBUTE Attributes[1]; +} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST; + +typedef VOID(NTAPI* PIO_APC_ROUTINE) ( + IN PVOID ApcContext, + IN PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG Reserved); + +typedef struct _IO_STATUS_BLOCK +{ + union + { + NTSTATUS Status; + VOID* Pointer; + }; + ULONG_PTR Information; +} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; + +typedef struct _UNICODE_STRING +{ + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING, *PUNICODE_STRING; + +typedef struct _PORT_MESSAGE +{ + union + { + union + { + struct + { + short DataLength; + short TotalLength; + } s1; + unsigned long Length; + }; + } u1; + union + { + union + { + struct + { + short Type; + short DataInfoOffset; + } s2; + unsigned long ZeroInit; + }; + } u2; + union + { + CLIENT_ID ClientId; + double DoNotUseThisField; + }; + unsigned long MessageId; + union + { + unsigned __int64 ClientViewSize; + struct + { + unsigned long CallbackId; + long __PADDING__[1]; + }; + }; +} PORT_MESSAGE, *PPORT_MESSAGE; + +typedef struct _ALPC_MESSAGE_ATTRIBUTES +{ + unsigned long AllocatedAttributes; + unsigned long ValidAttributes; +} ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES; + +typedef struct _ALPC_DATA_VIEW_ATTR +{ + ULONG Flags; + HANDLE SectionHandle; + PVOID ViewBase; + SIZE_T ViewSize; +} ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR; + +typedef enum _SYSTEM_INFORMATION_CLASS +{ + SystemBasicInformation = 0, + SystemPerformanceInformation = 2, + SystemTimeOfDayInformation = 3, + SystemProcessInformation = 5, + SystemProcessorPerformanceInformation = 8, + SystemInterruptInformation = 23, + SystemExceptionInformation = 33, + SystemRegistryQuotaInformation = 37, + SystemLookasideInformation = 45, 
+ SystemCodeIntegrityInformation = 103, + SystemPolicyInformation = 134, +} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; + +typedef enum _DEBUGOBJECTINFOCLASS +{ + DebugObjectFlags = 1, + MaxDebugObjectInfoClass +} DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; + +typedef enum _PORT_INFORMATION_CLASS +{ + PortBasicInformation, +#if DEVL + PortDumpInformation +#endif +} PORT_INFORMATION_CLASS, *PPORT_INFORMATION_CLASS; + +typedef struct _EFI_DRIVER_ENTRY +{ + ULONG Version; + ULONG Length; + ULONG Id; + ULONG Attributes; + ULONG FriendlyNameOffset; + ULONG DriverFilePathOffset; +} EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY; + +typedef enum _ALPC_PORT_INFORMATION_CLASS +{ + AlpcBasicInformation, + AlpcPortInformation, + AlpcAssociateCompletionPortInformation, + AlpcConnectedSIDInformation, + AlpcServerInformation, + AlpcMessageZoneInformation, + AlpcRegisterCompletionListInformation, + AlpcUnregisterCompletionListInformation, + AlpcAdjustCompletionListConcurrencyCountInformation, + AlpcRegisterCallbackInformation, + AlpcCompletionListRundownInformation +} ALPC_PORT_INFORMATION_CLASS, *PALPC_PORT_INFORMATION_CLASS; + +typedef struct _CLIENT_ID +{ + void* UniqueProcess; + void* UniqueThread; +} CLIENT_ID, *PCLIENT_ID; + +typedef struct _FILE_USER_QUOTA_INFORMATION +{ + ULONG NextEntryOffset; + ULONG SidLength; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER QuotaUsed; + LARGE_INTEGER QuotaThreshold; + LARGE_INTEGER QuotaLimit; + SID Sid[1]; +} FILE_USER_QUOTA_INFORMATION, *PFILE_USER_QUOTA_INFORMATION; + +typedef struct _FILE_QUOTA_LIST_INFORMATION +{ + ULONG NextEntryOffset; + ULONG SidLength; + SID Sid[1]; +} FILE_QUOTA_LIST_INFORMATION, *PFILE_QUOTA_LIST_INFORMATION; + +typedef enum _KEY_VALUE_INFORMATION_CLASS { + KeyValueBasicInformation = 0, + KeyValueFullInformation, + KeyValuePartialInformation, + KeyValueFullInformationAlign64, + KeyValuePartialInformationAlign64, + MaxKeyValueInfoClass +} KEY_VALUE_INFORMATION_CLASS; + +typedef const WNF_STATE_NAME 
*PCWNF_STATE_NAME; + +typedef const WNF_TYPE_ID *PCWNF_TYPE_ID; + +typedef ULONG WNF_CHANGE_STAMP, *PWNF_CHANGE_STAMP; + +typedef struct _MEM_EXTENDED_PARAMETER +{ + struct { + ULONG64 Type; + ULONG64 Reserved; + } DUMMYSTRUCTNAME; + union { + ULONG64 ULong64; + PVOID Pointer; + SIZE_T Size; + HANDLE Handle; + ULONG ULong; + } DUMMYUNIONNAME; +} MEM_EXTENDED_PARAMETER, *PMEM_EXTENDED_PARAMETER; + +typedef enum _IO_COMPLETION_INFORMATION_CLASS +{ + IoCompletionBasicInformation +} IO_COMPLETION_INFORMATION_CLASS, *PIO_COMPLETION_INFORMATION_CLASS; + +typedef enum _PLUGPLAY_CONTROL_CLASS +{ + PlugPlayControlEnumerateDevice, + PlugPlayControlRegisterNewDevice, + PlugPlayControlDeregisterDevice, + PlugPlayControlInitializeDevice, + PlugPlayControlStartDevice, + PlugPlayControlUnlockDevice, + PlugPlayControlQueryAndRemoveDevice, + PlugPlayControlUserResponse, + PlugPlayControlGenerateLegacyDevice, + PlugPlayControlGetInterfaceDeviceList, + PlugPlayControlProperty, + PlugPlayControlDeviceClassAssociation, + PlugPlayControlGetRelatedDevice, + PlugPlayControlGetInterfaceDeviceAlias, + PlugPlayControlDeviceStatus, + PlugPlayControlGetDeviceDepth, + PlugPlayControlQueryDeviceRelations, + PlugPlayControlTargetDeviceRelation, + PlugPlayControlQueryConflictList, + PlugPlayControlRetrieveDock, + PlugPlayControlResetDevice, + PlugPlayControlHaltDevice, + PlugPlayControlGetBlockedDriverList, + MaxPlugPlayControl +} PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; + +typedef enum _ATOM_INFORMATION_CLASS +{ + AtomBasicInformation, + AtomTableInformation +} ATOM_INFORMATION_CLASS, *PATOM_INFORMATION_CLASS; + +typedef enum _KEY_INFORMATION_CLASS +{ + KeyBasicInformation = 0, + KeyNodeInformation = 1, + KeyFullInformation = 2, + KeyNameInformation = 3, + KeyCachedInformation = 4, + KeyFlagsInformation = 5, + KeyVirtualizationInformation = 6, + KeyHandleTagsInformation = 7, + MaxKeyInfoClass = 8 +} KEY_INFORMATION_CLASS, *PKEY_INFORMATION_CLASS; + +typedef enum _WAIT_TYPE +{ + WaitAll = 
0, + WaitAny = 1 +} WAIT_TYPE, *PWAIT_TYPE; + +typedef struct _FILE_FULL_EA_INFORMATION +{ + ULONG NextEntryOffset; + UCHAR Flags; + UCHAR EaNameLength; + USHORT EaValueLength; + CHAR EaName[1]; +} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; + +typedef struct _FILE_GET_EA_INFORMATION +{ + ULONG NextEntryOffset; + BYTE EaNameLength; + CHAR EaName[1]; +} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; + +typedef enum _FSINFOCLASS +{ + FileFsVolumeInformation = 1, + FileFsLabelInformation = 2, + FileFsSizeInformation = 3, + FileFsDeviceInformation = 4, + FileFsAttributeInformation = 5, + FileFsControlInformation = 6, + FileFsFullSizeInformation = 7, + FileFsObjectIdInformation = 8, + FileFsDriverPathInformation = 9, + FileFsVolumeFlagsInformation = 10, + FileFsSectorSizeInformation = 11, + FileFsDataCopyInformation = 12, + FileFsMetadataSizeInformation = 13, + FileFsFullSizeInformationEx = 14, + FileFsMaximumInformation = 15, +} FSINFOCLASS, *PFSINFOCLASS; + +typedef enum _IO_SESSION_EVENT +{ + IoSessionEventIgnore, + IoSessionEventCreated, + IoSessionEventTerminated, + IoSessionEventConnected, + IoSessionEventDisconnected, + IoSessionEventLogon, + IoSessionEventLogoff, + IoSessionEventMax +} IO_SESSION_EVENT, *PIO_SESSION_EVENT; + +typedef enum _IO_SESSION_STATE +{ + IoSessionStateCreated = 1, + IoSessionStateInitialized = 2, + IoSessionStateConnected = 3, + IoSessionStateDisconnected = 4, + IoSessionStateDisconnectedLoggedOn = 5, + IoSessionStateLoggedOn = 6, + IoSessionStateLoggedOff = 7, + IoSessionStateTerminated = 8, + IoSessionStateMax = 9, +} IO_SESSION_STATE, *PIO_SESSION_STATE; + +typedef struct _PS_CREATE_INFO +{ + SIZE_T Size; + PS_CREATE_STATE State; + union + { + // PsCreateInitialState + struct { + union { + ULONG InitFlags; + struct { + UCHAR WriteOutputOnExit : 1; + UCHAR DetectManifest : 1; + UCHAR IFEOSkipDebugger : 1; + UCHAR IFEODoNotPropagateKeyState : 1; + UCHAR SpareBits1 : 4; + UCHAR SpareBits2 : 8; + USHORT 
ProhibitedImageCharacteristics : 16; + }; + }; + ACCESS_MASK AdditionalFileAccess; + } InitState; + // PsCreateFailOnSectionCreate + struct { + HANDLE FileHandle; + } FailSection; + // PsCreateFailExeFormat + struct { + USHORT DllCharacteristics; + } ExeFormat; + // PsCreateFailExeName + struct { + HANDLE IFEOKey; + } ExeName; + // PsCreateSuccess + struct { + union { + ULONG OutputFlags; + struct { + UCHAR ProtectedProcess : 1; + UCHAR AddressSpaceOverride : 1; + UCHAR DevOverrideEnabled : 1; // from Image File Execution Options + UCHAR ManifestDetected : 1; + UCHAR ProtectedProcessLight : 1; + UCHAR SpareBits1 : 3; + UCHAR SpareBits2 : 8; + USHORT SpareBits3 : 16; + }; + }; + HANDLE FileHandle; + HANDLE SectionHandle; + ULONGLONG UserProcessParametersNative; + ULONG UserProcessParametersWow64; + ULONG CurrentParameterFlags; + ULONGLONG PebAddressNative; + ULONG PebAddressWow64; + ULONGLONG ManifestAddress; + ULONG ManifestSize; + } SuccessState; + }; +} PS_CREATE_INFO, *PPS_CREATE_INFO; + +typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS +{ + VmPrefetchInformation, + VmPagePriorityInformation, + VmCfgCallTargetInformation +} VIRTUAL_MEMORY_INFORMATION_CLASS, *PVIRTUAL_MEMORY_INFORMATION_CLASS; + +typedef struct _MEMORY_RANGE_ENTRY +{ + PVOID VirtualAddress; + SIZE_T NumberOfBytes; +} MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY; + +typedef enum _THREADINFOCLASS +{ + ThreadBasicInformation, + ThreadTimes, + ThreadPriority, + ThreadBasePriority, + ThreadAffinityMask, + ThreadImpersonationToken, + ThreadDescriptorTableEntry, + ThreadEnableAlignmentFaultFixup, + ThreadEventPair_Reusable, + ThreadQuerySetWin32StartAddress, + ThreadZeroTlsCell, + ThreadPerformanceCount, + ThreadAmILastThread, + ThreadIdealProcessor, + ThreadPriorityBoost, + ThreadSetTlsArrayAddress, + ThreadIsIoPending, + ThreadHideFromDebugger, + ThreadBreakOnTermination, + MaxThreadInfoClass +} THREADINFOCLASS, *PTHREADINFOCLASS; + +typedef enum _PROCESSINFOCLASS +{ + ProcessBasicInformation = 0, + 
ProcessDebugPort = 7, + ProcessWow64Information = 26, + ProcessImageFileName = 27, + ProcessBreakOnTermination = 29 +} PROCESSINFOCLASS, *PPROCESSINFOCLASS; + +typedef enum _SEMAPHORE_INFORMATION_CLASS +{ + SemaphoreBasicInformation +} SEMAPHORE_INFORMATION_CLASS, *PSEMAPHORE_INFORMATION_CLASS; + +typedef PVOID* PPVOID; + +typedef enum _FILE_INFORMATION_CLASS +{ + FileDirectoryInformation = 1, + FileFullDirectoryInformation = 2, + FileBothDirectoryInformation = 3, + FileBasicInformation = 4, + FileStandardInformation = 5, + FileInternalInformation = 6, + FileEaInformation = 7, + FileAccessInformation = 8, + FileNameInformation = 9, + FileRenameInformation = 10, + FileLinkInformation = 11, + FileNamesInformation = 12, + FileDispositionInformation = 13, + FilePositionInformation = 14, + FileFullEaInformation = 15, + FileModeInformation = 16, + FileAlignmentInformation = 17, + FileAllInformation = 18, + FileAllocationInformation = 19, + FileEndOfFileInformation = 20, + FileAlternateNameInformation = 21, + FileStreamInformation = 22, + FilePipeInformation = 23, + FilePipeLocalInformation = 24, + FilePipeRemoteInformation = 25, + FileMailslotQueryInformation = 26, + FileMailslotSetInformation = 27, + FileCompressionInformation = 28, + FileObjectIdInformation = 29, + FileCompletionInformation = 30, + FileMoveClusterInformation = 31, + FileQuotaInformation = 32, + FileReparsePointInformation = 33, + FileNetworkOpenInformation = 34, + FileAttributeTagInformation = 35, + FileTrackingInformation = 36, + FileIdBothDirectoryInformation = 37, + FileIdFullDirectoryInformation = 38, + FileValidDataLengthInformation = 39, + FileShortNameInformation = 40, + FileIoCompletionNotificationInformation = 41, + FileIoStatusBlockRangeInformation = 42, + FileIoPriorityHintInformation = 43, + FileSfioReserveInformation = 44, + FileSfioVolumeInformation = 45, + FileHardLinkInformation = 46, + FileProcessIdsUsingFileInformation = 47, + FileNormalizedNameInformation = 48, + 
FileNetworkPhysicalNameInformation = 49, + FileIdGlobalTxDirectoryInformation = 50, + FileIsRemoteDeviceInformation = 51, + FileUnusedInformation = 52, + FileNumaNodeInformation = 53, + FileStandardLinkInformation = 54, + FileRemoteProtocolInformation = 55, + FileRenameInformationBypassAccessCheck = 56, + FileLinkInformationBypassAccessCheck = 57, + FileVolumeNameInformation = 58, + FileIdInformation = 59, + FileIdExtdDirectoryInformation = 60, + FileReplaceCompletionInformation = 61, + FileHardLinkFullIdInformation = 62, + FileIdExtdBothDirectoryInformation = 63, + FileDispositionInformationEx = 64, + FileRenameInformationEx = 65, + FileRenameInformationExBypassAccessCheck = 66, + FileMaximumInformation = 67, +} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; + +typedef struct _USER_STACK +{ + PVOID FixedStackBase; + PVOID FixedStackLimit; + PVOID ExpandableStackBase; + PVOID ExpandableStackLimit; + PVOID ExpandableStackBottom; +} USER_STACK, *PUSER_STACK; + +typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE; + +typedef LANGID* PLANGID; + +typedef VOID(CALLBACK* PTIMER_APC_ROUTINE)( + IN PVOID TimerContext, + IN ULONG TimerLowValue, + IN LONG TimerHighValue); + +typedef struct _PLUGPLAY_EVENT_BLOCK +{ + GUID EventGuid; + PLUGPLAY_EVENT_CATEGORY EventCategory; + PULONG Result; + ULONG Flags; + ULONG TotalSize; + PVOID DeviceObject; + + union + { + struct + { + GUID ClassGuid; + WCHAR SymbolicLinkName[1]; + } DeviceClass; + struct + { + WCHAR DeviceIds[1]; + } TargetDevice; + struct + { + WCHAR DeviceId[1]; + } InstallDevice; + struct + { + PVOID NotificationStructure; + WCHAR DeviceIds[1]; + } CustomNotification; + struct + { + PVOID Notification; + } ProfileNotification; + struct + { + ULONG NotificationCode; + ULONG NotificationData; + } PowerNotification; + struct + { + PNP_VETO_TYPE VetoType; + WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName + } VetoNotification; + struct + { + GUID BlockedDriverGuid; + } BlockedDriverNotification; + struct + { + WCHAR 
ParentId[1]; + } InvalidIDNotification; + } u; +} PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; + +typedef enum _MEMORY_INFORMATION_CLASS +{ + MemoryBasicInformation, + MemoryWorkingSetInformation, + MemoryMappedFilenameInformation, + MemoryRegionInformation, + MemoryWorkingSetExInformation, + MemorySharedCommitInformation, + MemoryImageInformation, + MemoryRegionInformationEx, + MemoryPrivilegedBasicInformation, + MemoryEnclaveImageInformation, + MemoryBasicInformationCapped +} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS; + +typedef enum _OBJECT_INFORMATION_CLASS +{ + ObjectBasicInformation, + ObjectNameInformation, + ObjectTypeInformation, + ObjectAllTypesInformation, + ObjectHandleInformation +} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS; + +typedef enum _KEY_SET_INFORMATION_CLASS +{ + KeyWriteTimeInformation, + KeyWow64FlagsInformation, + KeyControlFlagsInformation, + KeySetVirtualizationInformation, + KeySetDebugInformation, + KeySetHandleTagsInformation, + MaxKeySetInfoClass // MaxKeySetInfoClass should always be the last enum. 
+} KEY_SET_INFORMATION_CLASS, *PKEY_SET_INFORMATION_CLASS; + +typedef struct _FILE_NETWORK_OPEN_INFORMATION +{ + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG FileAttributes; + ULONG Unknown; +} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; + +typedef enum _APPHELPCACHESERVICECLASS +{ + ApphelpCacheServiceLookup = 0, + ApphelpCacheServiceRemove = 1, + ApphelpCacheServiceUpdate = 2, + ApphelpCacheServiceFlush = 3, + ApphelpCacheServiceDump = 4, + ApphelpDBGReadRegistry = 0x100, + ApphelpDBGWriteRegistry = 0x101, +} APPHELPCACHESERVICECLASS, *PAPPHELPCACHESERVICECLASS; + +typedef enum _MEMORY_RESERVE_TYPE +{ + MemoryReserveUserApc, + MemoryReserveIoCompletion, + MemoryReserveTypeMax +} MEMORY_RESERVE_TYPE, *PMEMORY_RESERVE_TYPE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION +{ + USHORT Version; + USHORT Reserved; + ULONG AttributeCount; + union + { + PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1; + } Attribute; +} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; + +typedef ULONG WNF_CHANGE_STAMP, *PWNF_CHANGE_STAMP; + +typedef USHORT RTL_ATOM, *PRTL_ATOM; + +typedef struct _ALPC_CONTEXT_ATTR +{ + PVOID PortContext; + PVOID MessageContext; + ULONG SequenceNumber; + ULONG MessageID; + ULONG CallbackID; +} ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR; + +typedef enum _SECTION_INFORMATION_CLASS +{ + SectionBasicInformation, + SectionImageInformation, +} SECTION_INFORMATION_CLASS, *PSECTION_INFORMATION_CLASS; + +typedef struct _KEY_VALUE_ENTRY +{ + PUNICODE_STRING ValueName; + ULONG DataLength; + ULONG DataOffset; + ULONG Type; +} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; + +typedef struct _BOOT_OPTIONS +{ + ULONG Version; + ULONG Length; + ULONG Timeout; + ULONG CurrentBootEntryId; + ULONG NextBootEntryId; + WCHAR HeadlessRedirection[1]; +} BOOT_OPTIONS, *PBOOT_OPTIONS; + +typedef struct 
_ALPC_PORT_ATTRIBUTES +{ + ULONG Flags; + SECURITY_QUALITY_OF_SERVICE SecurityQos; + SIZE_T MaxMessageLength; + SIZE_T MemoryBandwidth; + SIZE_T MaxPoolUsage; + SIZE_T MaxSectionSize; + SIZE_T MaxViewSize; + SIZE_T MaxTotalSectionSize; + ULONG DupObjectTypes; +#ifdef _WIN64 + ULONG Reserved; +#endif +} ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES; + +typedef enum _SHUTDOWN_ACTION { + ShutdownNoReboot, + ShutdownReboot, + ShutdownPowerOff +} SHUTDOWN_ACTION; + +typedef struct _ALPC_SECURITY_ATTR +{ + ULONG Flags; + PSECURITY_QUALITY_OF_SERVICE SecurityQos; + HANDLE ContextHandle; + ULONG Reserved1; + ULONG Reserved2; +} ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR; + +typedef struct FILE_BASIC_INFORMATION +{ + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + ULONG FileAttributes; +} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; + +typedef struct _PORT_SECTION_WRITE +{ + ULONG Length; + HANDLE SectionHandle; + ULONG SectionOffset; + ULONG ViewSize; + PVOID ViewBase; + PVOID TargetViewBase; +} PORT_SECTION_WRITE, *PPORT_SECTION_WRITE; + +typedef struct _PORT_SECTION_READ +{ + ULONG Length; + ULONG ViewSize; + ULONG ViewBase; +} PORT_SECTION_READ, *PPORT_SECTION_READ; + +typedef struct _BOOT_ENTRY +{ + ULONG Version; + ULONG Length; + ULONG Id; + ULONG Attributes; + ULONG FriendlyNameOffset; + ULONG BootFilePathOffset; + ULONG OsOptionsLength; + UCHAR OsOptions[ANYSIZE_ARRAY]; +} BOOT_ENTRY, *PBOOT_ENTRY; + +typedef struct _T2_SET_PARAMETERS_V0 +{ + ULONG Version; + ULONG Reserved; + LONGLONG NoWakeTolerance; +} T2_SET_PARAMETERS, *PT2_SET_PARAMETERS; + +typedef enum _WORKERFACTORYINFOCLASS +{ + WorkerFactoryTimeout, + WorkerFactoryRetryTimeout, + WorkerFactoryIdleTimeout, + WorkerFactoryBindingCount, + WorkerFactoryThreadMinimum, + WorkerFactoryThreadMaximum, + WorkerFactoryPaused, + WorkerFactoryBasicInformation, + WorkerFactoryAdjustThreadGoal, + WorkerFactoryCallbackType, + 
WorkerFactoryStackInformation, + MaxWorkerFactoryInfoClass +} WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS; + +typedef enum _DEBUG_CONTROL_CODE +{ + SysDbgQueryModuleInformation = 0, + SysDbgQueryTraceInformation = 1, + SysDbgSetTracePoint = 2, + SysDbgSetSpecialCall = 3, + SysDbgClearSpecialCalls = 4, + SysDbgQuerySpecialCalls = 5, + SysDbgBreakPoint = 6, + SysDbgQueryVersion = 7, + SysDbgReadVirtual = 8, + SysDbgWriteVirtual = 9, + SysDbgReadPhysical = 10, + SysDbgWritePhysical = 11, + SysDbgReadControlSpace = 12, + SysDbgWriteControlSpace = 13, + SysDbgReadIoSpace = 14, + SysDbgWriteIoSpace = 15, + SysDbgReadMsr = 16, + SysDbgWriteMsr = 17, + SysDbgReadBusData = 18, + SysDbgWriteBusData = 19, + SysDbgCheckLowMemory = 20, + SysDbgEnableKernelDebugger = 21, + SysDbgDisableKernelDebugger = 22, + SysDbgGetAutoKdEnable = 23, + SysDbgSetAutoKdEnable = 24, + SysDbgGetPrintBufferSize = 25, + SysDbgSetPrintBufferSize = 26, + SysDbgGetKdUmExceptionEnable = 27, + SysDbgSetKdUmExceptionEnable = 28, + SysDbgGetTriageDump = 29, + SysDbgGetKdBlockEnable = 30, + SysDbgSetKdBlockEnable = 31 +} DEBUG_CONTROL_CODE, *PDEBUG_CONTROL_CODE; + +typedef enum _WNF_STATE_NAME_LIFETIME +{ + WnfWellKnownStateName = 0, + WnfPermanentStateName = 1, + WnfPersistentStateName = 2, + WnfTemporaryStateName = 3 +} WNF_STATE_NAME_LIFETIME, *PWNF_STATE_NAME_LIFETIME; + +typedef enum _WNF_DATA_SCOPE +{ + WnfDataScopeSystem = 0, + WnfDataScopeSession = 1, + WnfDataScopeUser = 2, + WnfDataScopeProcess = 3, + WnfDataScopeMachine = 4 +} WNF_DATA_SCOPE, *PWNF_DATA_SCOPE; + +typedef enum _FILTER_BOOT_OPTION_OPERATION +{ + FilterBootOptionOperationOpenSystemStore, + FilterBootOptionOperationSetElement, + FilterBootOptionOperationDeleteElement, + FilterBootOptionOperationMax +} FILTER_BOOT_OPTION_OPERATION, *PFILTER_BOOT_OPTION_OPERATION; + +typedef struct _FILE_PATH +{ + ULONG Version; + ULONG Length; + ULONG Type; + CHAR FilePath[1]; +} FILE_PATH, *PFILE_PATH; + +typedef enum _MUTANT_INFORMATION_CLASS 
+{ + MutantBasicInformation, + MutantOwnerInformation +} MUTANT_INFORMATION_CLASS, *PMUTANT_INFORMATION_CLASS; + +typedef enum _VDMSERVICECLASS +{ + VdmStartExecution, + VdmQueueInterrupt, + VdmDelayInterrupt, + VdmInitialize, + VdmFeatures, + VdmSetInt21Handler, + VdmQueryDir, + VdmPrinterDirectIoOpen, + VdmPrinterDirectIoClose, + VdmPrinterInitialize, + VdmSetLdtEntries, + VdmSetProcessLdtInfo, + VdmAdlibEmulation, + VdmPMCliControl, + VdmQueryVdmProcess +} VDMSERVICECLASS, *PVDMSERVICECLASS; + +typedef enum _TIMER_TYPE +{ + NotificationTimer, + SynchronizationTimer +} TIMER_TYPE, *PTIMER_TYPE; + +typedef struct _FILE_IO_COMPLETION_INFORMATION +{ + PVOID KeyContext; + PVOID ApcContext; + IO_STATUS_BLOCK IoStatusBlock; +} FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION; + +typedef struct _WNF_DELIVERY_DESCRIPTOR +{ + unsigned __int64 SubscriptionId; + WNF_STATE_NAME StateName; + unsigned long ChangeStamp; + unsigned long StateDataSize; + unsigned long EventMask; + WNF_TYPE_ID TypeId; + unsigned long StateDataOffset; +} WNF_DELIVERY_DESCRIPTOR, *PWNF_DELIVERY_DESCRIPTOR; + +typedef PVOID PT2_CANCEL_PARAMETERS; + +typedef enum _TIMER_INFORMATION_CLASS +{ + TimerBasicInformation +} TIMER_INFORMATION_CLASS, *PTIMER_INFORMATION_CLASS; + +typedef enum _ALPC_MESSAGE_INFORMATION_CLASS +{ + AlpcMessageSidInformation, + AlpcMessageTokenModifiedIdInformation +} ALPC_MESSAGE_INFORMATION_CLASS, *PALPC_MESSAGE_INFORMATION_CLASS; + +typedef enum _TIMER_SET_INFORMATION_CLASS +{ + TimerSetCoalescableTimer, + MaxTimerInfoClass +} TIMER_SET_INFORMATION_CLASS, *PTIMER_SET_INFORMATION_CLASS; + +typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS +{ + DirectoryNotifyInformation = 1, + DirectoryNotifyExtendedInformation = 2, +} DIRECTORY_NOTIFY_INFORMATION_CLASS, *PDIRECTORY_NOTIFY_INFORMATION_CLASS; + +typedef enum _EVENT_TYPE +{ + NotificationEvent = 0, + SynchronizationEvent = 1, +} EVENT_TYPE, *PEVENT_TYPE; + +typedef enum _EVENT_INFORMATION_CLASS +{ + 
EventBasicInformation +} EVENT_INFORMATION_CLASS, *PEVENT_INFORMATION_CLASS; + +typedef enum _MEMORY_PARTITION_INFORMATION_CLASS +{ + SystemMemoryPartitionInformation, + SystemMemoryPartitionMoveMemory, + SystemMemoryPartitionAddPagefile, + SystemMemoryPartitionCombineMemory, + SystemMemoryPartitionInitialAddMemory, + SystemMemoryPartitionGetMemoryEvents, + SystemMemoryPartitionMax +} MEMORY_PARTITION_INFORMATION_CLASS, *PMEMORY_PARTITION_INFORMATION_CLASS; + +EXTERN_C NTSTATUS NtMapViewOfSection( + IN HANDLE SectionHandle, + IN HANDLE ProcessHandle, + IN OUT PVOID BaseAddress, + IN ULONG ZeroBits, + IN SIZE_T CommitSize, + IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, + IN OUT PSIZE_T ViewSize, + IN SECTION_INHERIT InheritDisposition, + IN ULONG AllocationType, + IN ULONG Win32Protect); + +EXTERN_C NTSTATUS NtQueryDirectoryObject( + IN HANDLE DirectoryHandle, + OUT PVOID Buffer OPTIONAL, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN BOOLEAN RestartScan, + IN OUT PULONG Context, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtOpenThreadTokenEx( + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN BOOLEAN OpenAsSelf, + IN ULONG HandleAttributes, + OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS NtAccessCheckByType( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN HANDLE ClientToken, + IN ULONG DesiredAccess, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus); + +EXTERN_C NTSTATUS NtAddAtom( + IN PWSTR AtomName OPTIONAL, + IN ULONG Length, + OUT PUSHORT Atom OPTIONAL); + +EXTERN_C NTSTATUS NtSetWnfProcessNotificationEvent( + IN HANDLE NotificationEvent); + +EXTERN_C NTSTATUS NtSetIntervalProfile( + IN ULONG Interval, + IN KPROFILE_SOURCE Source); + +EXTERN_C NTSTATUS NtQueryOpenSubKeysEx( + IN 
POBJECT_ATTRIBUTES TargetKey, + IN ULONG BufferLength, + OUT PVOID Buffer, + OUT PULONG RequiredSize); + +EXTERN_C NTSTATUS NtSetCachedSigningLevel( + IN ULONG Flags, + IN SE_SIGNING_LEVEL InputSigningLevel, + IN PHANDLE SourceFiles, + IN ULONG SourceFileCount, + IN HANDLE TargetFile OPTIONAL); + +EXTERN_C NTSTATUS NtThawRegistry(); + +EXTERN_C NTSTATUS NtCreateThreadEx( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE ProcessHandle, + IN PVOID StartRoutine, + IN PVOID Argument OPTIONAL, + IN ULONG CreateFlags, + IN SIZE_T ZeroBits, + IN SIZE_T StackSize, + IN SIZE_T MaximumStackSize, + IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); + +EXTERN_C NTSTATUS NtQuerySystemTime( + OUT PLARGE_INTEGER SystemTime); + +EXTERN_C NTSTATUS NtPrePrepareComplete( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS NtReadFileScatter( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_SEGMENT_ELEMENT SegmentArray, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS NtDeleteValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName); + +EXTERN_C NTSTATUS NtAlpcSendWaitReceivePort( + IN HANDLE PortHandle, + IN ULONG Flags, + IN PPORT_MESSAGE SendMessage OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes OPTIONAL, + OUT PPORT_MESSAGE ReceiveMessage OPTIONAL, + IN OUT PSIZE_T BufferLength OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes OPTIONAL, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS NtQueryIntervalProfile( + IN KPROFILE_SOURCE ProfileSource, + OUT PULONG Interval); + +EXTERN_C NTSTATUS NtCreateSemaphore( + OUT PHANDLE SemaphoreHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN LONG 
InitialCount, + IN LONG MaximumCount); + +EXTERN_C NTSTATUS NtAlpcCreateSectionView( + IN HANDLE PortHandle, + IN ULONG Flags, + IN OUT PALPC_DATA_VIEW_ATTR ViewAttributes); + +EXTERN_C NTSTATUS NtCreateWaitCompletionPacket( + OUT PHANDLE WaitCompletionPacketHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS NtCommitEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS NtQuerySystemInformationEx( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN PVOID InputBuffer, + IN ULONG InputBufferLength, + OUT PVOID SystemInformation OPTIONAL, + IN ULONG SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtSetInformationDebugObject( + IN HANDLE DebugObject, + IN DEBUGOBJECTINFOCLASS InformationClass, + IN PVOID Information, + IN ULONG InformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtOpenJobObject( + OUT PHANDLE JobHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtQueryInformationPort( + IN HANDLE PortHandle, + IN PORT_INFORMATION_CLASS PortInformationClass, + OUT PVOID PortInformation, + IN ULONG Length, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtResumeProcess( + IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS NtDisplayString( + IN PUNICODE_STRING String); + +EXTERN_C NTSTATUS NtAddDriverEntry( + IN PEFI_DRIVER_ENTRY DriverEntry, + OUT PULONG Id OPTIONAL); + +EXTERN_C NTSTATUS NtOpenKeyedEvent( + OUT PHANDLE KeyedEventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtResetEvent( + IN HANDLE EventHandle, + OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS NtSaveKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle); + +EXTERN_C NTSTATUS NtCreateIRTimer( + OUT PHANDLE TimerHandle, + IN ACCESS_MASK DesiredAccess); + +EXTERN_C NTSTATUS NtDeleteObjectAuditAlarm( + IN 
PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN BOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS NtAlpcQueryInformation( + IN HANDLE PortHandle OPTIONAL, + IN ALPC_PORT_INFORMATION_CLASS PortInformationClass, + IN OUT PVOID PortInformation, + IN ULONG Length, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtDuplicateObject( + IN HANDLE SourceProcessHandle, + IN HANDLE SourceHandle, + IN HANDLE TargetProcessHandle OPTIONAL, + OUT PHANDLE TargetHandle OPTIONAL, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Options); + +EXTERN_C NTSTATUS NtClearEvent( + IN HANDLE EventHandle); + +EXTERN_C NTSTATUS NtQuerySecurityObject( + IN HANDLE Handle, + IN SECURITY_INFORMATION SecurityInformation, + OUT PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, + IN ULONG Length, + OUT PULONG LengthNeeded); + +EXTERN_C NTSTATUS NtOpenThread( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PCLIENT_ID ClientId OPTIONAL); + +EXTERN_C NTSTATUS NtAlertThreadByThreadId( + IN ULONG ThreadId); + +EXTERN_C NTSTATUS NtRollbackRegistryTransaction( + IN HANDLE RegistryHandle, + IN BOOL Wait); + +EXTERN_C NTSTATUS NtSignalAndWaitForSingleObject( + IN HANDLE hObjectToSignal, + IN HANDLE hObjectToWaitOn, + IN BOOLEAN bAlertable, + IN PLARGE_INTEGER dwMilliseconds OPTIONAL); + +EXTERN_C NTSTATUS NtQueryQuotaInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PFILE_USER_QUOTA_INFORMATION Buffer, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN PFILE_QUOTA_LIST_INFORMATION SidList OPTIONAL, + IN ULONG SidListLength, + IN PSID StartSid OPTIONAL, + IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS NtFsControlFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG FsControlCode, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, 
+ OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS NtOpenProcess( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PCLIENT_ID ClientId OPTIONAL); + +EXTERN_C NTSTATUS NtUnloadDriver( + IN PUNICODE_STRING DriverServiceName); + +EXTERN_C NTSTATUS NtSetLowEventPair( + IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS NtPropagationComplete( + IN HANDLE ResourceManagerHandle, + IN ULONG RequestCookie, + IN ULONG BufferLength, + IN PVOID Buffer); + +EXTERN_C NTSTATUS NtWaitForSingleObject( + IN HANDLE ObjectHandle, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER TimeOut OPTIONAL); + +EXTERN_C NTSTATUS NtGetCachedSigningLevel( + IN HANDLE File, + OUT PULONG Flags, + OUT PSE_SIGNING_LEVEL SigningLevel, + OUT PUCHAR Thumbprint OPTIONAL, + IN OUT PULONG ThumbprintSize OPTIONAL, + OUT PULONG ThumbprintAlgorithm OPTIONAL); + +EXTERN_C NTSTATUS NtQueryValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT PVOID KeyValueInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ResultLength); + +EXTERN_C NTSTATUS NtLoadDriver( + IN PUNICODE_STRING DriverServiceName); + +EXTERN_C NTSTATUS NtRollforwardTransactionManager( + IN HANDLE TransactionManagerHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS NtConvertBetweenAuxiliaryCounterAndPerformanceCounter( + IN ULONG UnknownParameter1, + IN ULONG UnknownParameter2, + IN ULONG UnknownParameter3, + IN ULONG UnknownParameter4); + +EXTERN_C NTSTATUS NtCallEnclave( + IN PENCLAVE_ROUTINE Routine, + IN PVOID Parameter, + IN BOOLEAN WaitForThread, + IN OUT PVOID ReturnValue OPTIONAL); + +EXTERN_C NTSTATUS NtCancelWaitCompletionPacket( + IN HANDLE WaitCompletionPacketHandle, + IN BOOLEAN RemoveSignaledPacket); + +EXTERN_C NTSTATUS NtCreateTransaction( + OUT PHANDLE TransactionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes 
OPTIONAL, + IN LPGUID Uow OPTIONAL, + IN HANDLE TmHandle OPTIONAL, + IN ULONG CreateOptions OPTIONAL, + IN ULONG IsolationLevel OPTIONAL, + IN ULONG IsolationFlags OPTIONAL, + IN PLARGE_INTEGER Timeout OPTIONAL, + IN PUNICODE_STRING Description OPTIONAL); + +EXTERN_C NTSTATUS NtOpenRegistryTransaction( + OUT PHANDLE RegistryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtAllocateUserPhysicalPages( + IN HANDLE ProcessHandle, + IN OUT PULONG NumberOfPages, + OUT PULONG UserPfnArray); + +EXTERN_C NTSTATUS NtDelayExecution( + IN BOOLEAN Alertable, + IN PLARGE_INTEGER DelayInterval); + +EXTERN_C NTSTATUS NtDeviceIoControlFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG IoControlCode, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS NtQueryLicenseValue( + IN PUNICODE_STRING ValueName, + OUT PULONG Type OPTIONAL, + OUT PVOID SystemData OPTIONAL, + IN ULONG DataSize, + OUT PULONG ResultDataSize); + +EXTERN_C NTSTATUS NtReadOnlyEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS NtUpdateWnfStateData( + IN PCWNF_STATE_NAME StateName, + IN PVOID Buffer OPTIONAL, + IN ULONG Length OPTIONAL, + IN PCWNF_TYPE_ID TypeId OPTIONAL, + IN PVOID ExplicitScope OPTIONAL, + IN WNF_CHANGE_STAMP MatchingChangeStamp, + IN ULONG CheckStamp); + +EXTERN_C NTSTATUS NtAlpcDeleteSecurityContext( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE ContextHandle); + +EXTERN_C NTSTATUS NtSetInformationJobObject( + IN HANDLE JobHandle, + IN JOBOBJECTINFOCLASS JobObjectInformationClass, + IN PVOID JobObjectInformation, + IN ULONG JobObjectInformationLength); + +EXTERN_C NTSTATUS NtDuplicateToken( + IN HANDLE ExistingTokenHandle, + IN ACCESS_MASK 
DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN BOOLEAN EffectiveOnly, + IN TOKEN_TYPE TokenType, + OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS NtGetCurrentProcessorNumber(); + +EXTERN_C NTSTATUS NtAccessCheckByTypeAndAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus, + OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS NtGetNextProcess( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Flags, + OUT PHANDLE NewProcessHandle); + +EXTERN_C NTSTATUS NtCreateDebugObject( + OUT PHANDLE DebugObjectHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG Flags); + +EXTERN_C NTSTATUS NtCreateEnclave( + IN HANDLE ProcessHandle, + IN OUT PVOID BaseAddress, + IN ULONG_PTR ZeroBits, + IN SIZE_T Size, + IN SIZE_T InitialCommitment, + IN ULONG EnclaveType, + IN PVOID EnclaveInformation, + IN ULONG EnclaveInformationLength, + OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS NtReleaseSemaphore( + IN HANDLE SemaphoreHandle, + IN LONG ReleaseCount, + OUT PLONG PreviousCount OPTIONAL); + +EXTERN_C NTSTATUS NtWaitForDebugEvent( + IN HANDLE DebugObjectHandle, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL, + OUT PVOID WaitStateChange); + +EXTERN_C NTSTATUS NtRaiseHardError( + IN NTSTATUS ErrorStatus, + IN ULONG NumberOfParameters, + IN ULONG UnicodeStringParameterMask, + IN PULONG_PTR Parameters, + IN ULONG ValidResponseOptions, + OUT PULONG Response); + +EXTERN_C NTSTATUS NtCompressKey( + IN 
HANDLE Key); + +EXTERN_C NTSTATUS NtQueryWnfStateNameInformation( + IN PCWNF_STATE_NAME StateName, + IN PCWNF_TYPE_ID NameInfoClass, + IN PVOID ExplicitScope OPTIONAL, + OUT PVOID InfoBuffer, + IN ULONG InfoBufferSize); + +EXTERN_C NTSTATUS NtCreateProfile( + OUT PHANDLE ProfileHandle, + IN HANDLE Process OPTIONAL, + IN PVOID ProfileBase, + IN ULONG ProfileSize, + IN ULONG BucketSize, + IN PULONG Buffer, + IN ULONG BufferSize, + IN KPROFILE_SOURCE ProfileSource, + IN ULONG Affinity); + +EXTERN_C NTSTATUS NtQueryOpenSubKeys( + IN POBJECT_ATTRIBUTES TargetKey, + OUT PULONG HandleCount); + +EXTERN_C NTSTATUS NtRegisterProtocolAddressInformation( + IN HANDLE ResourceManager, + IN LPGUID ProtocolId, + IN ULONG ProtocolInformationSize, + IN PVOID ProtocolInformation, + IN ULONG CreateOptions OPTIONAL); + +EXTERN_C NTSTATUS NtWaitForWnfNotifications(); + +EXTERN_C NTSTATUS NtEnumerateDriverEntries( + OUT PVOID Buffer OPTIONAL, + IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS NtGetNlsSectionPtr( + IN ULONG SectionType, + IN ULONG SectionData, + IN PVOID ContextData, + OUT PVOID SectionPointer, + OUT PULONG SectionSize); + +EXTERN_C NTSTATUS NtLockVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PULONG RegionSize, + IN ULONG MapType); + +EXTERN_C NTSTATUS NtDeleteDriverEntry( + IN ULONG Id); + +EXTERN_C NTSTATUS NtNotifyChangeMultipleKeys( + IN HANDLE MasterKeyHandle, + IN ULONG Count OPTIONAL, + IN POBJECT_ATTRIBUTES SubordinateObjects OPTIONAL, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree, + OUT PVOID Buffer OPTIONAL, + IN ULONG BufferSize, + IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS NtSetLowWaitHighEventPair( + IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS NtCompareSigningLevels( + IN ULONG UnknownParameter1, + IN ULONG UnknownParameter2); + +EXTERN_C NTSTATUS NtSuspendProcess( + IN HANDLE 
ProcessHandle); + +EXTERN_C NTSTATUS NtCreateResourceManager( + OUT PHANDLE ResourceManagerHandle, + IN ACCESS_MASK DesiredAccess, + IN HANDLE TmHandle, + IN LPGUID RmGuid, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG CreateOptions OPTIONAL, + IN PUNICODE_STRING Description OPTIONAL); + +EXTERN_C NTSTATUS NtReleaseKeyedEvent( + IN HANDLE KeyedEventHandle, + IN PVOID KeyValue, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS NtRestoreKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle, + IN ULONG Flags); + +EXTERN_C NTSTATUS NtTraceEvent( + IN HANDLE TraceHandle, + IN ULONG Flags, + IN ULONG FieldSize, + IN PVOID Fields); + +EXTERN_C NTSTATUS NtIsSystemResumeAutomatic(); + +EXTERN_C NTSTATUS NtCreateSectionEx( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PLARGE_INTEGER MaximumSize OPTIONAL, + IN ULONG SectionPageProtection, + IN ULONG AllocationAttributes, + IN HANDLE FileHandle OPTIONAL, + IN PMEM_EXTENDED_PARAMETER ExtendedParameters, + IN ULONG ExtendedParametersCount); + +EXTERN_C NTSTATUS NtResetWriteWatch( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN ULONG RegionSize); + +EXTERN_C NTSTATUS NtQueryIoCompletion( + IN HANDLE IoCompletionHandle, + IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, + OUT PVOID IoCompletionInformation, + IN ULONG IoCompletionInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtLoadEnclaveData( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID Buffer, + IN SIZE_T BufferSize, + IN ULONG Protect, + IN PVOID PageInformation, + IN ULONG PageInformationLength, + OUT PSIZE_T NumberOfBytesWritten OPTIONAL, + OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS NtInitializeEnclave( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID EnclaveInformation, + IN ULONG EnclaveInformationLength, + OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS 
NtWriteRequestData( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Request, + IN ULONG DataIndex, + IN PVOID Buffer, + IN ULONG Length, + OUT PULONG ResultLength OPTIONAL); + +EXTERN_C NTSTATUS NtRecoverTransactionManager( + IN HANDLE TransactionManagerHandle); + +EXTERN_C NTSTATUS NtSetSystemEnvironmentValueEx( + IN PUNICODE_STRING VariableName, + IN LPGUID VendorGuid, + IN PVOID Value OPTIONAL, + IN ULONG ValueLength, + IN ULONG Attributes); + +EXTERN_C NTSTATUS NtEnumerateValueKey( + IN HANDLE KeyHandle, + IN ULONG Index, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT PVOID KeyValueInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ResultLength); + +EXTERN_C NTSTATUS NtCreateWaitablePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG MaxConnectionInfoLength, + IN ULONG MaxMessageLength, + IN ULONG MaxPoolUsage OPTIONAL); + +EXTERN_C NTSTATUS NtSetQuotaInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_USER_QUOTA_INFORMATION Buffer, + IN ULONG Length); + +EXTERN_C NTSTATUS NtDeleteWnfStateName( + IN PCWNF_STATE_NAME StateName); + +EXTERN_C NTSTATUS NtRollbackSavepointTransaction( + IN HANDLE TransactionHandle, + IN ULONG SavePointId); + +EXTERN_C NTSTATUS NtDrawText( + IN PUNICODE_STRING String); + +EXTERN_C NTSTATUS NtFlushInstallUILanguage( + IN LANGID InstallUILanguage, + IN ULONG SetComittedFlag); + +EXTERN_C NTSTATUS NtQueryInformationTransaction( + IN HANDLE TransactionHandle, + IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass, + OUT PVOID TransactionInformation, + IN ULONG TransactionInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtPlugPlayControl( + IN PLUGPLAY_CONTROL_CLASS PnPControlClass, + IN OUT PVOID PnPControlData, + IN ULONG PnPControlDataLength); + +EXTERN_C NTSTATUS NtRequestPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE RequestMessage); + +EXTERN_C NTSTATUS NtQuerySystemEnvironmentValueEx( + IN 
PUNICODE_STRING VariableName, + IN LPGUID VendorGuid, + OUT PVOID Value OPTIONAL, + IN OUT PULONG ValueLength, + OUT PULONG Attributes OPTIONAL); + +EXTERN_C NTSTATUS NtQueryInformationAtom( + IN USHORT Atom, + IN ATOM_INFORMATION_CLASS AtomInformationClass, + OUT PVOID AtomInformation, + IN ULONG AtomInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtEnumerateBootEntries( + OUT PVOID Buffer OPTIONAL, + IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS NtSetBootEntryOrder( + IN PULONG Ids, + IN ULONG Count); + +EXTERN_C NTSTATUS NtCreateSection( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PLARGE_INTEGER MaximumSize OPTIONAL, + IN ULONG SectionPageProtection, + IN ULONG AllocationAttributes, + IN HANDLE FileHandle OPTIONAL); + +EXTERN_C NTSTATUS NtPrivilegeObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted); + +EXTERN_C NTSTATUS NtLockRegistryKey( + IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS NtSetIoCompletion( + IN HANDLE IoCompletionHandle, + IN ULONG CompletionKey, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN NTSTATUS CompletionStatus, + IN ULONG NumberOfBytesTransfered); + +EXTERN_C NTSTATUS NtCreateKeyedEvent( + OUT PHANDLE KeyedEventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG Flags); + +EXTERN_C NTSTATUS NtRequestWaitReplyPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE RequestMessage, + OUT PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS NtAlpcSetInformation( + IN HANDLE PortHandle, + IN ALPC_PORT_INFORMATION_CLASS PortInformationClass, + IN PVOID PortInformation OPTIONAL, + IN ULONG Length); + +EXTERN_C NTSTATUS NtGetDevicePowerState( + IN HANDLE Device, + OUT PDEVICE_POWER_STATE State); + +EXTERN_C NTSTATUS NtQueryKey( + IN HANDLE KeyHandle, + IN 
KEY_INFORMATION_CLASS KeyInformationClass, + OUT PVOID KeyInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ResultLength); + +EXTERN_C NTSTATUS NtSetValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN ULONG TitleIndex OPTIONAL, + IN ULONG Type, + IN PVOID SystemData, + IN ULONG DataSize); + +EXTERN_C NTSTATUS NtWaitForMultipleObjects( + IN ULONG Count, + IN PHANDLE Handles, + IN WAIT_TYPE WaitType, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS NtCancelSynchronousIoFile( + IN HANDLE ThreadHandle, + IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS NtMapCMFModule( + IN ULONG What, + IN ULONG Index, + OUT PULONG CacheIndexOut OPTIONAL, + OUT PULONG CacheFlagsOut OPTIONAL, + OUT PULONG ViewSizeOut OPTIONAL, + OUT PVOID BaseAddress OPTIONAL); + +EXTERN_C NTSTATUS NtSetDebugFilterState( + IN ULONG ComponentId, + IN ULONG Level, + IN BOOLEAN State); + +EXTERN_C NTSTATUS NtReadRequestData( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message, + IN ULONG DataEntryIndex, + OUT PVOID Buffer, + IN ULONG BufferSize, + OUT PULONG NumberOfBytesRead OPTIONAL); + +EXTERN_C NTSTATUS NtQueryEaFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PFILE_FULL_EA_INFORMATION Buffer, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN PFILE_GET_EA_INFORMATION EaList OPTIONAL, + IN ULONG EaListLength, + IN PULONG EaIndex OPTIONAL, + IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS NtSetVolumeInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FileSystemInformation, + IN ULONG Length, + IN FSINFOCLASS FileSystemInformationClass); + +EXTERN_C NTSTATUS NtPrePrepareEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS NtReplyWaitReceivePort( + IN HANDLE PortHandle, + OUT PVOID PortContext OPTIONAL, + IN PPORT_MESSAGE ReplyMessage OPTIONAL, + OUT PPORT_MESSAGE 
ReceiveMessage); + +EXTERN_C NTSTATUS NtNotifyChangeSession( + IN HANDLE SessionHandle, + IN ULONG ChangeSequenceNumber, + IN PLARGE_INTEGER ChangeTimeStamp, + IN IO_SESSION_EVENT Event, + IN IO_SESSION_STATE NewState, + IN IO_SESSION_STATE PreviousState, + IN PVOID Payload OPTIONAL, + IN ULONG PayloadSize); + +EXTERN_C NTSTATUS NtCreateSymbolicLinkObject( + OUT PHANDLE LinkHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PUNICODE_STRING LinkTarget); + +EXTERN_C NTSTATUS NtCreateUserProcess( + OUT PHANDLE ProcessHandle, + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK ProcessDesiredAccess, + IN ACCESS_MASK ThreadDesiredAccess, + IN POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL, + IN POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL, + IN ULONG ProcessFlags, + IN ULONG ThreadFlags, + IN PVOID ProcessParameters OPTIONAL, + IN OUT PPS_CREATE_INFO CreateInfo, + IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); + +EXTERN_C NTSTATUS NtPrivilegedServiceAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PUNICODE_STRING ServiceName, + IN HANDLE ClientToken, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted); + +EXTERN_C NTSTATUS NtCreateDirectoryObject( + OUT PHANDLE DirectoryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtFlushInstructionCache( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress OPTIONAL, + IN ULONG Length); + +EXTERN_C NTSTATUS NtSavepointComplete( + IN HANDLE TransactionHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS NtSetInformationVirtualMemory( + IN HANDLE ProcessHandle, + IN VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass, + IN ULONG_PTR NumberOfEntries, + IN PMEMORY_RANGE_ENTRY VirtualAddresses, + IN PVOID VmInformation, + IN ULONG VmInformationLength); + +EXTERN_C NTSTATUS NtCreateMutant( + OUT PHANDLE MutantHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN BOOLEAN 
InitialOwner); + +EXTERN_C NTSTATUS NtSetInformationThread( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + IN PVOID ThreadInformation, + IN ULONG ThreadInformationLength); + +EXTERN_C NTSTATUS NtQueryInformationProcess( + IN HANDLE ProcessHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + OUT PVOID ProcessInformation, + IN ULONG ProcessInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtStopProfile( + IN HANDLE ProfileHandle); + +EXTERN_C NTSTATUS NtQuerySemaphore( + IN HANDLE SemaphoreHandle, + IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, + OUT PVOID SemaphoreInformation, + IN ULONG SemaphoreInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtMapViewOfSectionEx( + IN HANDLE SectionHandle, + IN HANDLE ProcessHandle, + IN OUT PLARGE_INTEGER SectionOffset, + IN OUT PPVOID BaseAddress, + IN OUT PSIZE_T ViewSize, + IN ULONG AllocationType, + IN ULONG Protect, + IN OUT PVOID DataBuffer OPTIONAL, + IN ULONG DataCount); + +EXTERN_C NTSTATUS NtQueryInformationByName( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS NtReplacePartitionUnit( + IN PUNICODE_STRING TargetInstancePath, + IN PUNICODE_STRING SpareInstancePath, + IN ULONG Flags); + +EXTERN_C NTSTATUS NtSetCachedSigningLevel2( + IN ULONG Flags, + IN ULONG InputSigningLevel, + IN PHANDLE SourceFiles, + IN ULONG SourceFileCount, + IN HANDLE TargetFile OPTIONAL, + IN PVOID LevelInformation OPTIONAL); + +EXTERN_C NTSTATUS NtManageHotPatch( + IN ULONG UnknownParameter1, + IN ULONG UnknownParameter2, + IN ULONG UnknownParameter3, + IN ULONG UnknownParameter4); + +EXTERN_C NTSTATUS NtCancelDeviceWakeupRequest( + IN HANDLE DeviceHandle); + +EXTERN_C NTSTATUS NtFreeVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID BaseAddress, + IN OUT PULONG RegionSize, + IN ULONG 
FreeType); + +EXTERN_C NTSTATUS NtRollbackTransaction( + IN HANDLE TransactionHandle, + IN BOOLEAN Wait); + +EXTERN_C NTSTATUS NtOpenEnlistment( + OUT PHANDLE EnlistmentHandle, + IN ACCESS_MASK DesiredAccess, + IN HANDLE ResourceManagerHandle, + IN LPGUID EnlistmentGuid, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS NtOpenProcessToken( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS NtTerminateProcess( + IN HANDLE ProcessHandle OPTIONAL, + IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS NtContinue( + IN PCONTEXT ContextRecord, + IN BOOLEAN TestAlert); + +EXTERN_C NTSTATUS NtSerializeBoot(); + +EXTERN_C NTSTATUS NtAlpcImpersonateClientOfPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message, + IN PVOID Flags); + +EXTERN_C NTSTATUS NtStartTm(); + +EXTERN_C NTSTATUS NtStartProfile( + IN HANDLE ProfileHandle); + +EXTERN_C NTSTATUS NtAlpcDeletePortSection( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE SectionHandle); + +EXTERN_C NTSTATUS NtWaitForMultipleObjects32( + IN ULONG ObjectCount, + IN PHANDLE Handles, + IN WAIT_TYPE WaitType, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS NtCreateThread( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE ProcessHandle, + OUT PCLIENT_ID ClientId, + IN PCONTEXT ThreadContext, + IN PUSER_STACK InitialTeb, + IN BOOLEAN CreateSuspended); + +EXTERN_C NTSTATUS NtRequestWakeupLatency( + IN ULONG LatencyTime); + +EXTERN_C NTSTATUS NtCreateEventPair( + OUT PHANDLE EventPairHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS NtCreateRegistryTransaction( + OUT PHANDLE Handle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN DWORD Flags); + +EXTERN_C NTSTATUS NtSetDefaultLocale( + IN BOOLEAN UserProfile, + IN LCID DefaultLocaleId); + +EXTERN_C 
NTSTATUS NtQueueApcThreadEx( + IN HANDLE ThreadHandle, + IN HANDLE UserApcReserveHandle OPTIONAL, + IN PKNORMAL_ROUTINE ApcRoutine, + IN PVOID ApcArgument1 OPTIONAL, + IN PVOID ApcArgument2 OPTIONAL, + IN PVOID ApcArgument3 OPTIONAL); + +EXTERN_C NTSTATUS NtRollbackEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS NtSetSystemEnvironmentValue( + IN PUNICODE_STRING VariableName, + IN PUNICODE_STRING Value); + +EXTERN_C NTSTATUS NtIsUILanguageComitted(); + +EXTERN_C NTSTATUS NtQueryInstallUILanguage( + OUT PLANGID InstallUILanguageId); + +EXTERN_C NTSTATUS NtOpenResourceManager( + OUT PHANDLE ResourceManagerHandle, + IN ACCESS_MASK DesiredAccess, + IN HANDLE TmHandle, + IN LPGUID ResourceManagerGuid OPTIONAL, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS NtPrepareEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS NtCancelIoFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS NtPropagationFailed( + IN HANDLE ResourceManagerHandle, + IN ULONG RequestCookie, + IN NTSTATUS PropStatus); + +EXTERN_C NTSTATUS NtSetInformationResourceManager( + IN HANDLE ResourceManagerHandle, + IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, + IN PVOID ResourceManagerInformation, + IN ULONG ResourceManagerInformationLength); + +EXTERN_C NTSTATUS NtGetNotificationResourceManager( + IN HANDLE ResourceManagerHandle, + OUT PTRANSACTION_NOTIFICATION TransactionNotification, + IN ULONG NotificationLength, + IN PLARGE_INTEGER Timeout OPTIONAL, + OUT PULONG ReturnLength OPTIONAL, + IN ULONG Asynchronous, + IN ULONG AsynchronousContext OPTIONAL); + +EXTERN_C NTSTATUS NtSetTimer( + IN HANDLE TimerHandle, + IN PLARGE_INTEGER DueTime, + IN PTIMER_APC_ROUTINE TimerApcRoutine OPTIONAL, + IN PVOID TimerContext OPTIONAL, + IN BOOLEAN ResumeTimer, + IN LONG Period OPTIONAL, + OUT PBOOLEAN PreviousState 
OPTIONAL); + +EXTERN_C NTSTATUS NtOpenKey( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtGetPlugPlayEvent( + IN HANDLE EventHandle, + IN PVOID Context OPTIONAL, + OUT PPLUGPLAY_EVENT_BLOCK EventBlock, + IN ULONG EventBufferSize); + +EXTERN_C NTSTATUS NtRenameKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING NewName); + +EXTERN_C NTSTATUS NtWriteFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS NtAllocateUuids( + OUT PLARGE_INTEGER Time, + OUT PULONG Range, + OUT PULONG Sequence, + OUT PUCHAR Seed); + +EXTERN_C NTSTATUS NtQueryVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN MEMORY_INFORMATION_CLASS MemoryInformationClass, + OUT PVOID MemoryInformation, + IN ULONG MemoryInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtOpenPartition( + OUT PHANDLE PartitionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtAlpcDeleteSectionView( + IN HANDLE PortHandle, + IN ULONG Flags, + IN PVOID ViewBase); + +EXTERN_C NTSTATUS NtTerminateEnclave( + IN PVOID BaseAddress, + IN BOOLEAN WaitForThread); + +EXTERN_C NTSTATUS NtCompleteConnectPort( + IN HANDLE PortHandle); + +EXTERN_C NTSTATUS NtFreeUserPhysicalPages( + IN HANDLE ProcessHandle, + IN OUT PULONG NumberOfPages, + IN PULONG UserPfnArray); + +EXTERN_C NTSTATUS NtSetInformationSymbolicLink( + IN HANDLE Handle, + IN ULONG Class, + IN PVOID Buffer, + IN ULONG BufferLength); + +EXTERN_C NTSTATUS NtUnsubscribeWnfStateChange( + IN PCWNF_STATE_NAME StateName); + +EXTERN_C NTSTATUS NtOpenKeyEx( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG 
OpenOptions); + +EXTERN_C NTSTATUS NtImpersonateAnonymousToken( + IN HANDLE ThreadHandle); + +EXTERN_C NTSTATUS NtSetIRTimer( + IN HANDLE TimerHandle, + IN PLARGE_INTEGER DueTime OPTIONAL); + +EXTERN_C NTSTATUS NtCreateToken( + OUT PHANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN TOKEN_TYPE TokenType, + IN PLUID AuthenticationId, + IN PLARGE_INTEGER ExpirationTime, + IN PTOKEN_USER User, + IN PTOKEN_GROUPS Groups, + IN PTOKEN_PRIVILEGES Privileges, + IN PTOKEN_OWNER Owner OPTIONAL, + IN PTOKEN_PRIMARY_GROUP PrimaryGroup, + IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, + IN PTOKEN_SOURCE TokenSource); + +EXTERN_C NTSTATUS NtReplyWaitReplyPort( + IN HANDLE PortHandle, + IN OUT PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS NtCreatePartition( + OUT PHANDLE PartitionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG PreferredNode); + +EXTERN_C NTSTATUS NtOpenTimer( + OUT PHANDLE TimerHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtAlertResumeThread( + IN HANDLE ThreadHandle, + OUT PULONG PreviousSuspendCount OPTIONAL); + +EXTERN_C NTSTATUS NtWaitForAlertByThreadId( + IN HANDLE Handle, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS NtSetInformationObject( + IN HANDLE Handle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + IN PVOID ObjectInformation, + IN ULONG ObjectInformationLength); + +EXTERN_C NTSTATUS NtAllocateVirtualMemoryEx( + IN HANDLE ProcessHandle, + IN OUT PPVOID lpAddress, + IN ULONG_PTR ZeroBits, + IN OUT PSIZE_T pSize, + IN ULONG flAllocationType, + IN OUT PVOID DataBuffer OPTIONAL, + IN ULONG DataCount); + +EXTERN_C NTSTATUS NtQuerySystemEnvironmentValue( + IN PUNICODE_STRING VariableName, + OUT PVOID VariableValue, + IN ULONG ValueLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtSetInformationKey( + IN HANDLE KeyHandle, + IN 
KEY_SET_INFORMATION_CLASS KeySetInformationClass, + IN PVOID KeySetInformation, + IN ULONG KeySetInformationLength); + +EXTERN_C NTSTATUS NtQueryFullAttributesFile( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation); + +EXTERN_C NTSTATUS NtSetContextThread( + IN HANDLE ThreadHandle, + IN PCONTEXT Context); + +EXTERN_C NTSTATUS NtApphelpCacheControl( + IN APPHELPCACHESERVICECLASS Service, + IN PVOID ServiceData); + +EXTERN_C NTSTATUS NtCreateProcess( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE ParentProcess, + IN BOOLEAN InheritObjectTable, + IN HANDLE SectionHandle OPTIONAL, + IN HANDLE DebugPort OPTIONAL, + IN HANDLE ExceptionPort OPTIONAL); + +EXTERN_C NTSTATUS NtMapUserPhysicalPagesScatter( + IN PVOID VirtualAddresses, + IN PULONG NumberOfPages, + IN PULONG UserPfnArray OPTIONAL); + +EXTERN_C NTSTATUS NtClearSavepointTransaction( + IN HANDLE TransactionHandle, + IN ULONG SavePointId); + +EXTERN_C NTSTATUS NtLockFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PULARGE_INTEGER ByteOffset, + IN PULARGE_INTEGER Length, + IN ULONG Key, + IN BOOLEAN FailImmediately, + IN BOOLEAN ExclusiveLock); + +EXTERN_C NTSTATUS NtAllocateReserveObject( + OUT PHANDLE MemoryReserveHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN MEMORY_RESERVE_TYPE Type); + +EXTERN_C NTSTATUS NtUmsThreadYield( + IN PVOID SchedulerParam); + +EXTERN_C NTSTATUS NtSetEaFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_FULL_EA_INFORMATION EaBuffer, + IN ULONG EaBufferSize); + +EXTERN_C NTSTATUS NtAdjustTokenClaimsAndDeviceGroups( + IN HANDLE TokenHandle, + IN BOOLEAN UserResetToDefault, + IN BOOLEAN DeviceResetToDefault, + IN BOOLEAN DeviceGroupsResetToDefault, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState 
OPTIONAL, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState OPTIONAL, + IN PTOKEN_GROUPS NewDeviceGroupsState OPTIONAL, + IN ULONG UserBufferLength, + OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState OPTIONAL, + IN ULONG DeviceBufferLength, + OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState OPTIONAL, + IN ULONG DeviceGroupsBufferLength, + OUT PTOKEN_GROUPS PreviousDeviceGroups OPTIONAL, + OUT PULONG UserReturnLength OPTIONAL, + OUT PULONG DeviceReturnLength OPTIONAL, + OUT PULONG DeviceGroupsReturnBufferLength OPTIONAL); + +EXTERN_C NTSTATUS NtAdjustGroupsToken( + IN HANDLE TokenHandle, + IN BOOLEAN ResetToDefault, + IN PTOKEN_GROUPS NewState OPTIONAL, + IN ULONG BufferLength OPTIONAL, + OUT PTOKEN_GROUPS PreviousState OPTIONAL, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS NtLoadKey2( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile, + IN ULONG Flags); + +EXTERN_C NTSTATUS NtQueryTimerResolution( + OUT PULONG MaximumTime, + OUT PULONG MinimumTime, + OUT PULONG CurrentTime); + +EXTERN_C NTSTATUS NtQueueApcThread( + IN HANDLE ThreadHandle, + IN PKNORMAL_ROUTINE ApcRoutine, + IN PVOID ApcArgument1 OPTIONAL, + IN PVOID ApcArgument2 OPTIONAL, + IN PVOID ApcArgument3 OPTIONAL); + +EXTERN_C NTSTATUS NtLoadHotPatch( + IN PUNICODE_STRING HotPatchName, + IN ULONG LoadFlag); + +EXTERN_C NTSTATUS NtOpenKeyTransacted( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS NtUnmapViewOfSectionEx( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress OPTIONAL, + IN ULONG Flags); + +EXTERN_C NTSTATUS NtListenPort( + IN HANDLE PortHandle, + OUT PPORT_MESSAGE ConnectionRequest); + +EXTERN_C NTSTATUS NtQueryInformationEnlistment( + IN HANDLE EnlistmentHandle, + IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, + OUT PVOID EnlistmentInformation, + IN ULONG EnlistmentInformationLength, + OUT PULONG ReturnLength OPTIONAL); + 
+EXTERN_C NTSTATUS NtAlpcImpersonateClientContainerOfPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message, + IN ULONG Flags); + +EXTERN_C NTSTATUS NtCreateMailslotFile( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CreateOptions, + IN ULONG MailslotQuota, + IN ULONG MaximumMessageSize, + IN PLARGE_INTEGER ReadTimeout); + +EXTERN_C NTSTATUS NtWaitForKeyedEvent( + IN HANDLE KeyedEventHandle, + IN PVOID Key, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS NtSetInformationEnlistment( + IN HANDLE EnlistmentHandle, + IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, + IN PVOID EnlistmentInformation, + IN ULONG EnlistmentInformationLength); + +EXTERN_C NTSTATUS NtRemoveIoCompletion( + IN HANDLE IoCompletionHandle, + OUT PULONG KeyContext, + OUT PULONG ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS NtQueryWnfStateData( + IN PCWNF_STATE_NAME StateName, + IN PCWNF_TYPE_ID TypeId OPTIONAL, + IN PVOID ExplicitScope OPTIONAL, + OUT PWNF_CHANGE_STAMP ChangeStamp, + OUT PVOID Buffer OPTIONAL, + IN OUT PULONG BufferSize); + +EXTERN_C NTSTATUS NtLockProductActivationKeys( + IN OUT PULONG pPrivateVer OPTIONAL, + OUT PULONG pSafeMode OPTIONAL); + +EXTERN_C NTSTATUS NtSetInformationTransactionManager( + IN HANDLE TransactionHandle, + IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass, + IN PVOID TransactionInformation, + IN ULONG TransactionInformationLength); + +EXTERN_C NTSTATUS NtSetDefaultHardErrorPort( + IN HANDLE PortHandle); + +EXTERN_C NTSTATUS NtAddAtomEx( + IN PWSTR AtomName, + IN ULONG Length, + IN PRTL_ATOM Atom, + IN ULONG Flags); + +EXTERN_C NTSTATUS NtQueryInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C 
NTSTATUS NtAlpcRevokeSecurityContext( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE ContextHandle); + +EXTERN_C NTSTATUS NtFilterToken( + IN HANDLE ExistingTokenHandle, + IN ULONG Flags, + IN PTOKEN_GROUPS SidsToDisable OPTIONAL, + IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, + IN PTOKEN_GROUPS RestrictedSids OPTIONAL, + OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS NtRaiseException( + IN PEXCEPTION_RECORD ExceptionRecord, + IN PCONTEXT ContextRecord, + IN BOOLEAN FirstChance); + +EXTERN_C NTSTATUS NtOpenDirectoryObject( + OUT PHANDLE DirectoryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtUnloadKey( + IN POBJECT_ATTRIBUTES DestinationKeyName); + +EXTERN_C NTSTATUS NtSubscribeWnfStateChange( + IN PCWNF_STATE_NAME StateName, + IN WNF_CHANGE_STAMP ChangeStamp OPTIONAL, + IN ULONG EventMask, + OUT PLARGE_INTEGER SubscriptionId OPTIONAL); + +EXTERN_C NTSTATUS NtUnlockVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PULONG NumberOfBytesToUnlock, + IN ULONG LockType); + +EXTERN_C NTSTATUS NtFlushVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID BaseAddress, + IN OUT PULONG RegionSize, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS NtAlpcCancelMessage( + IN HANDLE PortHandle, + IN ULONG Flags, + IN PALPC_CONTEXT_ATTR MessageContext); + +EXTERN_C NTSTATUS NtUnloadKey2( + IN POBJECT_ATTRIBUTES TargetKey, + IN ULONG Flags); + +EXTERN_C NTSTATUS NtMakeTemporaryObject( + IN HANDLE Handle); + +EXTERN_C NTSTATUS NtQuerySection( + IN HANDLE SectionHandle, + IN SECTION_INFORMATION_CLASS SectionInformationClass, + OUT PVOID SectionInformation, + IN ULONG SectionInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtQueryMultipleValueKey( + IN HANDLE KeyHandle, + IN OUT PKEY_VALUE_ENTRY ValueEntries, + IN ULONG EntryCount, + OUT PVOID ValueBuffer, + IN PULONG BufferLength, + OUT PULONG RequiredBufferLength OPTIONAL); + +EXTERN_C NTSTATUS 
NtRenameTransactionManager( + IN PUNICODE_STRING LogFileName, + IN LPGUID ExistingTransactionManagerGuid); + +EXTERN_C NTSTATUS NtDebugActiveProcess( + IN HANDLE ProcessHandle, + IN HANDLE DebugObjectHandle); + +EXTERN_C NTSTATUS NtQuerySecurityAttributesToken( + IN HANDLE TokenHandle, + IN PUNICODE_STRING Attributes OPTIONAL, + IN ULONG NumberOfAttributes, + OUT PVOID Buffer, + IN ULONG Length, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS NtReadFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + OUT PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS NtSetSystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN PVOID SystemInformation, + IN ULONG SystemInformationLength); + +EXTERN_C NTSTATUS NtQueryBootOptions( + OUT PBOOT_OPTIONS BootOptions OPTIONAL, + IN OUT PULONG BootOptionsLength); + +EXTERN_C NTSTATUS NtRecoverEnlistment( + IN HANDLE EnlistmentHandle, + IN PVOID EnlistmentKey OPTIONAL); + +EXTERN_C NTSTATUS NtPulseEvent( + IN HANDLE EventHandle, + OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS NtCreateEnlistment( + OUT PHANDLE EnlistmentHandle, + IN ACCESS_MASK DesiredAccess, + IN HANDLE ResourceManagerHandle, + IN HANDLE TransactionHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG CreateOptions OPTIONAL, + IN NOTIFICATION_MASK NotificationMask, + IN PVOID EnlistmentKey OPTIONAL); + +EXTERN_C NTSTATUS NtSetEvent( + IN HANDLE EventHandle, + OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS NtAlpcCreatePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL); + +EXTERN_C NTSTATUS NtShutdownSystem( + IN SHUTDOWN_ACTION Action); + +EXTERN_C NTSTATUS NtAlpcCreateSecurityContext( + IN HANDLE PortHandle, + IN ULONG Flags, + IN OUT 
PALPC_SECURITY_ATTR SecurityAttribute); + +EXTERN_C NTSTATUS NtQueryDefaultUILanguage( + OUT PLANGID DefaultUILanguageId); + +EXTERN_C NTSTATUS NtAccessCheck( + IN PSECURITY_DESCRIPTOR pSecurityDescriptor, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiaredAccess, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PBOOLEAN AccessStatus); + +EXTERN_C NTSTATUS NtFreezeRegistry( + IN ULONG TimeOutInSeconds); + +EXTERN_C NTSTATUS NtFlushBuffersFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS NtSetEventBoostPriority( + IN HANDLE EventHandle); + +EXTERN_C NTSTATUS NtQueryAttributesFile( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PFILE_BASIC_INFORMATION FileInformation); + +EXTERN_C NTSTATUS NtCreateTimer2( + OUT PHANDLE TimerHandle, + IN PVOID Reserved1 OPTIONAL, + IN PVOID Reserved2 OPTIONAL, + IN ULONG Attributes, + IN ACCESS_MASK DesiredAccess); + +EXTERN_C NTSTATUS NtQueryObject( + IN HANDLE Handle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + OUT PVOID ObjectInformation OPTIONAL, + IN ULONG ObjectInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtRequestDeviceWakeup( + IN HANDLE DeviceHandle); + +EXTERN_C NTSTATUS NtOpenPrivateNamespace( + OUT PHANDLE NamespaceHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PVOID BoundaryDescriptor); + +EXTERN_C NTSTATUS NtCreateProfileEx( + OUT PHANDLE ProfileHandle, + IN HANDLE Process OPTIONAL, + IN PVOID ProfileBase, + IN SIZE_T ProfileSize, + IN ULONG BucketSize, + IN PULONG Buffer, + IN ULONG BufferSize, + IN KPROFILE_SOURCE ProfileSource, + IN USHORT GroupCount, + IN PGROUP_AFFINITY GroupAffinity); + +EXTERN_C NTSTATUS NtOpenFile( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG ShareAccess, + 
IN ULONG OpenOptions); + +EXTERN_C NTSTATUS NtSecureConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, + IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL, + IN PSID RequiredServerSid OPTIONAL, + IN OUT PPORT_SECTION_READ ServerView OPTIONAL, + OUT PULONG MaxMessageLength OPTIONAL, + IN OUT PVOID ConnectionInformation OPTIONAL, + IN OUT PULONG ConnectionInformationLength OPTIONAL); + +EXTERN_C NTSTATUS NtInitializeRegistry( + IN USHORT BootCondition); + +EXTERN_C NTSTATUS NtMakePermanentObject( + IN HANDLE Handle); + +EXTERN_C NTSTATUS NtGetContextThread( + IN HANDLE ThreadHandle, + IN OUT PCONTEXT ThreadContext); + +EXTERN_C NTSTATUS NtSuspendThread( + IN HANDLE ThreadHandle, + OUT PULONG PreviousSuspendCount); + +EXTERN_C NTSTATUS NtSetTimerResolution( + IN ULONG DesiredResolution, + IN BOOLEAN SetResolution, + OUT PULONG CurrentResolution); + +EXTERN_C NTSTATUS NtQueryVolumeInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FsInformation, + IN ULONG Length, + IN FSINFOCLASS FsInformationClass); + +EXTERN_C NTSTATUS NtSetInformationToken( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + IN PVOID TokenInformation, + IN ULONG TokenInformationLength); + +EXTERN_C NTSTATUS NtDisableLastKnownGood(); + +EXTERN_C NTSTATUS NtAssignProcessToJobObject( + IN HANDLE JobHandle, + IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS NtEnumerateSystemEnvironmentValuesEx( + IN ULONG InformationClass, + OUT PVOID Buffer, + IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS NtDeleteAtom( + IN USHORT Atom); + +EXTERN_C NTSTATUS NtRevertContainerImpersonation(); + +EXTERN_C NTSTATUS NtEnableLastKnownGood(); + +EXTERN_C NTSTATUS NtCreateKey( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG TitleIndex, + IN PUNICODE_STRING Class OPTIONAL, + IN ULONG CreateOptions, + OUT PULONG Disposition OPTIONAL); + 
+EXTERN_C NTSTATUS NtCreatePrivateNamespace( + OUT PHANDLE NamespaceHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PVOID BoundaryDescriptor); + +EXTERN_C NTSTATUS NtUnlockFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PULARGE_INTEGER ByteOffset, + IN PULARGE_INTEGER Length, + IN ULONG Key); + +EXTERN_C NTSTATUS NtSetSystemTime( + IN PLARGE_INTEGER SystemTime, + OUT PLARGE_INTEGER PreviousTime OPTIONAL); + +EXTERN_C NTSTATUS NtQueryInformationJobObject( + IN HANDLE JobHandle, + IN JOBOBJECTINFOCLASS JobObjectInformationClass, + OUT PVOID JobObjectInformation, + IN ULONG JobObjectInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtAlpcOpenSenderThread( + OUT PHANDLE ThreadHandle, + IN HANDLE PortHandle, + IN PPORT_MESSAGE PortMessage, + IN ULONG Flags, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtOpenTransactionManager( + OUT PHANDLE TmHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PUNICODE_STRING LogFileName OPTIONAL, + IN LPGUID TmIdentity OPTIONAL, + IN ULONG OpenOptions OPTIONAL); + +EXTERN_C NTSTATUS NtYieldExecution(); + +EXTERN_C NTSTATUS NtSaveMergedKeys( + IN HANDLE HighPrecedenceKeyHandle, + IN HANDLE LowPrecedenceKeyHandle, + IN HANDLE FileHandle); + +EXTERN_C NTSTATUS NtLoadKey( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile); + +EXTERN_C NTSTATUS NtWriteVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID Buffer, + IN ULONG NumberOfBytesToWrite, + OUT PULONG NumberOfBytesWritten OPTIONAL); + +EXTERN_C NTSTATUS NtReplaceKey( + IN POBJECT_ATTRIBUTES NewFile, + IN HANDLE TargetHandle, + IN POBJECT_ATTRIBUTES OldFile); + +EXTERN_C NTSTATUS NtModifyBootEntry( + IN PBOOT_ENTRY BootEntry); + +EXTERN_C NTSTATUS NtOpenTransaction( + OUT PHANDLE TransactionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES 
ObjectAttributes, + IN LPGUID Uow, + IN HANDLE TmHandle OPTIONAL); + +EXTERN_C NTSTATUS NtQuerySymbolicLinkObject( + IN HANDLE LinkHandle, + IN OUT PUNICODE_STRING LinkTarget, + OUT PULONG ReturnedLength OPTIONAL); + +EXTERN_C NTSTATUS NtOpenObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN ACCESS_MASK GrantedAccess, + IN PPRIVILEGE_SET Privileges OPTIONAL, + IN BOOLEAN ObjectCreation, + IN BOOLEAN AccessGranted, + OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS NtSetIoCompletionEx( + IN HANDLE IoCompletionHandle, + IN HANDLE IoCompletionPacketHandle, + IN PVOID KeyContext OPTIONAL, + IN PVOID ApcContext OPTIONAL, + IN NTSTATUS IoStatus, + IN ULONG_PTR IoStatusInformation); + +EXTERN_C NTSTATUS NtSetTimer2( + IN HANDLE TimerHandle, + IN PLARGE_INTEGER DueTime, + IN PLARGE_INTEGER Period OPTIONAL, + IN PT2_SET_PARAMETERS Parameters); + +EXTERN_C NTSTATUS NtSetInformationWorkerFactory( + IN HANDLE WorkerFactoryHandle, + IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, + IN PVOID WorkerFactoryInformation, + IN ULONG WorkerFactoryInformationLength); + +EXTERN_C NTSTATUS NtSetInformationTransaction( + IN HANDLE TransactionHandle, + IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionInformationClass, + IN PVOID TransactionInformation, + IN ULONG TransactionInformationLength); + +EXTERN_C NTSTATUS NtCreateWorkerFactory( + OUT PHANDLE WorkerFactoryHandleReturn, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE CompletionPortHandle, + IN HANDLE WorkerProcessHandle, + IN PVOID StartRoutine, + IN PVOID StartParameter OPTIONAL, + IN ULONG MaxThreadCount OPTIONAL, + IN SIZE_T StackReserve OPTIONAL, + IN SIZE_T StackCommit OPTIONAL); + +EXTERN_C NTSTATUS NtSetHighEventPair( + IN HANDLE EventPairHandle); + 
+EXTERN_C NTSTATUS NtCreateTransactionManager( + OUT PHANDLE TmHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PUNICODE_STRING LogFileName OPTIONAL, + IN ULONG CreateOptions OPTIONAL, + IN ULONG CommitStrength OPTIONAL); + +EXTERN_C NTSTATUS NtListTransactions(); + +EXTERN_C NTSTATUS NtGetNextThread( + IN HANDLE ProcessHandle, + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Flags, + OUT PHANDLE NewThreadHandle); + +EXTERN_C NTSTATUS NtOpenSession( + OUT PHANDLE SessionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtAllocateLocallyUniqueId( + OUT PLUID Luid); + +EXTERN_C NTSTATUS NtQueryDirectoryFileEx( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass, + IN ULONG QueryFlags, + IN PUNICODE_STRING FileName OPTIONAL); + +EXTERN_C NTSTATUS NtGetWriteWatch( + IN HANDLE ProcessHandle, + IN ULONG Flags, + IN PVOID BaseAddress, + IN ULONG RegionSize, + OUT PULONG UserAddressArray, + IN OUT PULONG EntriesInUserAddressArray, + OUT PULONG Granularity); + +EXTERN_C NTSTATUS NtReadVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress OPTIONAL, + OUT PVOID Buffer, + IN ULONG BufferSize, + OUT PULONG NumberOfBytesRead OPTIONAL); + +EXTERN_C NTSTATUS NtGetMUIRegistryInfo( + IN ULONG Flags, + IN OUT PULONG DataSize, + OUT PVOID SystemData); + +EXTERN_C NTSTATUS NtSetSystemPowerState( + IN POWER_ACTION SystemAction, + IN SYSTEM_POWER_STATE MinSystemState, + IN ULONG Flags); + +EXTERN_C NTSTATUS NtProtectVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID BaseAddress, + IN OUT PULONG RegionSize, + IN ULONG NewProtect, + OUT PULONG OldProtect); + +EXTERN_C NTSTATUS NtTerminateJobObject( + IN HANDLE JobHandle, 
+ IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS NtQueryInformationWorkerFactory( + IN HANDLE WorkerFactoryHandle, + IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, + OUT PVOID WorkerFactoryInformation, + IN ULONG WorkerFactoryInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtFilterTokenEx( + IN HANDLE TokenHandle, + IN ULONG Flags, + IN PTOKEN_GROUPS SidsToDisable OPTIONAL, + IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, + IN PTOKEN_GROUPS RestrictedSids OPTIONAL, + IN ULONG DisableUserClaimsCount, + IN PUNICODE_STRING UserClaimsToDisable OPTIONAL, + IN ULONG DisableDeviceClaimsCount, + IN PUNICODE_STRING DeviceClaimsToDisable OPTIONAL, + IN PTOKEN_GROUPS DeviceGroupsToDisable OPTIONAL, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes OPTIONAL, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes OPTIONAL, + IN PTOKEN_GROUPS RestrictedDeviceGroups OPTIONAL, + OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS NtAreMappedFilesTheSame( + IN PVOID File1MappedAsAnImage, + IN PVOID File2MappedAsFile); + +EXTERN_C NTSTATUS NtCreateTokenEx( + OUT PHANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN TOKEN_TYPE TokenType, + IN PLUID AuthenticationId, + IN PLARGE_INTEGER ExpirationTime, + IN PTOKEN_USER User, + IN PTOKEN_GROUPS Groups, + IN PTOKEN_PRIVILEGES Privileges, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes OPTIONAL, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes OPTIONAL, + IN PTOKEN_GROUPS DeviceGroups OPTIONAL, + IN PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy OPTIONAL, + IN PTOKEN_OWNER Owner OPTIONAL, + IN PTOKEN_PRIMARY_GROUP PrimaryGroup, + IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, + IN PTOKEN_SOURCE TokenSource); + +EXTERN_C NTSTATUS NtOpenProcessTokenEx( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS 
NtInitiatePowerAction( + IN POWER_ACTION SystemAction, + IN SYSTEM_POWER_STATE LightestSystemState, + IN ULONG Flags, + IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS NtOpenSemaphore( + OUT PHANDLE SemaphoreHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtQueryInformationThread( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + OUT PVOID ThreadInformation, + IN ULONG ThreadInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtWriteFileGather( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_SEGMENT_ELEMENT SegmentArray, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset, + IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS NtWaitHighEventPair( + IN HANDLE EventHandle); + +EXTERN_C NTSTATUS NtSystemDebugControl( + IN DEBUG_CONTROL_CODE Command, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtAllocateVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID BaseAddress, + IN ULONG ZeroBits, + IN OUT PULONG RegionSize, + IN ULONG AllocationType, + IN ULONG Protect); + +EXTERN_C NTSTATUS NtCreateWnfStateName( + OUT PCWNF_STATE_NAME StateName, + IN WNF_STATE_NAME_LIFETIME NameLifetime, + IN WNF_DATA_SCOPE DataScope, + IN BOOLEAN PersistData, + IN PCWNF_TYPE_ID TypeId OPTIONAL, + IN ULONG MaximumStateSize, + IN PSECURITY_DESCRIPTOR SecurityDescriptor); + +EXTERN_C NTSTATUS NtQueryInformationToken( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + OUT PVOID TokenInformation, + IN ULONG TokenInformationLength, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS NtQuerySystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN OUT PVOID SystemInformation, + IN ULONG 
SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtUnloadKeyEx( + IN POBJECT_ATTRIBUTES TargetKey, + IN HANDLE Event OPTIONAL); + +EXTERN_C NTSTATUS NtFilterBootOption( + IN FILTER_BOOT_OPTION_OPERATION FilterOperation, + IN ULONG ObjectType, + IN ULONG ElementType, + IN PVOID SystemData OPTIONAL, + IN ULONG DataSize); + +EXTERN_C NTSTATUS NtCreateCrossVmEvent(); + +EXTERN_C NTSTATUS NtOpenMutant( + OUT PHANDLE MutantHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtAlpcAcceptConnectPort( + OUT PHANDLE PortHandle, + IN HANDLE ConnectionPortHandle, + IN ULONG Flags, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, + IN PVOID PortContext OPTIONAL, + IN PPORT_MESSAGE ConnectionRequest, + IN OUT PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes OPTIONAL, + IN BOOLEAN AcceptConnection); + +EXTERN_C NTSTATUS NtAccessCheckByTypeResultList( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus); + +EXTERN_C NTSTATUS NtAccessCheckByTypeResultListAndAuditAlarmByHandle( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN HANDLE ClientToken, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus, + OUT PULONG 
GenerateOnClose); + +EXTERN_C NTSTATUS NtSetHighWaitLowEventPair( + IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS NtCommitTransaction( + IN HANDLE TransactionHandle, + IN BOOLEAN Wait); + +EXTERN_C NTSTATUS NtSaveKeyEx( + IN HANDLE KeyHandle, + IN HANDLE FileHandle, + IN ULONG Format); + +EXTERN_C NTSTATUS NtCreateIoCompletion( + OUT PHANDLE IoCompletionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG Count OPTIONAL); + +EXTERN_C NTSTATUS NtOpenEvent( + OUT PHANDLE EventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtAlertThread( + IN HANDLE ThreadHandle); + +EXTERN_C NTSTATUS NtQueryAuxiliaryCounterFrequency( + OUT PULONGLONG lpAuxiliaryCounterFrequency); + +EXTERN_C NTSTATUS NtReleaseMutant( + IN HANDLE MutantHandle, + OUT PULONG PreviousCount OPTIONAL); + +EXTERN_C NTSTATUS NtSetDefaultUILanguage( + IN LANGID DefaultUILanguageId); + +EXTERN_C NTSTATUS NtDeleteBootEntry( + IN ULONG Id); + +EXTERN_C NTSTATUS NtIsProcessInJob( + IN HANDLE ProcessHandle, + IN HANDLE JobHandle OPTIONAL); + +EXTERN_C NTSTATUS NtNotifyChangeKey( + IN HANDLE KeyHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree, + OUT PVOID Buffer OPTIONAL, + IN ULONG BufferSize, + IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS NtImpersonateClientOfPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message); + +EXTERN_C NTSTATUS NtTranslateFilePath( + IN PFILE_PATH InputFilePath, + IN ULONG OutputType, + OUT PFILE_PATH OutputFilePath OPTIONAL, + IN OUT PULONG OutputFilePathLength OPTIONAL); + +EXTERN_C NTSTATUS NtDeletePrivateNamespace( + IN HANDLE NamespaceHandle); + +EXTERN_C NTSTATUS NtOpenSection( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS 
NtCommitRegistryTransaction( + IN HANDLE RegistryHandle, + IN BOOL Wait); + +EXTERN_C NTSTATUS NtOpenIoCompletion( + OUT PHANDLE IoCompletionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtSetSecurityObject( + IN HANDLE ObjectHandle, + IN SECURITY_INFORMATION SecurityInformationClass, + IN PSECURITY_DESCRIPTOR DescriptorBuffer); + +EXTERN_C NTSTATUS NtSetThreadExecutionState( + IN EXECUTION_STATE ExecutionState, + OUT PEXECUTION_STATE PreviousExecutionState); + +EXTERN_C NTSTATUS NtLoadKeyEx( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile, + IN ULONG Flags, + IN HANDLE TrustClassKey OPTIONAL, + IN HANDLE Event OPTIONAL, + IN ACCESS_MASK DesiredAccess OPTIONAL, + OUT PHANDLE RootHandle OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatus OPTIONAL); + +EXTERN_C NTSTATUS NtQueryInformationTransactionManager( + IN HANDLE TransactionManagerHandle, + IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, + OUT PVOID TransactionManagerInformation, + IN ULONG TransactionManagerInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtSetUuidSeed( + IN PUCHAR Seed); + +EXTERN_C NTSTATUS NtCompareObjects( + IN HANDLE FirstObjectHandle, + IN HANDLE SecondObjectHandle); + +EXTERN_C NTSTATUS NtAcceptConnectPort( + OUT PHANDLE ServerPortHandle, + IN ULONG AlternativeReceivePortHandle OPTIONAL, + IN PPORT_MESSAGE ConnectionReply, + IN BOOLEAN AcceptConnection, + IN OUT PPORT_SECTION_WRITE ServerSharedMemory OPTIONAL, + OUT PPORT_SECTION_READ ClientSharedMemory OPTIONAL); + +EXTERN_C NTSTATUS NtCreateJobObject( + OUT PHANDLE JobHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS NtQueryMutant( + IN HANDLE MutantHandle, + IN MUTANT_INFORMATION_CLASS MutantInformationClass, + OUT PVOID MutantInformation, + IN ULONG MutantInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS 
NtCloseObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN BOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS NtFreezeTransactions( + IN PLARGE_INTEGER FreezeTimeout, + IN PLARGE_INTEGER ThawTimeout); + +EXTERN_C NTSTATUS NtSetInformationProcess( + IN HANDLE DeviceHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + IN PVOID ProcessInformation, + IN ULONG Length); + +EXTERN_C NTSTATUS NtAdjustPrivilegesToken( + IN HANDLE TokenHandle, + IN BOOLEAN DisableAllPrivileges, + IN PTOKEN_PRIVILEGES NewState OPTIONAL, + IN ULONG BufferLength, + OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtVdmControl( + IN VDMSERVICECLASS Service, + IN OUT PVOID ServiceData); + +EXTERN_C NTSTATUS NtAlpcConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, + IN ULONG Flags, + IN PSID RequiredServerSid OPTIONAL, + IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL, + IN OUT PULONG BufferLength OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS NtWaitForWorkViaWorkerFactory( + IN HANDLE WorkerFactoryHandle, + OUT PVOID MiniPacket); + +EXTERN_C NTSTATUS NtCompareTokens( + IN HANDLE FirstTokenHandle, + IN HANDLE SecondTokenHandle, + OUT PBOOLEAN Equal); + +EXTERN_C NTSTATUS NtAcquireProcessActivityReference(); + +EXTERN_C NTSTATUS NtFlushWriteBuffer(); + +EXTERN_C NTSTATUS NtCreateTimer( + OUT PHANDLE TimerHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN TIMER_TYPE TimerType); + +EXTERN_C NTSTATUS NtDebugContinue( + IN HANDLE DebugObjectHandle, + IN PCLIENT_ID ClientId, + IN NTSTATUS ContinueStatus); + +EXTERN_C NTSTATUS NtCompactKeys( + IN ULONG Count, + IN HANDLE KeyArray); + +EXTERN_C 
NTSTATUS NtRegisterThreadTerminatePort( + IN HANDLE PortHandle); + +EXTERN_C NTSTATUS NtAlpcCreatePortSection( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE SectionHandle OPTIONAL, + IN SIZE_T SectionSize, + OUT PHANDLE AlpcSectionHandle, + OUT PSIZE_T ActualSectionSize); + +EXTERN_C NTSTATUS NtSetBootOptions( + IN PBOOT_OPTIONS BootOptions, + IN ULONG FieldsToChange); + +EXTERN_C NTSTATUS NtQueryDriverEntryOrder( + IN PULONG Ids OPTIONAL, + IN OUT PULONG Count); + +EXTERN_C NTSTATUS NtThawTransactions(); + +EXTERN_C NTSTATUS NtAccessCheckByTypeResultListAndAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus, + OUT PULONG GenerateOnClose); + +EXTERN_C NTSTATUS NtTestAlert(); + +EXTERN_C NTSTATUS NtSetDriverEntryOrder( + IN PULONG Ids, + IN PULONG Count); + +EXTERN_C NTSTATUS NtTraceControl( + IN ULONG FunctionCode, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS NtAddBootEntry( + IN PBOOT_ENTRY BootEntry, + OUT PULONG Id OPTIONAL); + +EXTERN_C NTSTATUS NtAlpcOpenSenderProcess( + OUT PHANDLE ProcessHandle, + IN HANDLE PortHandle, + IN PPORT_MESSAGE PortMessage, + IN ULONG Flags, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtDeleteFile( + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtSavepointTransaction( + IN HANDLE TransactionHandle, + IN BOOLEAN Flag, + OUT ULONG SavePointId); + +EXTERN_C NTSTATUS 
NtCallbackReturn( + IN PVOID OutputBuffer OPTIONAL, + IN ULONG OutputLength, + IN NTSTATUS Status); + +EXTERN_C NTSTATUS NtReleaseCMFViewOwnership(); + +EXTERN_C NTSTATUS NtCancelTimer( + IN HANDLE TimerHandle, + OUT PBOOLEAN CurrentState OPTIONAL); + +EXTERN_C NTSTATUS NtCreateDirectoryObjectEx( + OUT PHANDLE DirectoryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE ShadowDirectoryHandle, + IN ULONG Flags); + +EXTERN_C NTSTATUS NtQueryBootEntryOrder( + OUT PULONG Ids OPTIONAL, + IN OUT PULONG Count); + +EXTERN_C NTSTATUS NtRemoveProcessDebug( + IN HANDLE ProcessHandle, + IN HANDLE DebugObjectHandle); + +EXTERN_C NTSTATUS NtAccessCheckAndAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN ACCESS_MASK DesiredAccess, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PBOOLEAN AccessStatus, + OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS NtReplyPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS NtPowerInformation( + IN POWER_INFORMATION_LEVEL InformationLevel, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS NtConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, + IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL, + IN OUT PPORT_SECTION_READ ServerView OPTIONAL, + OUT PULONG MaxMessageLength OPTIONAL, + IN OUT PVOID ConnectionInformation OPTIONAL, + IN OUT PULONG ConnectionInformationLength OPTIONAL); + +EXTERN_C NTSTATUS NtModifyDriverEntry( + IN PEFI_DRIVER_ENTRY DriverEntry); + +EXTERN_C NTSTATUS NtCreateJobSet( + IN ULONG NumJob, + IN PJOB_SET_ARRAY UserJobSet, + IN ULONG Flags); + +EXTERN_C NTSTATUS NtTerminateThread( + 
IN HANDLE ThreadHandle, + IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS NtMapUserPhysicalPages( + IN PVOID VirtualAddress, + IN PULONG NumberOfPages, + IN PULONG UserPfnArray OPTIONAL); + +EXTERN_C NTSTATUS NtFlushKey( + IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS NtDeleteWnfStateData( + IN PCWNF_STATE_NAME StateName, + IN PVOID ExplicitScope OPTIONAL); + +EXTERN_C NTSTATUS NtCreateFile( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PLARGE_INTEGER AllocationSize OPTIONAL, + IN ULONG FileAttributes, + IN ULONG ShareAccess, + IN ULONG CreateDisposition, + IN ULONG CreateOptions, + IN PVOID EaBuffer OPTIONAL, + IN ULONG EaLength); + +EXTERN_C NTSTATUS NtResumeThread( + IN HANDLE ThreadHandle, + IN OUT PULONG PreviousSuspendCount OPTIONAL); + +EXTERN_C NTSTATUS NtSetLdtEntries( + IN ULONG Selector0, + IN ULONG Entry0Low, + IN ULONG Entry0Hi, + IN ULONG Selector1, + IN ULONG Entry1Low, + IN ULONG Entry1Hi); + +EXTERN_C NTSTATUS NtRemoveIoCompletionEx( + IN HANDLE IoCompletionHandle, + OUT PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation, + IN ULONG Count, + OUT PULONG NumEntriesRemoved, + IN PLARGE_INTEGER Timeout OPTIONAL, + IN BOOLEAN Alertable); + +EXTERN_C NTSTATUS NtPrivilegeCheck( + IN HANDLE ClientToken, + IN OUT PPRIVILEGE_SET RequiredPrivileges, + OUT PBOOLEAN Result); + +EXTERN_C NTSTATUS NtNotifyChangeDirectoryFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PFILE_NOTIFY_INFORMATION Buffer, + IN ULONG Length, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree); + +EXTERN_C NTSTATUS NtCreateNamedPipeFile( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG ShareAccess, + IN ULONG CreateDisposition, + IN ULONG CreateOptions, + IN BOOLEAN 
NamedPipeType, + IN BOOLEAN ReadMode, + IN BOOLEAN CompletionMode, + IN ULONG MaximumInstances, + IN ULONG InboundQuota, + IN ULONG OutboundQuota, + IN PLARGE_INTEGER DefaultTimeout OPTIONAL); + +EXTERN_C NTSTATUS NtGetCompleteWnfStateSubscription( + IN PCWNF_STATE_NAME OldDescriptorStateName OPTIONAL, + IN PLARGE_INTEGER OldSubscriptionId OPTIONAL, + IN ULONG OldDescriptorEventMask OPTIONAL, + IN ULONG OldDescriptorStatus OPTIONAL, + OUT PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor, + IN ULONG DescriptorSize); + +EXTERN_C NTSTATUS NtCreateKeyTransacted( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG TitleIndex, + IN PUNICODE_STRING Class OPTIONAL, + IN ULONG CreateOptions, + IN HANDLE TransactionHandle, + OUT PULONG Disposition OPTIONAL); + +EXTERN_C NTSTATUS NtAlpcCreateResourceReserve( + IN HANDLE PortHandle, + IN ULONG Flags, + IN SIZE_T MessageSize, + OUT PHANDLE ResourceId); + +EXTERN_C NTSTATUS NtAcquireCMFViewOwnership( + OUT BOOLEAN TimeStamp, + OUT BOOLEAN TokenTaken, + IN BOOLEAN ReplaceExisting); + +EXTERN_C NTSTATUS NtCancelTimer2( + IN HANDLE TimerHandle, + IN PT2_CANCEL_PARAMETERS Parameters); + +EXTERN_C NTSTATUS NtQueryTimer( + IN HANDLE TimerHandle, + IN TIMER_INFORMATION_CLASS TimerInformationClass, + OUT PVOID TimerInformation, + IN ULONG TimerInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtQueryDebugFilterState( + IN ULONG ComponentId, + IN ULONG Level); + +EXTERN_C NTSTATUS NtReplyWaitReceivePortEx( + IN HANDLE PortHandle, + OUT PULONG PortContext OPTIONAL, + IN PPORT_MESSAGE ReplyMessage OPTIONAL, + OUT PPORT_MESSAGE ReceiveMessage, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS NtAlpcQueryInformationMessage( + IN HANDLE PortHandle, + IN PPORT_MESSAGE PortMessage, + IN ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass, + OUT PVOID MessageInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C 
NTSTATUS NtAlpcDisconnectPort( + IN HANDLE PortHandle, + IN ULONG Flags); + +EXTERN_C NTSTATUS NtQuerySecurityPolicy( + IN ULONG_PTR UnknownParameter1, + IN ULONG_PTR UnknownParameter2, + IN ULONG_PTR UnknownParameter3, + IN ULONG_PTR UnknownParameter4, + IN ULONG_PTR UnknownParameter5, + IN ULONG_PTR UnknownParameter6); + +EXTERN_C NTSTATUS NtClose( + IN HANDLE Handle); + +EXTERN_C NTSTATUS NtSetTimerEx( + IN HANDLE TimerHandle, + IN TIMER_SET_INFORMATION_CLASS TimerSetInformationClass, + IN OUT PVOID TimerSetInformation OPTIONAL, + IN ULONG TimerSetInformationLength); + +EXTERN_C NTSTATUS NtCreatePagingFile( + IN PUNICODE_STRING PageFileName, + IN PULARGE_INTEGER MinimumSize, + IN PULARGE_INTEGER MaximumSize, + IN ULONG Priority); + +EXTERN_C NTSTATUS NtAlpcDeleteResourceReserve( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE ResourceId); + +EXTERN_C NTSTATUS NtRollbackComplete( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS NtAlpcConnectPortEx( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ConnectionPortObjectAttributes, + IN POBJECT_ATTRIBUTES ClientPortObjectAttributes OPTIONAL, + IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, + IN ULONG Flags, + IN PSECURITY_DESCRIPTOR ServerSecurityRequirements OPTIONAL, + IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL, + IN OUT PSIZE_T BufferLength OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS NtCreateLowBoxToken( + OUT PHANDLE TokenHandle, + IN HANDLE ExistingTokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PSID PackageSid, + IN ULONG CapabilityCount, + IN PSID_AND_ATTRIBUTES Capabilities OPTIONAL, + IN ULONG HandleCount, + IN HANDLE Handles OPTIONAL); + +EXTERN_C NTSTATUS NtAssociateWaitCompletionPacket( + IN HANDLE WaitCompletionPacketHandle, + IN HANDLE 
IoCompletionHandle, + IN HANDLE TargetObjectHandle, + IN PVOID KeyContext OPTIONAL, + IN PVOID ApcContext OPTIONAL, + IN NTSTATUS IoStatus, + IN ULONG_PTR IoStatusInformation, + OUT PBOOLEAN AlreadySignaled OPTIONAL); + +EXTERN_C NTSTATUS NtCreatePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG MaxConnectionInfoLength, + IN ULONG MaxMessageLength, + IN ULONG MaxPoolUsage OPTIONAL); + +EXTERN_C NTSTATUS NtUnmapViewOfSection( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress); + +EXTERN_C NTSTATUS NtCreateProcessEx( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE ParentProcess, + IN ULONG Flags, + IN HANDLE SectionHandle OPTIONAL, + IN HANDLE DebugPort OPTIONAL, + IN HANDLE ExceptionPort OPTIONAL, + IN ULONG JobMemberLevel); + +EXTERN_C NTSTATUS NtOpenThreadToken( + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN BOOLEAN OpenAsSelf, + OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS NtMarshallTransaction(); + +EXTERN_C NTSTATUS NtReleaseWorkerFactoryWorker( + IN HANDLE WorkerFactoryHandle); + +EXTERN_C NTSTATUS NtOpenEventPair( + OUT PHANDLE EventPairHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtPullTransaction(); + +EXTERN_C NTSTATUS NtEnumerateKey( + IN HANDLE KeyHandle, + IN ULONG Index, + IN KEY_INFORMATION_CLASS KeyInformationClass, + OUT PVOID KeyInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ResultLength); + +EXTERN_C NTSTATUS NtWaitLowEventPair( + IN HANDLE EventHandle); + +EXTERN_C NTSTATUS NtGetCurrentProcessorNumberEx( + OUT PULONG ProcNumber OPTIONAL); + +EXTERN_C NTSTATUS NtImpersonateThread( + IN HANDLE ServerThreadHandle, + IN HANDLE ClientThreadHandle, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos); + +EXTERN_C NTSTATUS NtNotifyChangeDirectoryFileEx( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID 
ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree, + IN DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass OPTIONAL); + +EXTERN_C NTSTATUS NtPrepareComplete( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS NtFlushProcessWriteBuffers(); + +EXTERN_C NTSTATUS NtOpenSymbolicLinkObject( + OUT PHANDLE LinkHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS NtQueryInformationResourceManager( + IN HANDLE ResourceManagerHandle, + IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, + OUT PVOID ResourceManagerInformation, + IN ULONG ResourceManagerInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtExtendSection( + IN HANDLE SectionHandle, + IN OUT PLARGE_INTEGER NewSectionSize); + +EXTERN_C NTSTATUS NtQueryPortInformationProcess(); + +EXTERN_C NTSTATUS NtQueryDirectoryFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass, + IN BOOLEAN ReturnSingleEntry, + IN PUNICODE_STRING FileName OPTIONAL, + IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS NtSinglePhaseReject( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS NtQueryDefaultLocale( + IN BOOLEAN UserProfile, + OUT PLCID DefaultLocaleId); + +EXTERN_C NTSTATUS NtSetInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS NtCreateEvent( + OUT PHANDLE EventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN EVENT_TYPE EventType, + IN 
BOOLEAN InitialState); + +EXTERN_C NTSTATUS NtShutdownWorkerFactory( + IN HANDLE WorkerFactoryHandle, + IN OUT PLONG PendingWorkerCount); + +EXTERN_C NTSTATUS NtFlushBuffersFileEx( + IN HANDLE FileHandle, + IN ULONG Flags, + IN PVOID Parameters, + IN ULONG ParametersSize, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS NtEnumerateTransactionObject( + IN HANDLE RootObjectHandle OPTIONAL, + IN KTMOBJECT_TYPE QueryType, + IN OUT PKTMOBJECT_CURSOR ObjectCursor, + IN ULONG ObjectCursorLength, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS NtInitializeNlsFiles( + OUT PVOID BaseAddress, + OUT PLCID DefaultLocaleId, + OUT PLARGE_INTEGER DefaultCasingTableSize); + +EXTERN_C NTSTATUS NtQueryPerformanceCounter( + OUT PLARGE_INTEGER PerformanceCounter, + OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL); + +EXTERN_C NTSTATUS NtQueryEvent( + IN HANDLE EventHandle, + IN EVENT_INFORMATION_CLASS EventInformationClass, + OUT PVOID EventInformation, + IN ULONG EventInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS NtFindAtom( + IN PWSTR AtomName OPTIONAL, + IN ULONG Length, + OUT PUSHORT Atom OPTIONAL); + +EXTERN_C NTSTATUS NtCommitComplete( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS NtWorkerFactoryWorkerReady( + IN HANDLE WorkerFactoryHandle); + +EXTERN_C NTSTATUS NtDeleteKey( + IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS NtManagePartition( + IN HANDLE TargetHandle, + IN HANDLE SourceHandle, + IN MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass, + IN OUT PVOID PartitionInformation, + IN ULONG PartitionInformationLength); + +EXTERN_C NTSTATUS NtOpenKeyTransactedEx( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG OpenOptions, + IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS NtRecoverResourceManager( + IN HANDLE ResourceManagerHandle); + +EXTERN_C NTSTATUS NtCancelIoFileEx( + IN HANDLE FileHandle, + IN 
PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS NtClearAllSavepointsTransaction( + IN HANDLE TransactionHandle); +